
Thread: Exim SSL/TLS enable to transfer emails between any email servers

  1. #1

    Exim SSL/TLS enable to transfer emails between any email servers

    Greetings community!

    I'm stuck in a corner with the Exim configuration. I don't get why Exim is not using an SSL/TLS connection to send email to other servers, e.g. gmail.com, so that sent messages go over an encrypted channel.

    Followed this tutorial to use SSL for domains - https://www.directadmin.com/features.php?id=2019

    I have tested SSL on the server (in a terminal):

    Code:
    openssl s_client -connect server.domain.com:465

    1. Test: Certificate is installed and verified.

    Tested server via: https://www.checktls.com/TestReceiver
    Results all 100%.

    2. Test: To test TLS for sending emails:

    Tested server via: https://www.checktls.com/TestSender
    Result: Fail

    Could anyone give me a hint how to correctly configure Exim to use TLS as a client? See what I mean: http://www.exim.org/exim-html-3.20/d...38.html#SEC774

    Possible reason: ---> servers-domain.com did not encrypt this message

    When I send an email (for example to gmail.com) I see this:
    from: Sender M. <info@mydomain.com>
    to: reciver@gmail.com
    date: Jul 12, 2018, 7:48 PM
    subject: test tls
    mailed-by: mydomain.com
    signed-by: mydomain.com
    security: servers-domain.com did not encrypt this message


    Both mydomain.com and servers-domain.com have valid SSL certificates.

  2. #2

    Why does Exim not see the CA?

    In the log file I see "CV=no" (CA was not found), but I have checked /var/exim.cert and the correct CA is inserted there.

    Code:
    2018-07-12 23:11:06 1fdhvd-0004XP-SN <= info@mydomain.com H=([10.10.20.203]) [10.10.20.204]:60811 I=[10.10.20.205]:587 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no A=plain:info@mydomain.com S=742 id=dead5fb5-92cd-ae3e-2a4f-c07884f6f94a@mydomain.com T="Test TLS #18" from <info@mydomain.com> for reciver@gmail.com
    What next?... :|
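The log line above carries the two fields that matter for this thread: X= (TLS version, cipher and key size of the session) and CV= (whether the peer's certificate verified). Note that on a "<=" line the peer is the *submitting client* on port 587, so CV=no there says nothing about the certificate Exim presents or about outbound encryption; the "=>" delivery line for the same message ID is the one that shows whether the hop to gmail.com was encrypted. The following parser is an added example, not code from the thread or from DirectAdmin; the first sample line is the one quoted above, the two "=>" lines (hostnames, addresses and the 192.0.2.0/24 documentation range) are constructed to show a verified TLS delivery and a cleartext one.

```python
"""Pull the TLS facts out of Exim main-log lines.

Exim tags a message with X=<version>:<cipher>:<bits> when the SMTP session
was encrypted and with CV=yes|no for whether the *peer's* certificate was
verified. On a "<=" (received) line the peer is the submitting client; on a
"=>" (delivered) line it is the remote MX.
"""
import re
from typing import Dict, List, Optional

# Constructed sample log. Line 1 is the line quoted in post #2; lines 2 and 3
# are invented delivery records (hostnames and IPs are assumptions).
SAMPLE_LOG = """\
2018-07-12 23:11:06 1fdhvd-0004XP-SN <= info@mydomain.com H=([10.10.20.203]) [10.10.20.204]:60811 I=[10.10.20.205]:587 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no A=plain:info@mydomain.com S=742 id=dead5fb5-92cd-ae3e-2a4f-c07884f6f94a@mydomain.com T="Test TLS #18" from <info@mydomain.com> for reciver@gmail.com
2018-07-12 23:11:07 1fdhvd-0004XP-SN => reciver@gmail.com R=lookuphost T=remote_smtp H=gmail-smtp-in.l.google.com [192.0.2.27] X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes DN="CN=mx.google.com" C="250 2.0.0 OK"
2018-07-12 23:12:40 1fdhvf-0004XQ-AB => someone@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.40] C="250 OK id=abc"
"""

# date time msgid flag address rest...
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<msgid>\S+-\S+-\S+) "
    r"(?P<flag><=|=>|->|\*\*|==|>>|\*>) (?P<addr>\S+) ?(?P<rest>.*)$"
)
# key=value tokens; quoted values (T="...", DN="...", C="...") may contain spaces.
FIELD_RE = re.compile(r'(?P<key>[A-Za-z]+)=(?P<val>"(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one main-log line into msgid, flag, address and key=value fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "msgid": m.group("msgid"),
        "flag": m.group("flag"),
        "address": m.group("addr"),
        "fields": fields,
    }


def tls_summary(line: str) -> Optional[Dict[str, object]]:
    """Reduce a "<=" or "=>" line to the questions an operator actually asks."""
    rec = parse_line(line)
    if rec is None or rec["flag"] not in ("<=", "=>"):
        return None
    f = rec["fields"]
    x = f.get("X")
    version = cipher = None
    if x:
        parts = x.split(":")          # e.g. TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128
        version = parts[0]
        cipher = parts[1] if len(parts) > 1 else None
    return {
        "msgid": rec["msgid"],
        "direction": "inbound" if rec["flag"] == "<=" else "outbound",
        "address": rec["address"],
        "peer": f.get("H"),
        "encrypted": x is not None,   # no X= means the hop ran in cleartext
        "tls_version": version,
        "cipher": cipher,
        # CV= is about the peer's certificate: the client's cert on "<=",
        # the remote server's cert on "=>". Absent CV= -> None (unknown).
        "peer_cert_verified": {"yes": True, "no": False}.get(f.get("CV")),
    }


def cleartext_deliveries(log_text: str) -> List[Dict[str, object]]:
    """Return every outbound delivery that was made without TLS."""
    found = []
    for line in log_text.splitlines():
        s = tls_summary(line)
        if s and s["direction"] == "outbound" and not s["encrypted"]:
            found.append(s)
    return found


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(tls_summary(line))
    for s in cleartext_deliveries(SAMPLE_LOG):
        print(f"CLEARTEXT: {s['msgid']} -> {s['address']} via {s['peer']}")
```

Run it over a real /var/log/exim/mainlog (or DirectAdmin's exim log path) and grep for the message ID of a test mail to gmail.com: if its "=>" line has no X= field, Exim itself delivered in the clear and the transport configuration is the place to look; if it has X= and CV=yes, the "did not encrypt" banner at Gmail points at a different hop (for instance a relay in front of this server).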

  3. #3

    Might have nothing to do with it, but did you also update Dovecot for SSL?

    Did you enable mail_sni=1 in directadmin.conf and restart DA?

    Code:
    cd /usr/local/directadmin/custombuild/
    ./build update
    ./build dovecot_conf
    I edited this message because by accident I gave the old beta code.
    Last edited by Richard G; 07-13-2018 at 05:49 AM. Reason: corrected messages.
    Greetings, Richard.

  4. #4

    Hello, Richard!

    Q: update Dovecot for SSL
    A: Yes, I did, but correct me if I'm wrong, Dovecot is for receiving emails. Also, Dovecot is using the same SSL as Exim:

    From the Dovecot config:
    Code:
    !include conf/ssl.conf
    ssl.conf
    Code:
    ssl_cert = </etc/exim.cert
    ssl_key = </etc/exim.key
    
    ssl_min_protocol = TLSv1
    ssl_cipher_list = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    ssl_dh=</etc/dovecot/dh.pem
    The problem is somewhere in exim.

    P.S. I have played with log levels in Exim (log level changed in exim.conf and `service exim restart`), but nothing changed in the log file.

  5. #5

    Yes, I did, but correct me if I'm wrong, Dovecot is for receiving emails.
    Correct, that's why I wrote that it might have nothing to do with it.

    Q:
    Did you enable mail_sni=1 in directadmin.conf and restart DA?
    ??

    I've just had a look at this again:
    Code:
    openssl s_client -connect server.domain.com:465
    If you really use that, your hostname also needs a Let's Encrypt certificate.

    If you have mail_sni=1 then you should check it like:
    Code:
    openssl s_client -connect smtp.domain.com:465
    or mail.domain.com or whatever you use for outgoing mail.

    Which versions of exim.conf and exim.pl are you using?
    Greetings, Richard.

  6. #6

    Greetings Richard,

    Q: Did you enable mail_sni=1 in directadmin.conf and restart DA?
    A: Yes, as in the instructions: https://www.directadmin.com/features.php?id=2019

    Q: If you have mail_sni=1 then you should check it...
    A: Yes, I did - tested with the involved domains:
    Server's domain: server.domain.com
    Hosted domains' subdomains: mail.mydomain.com, smtp.mydomain.com

    All returned valid SSLs.

    Q: Which version exim.conf and exim.pl are you using?
    A: here you go:
    Code:
    [root@server ~]# grep '#VERSION=' /etc/exim.pl
    #VERSION=24
    Code:
    # SpamBlockerTechnology* powered exim.conf, Version 4.5.9
    # April 13, 2018
    # Exim configuration file for DirectAdmin

  7. #7

    That's odd.

    If you have this in exim.variables.conf too:
    Code:
    tls_certificate=${if exists{/etc/virtual/snidomains}{${lookup{$tls_in_sni}nwildlsearch{/etc/virtual/snidomains}{${if exists{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.cert.combined}{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.cert.combined}{/etc/exim.cert}}}{/etc/exim.cert}}}{/etc/exim.cert}}
    tls_privatekey=${if exists{/etc/virtual/snidomains}{${lookup{$tls_in_sni}nwildlsearch{/etc/virtual/snidomains}{${if exists{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.key}{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.key}{/etc/exim.key}}}{/etc/exim.key}}}{/etc/exim.key}}
    openssl_options=+no_sslv2 +no_sslv3
    tls_require_ciphers=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    then I'm out of ideas and hope SMTalk or zEitEr will have a look, or send in a ticket for it.

    Like you, I'm very curious now what's causing this because it all looks okay.
    Greetings, Richard.
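The tls_certificate / tls_privatekey lines above are main-section options: they decide which certificate Exim presents when it is the TLS *server* (per SNI name). Whether Exim encrypts mail it *sends* is decided by the smtp transport, which the thread never shows. As an added illustration (not from the thread, not DirectAdmin's stock exim.conf), this is what the client-side TLS options of an Exim 4 smtp transport look like; the option names are from the Exim 4 specification, the transport name remote_smtp and all values are assumptions and should be checked against the real configuration:

```conf
# Main section: log the TLS facts for every hop, inbound and outbound,
# so the "=>" delivery line shows X= (cipher), CV= (peer cert verified),
# the peer's DN and the SNI name that was used.
log_selector = +tls_cipher +tls_certificate_verified +tls_peerdn +tls_sni

begin transports

remote_smtp:
  driver = smtp
  # Exim offers STARTTLS to any host not listed in hosts_avoid_tls, so an
  # empty list means "try TLS everywhere" (opportunistic encryption).
  hosts_avoid_tls =
  # Hosts that must never be delivered to in cleartext, e.g. a smarthost
  # whose TLS support you control; empty means none are mandatory.
  hosts_require_tls =
  # Send the destination host name as SNI so a multi-domain MX can
  # pick the matching certificate.
  tls_sni = $host
  # Verify the remote server's certificate against the system CA bundle,
  # but with tls_try_verify_hosts a failed verification is only logged
  # (CV=no) and delivery still happens; put hosts in tls_verify_hosts to
  # make verification mandatory for them.
  tls_verify_certificates = system
  tls_try_verify_hosts = *
  tls_verify_hosts =
```

Two checks that go with this: `exim -bP transport remote_smtp` prints the effective options of the transport as Exim actually parsed them (DirectAdmin's include files can override what you expect), and a queue run with TLS debugging, `exim -d+tls -q`, shows on stderr whether STARTTLS was offered by the remote MX and why the handshake succeeded or failed, which the normal log level does not.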

  8. #8

    Richard,

    Q: check config: exim.variables.conf
    A: I also did that before starting this thread. This is why I started this thread.

    I have started a support ticket.
    Let's see if something comes up. I will update this thread.
    Last edited by indexs; 07-16-2018 at 07:51 AM. Reason: Added answer on exim.variables.conf
