The Exim FAQ


17. ENCRYPTION (TLS/SSL)

Q1701:  I am trying to set up an Exim server that uses a self-signed certificate to enable my clients to use TLS. However, clients other than Exim refuse to accept this certificate. What's wrong?

A1701:  It seems that some clients require that the certificate presented by the server be a user (also called “leaf” or “site”) certificate, and not a self-signed certificate. In this situation, the self-signed certificate must be installed on the client as a trusted root certification authority (CA), and the certificate used by the server must be a user certificate signed with that self-signed certificate.

For information on creating self-signed CA certificates and using them to sign user certificates, see the General implementation overview chapter of the Open-source PKI book, available online at http://ospkibook.sourceforge.net/. Here is a quick overview. First, read this message:

http://www.FreeBSD.org/cgi/mid.cgi?id=3C3F3A93.C1ECF9B0%40mindspring.com

Then, follow the instructions found on these two (consecutive) pages:

http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/initialisation.htm
http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/keygensign.htm

Two points on the PKI Book literature:

(1)  The PKI Book assumes it is acceptable for the private key of the user/site/leaf certificate to be passphrase-protected. If this isn't acceptable, you can strip the passphrase as follows (you will be prompted for it once):

   openssl rsa -in user.key -out user.key.new
   mv user.key.new user.key

This should be done immediately after user.key is created.

(2)  The sign.sh script is available in the mod_ssl distribution, available at http://www.modssl.org/source/.

Having followed the instructions, you end up with the following files:

(a) ca.crt

This file should be installed into the client software as a trusted root certification authority. In Windows XP, this can be done as follows:

  Call the file ca_cert.cer
  Double-click on the file
  "Install Certificate";
  "Next"
  "Place all certificates in the following store"
  "Browse..."
  "Trusted Root Certification Authorities"
  "OK"
  "Next"
  "Finish"
  "Yes"
  "OK"

(b) user.crt and user.key

These files should be installed into the server software. In Exim, this can be done by adding these lines to the configuration file:

   tls_certificate = /usr/local/etc/exim/tls_cert
   tls_privatekey = /usr/local/etc/exim/tls_key

Then install user.crt and user.key under the names tls_cert and tls_key in the appropriate directory.

Q1702:  How can I arrange for Exim to advertise support for SMTP authentication only when the session is encrypted?

A1702:  Use this setting:

   auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

Q1703:  I have some legacy clients that don't use STARTTLS, but which expect to negotiate a TLS session automatically on connection to the ssmtp port (465). Can Exim handle this?

A1703:  If you are using release 4.43 or later, you can set

   tls_on_connect_ports = 465

and then arrange for your daemon to listen on both port 25 and port 465 by setting daemon_smtp_ports or local_interfaces or the -X command line option. Or use inetd to listen on port 465.

If you are using an earlier release of Exim, you need to run two Exim listeners, on different ports, one of which is started with the -tls-on-connect option (which makes all ports act this way). You can either use two daemons, or a single daemon, with the other listener using inetd. For example, here are commands to start two daemons:

   exim -bd -q15m
   exim -bd -oX '[0.0.0.0]::465' -tls-on-connect

The first is a “normal” daemon; the second listens on port 465 and expects to negotiate a TLS session at the start of each connection.

Q1704:  When my Outlook Express 6.0 client sends a STARTTLS command to begin a TLS session, Exim doesn't seem to receive it.

A1704:  See Q0059.

Q1705:  I have listed some hosts in tls_try_verify_hosts, but when they connect, no data appears in $tls_peerdn.

A1705:  This means that the clients have not sent certificates when asked by the server to do so. If the clients are running Exim, check that tls_certificate is correctly set in their smtp transports. Note that this value is not automatically inherited from the global tls_certificate option.

Q1706:  I have listed some hosts in tls_verify_hosts and provided them with certificates, but their connections are always rejected.

A1706:  Make sure that the server file containing the expected certificates (defined by tls_verify_certificates) is readable by the Exim user. See also the answer to Q1705.

Q1707:  I am trying to use TLS with Evolution as a client, and keep seeing this error: SMTP protocol violation: synchronization error (next input sent too soon): rejected "\200F^A^C". What does it mean?

A1707:  See Q0086 for a general explanation of the error. In this case, it probably means that Evolution is trying to negotiate a TLS session as soon as it connects, without first using the STARTTLS command. This was an older way of starting up TLS, before STARTTLS was defined. See Q1703 for how to deal with this.

Q1708:  I am trying to use TLS with Outlook as a client on a box that is running Norton Antivirus, but all my email is being rejected with Unsupported command errors. Why?

A1708:  Norton Antivirus does not support TLS or AUTH. It puts a broken SMTP proxy between you and the Exim server. You need to turn off outbound scanning of email.
