exim4 configuration for remote SMTP with the SMTPS protocol [en]

Introduction

exim4 has been around for a long time and has seen many changes. In the modern SMTP/MTA mail world the STARTTLS command has become the standard. However, there are still some mail providers which require TLS on connect, otherwise known as the SMTPS protocol. Configuring a modern version of Exim to use SMTPS has become rather difficult. If you follow along, in a few steps you will be shown how to make a modern version of Exim (4.82) use the deprecated SMTPS protocol for smarthosts.

This guide is written for Debian/Ubuntu based systems and might not work on other Linux distributions.

Requirements

Make sure the required packages are installed by executing apt-get remove exim4-daemon-light; apt-get install exim4-daemon-heavy swaks openssl. If you want to install the requirements manually, the following packages are required but not necessarily installed by default:

exim4-daemon-heavy
swaks
openssl

Getting to business

Exim configuration on Debian and Ubuntu has been greatly simplified for most types of configuration by dpkg-reconfigure exim4-config. Start by executing the dpkg-reconfigure exim4-config command and select the following options; values marked between [] are to be replaced with your own data:

General type of mail configuration: mail sent by smarthost; no local mail
System mail name: [system name as described in /etc/hostname]
IP-addresses to listen on for incoming SMTP connections: [required listening interface default: ‘127.0.0.1 ; ::1’]
Other destinations for which mail is accepted: [system name as described in /etc/hostname]
Machines to relay mail for: [empty line]
IP address or host name of the outgoing smarthost: [remote smtp server: ‘address::port’]
Hide local mail name in outgoing mail: yes
Visible domain name for local users: [system name as described in /etc/hostname]
Keep number of DNS-queries minimal (Dial-on-Demand): no
Delivery method for local mail: mbox format in /var/mail/
Split configuration into small files: no

Various parts of the Exim documentation, as well as the help text of dpkg-reconfigure exim4-config and various articles on the internet, give misleading information about how to declare a remote smarthost. For the smarthost to work with SMTPS both the address and the port need to be given; for the address a DNS name is preferred. Between the address and the port you need two : characters as delimiter, for example mail.domain::587. Never use a single : and never replace the port number with a protocol name, since neither will work!
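The double colon is needed because a single colon is Exim's separator between the items of a host list, so host:587 would be read as two hosts. The port given this way also overrides the 465 default that protocol = smtps implies, which is what the "Transport port=465 replaced by host-specific port=587" line in the test output further down shows. The following script is an added example, not part of the original post: it checks that a smarthost spec has the host::port form, then uses openssl (one of the requirements listed above) to find out whether that port really speaks TLS on connect (what the SMTPS lines below expect) or clear text with STARTTLS (in which case the stock transport, which upgrades with STARTTLS when it is offered, is what you want instead). The names parse_smarthost and probe_tls are my own; it assumes a POSIX sh, the openssl command-line tool and network access to the smarthost.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks that a smarthost
# spec uses the host::port form the post describes, then uses openssl
# (one of the listed requirements) to find out whether that port speaks
# TLS on connect (SMTPS) or clear text with STARTTLS. The function names
# parse_smarthost and probe_tls are my own. Assumes a POSIX sh and the
# openssl command-line tool; needs network access to the smarthost.

# parse_smarthost SPEC -> prints "HOST PORT" and returns 0, or prints a
# diagnostic on stderr and returns 1 for the forms the post warns against
# (a single ':' or a protocol name in place of the port number).
parse_smarthost() {
    spec=$1
    case $spec in
        *::*)
            host=${spec%%::*}
            port=${spec##*::}
            ;;
        *:*)
            echo "smarthost '$spec': a single ':' is Exim's list separator, use host::port" >&2
            return 1
            ;;
        *)
            echo "smarthost '$spec': no port given, use host::port" >&2
            return 1
            ;;
    esac
    if [ -z "$host" ]; then
        echo "smarthost '$spec': empty host name" >&2
        return 1
    fi
    case $port in
        ''|*[!0-9]*)
            echo "smarthost '$spec': port must be a number, not '$port'" >&2
            return 1
            ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "smarthost '$spec': port $port is out of range" >&2
        return 1
    fi
    echo "$host $port"
}

# probe_tls HOST PORT -> prints one of:
#   smtps     TLS handshake first, then a 2xx SMTP greeting inside the
#             session: this is what 'protocol = smtps' expects
#   starttls  clear-text greeting, and STARTTLS upgrades to TLS
#   none      neither worked (closed port, timeout, or no TLS at all)
# Returns 0 for smtps/starttls, 1 for none.
probe_tls() {
    host=$1
    port=$2
    # Bound each attempt when coreutils timeout is available; a plain
    # openssl run could otherwise wait on a server that never answers.
    limit=""
    if command -v timeout >/dev/null 2>&1; then
        limit="timeout 15"
    fi
    # Implicit TLS first: on a STARTTLS-only port the server's clear-text
    # banner is read as a bogus TLS record and openssl fails fast.
    if printf 'QUIT\r\n' |
        $limit openssl s_client -connect "$host:$port" -servername "$host" -quiet 2>/dev/null |
        grep -q '^2[0-9][0-9][ -]'; then
        echo smtps
        return 0
    fi
    # Otherwise let openssl do EHLO + STARTTLS before the handshake.
    if printf 'QUIT\r\n' |
        $limit openssl s_client -connect "$host:$port" -servername "$host" -starttls smtp -quiet 2>/dev/null |
        grep -q '^2[0-9][0-9][ -]'; then
        echo starttls
        return 0
    fi
    echo none
    return 1
}

# Usage: sh probe-smarthost.sh 'mail.example-domain.net::587'
if [ "$#" -eq 1 ]; then
    hp=$(parse_smarthost "$1") || exit 1
    probe_tls $hp    # unquoted on purpose: splits into HOST and PORT
fi
```

Run it with the exact string you gave dpkg-reconfigure as the smarthost; a result of smtps confirms that the two transport lines below are the right fix for this provider, while starttls means the provider does not need them.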

With the address and port configured, the first configuration hurdle has been taken. The final step is to change the configuration template, which can be found in /etc/exim4/exim4.conf.template. Open this file with your favourite editor and make sure you have write permissions. Scroll down to the line remote_smtp_smarthost:. Then add the following two lines below the driver = smtp line that is part of the smarthost transport:

hosts_require_tls = [remote smtp server without port]
protocol = smtps

After this you should have something which looks like the following:

remote_smtp_smarthost:
  debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
  driver = smtp
  hosts_require_tls = mail.example-domain.net
  protocol = smtps
  …

Now restart the exim4 daemon by executing service exim4 restart. The configuration for an SMTPS remote smarthost is now complete; on to testing.

Testing

For testing the newly configured SMTP relay both swaks and sendmail will be used. First copy and execute the following command after changing the to and from email addresses: swaks -f m1@example.com -t m2@example.com -s localhost -p 25. The command should pass with flying colours; if successful the output will look similar to this:

=== Trying localhost:25...
=== Connected to localhost.
<- 220 local.WORKGROUP ESMTP Exim 4.82 Ubuntu Sun, 05 Mar 2017 16:47:32 +0100
-> EHLO test.com
<- 250-local.WORKGROUP Hello localhost [::1]
<- 250-SIZE 52428800
<- 250-8BITMIME
<- 250-PIPELINING
<- 250 HELP
-> MAIL FROM:<m1@example.com>
<- 250 OK
-> RCPT TO:<m2@example.com>
<- 250 Accepted
-> DATA
<- 354 Enter message, ending with "." on a line by itself
-> Date: Sun, 05 Mar 2017 16:47:32 +0100
-> To: m2@example.com
-> From: m1@example.com
-> Subject: test Sun, 05 Mar 2017 16:47:32 +0100
-> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
->
-> This is a test mailing
->
-> .
<- 250 OK id=1ckYNg-0004Qe-Eh
-> QUIT
<- 221 local.WORKGROUP closing connection

If at this point you receive the email at the address given after the swaks -f parameter, you are done, although it is best to continue and verify some other configuration parameters. Alternatively you can stop here and enjoy your working SMTP relay.

The next test uses sendmail and shows how the remote SMTP server responds to what is being sent. Execute echo "Subject: test" | sendmail -v replaceme@example.com. The output should look similar to:

LOG: MAIN
<= local.WORKGROUP U=root P=local S=345
root@h2351298:/etc/exim4# delivering 1ckbCq-0004Z0-Tw
R: smarthost for mail@example.com
T: remote_smtp_smarthost for @
Transport port=465 replaced by host-specific port=587
Connecting to mail.example.nl [133.133.133.133]:587 ... connected
SMTP<< 220 mail.example.nl ESMTP ready
SMTP>> EHLO local.WORKGROUP
SMTP<< 250-mail.example.nl
SMTP<< 235 2.0.0 OK
SMTP>> MAIL FROM:<local.WORKGROUP> AUTH=user@local.WORKGROUP
SMTP<< 250 OK
SMTP>> RCPT TO:<mail@example.com>
SMTP<< 250 Accepted
SMTP>> DATA
SMTP<< 354 Enter message, ending with "." on a line by itself
SMTP>> writing message and terminating "."
SMTP<< 250 OK id=1ckbCv-0006HX-CQ
SMTP>> QUIT
LOG: MAIN
=> mail@example.com R=smarthost T=remote_smtp_smarthost H=mail.example.nl [133.133.133.133] X=TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128 DN="jurisdictionOfIncorporationCountryName=NL,businessCategory=Private Organization,serialNumber=61838454,C=NL,ST=Flevoland,L=Almere,O=EXAMPLE BV,CN=mail.example.nl" A=plain C="250 OK id=1ckbCv-0006HX-CQ"
LOG: MAIN
Completed
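The X= part of the delivery line above is the only evidence in the log that the message actually left over TLS, and it also shows what was negotiated (here TLS 1.0 with a CBC cipher). The same line format is written to /var/log/exim4/mainlog on Debian, so it can be checked after the fact. The script below is an added example, not part of the post and not Exim's own tooling: it reads Exim "=>" delivery records and flags deliveries that went out without TLS or with a version older than 1.2. The sample lines are constructed; the first mirrors the output above, the others and their message ids are made up. The function names are my own; the CV=yes/no field (certificate verified) only appears when Exim's tls_certificate_verified log selector is enabled, which is why its absence is reported as unknown.

```shell
#!/bin/sh
# Added example, not part of the original post: reads Exim '=>' delivery
# lines (the format /var/log/exim4/mainlog uses, matching the output above)
# and reports whether each smarthost delivery was protected by TLS and
# which version was negotiated. Function names are my own.

# delivery_tls_status LINE -> prints "STATUS VERSION CIPHER BITS verified=CV"
# STATUS is one of: none (no X= field, delivered in clear text),
# weak (SSL or TLS 1.0/1.1), ok (TLS 1.2 or 1.3), unknown, or skip for
# lines that are not '=>' delivery records.
delivery_tls_status() {
    rec=$1
    case $rec in
        *" => "*) ;;
        *) echo skip; return 0 ;;
    esac
    # X=<version>:<cipher>:<bits> is what Exim logs for a TLS session;
    # its absence means the message went out unencrypted.
    x=$(printf '%s\n' "$rec" | sed -n 's/.* X=\([^ ]*\).*/\1/p')
    if [ -z "$x" ]; then
        echo "none - - - verified=no"
        return 0
    fi
    version=${x%%:*}
    rest=${x#*:}
    cipher=${rest%%:*}
    bits=${rest##*:}
    # CV=yes/no is only logged with the tls_certificate_verified log
    # selector enabled; treat a missing field as unknown, not as verified.
    cv=$(printf '%s\n' "$rec" | sed -n 's/.* CV=\([a-z]*\).*/\1/p')
    [ -n "$cv" ] || cv=unknown
    case $version in
        SSL*|TLS1.0|TLS1.1) status=weak ;;
        TLS1.2|TLS1.3)      status=ok ;;
        *)                  status=unknown ;;
    esac
    echo "$status $version $cipher $bits verified=$cv"
}

# audit_exim_log [FILE] -> reads mainlog lines from FILE or stdin, prints one
# line per delivery that was not protected by TLS 1.2 or newer, and returns
# 1 if there was any such delivery, 0 otherwise.
audit_exim_log() {
    bad=0
    while IFS= read -r line; do
        st=$(delivery_tls_status "$line")
        case $st in
            skip|"ok "*) ;;
            *)
                msgid=$(printf '%s\n' "$line" | cut -d' ' -f3)
                peer=$(printf '%s\n' "$line" | sed -n 's/.* H=\([^ ]*\).*/\1/p')
                echo "$msgid to $peer: $st"
                bad=1
                ;;
        esac
    done < "${1:-/dev/stdin}"
    return $bad
}

# Constructed sample in mainlog format: the first record mirrors the post's
# TLS1.0 delivery; the other records, timestamps and message ids are made up.
sample_log() {
    cat <<'EOF'
2017-03-05 17:02:11 1ckbCv-0006HX-CQ => mail@example.com R=smarthost T=remote_smtp_smarthost H=mail.example.nl [133.133.133.133] X=TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128 A=plain C="250 OK id=1ckbCv-0006HX-CQ"
2017-03-05 17:05:40 1ckbFw-0006Jz-Ab => mail@example.com R=smarthost T=remote_smtp_smarthost H=mail.example.nl [133.133.133.133] X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=yes A=plain C="250 OK id=1ckbFw-0006Jz-Ab"
2017-03-05 17:09:02 1ckbJ5-0006Kc-Dq => mail@example.com R=smarthost T=remote_smtp_smarthost H=mail.example.nl [133.133.133.133] A=plain C="250 OK id=1ckbJ5-0006Kc-Dq"
2017-03-05 17:09:02 1ckbJ5-0006Kc-Dq Completed
EOF
}

# Usage: sh audit-exim-tls.sh /var/log/exim4/mainlog
# (run without arguments from a shell, the functions are only defined)
if [ "$#" -eq 1 ]; then
    audit_exim_log "$1"
fi
```

Against the constructed sample the audit reports the TLS 1.0 delivery and the clear-text one and exits non-zero, while the TLS 1.2 record passes; on a real mainlog a non-zero exit is the signal that hosts_require_tls is not doing what you expect.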

Configuring auth

At this point you might see a totally different result, stating something similar to Relay not permitted or authentication required. This simply means you need to add a valid SMTP account for the remote server. The server, username and password need to be added on a single line in /etc/exim4/passwd.client. Once again : is used as the delimiter, but this time a single : separates the server, username and password. An example would be example.com:bestuser@example.com:verysecurepassword
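Two things go wrong easily with this file: the first field has to be the same server name the transport connects to (the smarthost without its port), and because the line holds a clear-text password the file must stay unreadable for other local users. The script below is an added example, not part of the post and not shipped with exim4: it checks a passwd.client file for the host:user:password format above, for empty or extra fields, for an entry matching the smarthost, and for permissions that leave the file readable by others. It assumes Debian's layout, where the package installs /etc/exim4/passwd.client owned by root with group Debian-exim and mode 0640 so that only the daemon can read it; the function name is my own and the test content is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-checks an Exim
# passwd.client file against the host:user:password format described
# above and makes sure the file is not readable by other local users.
# Assumes Debian's layout (/etc/exim4/passwd.client, group-readable by
# the daemon's group Debian-exim, mode 0640); the function name is my own.

# check_passwd_client FILE [SMARTHOST] -> prints one line per problem and
# returns 1 if any was found, 0 if the file is usable and private. When
# SMARTHOST (the name used in hosts_require_tls, without port) is given,
# an entry for it or a '*' wildcard entry must exist.
check_passwd_client() {
    file=$1
    smarthost=$2
    problems=0
    if [ ! -f "$file" ]; then
        echo "$file: does not exist"
        return 1
    fi
    # The 'other' permission triple (columns 8-10 of ls -l) must be '---';
    # group read is expected because the daemon reads the file as its group.
    others=$(ls -ld "$file" | cut -c8-10)
    if [ "$others" != "---" ]; then
        echo "$file: other users can access it ('$others'), run chmod 640"
        problems=1
    fi
    n=0
    found=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        n=$((n + 1))
        # Blank lines and '#' comments are fine; Debian ships a comment header.
        case $entry in ''|'#'*) continue ;; esac
        fields=$(printf '%s\n' "$entry" | awk -F: '{ print NF }')
        if [ "$fields" -ne 3 ]; then
            echo "$file:$n: expected host:user:password (3 fields), found $fields"
            problems=1
            continue
        fi
        host=${entry%%:*}
        rest=${entry#*:}
        user=${rest%%:*}
        pass=${rest#*:}
        if [ -z "$host" ] || [ -z "$user" ] || [ -z "$pass" ]; then
            echo "$file:$n: empty field in host:user:password entry"
            problems=1
            continue
        fi
        if [ -n "$smarthost" ] && { [ "$host" = "$smarthost" ] || [ "$host" = "*" ]; }; then
            found=1
        fi
    done < "$file"
    if [ -n "$smarthost" ] && [ "$found" -eq 0 ]; then
        echo "$file: no entry for smarthost '$smarthost'"
        problems=1
    fi
    return $problems
}

# Usage: sh check-passwd-client.sh /etc/exim4/passwd.client mail.example-domain.net
if [ "$#" -ge 1 ]; then
    check_passwd_client "$@"
fi
```

Run it as root with the smarthost name from hosts_require_tls as the second argument; a clean exit means the credentials line Exim will look up exists and nobody else on the machine can read it.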

That settles it: a modern version of Exim using the deprecated SMTPS protocol. I hope this saves you the struggle I had figuring this out. If you have any questions, feel free to ask them in the comments below.
