IRC Archive / Freenode / #exim / 2010 / March / 14
fastputty1
hello, all my email sent to hotmail and other email services is falling into the junk box. I heard they have some policy about it. Anyone know how to make my domain legit? Please point me in the right direction, thanks
nachos
anyone about?
I need help with running a TLS-only server
no matter what I do I can't make exim4 REQUIRE TLS for an SMTP client sending email
I've tried server_advertise_condition
and auth_advertise_condition
server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}
djce
nachos: have you got TLS working yet, i.e. it is offered to clients?
nachos
yeah, it works
both on Thunderbird and my iPhone
djce
using starttls?
(as opposed to tls-on-connect)
nachos
is that,
tls_advertise_hosts = * ?
djce
sort of. What ports is exim listening on? 25? 465? 587?
nachos
25
djce
only 25, yes?
nachos
yes
djce
that's fine. So, if a client connects to port 25 then issues STARTTLS, do they then get offered AUTH ?
nachos
how do I debug that?
swaks
djce
bingo.
nachos
I'll debug it
djce
So far I'm unclear if your problem is that your TLS'd clients are being offered AUTH, or the auth is being offered or isn't working, or that auth is being offered with TLS (which I assume you don't want).
swaks is very handy for this :-)
nachos
yeah, I got a full debug
I just need to install Net::DNS
djce
apt-get install swaks should do it all, no? I thought it did anyway.
nachos
nup
waiting ... waiting
djce, hm
looks like it's trying to connect from 0.0.0.0
swaks that is
I can't reach it
djce
I wouldn't worry about that, sounds fine.
0.0.0.0 just means "any ip address"
nachos
I think it's Thunderbird
I think
swaks fails to send the email
yeah, it's Thunderbird I think
djce
So, did you run swaks with --tls and --auth ? What did it say?
nachos
got to install more Perl modules
okay, done it djce
djce
and?
nachos
it prints out STARTTLS after EHLO and before AUTH
for some reason Thunderbird can get around it
djce
Please see my comment above that starts "So far I'm unclear if your problem is ..."
nachos
ahh ok
sorry mate, I'll start from the top
basically
I would like my exim server to only allow clients to connect via TLS
so far
by setting server_advertise_conditions and server_advertise_hosts, Thunderbird still can send email over the connection
but for some reason swaks fails
and my iPhone fails too
djce
ok, let's concentrate on swaks then. Can you pastebin the output from swaks, taking care only to remove what you really have to, e.g. username/password ?
nachos
sure
what's the pastebin of choice here
djce
don't mind.
Anything where I can easily read it
nachos
http://erxz.com/pb/24123
djce
(Action) reads
nachos
(Action) thanks djce for his time
djce
ok. So in that example, STARTTLS and AUTH PLAIN are working just fine.
nachos
yeap
djce
It fails on RCPT, because "recipient address must contain a domain"
nachos
yeah, that's negligible
I could add a domain and it would work
djce
So, swaks is working then? I thought you said swaks wasn't working.
nachos
oh nah
djce
(Action) is still unsure what problem we're trying to solve
nachos
I said swaks FAILS.. as in with no TLS it doesn't send the email
but Thunderbird
I disable the TLS and it sends anyway
djce
Ah. So, the problem is that it allows mail to be sent even without tls?
nachos
yes
djce
ok. When that happens, does it use auth?
i.e. is it doing connect, mail, done; or is it doing connect, auth, mail, done.
nachos
not sure
any way I can make exim4 dump that?
djce
Check the exim main logs. e.g. it might say "A=plain_server", if it used the authenticator called plain_server.
(That's on the "<=" line)
nachos
it says P=esmtp
not A
djce
no "A=" ? OK, so it's not using auth.
nachos
ah
I see
djce
So, what we need to do is make exim reject the "MAIL" command if a client isn't authenticated.
You've already got it set up so that you can only auth if you're using TLS, so therefore that means a client must be using tls too.
nachos
yeap
I see
djce
Does this server ONLY accept mails from these types of client, e.g. it's not an MX taking in mail from the outside world?
nachos
I did that
oh
yeah, it takes mail from the outside world
like forwarded on from Gmail to local hosts
djce
ok. So, what we need to do is modify your "rcpt" acl . But this is where it gets trickier for me, because I don't know what config you already have in place.
Do you have something like "accept hosts = +relay_from_hosts" in your acl_check_rcpt ?
nachos
ah ok
yes
djce
Do you also have something like " accept authenticated = *" ?
nachos
yes
djce
OK. Sounds like you're using something closely based on the default config then, which is good.
nachos
yeah
djce
"relay_from_hosts" is those hosts who are allowed to relay without auth, so probably that's the problem. Does that host list include your clients?
If so, I suggest you modify that hostlist to exclude them. e.g. just set it to 127.0.0.1, perhaps.
nachos
127.0.0.1 : ::::1
is ::::1 IPv6 for localhost?
djce
yup (think so. Never used IPv6 :-)
nachos
same
yeah, it's not in my relay_from_hosts
djce
What isn't? Your client's IP?
nachos
yeap
djce
Hmm. So, next question:
When your client sends a mail without using auth (which you want to stop), what domain is it sending it to? One of yours?
nachos
yes
djce
Can you retry using a different domain, e.g. get thunderbird to try sending mail to your gmail address?
nachos
ah wow
I did
and it doesn't work
stops on my ACL clause stopping relaying
djce
which is what you want, isn't it?
nachos
yes
djce
So... nothing to fix? All working just fine?
nachos
but yes, it works great
wait, what I'm thinking doesn't make sense
djce
Sounds like you were just getting confused by testing your tls/auth thing using your own domains, but that's a bad example because your server accepts mail for its own domains without requiring tls/auth (because it *has* to, 'cos it's an MX)
nachos
yeah, exactly
so it DOES work but what I expected was wrong
djce
Exactly! That's what I'm thinking too.
nachos
thanks djce
much appreciated
djce
You /could/ make exim require tls/auth even for your own domains (from Thunderbird), but there's probably no need.
nachos
yeah
one more question
djce
shoot.
nachos
what is the inverse of an empty ( : ) list?
djce
for a host list? "*"
nachos
ah
djce
See http://exim.org/exim-html-current/doc/html/spec_html/ch10.html#SECThostlist
nachos
thanks djce
how can I specify in the relay_to_domains that I want NO domains in the list?
just do this
hostlist relay_to_domains=
and leave it empty?
djce
Yes. Which is the default, in fact.
lijil
is there a way to configure exim to just log all messages to a file, instead of actually sending them?
petemc
you could redirect everything to a mbox
lijil
petemc: can you elaborate a bit?
petemc
simple redirect router would do it
foo:
driver = redirect
data = someaddress@localhost
lijil
not too familiar with this, can this be set up via the dpkg-reconfigure prompts?
petemc
no
lijil
looks like the local delivery only option will do it. everything is saved in /var/mail
artur
Hi
I have a problem with my exim installation. One message has a double ID in mainlog. http://wklej.org/hash/ed8cfe7e2fe/ Exim version 4.71 compiled from source on Debian lenny with DirectAdmin installed. Any ideas?