IRC Archive / Freenode / #exim / 2010 / April / 23 / 1
socram
i want my desktop (debian+exim) to deliver via shell a mail to my company server mail, executing exim -t < mail gives me "Unrouteable address". never worked with exim before. how do i route my company domain for mail delivery?
henk
socram: it's probably not configured to handle non-local mail...
mtrg
Hi
does exim support MTA to MTA TLS?
where, say, MTA-1 is sending a mail to MTA-2
How does certificate verification happen?
I know HTTPS looks for domain name against DN in cert. But what about SMTP
Simon-
there is no name verification
you can however validate the name yourself in an ACL if you wish
but there's no defined standard or common practice that would allow you to do so for all hosts connecting
(or that you connect to)
mtrg
is there any RFC that talks about this?
use of TLS in SMTP for inter-domain
Simon-
there will be an RFC for TLS over SMTP
but there is still no way to verify the certificate name
mtrg
there *will* be? means there isn't any yet?
Simon-
it's not a simple task either, imagine example.com example.net example.org all using blah.example.com as the MX
which name do you use to check the certificate? blah.example.com is just the MX record name so it can be altered
like HTTPS there is no way to know which domain the client wants when it connects
I imagine the only way for this to proceed is with the use of DNSSEC
the MX record will be signed, and then that hostname can have an RR specifying the public key
mtrg
so then we can use MX's domain for DN?
Simon-
no, at that stage you won't need certificates ;)
as you'll already have the private key
mtrg
what private key
Simon-
but yes, you'd be able to be certain that example.org wants you to deliver mail to blah.example.com, and so you can check the certificate says blah.example.com
er, sorry, public key
mtrg
public key through DNSSEC of that domain?
Simon-
yes
mtrg
similar to DKIM?
Simon-
yes
although it'd have to be on the MX record name, you can't possibly maintain it on every domain handled by the MTA
the best you can currently do is verify the certificate is signed by a CA and log the DN
mtrg
why not just make the @foo.com in the DN, and let every MTA have the associated private key
Simon-
because most MTAs handle more than one domain
mtrg
so let them have more private keys per domain
Simon-
the MTA won't know which domain it's expected to handle when TLS is set up
and it could be requested to deliver mail to multiple different domains
mtrg
this scenario is like a backward transparent https proxy
Simon-
the only way verification will ever be possible is through extra data in DNS
until DNSSEC is deployed, anyone intercepting your TLS connection will intercept DNS too
mtrg
and poison DNS
Simon-: where can i find the SMTP TLS RFC thing?
Simon-
google
you won't find anything on verifying the DN
it's impractical
also, you have no way of knowing that they provide TLS
and they can't possibly disable plaintext
${reduce{</$tls_peerdn}{}{${if match{$item}{\N^CN=\N}{$value/$item}{$value}}}}
that should evaluate to: /CN=hostname
mtrg
Simon-: yeah, DN is challenging
Simon-: I meant the RFC you said "there will be an RFC" -- I only found rfc3207 but it seems for client to MTA (not mta to mta)
Simon-
erm those are the same
mtrg
Simon-: so Exim's use for MTA-to-MTA TLS is equal to Client to MTA?
Simon-
yes
with the exception that Exim and all other MTAs are unable to verify the name on the certificate
mtrg
Simon-: what about the "there is going to be an RFC"
Simon-
I didn't say that... but that is the usual way to introduce new standards
in theory it will be included as part of whatever is done for HTTPS
mtrg
< Simon-> there will be an RFC for TLS over SMTP
Simon-
yes, some RFC will specify the STARTTLS command
mtrg
isn't it already specified
Simon-: why can't a recipient MTA tell which domain is needed for STARTTLS?
Simon-
mtrg: because you can deliver to multiple domains for one email
mtrg
Simon-: doesn't the MTA send multiple messages per recipient?
Simon-
no
not if they're all going to the same host
mtrg
Simon-: is this part of RFC, or exim optimizations?
Simon-
every MTA does it
mtrg
wondering if it is mandated by RFC
with S/MIME, the client would send multiple emails per recipient (since they have different key pairs obviously)
if SMTP is encrypted, I think it would make sense to send multiple copies of emails per host
per domain
Simon-
no, you encrypt the email with a temporary key and then encrypt that key per recipient
or encrypt the entire mail multiple times and send it to all recipients
mtrg: that is inefficient and not necessary
mtrg
Simon-: yeah, symmetric keys are encrypted to users' public key. are you saying that only the encrypted key is sent per user, and not the full mail?
Simon-
that's how PGP does it
mtrg
encrypted keys sent as a separate email?
do you mean the encrypted symmetric key, or the per-user mail thingy
Simon-
the symmetric key is encrypted with each user's key and sent as one email to everyone
the same process is used even if there's only one recipient (if you don't sign it with your own key you can't read it either...)
er, encrypt it with your own key
xcyclist
All the documentation I've read slates you up to read a giant novel to configure the simplest email server. All I want to do is make it so I can receive email from another central point, and send it out using that point as a hop. I don't need any customizations. Low end. But I need to specify THAT HOSTNAME FOR THE HOP. There must be an easy way.
henk
xcyclist: exim can't "actively" receive email. it's got to be sent to exim. that's what smtp is for: sending email. if you need to "actively" receive email, you use pop or imap.
xcyclist
henk: I don't even care that much about receiving. I just need to send out with xmail from the command line.
henk
xcyclist: and where's the problem?
xcyclist
henk: And I need to be able to specify a specific host to hop through that allows outgoing. The standard default that it hooks up to is internal only.
xcyclist: Nothing tells me how to specify the host. It's a maze of dang verbiage.
henk
xcyclist: what distribution are you running?
xcyclist
henk: How do I tell?
henk
xcyclist: uhm... you don't know if you run exim on debian, gentoo, fedora, $whatever?
xcyclist
They are versions mostly on Ubuntu server, but one on CentOS.
all recent, last 5 years.
henk
xcyclist: ubuntu probably has the same debconf interface debian provides... have you tried that?
xcyclist
I just say debconf exim4?
That doesn't work.
# debconf exim4
Exim is a Mail Transfer Agent. It is normally called by Mail User Agents,
not directly from a shell command line. Options and/or arguments control
what it does when called. For a list of options, see the Exim documentation.
henk
xcyclist: read the docs on the package. they are pretty good... /usr/share/doc/exim4-doc-html/
hm or something in /usr/share/doc/exim4*
xcyclist
# cd /usr/share/doc/exim4-doc-html/
-su: cd: /usr/share/doc/exim4-doc-html/: No such file or directory
henk
xcyclist: stop just doing exactly what i say and think about it first please... just find the f...ine manual your distribution provides for exim.
xcyclist
There is a 778 line example.conf I am finding very obscure.
Is there a name I can search for? This must be a simple configuration just to set a hostname and a port number...?
It is probably not faster to learn Chinese and go to China and find someone there to do it for me...