exim-doc-4.69-4mdv2010.0.i586.rpm

<html>
<head>
<title>The Exim FAQ Section 17</title>
</head>
<body bgcolor="#F8F8F8" text="#00005A" link="#FF6600" alink="#FF9933" vlink="#990000">
<h1>The Exim FAQ</h1>
<a href="FAQ.html#TOC">Contents</a>&nbsp;&nbsp;
<a href="FAQ_16.html">Previous</a>&nbsp;&nbsp;
<a href="FAQ_18.html">Next</a>
<hr><br>
<h2><a href="FAQ.html#TOC324">17. ENCRYPTION (TLS/SSL)</a></h2>
<p>
<a name="TOC325" href="FAQ.html#TOC325">Q1701:</a>&nbsp;&nbsp;I am trying to set up an Exim server that uses a self-signed certificate
to enable my clients to use TLS. However, clients other than Exim
refuse to accept this certificate. What's wrong?
</p>
<p>
<font color="#00BB00">A1701:</font>&nbsp;&nbsp;Some clients refuse a server certificate that is itself self-signed:
they require the certificate presented by the server to be a user (also
called &#147;leaf&#148; or &#147;site&#148;) certificate that was issued by a
<i>certification authority</i> (CA) they trust. In this situation, create a
self-signed CA certificate, install it on each client as a trusted root CA,
and have the server present a user certificate signed by that CA. The user
certificate must also carry the host name the clients connect to; otherwise
they reject it for a name mismatch even though they trust the CA.
</p>
<p>
For information on creating self-signed CA certificates and using them
to sign user certificates, see the <i>General implementation overview</i>
chapter of the Open-source PKI book, available online at
<a href="http://ospkibook.sourceforge.net/">http://ospkibook.sourceforge.net/</a>. Here is a quick overview. First,
read this message:
</p>
<p>
<a href="http://www.FreeBSD.org/cgi/mid.cgi?id=3C3F3A93.C1ECF9B0%40mindspring.com">http://www.FreeBSD.org/cgi/mid.cgi?id=3C3F3A93.C1ECF9B0%40mindspring.com</a>
</p>
<p>
Then, follow the instructions found on these two (consecutive) pages:
</p>
<p>
<a href="http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/initialisation.htm">http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/initialisation.htm</a>
<a href="http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/keygensign.htm">http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/keygensign.htm</a>
</p>
<p>
Two points on the PKI Book literature:
</p>
<p>
(1) &nbsp;The book assumes it is acceptable for the private key belonging to the
user/site/leaf certificate to be passphrase-protected. Exim reads the key
unattended and has no way to supply a passphrase, so strip it as follows:
</p>
<pre>
   openssl rsa -in user.key -out user.key.new
   mv user.key.new user.key</pre>
<p>
This should be done immediately after <i>user.key</i> is created. An
unencrypted key is protected only by file permissions, so make the file
readable by the Exim user and by nobody else.
</p>
<p>
(2) &nbsp;The <i>sign.sh</i> script is available in the <i>mod_ssl</i> distribution,
available at <a href="http://www.modssl.org/source/">http://www.modssl.org/source/</a>.
</p>
<p>
Having followed the instructions, you end up with the following files:
</p>
<p>
(a) <i>ca.crt</i>
</p>
<p>
This file should be installed into the client software as a trusted
root certification authority. In Windows XP, this can be done as follows:
</p>
<p>
&nbsp;&nbsp;Call the file <i>ca_cert.cer</i><br>&nbsp;&nbsp;Double-click on the file<br>&nbsp;&nbsp;"Install Certificate";<br>&nbsp;&nbsp;"Next"<br>&nbsp;&nbsp;"Place all certificates in the following store"<br>&nbsp;&nbsp;"Browse..."<br>&nbsp;&nbsp;"Trusted Root Certification Authorities"<br>&nbsp;&nbsp;"OK"<br>&nbsp;&nbsp;"Next"<br>&nbsp;&nbsp;"Finish"<br>&nbsp;&nbsp;"Yes"<br>&nbsp;&nbsp;"OK"
</p>
<p>
(b) <i>user.crt</i> and <i>user.key</i>
</p>
<p>
These files should be installed into the server software. In Exim, this
can be done by adding these lines to the configuration file:
</p>
<pre>
   tls_certificate = /usr/local/etc/exim/tls_cert
   tls_privatekey = /usr/local/etc/exim/tls_key</pre>
<p>
Then install <i>user.crt</i> and <i>user.key</i> under the names <i>tls_cert</i>
and <i>tls_key</i> in the appropriate directory.
</p>
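<p>
As an added example, not code from the Exim FAQ, the PKI Book or mod_ssl's
<i>sign.sh</i>, here is the whole procedure above done directly with the
<i>openssl</i> command line: build a self-signed CA, sign a user certificate
for the mail host with it, strip the passphrase from the user key, verify the
result, and install the files under the <i>tls_cert</i>/<i>tls_key</i> names
used in the configuration fragment above. The host name
<i>mail.example.com</i>, the subject names, the passphrases and the
destination directory are all constructed for this example and can be
overridden through environment variables; the script assumes an
<i>openssl</i> binary is installed.
</p>

```shell
#!/bin/sh
# Added example (not from the Exim FAQ, the PKI Book or mod_ssl): a private CA,
# a CA-signed user certificate for the mail host, passphrase stripped from the
# user key, verification, and installation under the names used in A1701.
# Constructed assumptions: HOST, the subject names, the passphrases and DEST.
set -eu

WORK=${WORK:-$(mktemp -d)}          # scratch directory for CA and leaf files
DEST=${DEST:-$WORK/exim}            # stands in for /usr/local/etc/exim
HOST=${HOST:-mail.example.com}      # the name clients connect to; must be in the cert
CA_PASS=${CA_PASS:-constructed-ca-passphrase}
LEAF_PASS=${LEAF_PASS:-constructed-leaf-passphrase}

# Minimal OpenSSL config so the run does not depend on the system openssl.cnf.
write_config() {
    cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca

[ dn ]
CN = Example Private Mail CA

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Extensions for the leaf: clients check the host name in subjectAltName.
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' \
        "$HOST" > "$WORK/leaf.ext"
}

# 1. Self-signed CA. Its key stays passphrase-protected: it is only used offline.
make_ca() {
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -config "$WORK/ca.cnf" \
        -key "$WORK/ca.key" -passin "pass:$CA_PASS" -out "$WORK/ca.crt"
}

# 2. Leaf key (initially passphrase-protected, as the PKI Book assumes), CSR,
#    and a leaf certificate signed by the CA.
make_leaf() {
    openssl genrsa -aes256 -passout "pass:$LEAF_PASS" -out "$WORK/user.key" 2048 2>/dev/null
    openssl req -new -config "$WORK/ca.cnf" -subj "/CN=$HOST" \
        -key "$WORK/user.key" -passin "pass:$LEAF_PASS" -out "$WORK/user.csr"
    openssl x509 -req -days 825 -in "$WORK/user.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -passin "pass:$CA_PASS" \
        -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/user.crt"
}

# 3. Strip the passphrase (point (1) above): Exim reads the key unattended.
#    The unencrypted key is then protected by file permissions only.
strip_passphrase() {
    openssl rsa -in "$WORK/user.key" -passin "pass:$LEAF_PASS" -out "$WORK/user.key.new"
    mv "$WORK/user.key.new" "$WORK/user.key"
    chmod 0600 "$WORK/user.key"
}

# Returns 0 if user.key carries no encryption header any more.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$WORK/user.key"
}

# Returns 0 if user.crt chains to ca.crt and its public key matches user.key.
verify_leaf() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/user.crt" >/dev/null || return 1
    [ "$(openssl x509 -noout -modulus -in "$WORK/user.crt")" = \
      "$(openssl rsa -noout -modulus -in "$WORK/user.key")" ]
}

# Returns 0 if the certificate names the host the clients will connect to.
cert_names_host() {
    openssl x509 -noout -text -in "$WORK/user.crt" | grep -q "DNS:$HOST"
}

# 4. Install under the names used in the FAQ's tls_certificate/tls_privatekey
#    fragment. In production, also chown tls_key to the user Exim runs as.
install_for_exim() {
    mkdir -p "$DEST"
    cp "$WORK/user.crt" "$DEST/tls_cert" && chmod 0644 "$DEST/tls_cert"
    cp "$WORK/user.key" "$DEST/tls_key" && chmod 0600 "$DEST/tls_key"
}

write_config
make_ca
make_leaf
strip_passphrase
key_is_unencrypted
verify_leaf
cert_names_host
install_for_exim
echo "install $WORK/ca.crt on the clients as a trusted root CA"
echo "tls_certificate = $DEST/tls_cert"
echo "tls_privatekey = $DEST/tls_key"
```

<p>
Run it once, copy <i>ca.crt</i> to the clients as described under (a), and
point <tt>tls_certificate</tt> and <tt>tls_privatekey</tt> at the installed
files. From a client machine,
<tt>openssl s_client -connect mail.example.com:25 -starttls smtp -CAfile ca.crt</tt>
should then report <i>Verify return code: 0 (ok)</i>; any other code means
the clients will reject the certificate too.
</p>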
<p>
<a name="TOC326" href="FAQ.html#TOC326">Q1702:</a>&nbsp;&nbsp;How can I arrange for Exim to advertise support for SMTP authentication
only when the session is encrypted?
</p>
<p>
<font color="#00BB00">A1702:</font>&nbsp;&nbsp;Use this setting:
</p>
<pre>
   auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}</pre>
<p>
<i>$tls_cipher</i> is empty until a TLS session has been negotiated, so the
expansion yields an empty host list (advertise AUTH to nobody) on an
unencrypted connection and <tt>*</tt> (advertise to everybody) once STARTTLS
has succeeded.
</p>
<p>
<a name="TOC327" href="FAQ.html#TOC327">Q1703:</a>&nbsp;&nbsp;I have some legacy clients that don't use STARTTLS, but which expect to
negotiate a TLS session automatically on connection to the ssmtp port
(465). Can Exim handle this?
</p>
<p>
<font color="#00BB00">A1703:</font>&nbsp;&nbsp;If you are using release 4.43 or later, you can set
</p>
<pre>
   tls_on_connect_ports = 465</pre>
<p>
and then arrange for your daemon to listen on both port 25 and port 465
by setting <tt>daemon_smtp_ports</tt> or <tt>local_interfaces</tt> or the <b>-oX</b>
command line option. Or use <i>inetd</i> to listen on port 465.
</p>
<p>
If you are using an earlier release of Exim, you need to run two
Exim listeners, on different ports, one of which is started with the
<b>-tls-on-connect</b> option (which makes all ports act this way). You can
either use two daemons, or a single daemon, with the other listener
using <i>inetd</i>. For example, here are commands to start two daemons:
</p>
<pre>
   exim -bd -q15m
   exim -bd -oX '[0.0.0.0]::465' -tls-on-connect</pre>
<p>
The first is a &#147;normal&#148; daemon; the second listens on port 465 and
expects to negotiate a TLS session at the start of each connection.
</p>
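<p>
An added example, not part of the Exim FAQ, that checks from the outside
that the settings in A1702 and A1703 behave as intended: AUTH must be
absent from the EHLO response on a plaintext connection and present after
STARTTLS on port 25, and on port 465 TLS must be negotiated on connect
without any STARTTLS command. The host name, CA file path and the EHLO
responses embedded below are constructed; the live probes assume
<i>nc</i> (netcat) and an <i>openssl s_client</i> that supports
<tt>-starttls smtp</tt>.
</p>

```shell
#!/bin/sh
# Added example (not from the Exim FAQ): verify that AUTH is offered only inside
# TLS (A1702) and that port 465 speaks TLS on connect (A1703).
# Constructed assumptions: HOST, CAFILE, the sample EHLO responses; nc and
# openssl s_client are assumed to be installed for the live probes.
set -eu

HOST=${HOST:-mail.example.com}
CAFILE=${CAFILE:-/usr/local/etc/exim/ca.crt}

# Return 0 when the EHLO response text in $1 advertises the keyword $2
# (for example AUTH or STARTTLS), on either a "250-" or the final "250 " line.
ehlo_offers() {
    printf '%s\n' "$1" | tr -d '\r' | grep -Eiq '^250[ -]'"$2"'( |=|$)'
}

# Judge one observed EHLO response against the policy: AUTH must be absent in
# plaintext ($1 = plain) and present under TLS ($1 = tls). Prints a verdict and
# returns 0 only when the policy holds.
check_policy() {
    if ehlo_offers "$2" AUTH; then auth=yes; else auth=no; fi
    case "$1:$auth" in
        plain:no|tls:yes) echo "$1 session: AUTH advertised=$auth (ok)"; return 0 ;;
        *)                echo "$1 session: AUTH advertised=$auth (policy violated)"; return 1 ;;
    esac
}

# Plaintext EHLO on port 25, no TLS at all (nc assumed).
ehlo_plaintext() {
    printf 'EHLO probe.example\r\nQUIT\r\n' | nc -w 5 "$HOST" 25
}

# EHLO after STARTTLS on port 25: s_client performs the STARTTLS step itself;
# -quiet keeps the connection open until the server closes it after QUIT, and
# -verify_return_error makes a certificate that does not chain to CAFILE fatal.
ehlo_starttls() {
    printf 'EHLO probe.example\r\nQUIT\r\n' |
        openssl s_client -quiet -connect "$HOST:25" -starttls smtp \
            -CAfile "$CAFILE" -verify_return_error 2>/dev/null
}

# EHLO on port 465: TLS is negotiated on connect, so no -starttls option.
ehlo_tls_on_connect() {
    printf 'EHLO probe.example\r\nQUIT\r\n' |
        openssl s_client -quiet -connect "$HOST:465" \
            -CAfile "$CAFILE" -verify_return_error 2>/dev/null
}

# Constructed EHLO responses, as Exim sends them before and after STARTTLS
# when auth_advertise_hosts is set as in A1702.
SAMPLE_PLAIN='250-mail.example.com Hello probe.example [192.0.2.10]
250-SIZE 52428800
250-STARTTLS
250 HELP'
SAMPLE_TLS='250-mail.example.com Hello probe.example [192.0.2.10]
250-SIZE 52428800
250-AUTH PLAIN LOGIN
250 HELP'

# Offline self-check against the constructed responses.
selfcheck() {
    check_policy plain "$SAMPLE_PLAIN" && check_policy tls "$SAMPLE_TLS"
}

# Live probes: all three must pass for the server to be configured correctly.
probe_server() {
    rc=0
    check_policy plain "$(ehlo_plaintext)"      || rc=1
    check_policy tls   "$(ehlo_starttls)"       || rc=1
    check_policy tls   "$(ehlo_tls_on_connect)" || rc=1
    return $rc
}

if [ "${1:-}" = "--probe" ]; then
    probe_server
else
    selfcheck
fi
```

<p>
Without arguments the script only evaluates the embedded constructed
responses; <tt>sh tls-probe.sh --probe</tt> runs the three live probes and
exits non-zero if the server advertises AUTH in the clear, withholds it
under TLS, or presents a certificate that does not verify against the CA
file.
</p>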
<p>
<a name="TOC328" href="FAQ.html#TOC328">Q1704:</a>&nbsp;&nbsp;When my Outlook Express 6.0 client sends a STARTTLS command to begin a
TLS session, Exim doesn't seem to receive it.
</p>
<p>
<font color="#00BB00">A1704:</font>&nbsp;&nbsp;See <a href="FAQ_0.html#TOC59">Q0059</a>.
</p>
<p>
<a name="TOC329" href="FAQ.html#TOC329">Q1705:</a>&nbsp;&nbsp;I have listed some hosts in <tt>tls_try_verify_hosts</tt>, but when they
connect, no data appears in <i>$tls_peerdn</i>.
</p>
<p>
<font color="#00BB00">A1705:</font>&nbsp;&nbsp;This means that the clients have not sent certificates when asked by
the server to do so. If the clients are running Exim, check that
<tt>tls_certificate</tt> is correctly set in their <b>smtp</b> transports. Note
that this value is not automatically inherited from the global
<tt>tls_certificate</tt> option.
</p>
<p>
<a name="TOC330" href="FAQ.html#TOC330">Q1706:</a>&nbsp;&nbsp;I have listed some hosts in <tt>tls_verify_hosts</tt> and provided them with
certificates, but their connections are always rejected.
</p>
<p>
<font color="#00BB00">A1706:</font>&nbsp;&nbsp;Make sure that the server file containing the expected certificates
(defined by <tt>tls_verify_certificates</tt>) is readable by the Exim user,
and that it actually contains the CA certificate that issued the clients'
certificates. See also the answer to <a href="FAQ_17.html#TOC329">Q1705</a>.
</p>
<p>
<a name="TOC331" href="FAQ.html#TOC331">Q1707:</a>&nbsp;&nbsp;I am trying to use TLS with Evolution as a client, and keep seeing this
error: <i>SMTP protocol violation: synchronization error (next input
sent too soon): rejected "\200F^A^C".</i> What does it mean?
</p>
<p>
<font color="#00BB00">A1707:</font>&nbsp;&nbsp;See <a href="FAQ_0.html#TOC86">Q0086</a> for a general explanation of the error. In this case, it
probably means that Evolution is trying to negotiate a TLS session
immediately on connecting, without first using the STARTTLS command: the
rejected bytes are the start of an SSL client hello rather than an SMTP
command. This was an older way of starting up TLS, before STARTTLS was
defined. See <a href="FAQ_17.html#TOC327">Q1703</a> for how to deal with this.
</p>
<p>
<a name="TOC332" href="FAQ.html#TOC332">Q1708:</a>&nbsp;&nbsp;I am trying to use TLS with Outlook as a client on a box that is running
Norton Antivirus, but all my email is being rejected with <i>Unsupported
command</i> errors. Why?
</p>
<p>
<font color="#00BB00">A1708:</font>&nbsp;&nbsp;Norton Antivirus does not support TLS or AUTH. It puts a broken SMTP
proxy between you and the Exim server. You need to turn off outbound
scanning of email.
</p>
<hr><br>
<a href="FAQ.html#TOC">Contents</a>&nbsp;&nbsp;
<a href="FAQ_16.html">Previous</a>&nbsp;&nbsp;
<a href="FAQ_18.html">Next</a>
</body>
</html>