<html> <head> <title>The Exim FAQ Section 17</title> </head> <body bgcolor="#F8F8F8" text="#00005A" link="#FF6600" alink="#FF9933" vlink="#990000"> <h1>The Exim FAQ</h1> <a href="FAQ.html#TOC">Contents</a> <a href="FAQ_16.html">Previous</a> <a href="FAQ_18.html">Next</a> <hr><br> <h2><a href="FAQ.html#TOC324">17. ENCRYPTION (TLS/SSL)</a></h2> <p> <a name="TOC325" href="FAQ.html#TOC325">Q1701:</a> I am trying to set up an Exim server that uses a self-signed certificate to enable my clients to use TLS. However, clients other than Exim refuse to accept this certificate. What's wrong? </p> <p> <font color="#00BB00">A1701:</font> It seems that some clients require that the certificate presented by the server be a user (also called “leaf” or “site”) certificate, and not a self-signed certificate. In this situation, the self-signed certificate must be installed on the client as a trusted root <i>certification authority</i> (CA), and the certificate used by the server must be a user certificate signed with that self-signed certificate. </p> <p> For information on creating self-signed CA certificates and using them to sign user certificates, see the <i>General implementation overview</i> chapter of the Open-source PKI book, available online at <a href="http://ospkibook.sourceforge.net/">http://ospkibook.sourceforge.net/</a>. Here is a quick overview. 
First, read this message: </p> <p> <a href="http://www.FreeBSD.org/cgi/mid.cgi?id=3C3F3A93.C1ECF9B0%40mindspring.com">http://www.FreeBSD.org/cgi/mid.cgi?id=3C3F3A93.C1ECF9B0%40mindspring.com</a> </p> <p> Then, follow the instructions found on these two (consecutive) pages: </p> <p> <a href="http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/initialisation.htm">http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/initialisation.htm</a> <a href="http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/keygensign.htm">http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/keygensign.htm</a> </p> <p> Two points on the PKI Book literature: </p> <p> (1) It's assumed that it's okay for the private key of the user/site/leaf certificate to be passphrase-protected. If this isn't acceptable (an Exim daemon that starts unattended cannot supply a passphrase), you seem to be able to strip out the passphrase as follows: </p> <pre>
openssl rsa -in user.key -out user.key.new
mv user.key.new user.key
</pre> <p> This should be done immediately after <i>user.key</i> is created. </p> <p> (2) The <i>sign.sh</i> script is available in the <i>mod_ssl</i> distribution, available at <a href="http://www.modssl.org/source/">http://www.modssl.org/source/</a>. </p> <p> Having followed the instructions, you end up with the following files: </p> <p> (a) <i>ca.crt</i> </p> <p> This file should be installed into the client software as a trusted root certification authority. In Windows XP, this can be done as follows: </p> <p> Call the file <i>ca_cert.cer</i><br> Double-click on the file<br> "Install Certificate"<br> "Next"<br> "Place all certificates in the following store"<br> "Browse..."<br> "Trusted Root Certification Authorities"<br> "OK"<br> "Next"<br> "Finish"<br> "Yes"<br> "OK" </p> <p> (b) <i>user.crt</i> and <i>user.key</i> </p> <p> These files should be installed into the server software. 
In Exim, this can be done by adding these lines to the configuration file: </p> <pre>
tls_certificate = /usr/local/etc/exim/tls_cert
tls_privatekey = /usr/local/etc/exim/tls_key
</pre> <p> Then install <i>user.crt</i> and <i>user.key</i> under the names <i>tls_cert</i> and <i>tls_key</i> in the appropriate directory. </p> <p> <a name="TOC326" href="FAQ.html#TOC326">Q1702:</a> How can I arrange for Exim to advertise support for SMTP authentication only when the session is encrypted? </p> <p> <font color="#00BB00">A1702:</font> Use this setting: </p> <pre>
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
</pre> <p> <i>$tls_cipher</i> is empty until a TLS session has been negotiated, so the expansion yields an empty host list (advertise AUTH to nobody) on a plaintext connection and <tt>*</tt> (advertise to everybody) once the session is encrypted. </p> <p> <a name="TOC327" href="FAQ.html#TOC327">Q1703:</a> I have some legacy clients that don't use STARTTLS, but which expect to negotiate a TLS session automatically on connection to the ssmtp port (465). Can Exim handle this? </p> <p> <font color="#00BB00">A1703:</font> If you are using release 4.43 or later, you can set </p> <pre>
tls_on_connect_ports = 465
</pre> <p> and then arrange for your daemon to listen on both port 25 and port 465 by setting <tt>daemon_smtp_ports</tt> or <tt>local_interfaces</tt> or the <b>-oX</b> command line option. Or use <i>inetd</i> to listen on port 465. </p> <p> If you are using an earlier release of Exim, you need to run two Exim listeners, on different ports, one of which is started with the <b>-tls-on-connect</b> option (which makes all ports act this way). You can either use two daemons, or a single daemon, with the other listener using <i>inetd</i>. For example, here are commands to start two daemons: </p> <pre>
exim -bd -q15m
exim -bd -oX '[0.0.0.0]::465' -tls-on-connect
</pre> <p> The first is a “normal” daemon; the second listens on port 465 and expects to negotiate a TLS session at the start of each connection. </p> <p> <a name="TOC328" href="FAQ.html#TOC328">Q1704:</a> When my Outlook Express 6.0 client sends a STARTTLS command to begin a TLS session, Exim doesn't seem to receive it. 
</p> <p> <font color="#00BB00">A1704:</font> See <a href="FAQ_0.html#TOC59">Q0059</a>. </p> <p> <a name="TOC329" href="FAQ.html#TOC329">Q1705:</a> I have listed some hosts in <tt>tls_try_verify_hosts</tt>, but when they connect, no data appears in <i>$tls_peerdn</i>. </p> <p> <font color="#00BB00">A1705:</font> This means that the clients have not sent certificates when asked by the server to do so. If the clients are running Exim, check that <tt>tls_certificate</tt> is correctly set in their <b>smtp</b> transports. Note that this value is not automatically inherited from the global <tt>tls_certificate</tt> option. </p> <p> <a name="TOC330" href="FAQ.html#TOC330">Q1706:</a> I have listed some hosts in <tt>tls_verify_hosts</tt> and provided them with certificates, but their connections are always rejected. </p> <p> <font color="#00BB00">A1706:</font> Make sure that the server file containing the expected certificates (defined by <tt>tls_verify_certificates</tt>) is readable by the Exim user. See also the answer to <a href="FAQ_17.html#TOC329">Q1705</a>. </p> <p> <a name="TOC331" href="FAQ.html#TOC331">Q1707:</a> I am trying to use TLS with Evolution as a client, and keep seeing this error: <i>SMTP protocol violation: synchronization error (next input sent too soon): rejected "\200F^A^C".</i> What does it mean? </p> <p> <font color="#00BB00">A1707:</font> See <a href="FAQ_0.html#TOC86">Q0086</a> for a general explanation of the error. In this case, it probably means that Evolution is trying to negotiate a TLS session immediately it connects, without first using the STARTTLS command. This was an older way of starting up TLS, before STARTTLS was defined. See <a href="FAQ_17.html#TOC327">Q1703</a> for how to deal with this. </p> <p> <a name="TOC332" href="FAQ.html#TOC332">Q1708:</a> I am trying to use TLS with Outlook as a client on a box that is running Norton Antivirus, but all my email is being rejected with <i>Unsupported command</i> errors. Why? 
</p> <p> <font color="#00BB00">A1708:</font> Norton Antivirus does not support TLS or AUTH. It puts a broken SMTP proxy between you and the Exim server. You need to turn off outbound scanning of email. </p> <hr><br> <a href="FAQ.html#TOC">Contents</a> <a href="FAQ_16.html">Previous</a> <a href="FAQ_18.html">Next</a> </body> </html>