[Pkg-exim4-users] Support for tls on connect on outgoing smtp connections?
ael
2014-12-07 18:36:14 UTC
Hello,

One major UK ISP does not support STARTTLS on their "smarthost"/smtp
server. Even on an alternative port: hard to believe but sadly true
it seems.

Here is a swaks session (with a few sensitive edits):-
---------------------------------------------------------
$ swaks --to ***@foo.bah --server mail.dumbisp.com -p 465 -tlsc -a

=== Trying mail.dumbisp.com:465...
=== Connected to mail.dumbisp.com.
=== TLS started with cipher TLSv1.2:RC4-MD5:128
=== TLS no local certificate set
=== TLS peer DN={cert details}
<~ 220 dumb.smtp ESMTP Service ready
~> EHLO this.example
<~ 250-dumb.smtp
<~ 250-DSN
<~ 250-8BITMIME
<~ 250-PIPELINING
<~ 250-AUTH=LOGIN
<~ 250-AUTH LOGIN PLAIN
<~ 250-DELIVERBY 300
<~ 250 SIZE 41943040
~> AUTH LOGIN
<~ 334 123456789...
~> abcdef1233456.....
<~ 334 aaaaa.....
~> abcdef.....
<~ 235 LOGIN authentication successful
~> MAIL FROM:<***@this.example>
<~ 250 MAIL FROM:<***@this.example> OK
~> RCPT TO:<***@foo.bah>
<~ 250 RCPT TO:<***@foo.bah> OK
~> DATA
<~ 354 Start mail input; end with <CRLF>.<CRLF>
~> Date: Sun, 07 Dec 2014 18:08:48 +0000
~> To: ***@foo.bah
~> From: ***@this.example
~> Subject: test Sun, 07 Dec 2014 18:08:48 +0000
~> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
~>
~> This is a test mailing
~>
~> .
<~ 250 <547FB491007065A0> Mail accepted
~> QUIT
<~ 221 dumb.smtp QUIT
=== Connection closed with remote host.
--------------------------------------------------------------

AFAICS exim4 does not support "tls_on_connect" when it is the client -
that is on outgoing connections. And the debian exim4.conf.template
certainly does not, unedited.

I did try adding "protocol = smtps" to the remote_smtp_smarthost and
this at least stopped exim and the remote dumb smtp servers hanging.
Now I get an error message instead.

Scanning spec.txt I could find all the support for tls_on_connect,
but all of that seems to be for incoming messages, and none for
outgoing.

Has no one met this before? Do I have to find another MTA?
I will read spec.txt properly, but I am not optimistic from what I
have seen so far.

Any advice or help?

ael
Andreas Metzler
2014-12-08 06:33:39 UTC
Post by ael
One major UK ISP does not support STARTTLS on their "smarthost"/smtp
server. Even on an alternative port: hard to believe but sadly true
it seems.
Here is a swaks session (with a few sensitive edits):-
---------------------------------------------------------
[...]

In what respect is the remote hostname "sensitive" information which
needs to be edited out?
Post by ael
AFAICS exim4 does not support "tls_on_connect" when it is the client -
that is on outgoing connections.[...]
It does, with ...
Post by ael
I did try adding "protocol = smtps"
[...]

... exactly this option.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
ael
2014-12-08 10:45:28 UTC
Post by Andreas Metzler
Post by ael
One major UK ISP does not support STARTTLS on their "smarthost"/smtp
server. Even on an alternative port: hard to believe but sadly true
it seems.
Here is a swaks session (with a few sensitive edits):-
---------------------------------------------------------
[...]
In what respect is the remote hostname "sensitive" information which
needs to be edited out?
Well, I was just playing safe. In the UK we have a broken legal system
with "libel laws" which are regularly abused to silence, for example,
critics of homeopathy.
Post by Andreas Metzler
Post by ael
AFAICS exim4 does not support "tls_on_connect" when it is the client -
that is on outgoing connections.[...]
It does, with ...
Post by ael
I did try adding "protocol = smtps"
[...]
... exactly this option.
Interesting. Thanks for the reply. It did not work when I tried it, but
I will have another go. And finish rereading spec.txt.

Thanks for the reply.

ael
ael
2014-12-23 20:11:46 UTC
Post by ael
One major UK ISP does not support STARTTLS on their "smarthost"/smtp
server. Even on an alternative port: hard to believe but sadly true
it seems.
I have just got back to this after a busy time on other things. I now
have it working with
protocol = smtps.
I have discovered why it did not work before.

The problem was that the name of the smarthost was aliased, so it did
not match the entry in /etc/exim4/passwd.client.

As you can see by looking at the headers on this message which was sent
via that smarthost, its name is mail.btinternet.com, but this is an
alias for mail.btinternet.bt.lon5.cpcloud.co.uk. Since that alias may
change, it is a bit fragile to put that explicitly into
/etc/exim4/passwd.client
but that is what I have done for the moment. I now realise that I have
met this problem before with another smarthost, so it seems to be a
common situation.

The debian template does not seem to cater for this, or have I missed
something?

Otherwise, I will see if I can write the required dns lookup for a more
robust password check via /etc/exim4/passwd.client. Should I bug report
this, perhaps with my potential patch?

Also, would it be simple to add another variable to
update-exim4.conf(.conf) to control whether "protocol = smtps" appears
in the smarthost transport? Just a conditional there?

ael
Andreas Metzler
2014-12-26 07:51:58 UTC
On 2014-12-23 ael <***@ntlworld.com> wrote:
[...]
Post by ael
I have discovered why it did not work before.
The problem was that the name of the smarthost was aliased, so it did
not match the entry in /etc/exim4/passwd.client.
As you can see by looking at the headers on this message which was sent
via that smarthost, its name is mail.btinternet.com, but this is an
alias for mail.btinternet.bt.lon5.cpcloud.co.uk. Since that alias may
change, it is a bit fragile to put that explicitly into
/etc/exim4/passwd.client
but that is what I have done for the moment. I now realise that I have
met this problem before with another smarthost, so it seems to be a
common situation.
It is. See <https://bugs.debian.org/244724>
Post by ael
The debian template does not seem to cater for this, or have I missed
something?
Otherwise, I will see if I can write the required dns lookup for a more
robust password check via /etc/exim4/passwd.client. Should I bug report
this, perhaps with my potential patch?
This is not trivial to fix, see exim4_passwd_client(5)
Post by ael
Also, would it be simple to add another variable to
update-exim4.conf(.conf) to control whether "protocol = smtps" appears
in the smarthost transport? Just a conditional there?
I do not think that the added complexity of supporting smtps out of
the box is worth it.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
ael
2014-12-26 12:14:20 UTC
Post by Andreas Metzler
Post by ael
The problem was that the name of the smarthost was aliased, so it did
not match the entry in /etc/exim4/passwd.client.
but that is what I have done for the moment. I now realise that I have
met this problem before with another smarthost, so it seems to be a
common situation.
It is. See <https://bugs.debian.org/244724>
Thanks for pointing me at that bug. I had started on that path
independently, so very useful. I guess that it is unlikely that I will
come up with anything better given how long it has been there and the
number of people involved. If by any chance, I find anything useful,
I will report it there.

I too (obviously) had missed the alert in the exim4_passwd_client man
page. And as others have said, this sort of problem is not the first
thing that comes to mind when trying to get a new smarthost to work, even
when I had seen it before.

Thanks for the reply.

ael
ael
2014-12-29 11:26:16 UTC
Post by Andreas Metzler
[...]
Post by ael
I have discovered why it did not work before.
This is not trivial to fix, see exim4_passwd_client(5)
In passing, I think that man page needs improving. Surely
# the regular expression
^smtp[0-9]*.mail.server.example:user:password

should rather have
^smtp[0-9]*\.mail\.server\.example:user:password
for a tighter match.

Should I bug report this as a minor bug?

ael
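A small model of how the smarthost name is matched against /etc/exim4/passwd.client, added here as an example (it is not code from this thread or from the exim4 package). It shows both points raised above: the 23 Dec failure, where an entry for the alias name never matches the canonical host name exim actually looks up, and the 29 Dec regex point, where the man page's unescaped dots match characters that a real hostname dot would not. The matching rules are my simplified assumption of exim's nwildlsearch behaviour; the file contents, credentials and the look-alike host name are constructed.

```python
import re
from fnmatch import fnmatch

# Constructed stand-in for /etc/exim4/passwd.client (not the poster's real
# file).  LOOSE is the man page's original pattern, TIGHT the escaped one.
LOOSE = r"^smtp[0-9]*.mail.server.example"
TIGHT = r"^smtp[0-9]*\.mail\.server\.example"
PASSWD_CLIENT = f"""\
# host:login:password ; keys starting with '^' are regular expressions
mail.btinternet.com:aeluser:secret1
{TIGHT}:tight:secret3
"""

def parse_passwd_client(text):
    """Return (key, login, password) triples, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, login, password = line.split(":", 2)
        entries.append((key, login, password))
    return entries

def key_matches(key, host):
    """Simplified model (an assumption, not exim's own code) of nwildlsearch
    key matching: '^...' is a regular expression, a key containing '*' is a
    shell-style wildcard, anything else must equal the host name exactly."""
    host = host.lower()
    if key.startswith("^"):
        return re.match(key, host, re.IGNORECASE) is not None
    if "*" in key:
        return fnmatch(host, key.lower())
    return key.lower() == host

def lookup(host, entries):
    """First matching (login, password) for host, or None.  As the thread
    describes, exim looks up the canonical name, so an entry written for a
    CNAME alias never matches."""
    for key, login, password in entries:
        if key_matches(key, host):
            return (login, password)
    return None

ENTRIES = parse_passwd_client(PASSWD_CLIENT)

if __name__ == "__main__":
    print(lookup("mail.btinternet.com", ENTRIES))                    # ('aeluser', 'secret1')
    print(lookup("mail.btinternet.bt.lon5.cpcloud.co.uk", ENTRIES))  # None
    print(key_matches(LOOSE, "smtp12-mail-server-example"))           # True: dots unescaped
    print(key_matches(TIGHT, "smtp12-mail-server-example"))           # False
```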
Andreas Metzler
2015-01-04 07:36:15 UTC
ael <***@ntlworld.com> wrote:
[...]
Post by ael
In passing, I think that man page needs improving. Surely
# the regular expression
^smtp[0-9]*.mail.server.example:user:password
should rather have
^smtp[0-9]*\.mail\.server\.example:user:password
for a tighter match.
[...]

Thanks, fixed in git.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'