Diffstat (limited to 'debian/README.TLS')
-rw-r--r--  debian/README.TLS  117
1 files changed, 117 insertions, 0 deletions
diff --git a/debian/README.TLS b/debian/README.TLS new file mode 100644 index 0000000..679d1ef --- /dev/null +++ b/debian/README.TLS 
@@ -0,0 +1,117 @@ +Notes about TLS/SSL support +------------------- +[written by Sander Smeenk <ssmeenk@debian.org>] +[modified by AndreasMetzler <ametzler@downhill.at.eu.org>] + +For a real cool example on what is possible with Exim 4's new ACLs visit +Marc Merlin's Exim 4 Page: http://marc.merlins.org/linux/exim/ + +Further down is explanation about dhparams, you might have been directed +here through exim-gencerts or the package supplied exim configuration file. + + +HOW TO ENABLE TLS SUPPORT WITH EXIM-TLS V4+ +------------------------------------------- + +Install a flavour of exim that is compiled with TLS support, i.e. +exim4-daemon-heavy (or a exim4-daemon-custom) but NOT +exim4-daemon-light. + +You should have created certificates in /etc/exim4/ either by hand +or by usage of the exim-gencert (which requires openssl). +exim-gencert is shipped in /usr/share/doc/exim4-base/examples/ + +Next edit /etc/exim4/conf.d/main/03_exim4-base_tlsoptions and activate +these options by removing the hash-mark ("#") in front of them. +# hostlist auth_over_tls_hosts = * +# log_selector = +tls_cipher +tls_peerdn +# tls_advertise_hosts = * +# tls_certificate = /etc/exim4/exim.crt +# tls_privatekey = /etc/exim4/exim.key + +If you don't manage exim's configuration with debconf, you'll have to add +these options to your handcrafted configuration file +/etc/exim4/exim4.conf instead. + +* auth_over_tls_hosts + Defines what hosts to 'advertise' AUTHentication to when they connect + via TLS. Setting this to * will advertise this functionality to all + hosts that connect with TLS and this is a good default + +* log_selector + Defines that you want to log what cipher your exim and the peer's mailer + uses to encrypt the transaction. It also defines you want to log the 'DN' + (Distinguished Name) of the certificate of the peer. + +* tls_advertise_hosts + Defines what hosts to 'advertise' STARTTLS functionality to. 
Setting this + to * will advertise to all hosts that connect with EHLO, and this is a + good default + +* tls_certificate & tls_privatekey + Defines where your SSL-certificate and SSL-Private Key are located. + This requires a full path. The files pointed to must be kept 'secret' + and should be owned my root.mail mode 640 (-rw-r-----). Usually the + exim-gencert script takes care of these prerequisites. + + + +EXIM TELLS ME '454 TLS currently unavailable' WHAT IS WRONG?!! +-------------------------------------------------------------- + +Please refer to /var/log/exim/mainlog and/or paniclog. +You should see messages like: + 2003-01-27 19:06:45 TLS error on connection from localhost [127.0.0.1] + (cert/key setup): Error while reading file) + + + +DURING TRANSACTION EXIM TELLS ME 'not enough random bytes available' +'please do some other work to give the OS a chance to collect more entropy' +WHAT IS WRONG?!! +--------------------------------------------------------------------------- + +Exim was unable to read enough random data from /dev/random to seed it's +Diffie Hellman parameter generation. Please check that your /dev/random +device is setup properly. It has been reported that with 2.5.53 kernels +/dev/random sometimes won't give any output. + +Try generating alot of load for a while by doing things (as root) like: + + % find / -type f -exec cat {} \; + % tar cvzf - / | zcat > /dev/null + +Or build a kernel or X11 :) + +This will cause alot of interrupts and data to be read. It should generate +enough entropy. If it doesn't, check if your /dev/random *EVER* returns +data. + + +DHPARAMS AND WHY IT IS DISABLED EVERYWHERE +------------------------------------------ + +This version of Exim is compiled against GnuTLS. GnuTLS is a replacement +for the restrictive licensed OpenSSL libraries. GnuTLS does not support +varying its Diffie-Hellman parameters. 
Therefore tls_dhparam settings are +ignored in Exim's configuration file, and no dhparam file is generated by +exim-gencerts. + +GnuTLS uses RSA and D-H parameters that are computed when they are needed. +(eg. when someone sends STARTTLS, exim will compute these parameters). +After successful computation Exim will store these parameters in a cache +file located in Exim's spooldirectory (/var/spool/exim4/gnutls.params). + +It is wise to remove this file periodically so Exim creates a new set of +gnutls parameters. This is done by a cronjob that runs every 12 hrs. + +It's "more secure" when you have this file regenerated more often. +But remember that the exim process that has to create the file could take +a little longer before it responds to a STARTTLS command. (You should not +notice this on current computers). + +NOTE! The fact that GnuTLS does not support generated Diffie-Hellman +parameters does NOT make it less secure. + +Also refer to /usr/share/doc/exim4-base/NewStuff.gz, section 18. + |
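Review bot: the key-file permission advice under "tls_certificate & tls_privatekey" has a typo that obscures the one security-relevant instruction in that paragraph: "should be owned my root.mail mode 640 (-rw-r-----)" should read "owned by root.mail". Also, the troubleshooting section points to /var/log/exim/mainlog while every other path in the file is under an exim4 directory (/etc/exim4/, /var/spool/exim4/); please confirm the log directory and make the paths consistent. Smaller items: the sample log line has an unbalanced parenthesis ("(cert/key setup): Error while reading file)"), "it's Diffie Hellman" should be "its", "alot" should be "a lot", and the script is referred to as both exim-gencert and exim-gencerts; pick one name. Finally, the closing NOTE says GnuTLS "does not support generated Diffie-Hellman parameters", which contradicts the preceding paragraph stating that GnuTLS computes D-H parameters itself and caches them in gnutls.params; "user-supplied (tls_dhparam) parameters" is what the section means.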