path: root/debian/README.TLS
blob: 14466ac6e8b94d6ef789961c313943d3caea8972 (plain)
Notes about TLS/SSL support
---------------------------
[written by Sander Smeenk <ssmeenk@debian.org>]
[modified by Andreas Metzler <ametzler@downhill.at.eu.org>]

For a really nice example of what is possible with Exim 4's new ACLs, visit
Marc Merlin's Exim 4 page: http://marc.merlins.org/linux/exim/

Further down is an explanation of dhparams; you may have been directed
here by exim-gencert or by the package-supplied exim configuration file.


HOW TO ENABLE TLS SUPPORT WITH EXIM-TLS V4+
-------------------------------------------

Install a flavour of exim that is compiled with TLS support, i.e.
exim4-daemon-heavy (or an exim4-daemon-custom) but NOT
exim4-daemon-light.

You should have created a certificate and key in /etc/exim4/, either by
hand or with the exim-gencert script (which requires openssl).
exim-gencert is shipped in /usr/share/doc/exim4-base/examples/

Next edit /etc/exim4/conf.d/main/03_exim4-config_tlsoptions and activate
these options by removing the hash mark ("#") in front of them:
# hostlist    auth_over_tls_hosts = *
# log_selector = +tls_cipher +tls_peerdn
# tls_advertise_hosts = *
# tls_certificate = /etc/exim4/exim.crt
# tls_privatekey = /etc/exim4/exim.key

If you don't manage exim's configuration with debconf, you'll have to add
these options to your handcrafted configuration file
/etc/exim4/exim4.conf instead.

* auth_over_tls_hosts
  Defines which hosts to advertise AUTHentication to when they connect
  via TLS. Setting this to * advertises authentication to all hosts that
  connect with TLS, and this is a good default: AUTH is then never offered
  on an unencrypted connection, so passwords only ever travel inside TLS.

* log_selector
  Adds to each transaction's log line the cipher that your exim and the
  peer's mailer negotiated, and also the DN (Distinguished Name) of the
  peer's certificate, if it presented one.

* tls_advertise_hosts
  Defines which hosts to advertise STARTTLS to. Setting this to *
  advertises it to all hosts that connect with EHLO, and this is a good
  default.

* tls_certificate & tls_privatekey
  Define where your SSL certificate and SSL private key are located.
  Both require a full path. The key file in particular must be kept
  secret: it should be owned by root.mail with mode 640 (-rw-r-----), so
  that the daemon can read it but no other local user can. Usually the
  exim-gencert script takes care of these prerequisites.



EXIM TELLS ME '454 TLS currently unavailable' WHAT IS WRONG?!!
--------------------------------------------------------------

Please refer to /var/log/exim4/mainlog and/or paniclog.
You should see messages like:
   2003-01-27 19:06:45 TLS error on connection from localhost [127.0.0.1]
                       (cert/key setup): Error while reading file)

This means exim could not load the certificate or key: typically the file
named in tls_certificate or tls_privatekey does not exist, is not readable
by the user the exim daemon runs as, or the key does not belong to the
certificate.
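The following shell script is an added example (it is not part of this README or of the exim4 packaging) that turns the configuration steps and the log message above into repeatable checks: it verifies that the key file is not world-readable, that the key actually belongs to the certificate, and probes a running daemon with STARTTLS. The default paths are the ones used in this README; the listener address, the "--run" switch and the script name are assumptions.

```sh
#!/bin/sh
# Added example, not from the exim4 package: sanity checks for the files
# that tls_certificate / tls_privatekey point to, plus a STARTTLS probe.
# Defaults follow this README; override via the environment if yours differ.

EXIM_CERT="${EXIM_CERT:-/etc/exim4/exim.crt}"
EXIM_KEY="${EXIM_KEY:-/etc/exim4/exim.key}"

# file_mode FILE: print the octal permission bits (GNU stat, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_key_perms KEYFILE
# Prints "ok" when the key exists and is not readable by "other"
# (the README asks for root.mail, mode 640); prints the problem otherwise.
# A missing or unreadable file is what exim reports as
# "(cert/key setup): Error while reading file".
check_key_perms() {
    key="$1"
    if [ ! -f "$key" ]; then
        echo "missing: $key"
        return 1
    fi
    mode=$(file_mode "$key")
    case "$mode" in
        *0) echo "ok" ;;                       # last digit 0: "other" has no bits
        *)  echo "world-readable (mode $mode): $key"; return 1 ;;
    esac
}

# check_key_matches_cert CERTFILE KEYFILE
# Derives the public key from both files and compares them. A key that does
# not belong to the certificate also prevents TLS from being set up.
check_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) \
        || { echo "unreadable certificate: $1"; return 1; }
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) \
        || { echo "unreadable key: $2"; return 1; }
    if [ "$cert_pub" = "$key_pub" ]; then
        echo "ok"
    else
        echo "key does not match certificate"
        return 1
    fi
}

# probe_starttls HOST [PORT]
# Talks SMTP to the daemon, issues STARTTLS and prints the negotiated
# protocol/cipher, or the 454 reply when TLS is advertised but broken.
probe_starttls() {
    printf 'QUIT\r\n' | openssl s_client -connect "$1:${2:-25}" -starttls smtp 2>&1 \
        | grep -E '^(New,|Protocol|Cipher|454|Verification|verify)'
}

# Stand-alone use (assumed name): sh exim-tls-check.sh --run   (run as root)
if [ "${1:-}" = "--run" ]; then
    check_key_perms "$EXIM_KEY"
    check_key_matches_cert "$EXIM_CERT" "$EXIM_KEY"
    probe_starttls localhost 25
fi
```

Run it as root so that the key is readable by the checker itself; a key that passes check_key_perms but fails in exim usually means the daemon's group is not the key file's group.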



DURING TRANSACTION EXIM TELLS ME 'not enough random bytes available'
'please do some other work to give the OS a chance to collect more entropy'
WHAT IS WRONG?!!
---------------------------------------------------------------------------

Exim was unable to read enough random data from /dev/random to seed its
Diffie-Hellman parameter generation. Please check that your /dev/random
device is set up properly. It has been reported that with 2.5.53 kernels
/dev/random sometimes won't give any output.

Try generating a lot of load for a while by doing things (as root) like:

 % find / -type f -exec cat {} \;
 % tar cvzf - / | zcat > /dev/null

Or build a kernel or X11 :)

This will cause a lot of interrupts and disk reads, whose timings feed the
kernel's entropy pool. It should generate enough entropy; you can watch
the kernel's estimate in /proc/sys/kernel/random/entropy_avail. If it
doesn't help, check whether your /dev/random *EVER* returns data. Note
that on current Linux kernels (5.6 and later) /dev/random no longer blocks
once the pool has been initialised at boot, so this problem is largely
historical.
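As an added example (not from the README), the diagnostic below makes the last paragraph's advice repeatable: it reports the kernel's entropy estimate and tries to read from /dev/random with a timeout, so a starved device shows up as "blocked" instead of hanging your shell. The proc path is the Linux default; the 16-byte sample, the 5-second timeout, the "--run" switch and the script name are assumptions.

```sh
#!/bin/sh
# Added example, not part of the exim4 README: check whether the kernel can
# actually supply the random bytes GnuTLS needs for parameter generation.

ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"   # Linux default

# entropy_avail: print the kernel's estimate of available entropy bits,
# or -1 if the interface does not exist (non-Linux or very old kernel).
entropy_avail() {
    if [ -r "$ENTROPY_FILE" ]; then
        cat "$ENTROPY_FILE"
    else
        echo -1
    fi
}

# random_yields DEVICE [SECONDS]
# Reads 16 bytes from DEVICE, giving up after SECONDS (default 5).
# Prints "ok" if the bytes arrived, "blocked" if the read timed out or came
# back short (the symptom the README describes), "missing" if there is no
# such device. Returns non-zero for anything but "ok".
random_yields() {
    dev="$1"
    secs="${2:-5}"
    if [ ! -e "$dev" ]; then
        echo "missing"
        return 1
    fi
    if command -v timeout >/dev/null 2>&1; then
        n=$(timeout "$secs" dd if="$dev" bs=16 count=1 2>/dev/null | wc -c | tr -d ' ')
    else
        # No timeout(1) available: this read may hang on a starved /dev/random.
        n=$(dd if="$dev" bs=16 count=1 2>/dev/null | wc -c | tr -d ' ')
    fi
    if [ "${n:-0}" -ge 16 ]; then
        echo "ok"
    else
        echo "blocked"
        return 1
    fi
}

# Stand-alone use (assumed name): sh entropy-check.sh --run
if [ "${1:-}" = "--run" ]; then
    echo "entropy_avail: $(entropy_avail)"
    echo "/dev/random:   $(random_yields /dev/random 5)"
    echo "/dev/urandom:  $(random_yields /dev/urandom 5)"
fi
```

If /dev/random reports "blocked" while /dev/urandom reports "ok", the device works but the pool is starved, which is exactly the situation the load-generating commands above are meant to cure; "missing" points at a broken /dev directory rather than at entropy.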


DHPARAMS AND WHY IT IS DISABLED EVERYWHERE
------------------------------------------

This version of Exim is compiled against GnuTLS. GnuTLS is a replacement
for the OpenSSL libraries, whose licence is incompatible with the GPL.
GnuTLS does not support loading a pre-generated set of Diffie-Hellman
parameters. Therefore tls_dhparam settings are ignored in Exim's
configuration file, and no dhparam file is generated by exim-gencert.

GnuTLS uses RSA and D-H parameters that are computed when they are first
needed (e.g. when someone sends STARTTLS, exim will compute these
parameters). After successful computation Exim stores these parameters in
a cache file in Exim's spool directory (/var/spool/exim4/gnutls.params).

It is wise to remove this file periodically so that Exim creates a fresh
set of GnuTLS parameters. This is done by a cron job that runs every 12
hours.

Regenerating this file more often is "more secure" in the sense that any
one set of parameters stays in use for a shorter time. But remember that
the exim process that has to create the file could take a little longer
before it responds to a STARTTLS command. (You should not notice this on
current computers.)

NOTE! The fact that GnuTLS does not support pre-generated Diffie-Hellman
parameters does NOT make it less secure.

Also refer to /usr/share/doc/exim4-base/NewStuff.gz, section 18.