A secure smarthost setup for Exim

Wednesday, February 24th, 2010

A Linux/Unix server usually needs to be able to send email, even if only for internal reporting purposes. There’s no point in having a full-featured mail server for this, so you should configure the server to send messages via some other MTA, a “smarthost”. This could be one of your own machines, or perhaps it’s one belonging to your ISP.

Of course, when submitting to the smarthost you need to be able to differentiate yourself from spammers; this generally means you have to authenticate yourself. And if you’re doing that, it should be over an encrypted connection and you should authenticate the smarthost too. Let’s see a minimal Exim configuration that does just that …

# This is the Exim4 configuration for "leaf node".
# It provides the following behaviour :-
# • NO SMTP listeners
# • Local process submission only
# • NO local delivery
# • qualify_domain @mydomain.tld
# • /etc/aliases remapping
# • ALL mail sent to smarthost smarthost.tld
# •• with verified TLS and AUTH/LOGIN
# •• Whitelisted at smarthost

### Main
# No SMTP listeners is not a config item; it depends on how the daemon is invoked.
# Debian packaged exim: update-exim4defaults --queuerunner queueonly

qualify_domain = mydomain.tld

### Routers
begin routers

etc_aliases:
driver = redirect
data = ${lookup{$local_part}lsearch{/etc/aliases}}

# Send everything to a smarthost
send_to_smarthost:
driver = manualroute
route_list = * smarthost.tld
transport = smarthost

### Transports
begin transports

smarthost:
driver = smtp
hosts_require_tls = smarthost.tld
hosts_require_auth = smarthost.tld
tls_verify_certificates = /etc/exim4/tls/smarthost-ca.crt

### Authenticators
begin authenticators

smarthost_login:
driver = plaintext
public_name = LOGIN
hide client_send = : MTAuserid : MTAuserpassword

Exim tls_verify_certificates …

Wednesday, February 24th, 2010

So you’re using Exim4, and you want to verify the TLS certificates of the MTA you are sending email to (especially useful if you want to use a smarthost).

Here’s my smarthost transport :-

smarthost:
driver = smtp
hosts_require_tls = my_smarthost
tls_verify_certificates = /etc/exim4/tls/my_smarthost-ca.crt

I was reading Philip Hazel’s ‘The Exim SMTP mail server’, and it claimed that tls_verify_certificates could be a link to a directory instead of a single (possibly large) file.

However, there’s a gotcha … this is only possible if you are using the OpenSSL library with Exim4; the Debian 5 packaged version uses GnuTLS, which accepts only a single file. You get a cryptic error in the logs if you try …

TLS error on connection to my_smarthost [IP Address] (setup_certs): Error while reading file.

See http://www.exim.org/exim-html-current/doc/html/spec_html/ch30.html for the clarifying documentation. To be fair, this has been ‘well known’ for many years …
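The two posts above leave the reader with a transport to deploy and one library-specific trap to avoid, and both are cheap to check before restarting Exim. The script below is an added example written for this page, not code from either post: it reads the TLS library out of `exim -bV`, checks that the `tls_verify_certificates` value is a kind of path that library will read (a directory only works on OpenSSL builds, and an empty or non-PEM file is what produces the `(setup_certs): Error while reading file` line), parses the AUTH mechanisms out of an EHLO response so you can confirm LOGIN is actually offered, and finally runs the same chain verification Exim will perform, using `openssl s_client`. The host name `smarthost.tld` and the CA file `/etc/exim4/tls/smarthost-ca.crt` are taken from the first post; the script name `smarthost-preflight.sh` and the sample EHLO text are assumptions.

```shell
#!/bin/sh
# Pre-flight checks for an Exim smarthost transport.  Added example for this
# page, not the post's own code.  Assumed names: smarthost.tld and
# /etc/exim4/tls/smarthost-ca.crt from the post; substitute your own.

# 1. Which TLS library is this Exim built with?  The "Support for:" line of
#    `exim -bV` names it.  Takes the -bV output as an argument so it can be
#    checked against a captured copy.
exim_tls_library() {
    support=$(printf '%s\n' "$1" | grep '^Support for:' || true)
    case "$support" in
        *GnuTLS*)  echo GnuTLS ;;
        *OpenSSL*) echo OpenSSL ;;
        *)         echo none ;;     # no TLS support compiled in
    esac
}

# 2. Is the tls_verify_certificates value usable with that library?
#    GnuTLS builds (Debian 5) accept only a single PEM file; OpenSSL builds
#    also accept a hashed directory.  Prints one of:
#    ok-file, ok-dir, dir-needs-openssl, no-certs, missing.
check_ca_path() {   # $1 = path, $2 = library name from exim_tls_library
    path=$1; lib=$2
    if [ -d "$path" ]; then
        [ "$lib" = OpenSSL ] && echo ok-dir || echo dir-needs-openssl
    elif [ -f "$path" ]; then
        # An empty or non-PEM file is what produces the
        # "(setup_certs): Error while reading file" log line.
        n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$path" || true)
        [ "$n" -gt 0 ] && echo ok-file || echo no-certs
    else
        echo missing
    fi
}

# 3. Which AUTH mechanisms does an EHLO response advertise?  The LOGIN
#    authenticator (public_name = LOGIN) needs LOGIN in this list, and with
#    hosts_require_tls the list that matters is the EHLO after STARTTLS.
auth_mechs() {      # $1 = EHLO response text
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^250[- ]AUTH[ =]\(.*\)$/\1/p'
}
has_auth_login() {  # succeeds if LOGIN is among the advertised mechanisms
    auth_mechs "$1" | tr ' ' '\n' | grep -qx LOGIN
}

# 4. Live check against the real smarthost: the chain verification Exim will
#    perform with the same CA file, plus the post-STARTTLS EHLO so you see
#    what AUTH is offered over the encrypted channel.  Needs network access
#    and the openssl CLI (-verify_hostname is OpenSSL 1.1+); not run offline.
live_check() {      # $1 = smarthost name, $2 = CA file
    printf 'EHLO %s\r\nQUIT\r\n' "$(hostname)" |
        openssl s_client -connect "$1:25" -starttls smtp -CAfile "$2" \
            -verify_hostname "$1" -verify_return_error -ign_eof 2>&1 |
        grep -E '^(Verify return code|250[- ]AUTH)'
}

# Usage:  sh smarthost-preflight.sh live smarthost.tld /etc/exim4/tls/smarthost-ca.crt
case "${1:-}" in
    live)
        lib=$(exim_tls_library "$(exim -bV 2>/dev/null || true)")
        echo "TLS library: $lib; CA path: $(check_ca_path "$3" "$lib")"
        live_check "$2" "$3"
        ;;
esac
```

Run it with `live` once the CA file is in place; `exim -bt postmaster` is the companion check that an address really reaches the `smarthost` transport via the `send_to_smarthost` router. Note what each step proves: `tls_verify_certificates` ties the peer certificate to a CA you chose, but by itself it does not check that the name in that certificate is the smarthost's name, which is why the live check also passes `-verify_hostname`; and `hosts_require_auth` together with `hosts_require_tls` is what keeps the LOGIN credentials off the wire in clear.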