LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (https://www.linuxquestions.org/questions/linux-server-73/)
-   -   "Connection reset by peer" on exim4 with SSL/TLS (https://www.linuxquestions.org/questions/linux-server-73/connection-reset-by-peer-on-exim4-with-ssl-tls-4175583348/)

allnex 06-29-2016 10:13 AM
"Connection reset by peer" on exim4 with SSL/TLS
 
Hello.

I'm setting up a mail server with SSL/TLS. I configured Courier with IMAPS correctly on port 993. The problem is that exim4, and using the same cert and key as on Courier, doesn't work.

The certificate is from Let's Encrypt.

Code:
openssl s_client -connect localhost:465


CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg  : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1467212828
    Timeout  : 300 (sec)
    Verify return code: 0 (ok)
---
Thanks.

AlucardZero 06-29-2016 12:35 PM
It does not appear that exim is correctly configured to use SSL on port 465, but you didn't post any configuration details so it's hard to say more.

allnex 06-29-2016 03:44 PM
Here, is autogenerated by the control panel.

Code:
#--AUTOMATICALLY GENERATED - DO NO EDIT!

#--MACROS

SMTP_PORT = 25
LOCAL_INTERFACES = <; 0.0.0.0.25 ; 0.0.0.0.465 ; [::0]:25 ; [::0]:465
CONFDIR = /etc/exim4

LOCAL_DOMAINS = domain.xyz : localhost
ETC_MAILNAME = domain.xyz
LOCAL_DELIVERY = mail_spool
CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./

DKIM_ENABLE=1
DKIM_SELECTOR = correo
DKIM_PRIVATE_KEY = /etc/exim4/dkim/private.key
DKIM_CANON = relaxed
DKIM_STRICT = 1

TLS_ENABLE=1
TLS_ADVERTISE_HOSTS = *
TLS_CERTIFICATE = /etc/letsencrypt/live/domain.xyz/fullchain.pem
TLS_PRIVATEKEY = /etc/letsencrypt/live/domain.xyz/privkey.pem
TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt} {/etc/ssl/certs/ca-certificates.crt} {/dev/null}}

COURIERSOCKET = /var/run/courier/authdaemon/socket

ACL_SMTP_MAIL = acl_check_mail
ACL_SMTP_RCPT = acl_check_rcpt
ACL_SMTP_DATA = acl_check_data

#--CONFIGURATION

hostlist relay_from_hosts = 127.0.0.1

tls_dhparam = /etc/ssl/certs/dhparam.pem

daemon_smtp_ports = SMTP_PORT
local_interfaces = LOCAL_INTERFACES
domainlist local_domains = LOCAL_DOMAINS
qualify_domain = ETC_MAILNAME

gecos_pattern = ^([^,:]*)
gecos_name = $1

acl_smtp_mail = ACL_SMTP_MAIL
acl_smtp_rcpt = ACL_SMTP_RCPT
acl_smtp_data = ACL_SMTP_DATA

# spamd_address = 127.0.0.1 783

local_from_check = false
local_sender_retain = true
untrusted_set_sender = *

ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d
freeze_tell = postmaster
spool_directory = /var/spool/exim4

trusted_users = uucp

.ifdef TLS_ENABLE
tls_on_connect_ports = 465
tls_advertise_hosts = TLS_ADVERTISE_HOSTS
tls_certificate = TLS_CERTIFICATE
tls_privatekey = TLS_PRIVATEKEY
tls_verify_certificates = TLS_VERIFY_CERTIFICATES
.endif


begin acl



acl_check_mail:
  .ifdef CHECK_MAIL_HELO_ISSUED
  deny
    message = no HELO given before MAIL command
    condition = ${if def:sender_helo_name {no}{yes}}
  .endif

  accept

acl_check_rcpt:
  accept
    hosts = :
    control = dkim_disable_verify

  .ifdef CHECK_RCPT_LOCAL_LOCALPARTS
  deny
    domains = +local_domains
    local_parts = CHECK_RCPT_LOCAL_LOCALPARTS
    message = restricted characters in address
  .endif

  .ifdef CHECK_RCPT_REMOTE_LOCALPARTS
  deny
    domains = !+local_domains
    local_parts = CHECK_RCPT_REMOTE_LOCALPARTS
    message = restricted characters in address
  .endif

  accept
    .ifndef CHECK_RCPT_POSTMASTER
    local_parts = postmaster
    .else
    local_parts = CHECK_RCPT_POSTMASTER
    .endif
    domains = +local_domains

  .ifdef CHECK_RCPT_VERIFY_SENDER
  deny
    message = Sender verification failed
    !verify = sender
  .endif

  accept
    authenticated = *
    control = submission/sender_retain
    control = dkim_disable_verify

  require
    message = relay not permitted
    domains = +local_domains

  require
    verify = recipient

  .ifdef CHECK_RCPT_SPF
  deny
    message = [SPF] $sender_host_address is not allowed to send mail from \
              ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}.  \
              Please see \
          http://www.openspf.org/Why?scope=${if def:sender_address_domain \
              {mfrom}{helo}};identity=${if def:sender_address_domain \
              {$sender_address}{$sender_helo_name}};ip=$sender_host_address
    log_message = SPF check failed.
    condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
                  \"$sender_host_address\" --identity \
                  ${if def:sender_address_domain \
                      {--scope mfrom  --identity \"$sender_address\"}\
                      {--scope helo --identity  \"$sender_helo_name\"}}}\
                  {no}{${if eq {$runrc}{1}{yes}{no}}}}

  defer
    message = Temporary DNS error while checking SPF record.  Try again later.
    condition = ${if eq {$runrc}{5}{yes}{no}}

  warn
    condition = ${if <={$runrc}{6}{yes}{no}}
    add_header = Received-SPF: ${if eq {$runrc}{0}{pass}\
                                {${if eq {$runrc}{2}{softfail}\
                                {${if eq {$runrc}{3}{neutral}\
                  {${if eq {$runrc}{4}{permerror}\
                  {${if eq {$runrc}{6}{none}{error}}}}}}}}}\
                } client-ip=$sender_host_address; \
                ${if def:sender_address_domain \
                  {envelope-from=${sender_address}; }{}}\
                helo=$sender_helo_name

  warn
    log_message = Unexpected error in SPF check.
    condition = ${if >{$runrc}{6}{yes}{no}}
  .endif


  .ifdef CHECK_RCPT_IP_DNSBLS
  warn
    dnslists = CHECK_RCPT_IP_DNSBLS
    add_header = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
    log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
  .endif

  .ifdef CHECK_RCPT_DOMAIN_DNSBLS
  warn
    !senders = ${if exists{CONFDIR/local_domain_dnsbl_whitelist}\
                    {CONFDIR/local_domain_dnsbl_whitelist}\
                    {}}
    dnslists = CHECK_RCPT_DOMAIN_DNSBLS
    add_header = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
    log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
  .endif

  accept


acl_check_data:

  deny
    message = Message headers fail syntax check
    !verify = header_syntax

  accept

begin routers



vforward:
  debug_print = "R: vforward for $local_part@$domain"
  driver = redirect
  allow_defer
  allow_fail
  domains = +local_domains
  file = /etc/exim.forward/$local_part@$domain
  file_transport = address_file
  pipe_transport = address_pipe


vdomain:
  debug_print = "R: vdomain for $local_part@$domain"
  driver = accept
  domains = dsearch;/etc/exim.domains
  local_parts = lsearch;/etc/exim.domains/$domain
  transport = vmail


dnslookup:
  debug_print = "R: dnslookup for $local_part@$domain"
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  headers_remove = received
  same_domain_copy_routing = yes
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
                        172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16
  no_more

nonlocal:
  debug_print = "R: nonlocal for $local_part@$domain"
  driver = redirect
  domains = ! +local_domains
  allow_fail
  data = :fail: Mailing to remote domains not supported
  no_more


COND_LOCAL_SUBMITTER = "\
              ${if match_ip{$sender_host_address}{:@[]}\
                    {1}{0}\
        }"

real_local:
  debug_print = "R: real_local for $local_part@$domain"
  driver = accept
  domains = +local_domains
  condition = COND_LOCAL_SUBMITTER
  local_part_prefix = real-
  check_local_user
  transport = LOCAL_DELIVERY


procmail:
  debug_print = "R: procmail for $local_part@$domain"
  driver = accept
  domains = +local_domains
  check_local_user
  transport = procmail_pipe
  # emulate OR with "if exists"-expansion
  require_files = ${local_part}:\
                  ${if exists{/etc/procmailrc}\
                    {/etc/procmailrc}{${home}/.procmailrc}}:\
                  +/usr/bin/procmail
  no_verify
  no_expn

maildrop:
  debug_print = "R: maildrop for $local_part@$domain"
  driver = accept
  domains = +local_domains
  check_local_user
  transport = maildrop_pipe
  require_files = ${local_part}:${home}/.mailfilter:+/usr/bin/maildrop
  no_verify
  no_expn


local_user:
  debug_print = "R: local_user for $local_part@$domain"
  driver = accept
  domains = +local_domains
  check_local_user
  local_parts = ! root
  transport = LOCAL_DELIVERY
  cannot_route_message = Unknown user


mail4root:
  debug_print = "R: mail4root for $local_part@$domain"
  driver = redirect
  domains = +local_domains
  data = /var/mail/mail
  file_transport = address_file
  local_parts = root
  user = mail
  group = mail



begin transports




vmail:
  debug_print = "T: vmail for $local_part@$domain"
  driver = appendfile
  user = mail
  maildir_format = true
  directory = /var/vmail/$domain/$local_part
  create_directory
  delivery_date_add
  envelope_to_add
  return_path_add
  group = mail
  mode = 0600

mail_spool:
  debug_print = "T: appendfile for $local_part@$domain"
  driver = appendfile
  file = /var/mail/$local_part
  delivery_date_add
  envelope_to_add
  return_path_add
  group = mail
  mode = 0660
  mode_fail_narrower = false

maildir_home:
  debug_print = "T: maildir_home for $local_part@$domain"
  driver = appendfile
  .ifdef MAILDIR_HOME_MAILDIR_LOCATION
  directory = MAILDIR_HOME_MAILDIR_LOCATION
  .else
  directory = $home/Maildir
  .endif
  .ifdef MAILDIR_HOME_CREATE_DIRECTORY
  create_directory
  .endif
  .ifdef MAILDIR_HOME_CREATE_FILE
  create_file = MAILDIR_HOME_CREATE_FILE
  .endif
  delivery_date_add
  envelope_to_add
  return_path_add
  maildir_format
  .ifdef MAILDIR_HOME_DIRECTORY_MODE
  directory_mode = MAILDIR_HOME_DIRECTORY_MODE
  .else
  directory_mode = 0700
  .endif
  .ifdef MAILDIR_HOME_MODE
  mode = MAILDIR_HOME_MODE
  .else
  mode = 0600
  .endif
  mode_fail_narrower = false

maildrop_pipe:
  debug_print = "T: maildrop_pipe for $local_part@$domain"
  driver = pipe
  path = "/bin:/usr/bin:/usr/local/bin"
  command = "/usr/bin/maildrop"
  return_path_add
  delivery_date_add
  envelope_to_add

procmail_pipe:
  debug_print = "T: procmail_pipe for $local_part@$domain"
  driver = pipe
  path = "/bin:/usr/bin:/usr/local/bin"
  command = "/usr/bin/procmail"
  return_path_add
  delivery_date_add
  envelope_to_add

remote_smtp:
  debug_print = "T: remote_smtp for $local_part@$domain"
  driver = smtp
  .ifdef DKIM_ENABLE
    dkim_domain = $sender_address_domain
    .ifdef DKIM_SELECTOR
    dkim_selector = DKIM_SELECTOR
    .endif
    .ifdef DKIM_PRIVATE_KEY
    dkim_private_key = DKIM_PRIVATE_KEY
    .endif
    .ifdef DKIM_CANON
    dkim_canon = DKIM_CANON
    .endif
    .ifdef DKIM_STRICT
    dkim_strict = DKIM_STRICT
    .endif
    .ifdef DKIM_SIGN_HEADERS
    dkim_sign_headers = DKIM_SIGN_HEADERS
    .endif
  .endif

address_file:
  debug_print = "T: address_file for $local_part@$domain"
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add

address_pipe:
  debug_print = "T: address_pipe for $local_part@$domain"
  driver = pipe
  return_fail_output

address_reply:
  debug_print = "T: autoreply for $local_part@$domain"
  driver = autoreply



begin retry
*                      *          F,2h,15m; G,16h,1h,1.5; F,4d,6h


begin rewrite

begin authenticators

login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = Username:: : Password::
  server_condition = ${extract {address} {${readsocket{COURIERSOCKET} \
      {AUTH ${strlen:exim\nlogin\n$1\n$2\n}\nexim\nlogin\n$1\n$2\n} }} {yes} fail}
  server_set_id = $1

plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = ${extract {address} {${readsocket{COURIERSOCKET} \
      {AUTH ${strlen:exim\nlogin\n$2\n$3\n}\nexim\nlogin\n$2\n$3\n} }} {yes} fail}
  server_set_id = $2
  server_advertise_condition = ${if eq{$tls_cipher}{} {no} {yes}}

allnex 07-04-2016 01:59 PM
Bump.


All times are GMT -5. The time now is 03:33 AM.