01-21-2011, 09:37 AM
|
#1
|
LQ Newbie
Registered: Dec 2010
Posts: 7
Rep:
|
exim "454 TLS currently unavailable"
Hi,
i'm trying to get Exim up and running with TLS.
The idea behind it is that users will use TLS, auth against the server then be able to send mail.
unfortunately i can't seem to get the TLS working ...at all!
i've put this in my exim config:
tls_certificate = /etc/exim4/exim.crt
tls_privatekey = /etc/exim4/exim.key
tls_advertise_hosts = *
and generated the certificate and key like so:
bash /usr/share/doc/exim4-base/examples/exim-gencert
Now when i do a test it gives the following:
Connected to 127.0.0.1.
Escape character is '^]'.
220 <server> ESMTP Exim 4.69 Fri, 21 Jan 2011 15:33:15 +0000
ehlo test
250-<server> Hello localhost [127.0.0.1]
250-SIZE 52428800
250-PIPELINING
250-STARTTLS
250 HELP
STARTTLS
454 TLS currently unavailable
quit
221 <server> closing connection
when i check in the logs i get this:
2011-01-21 15:33:20 TLS error on connection from localhost (test) [127.0.0.1] (cert/key setup: cert=/etc/exim4/exim.crt key=/etc/exim4/exim.key): Error while reading file.
however for the life of me i cannot find why it's saying this.
i've tried exim with tls debug on like so: exim -d+tls
i've tried stracing the process, changing the file permissions so they are world readable, changing the ownership.
all to no avail and a very hurty head.
does anyone have any idea as to why it's saying this or any other ideas i can try to get this working?
|
|
|
01-22-2011, 07:51 AM
|
#2
|
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
|
Have you confirmed that the key and cert are valid? "openssl x509 -in exim.crt -noout -text" should print out the valid cert and "openssl rsa -in exim.key -noout -text" should do the same for the key. Outside of the basic file system / user rights issues that's the only level that really seems to make sense. You might also try removing that key / cert to ensure a problem about finding the files themselves, and check a different error is received etc.
|
|
1 members found this post helpful.
|
01-23-2011, 09:17 AM
|
#3
|
LQ Newbie
Registered: Dec 2010
Posts: 7
Original Poster
Rep:
|
acid_kewpie sir, you are a star
the openssl stuff you gave seemed to indicate that the certificate and keys were fine, so i tried your second suggestion, i renamed the files to something else and it still threw the error, so i was thinking permission problems.
so i did a little more digging...
i altered the Debian-exim user so it had a valid shell then su'ed to that user. i then cd'd in to the /etc/exim4 directory and was given a permission denied message. i checked the permissions on the directory and discovered that the permissions were set wrong. i had:
U: rw-
g: r--
o: ---
i chmodded the dir like so: chmod ug+x ./.
re-tested the user again and i was then let in to the directory ( hazarr! ) after re-naming key and the cert back to what exim was expecting i re-tried telnet and got this:
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 <servername> ESMTP Exim 4.69 Sun, 23 Jan 2011 15:01:36 +0000
ehlo localhost
250-<servername> Hello localhost [127.0.0.1]
250-SIZE 52428800
250-PIPELINING
250-STARTTLS
250 HELP
STARTTLS
220 TLS go ahead
acid_kewpie, Thank you!
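
An added example, not part of the original thread: the root cause above was a directory on the path to the certificate lacking search (x) permission, which making the files themselves world readable cannot fix. This sketch walks every ancestor directory and reports the first one that blocks a given user; the function names are hypothetical, and it evaluates only the classic owner/group/other mode bits (no ACLs, no root override).

```python
import os


def _allowed(st, uid, gids, want):
    """Check one permission bit (4 = read, 1 = search) for uid/gids.

    The kernel picks exactly one class: owner, else group, else other.
    ACLs and root's override capability are not modelled here.
    """
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((st.st_mode >> shift) & want)


def first_blocker(path, uid, gids):
    """Return (component, reason) for the first thing that stops `uid`
    from reading `path`, or None if the mode bits allow access.
    Run it as root so every component can be stat'ed."""
    path = os.path.realpath(path)
    current = os.sep
    ancestors = [current]
    for name in path.strip(os.sep).split(os.sep)[:-1]:
        current = os.path.join(current, name)
        ancestors.append(current)
    # Top-down: a directory without x hides everything beneath it,
    # no matter how permissive the files inside are.
    for directory in ancestors:
        if not _allowed(os.stat(directory), uid, gids, 1):
            return (directory, "no search (x) permission on directory")
    if not _allowed(os.stat(path), uid, gids, 4):
        return (path, "no read permission on file")
    return None


if __name__ == "__main__":
    import pwd

    # User and paths as they appear in the thread.
    user = pwd.getpwnam("Debian-exim")
    groups = set(os.getgrouplist(user.pw_name, user.pw_gid))
    for f in ("/etc/exim4/exim.crt", "/etc/exim4/exim.key"):
        print(f, first_blocker(f, user.pw_uid, groups) or "readable")
```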
|
|
|
All times are GMT -5. The time now is 03:08 AM.