Bug#482012: exim4: TLS incoming connections problems

Diego Guella diego.guella at sircomtech.com
Tue May 20 10:56:07 UTC 2008


----- Original Message ----- 
From: "Marc Haber" <mh+debian-packages at zugschlus.de>
> When I last looked, OE was not able to do STARTTLS and required
> special configuration to allow smtp-over-tls on Port 465. Exim
> requires special configuration to support this. How did you enable
> smtp-over-tls?

I installed Debian, then followed these instructions:

http://pkg-exim4.alioth.debian.org/README/README.Debian.html#TLS

1. Generate the cert
2. set MAIN_TLS_ENABLE
3. edit /etc/exim4/exim4.conf.template to add a simple plaintext LOGIN authenticator with Outlook Express server prompt fix:
-----
fixed_login:
    driver = plaintext
    public_name = LOGIN
    server_prompts = Username:: : Password::
    server_condition = \
        ${if and {{eq{$auth1}{username}}{eq{$auth2}{password}}}}
    .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
    server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
    .endif
-----

At this point (no SMTPLISTENEROPTIONS and tls_on_connect_ports)
Outlook Express clients from my network can connect and send messages over this server.
(If that matters, Outlook is on Windows XP SP2, outlook version 6.0.2900.2180.xpsp_sp2_gdr.070227-2254)

>> Since yesterday many packages went into lenny, I'm not sure if Exim is
>> the real cause of this problem, maybe it could be gnutls, or something
>> other.
>>
>> Where can I get exim 4.69-2 to test it again and see if it works?
>
> You can try pulling an older package from snapshot.debian.net.

Many thanks, I successfully reverted all the exim packages to 4.69-2, but I had no luck, it doesn't work.
I then reverted libgnutls26 from 2.2.3~rc-1 to 2.2.2-1, but no luck again.

> I would suggest a different debugging path though:
>
> (1) verify whether your OE does STARTTLS or smtp-over-ssl
> (2) try with a command line client (swaks, gnutls-cli, openssl s_client)
>    whether your exim actually does what your OE expects it to do
> (3) try with a command line server (gnutls-serv, openssl s_server)
>    whether your OE is able to connect to the server. This might be a
>    challenge to do with STARTTLS.
>
> Disabling the client certificate request in exim configuration may be
> worth a try, too.

Maybe I haven't explained myself well, sorry for that.
I said that my Outlook Express was doing TLS until Friday, when I left the office.
On Monday, I upgraded this system (let's call this system "vmdeb"), along with other things such as installing apache, squirrelmail,
spamassassin, and now OE can't do TLS any more.

By the way:
To answer your (1), my OE _does_ STARTTLS (I snarfed it with Ethereal).

What's new is that I found another system, let's call it "realdeb", that was not upgraded.
I followed the 3 points above (gencert, MAIN_TLS_ENABLE, add plaintext login authenticator), and now OE/TLS works on "realdeb"!!!


What I would like to know is what has changed that has now broken the TLS setup.
If, for example, we find the package that has changed, looking at its changelog we can find out the problem.
Do you know of any other possible package upgrade related to this issue between May 16 and May 19?
Do you think that installing Apache, Squirrelmail and Spamassassin could have broken TLS?

Let me know if you need more information/tests.


> Greetings
> Marc
Thanks,
Diego
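
An offline check for debugging step (2) in the message above, added here as an example; it is not part of the original message or of exim. It parses EHLO replies captured before and after STARTTLS (for instance from a swaks or openssl s_client session) and reports whether AUTH is hidden on cleartext, which is what the authenticator's server_advertise_condition is meant to do. The sample replies, the host name vmdeb.example and the function names are constructed for illustration.

```python
import re

def parse_ehlo(reply):
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [params]}."""
    ext = {}
    lines = [l.rstrip() for l in reply.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        m = re.fullmatch(r"250([- ])(.*)", line)
        if not m:
            raise ValueError("not a 250 reply line: %r" % line)
        # "250-" marks a continuation line, "250 " the final line.
        if (m.group(1) == " ") != (i == len(lines) - 1):
            raise ValueError("bad continuation marker: %r" % line)
        if i == 0:
            continue  # first line is the greeting, not an extension
        words = m.group(2).split()
        if words:
            ext.setdefault(words[0].upper(), []).extend(
                w.upper() for w in words[1:])
    return ext

def audit(pre_tls, post_tls):
    """Compare the cleartext EHLO reply with the one seen inside TLS."""
    pre, post = parse_ehlo(pre_tls), parse_ehlo(post_tls)
    findings = []
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not advertised on cleartext connection")
    if "AUTH" in pre:
        findings.append("AUTH advertised before TLS: " + ",".join(pre["AUTH"]))
    if "STARTTLS" in post:  # RFC 3207: must not be offered once TLS is up
        findings.append("STARTTLS still advertised inside TLS session")
    if "LOGIN" not in post.get("AUTH", []):
        findings.append("AUTH LOGIN not advertised after STARTTLS")
    return findings

# Constructed sample replies (not captured from the reporter's systems).
GOOD_PRE = ("250-vmdeb.example Hello client [192.0.2.10]\n"
            "250-SIZE 52428800\n250-PIPELINING\n250-STARTTLS\n250 HELP\n")
GOOD_POST = ("250-vmdeb.example Hello client [192.0.2.10]\n"
             "250-SIZE 52428800\n250-PIPELINING\n250-AUTH LOGIN\n250 HELP\n")
# What a server would show if AUTH were advertised without TLS.
BAD_PRE = GOOD_PRE.replace("250-STARTTLS\n", "250-STARTTLS\n250-AUTH LOGIN\n")

if __name__ == "__main__":
    for name, pre in (("good", GOOD_PRE), ("bad", BAD_PRE)):
        print(name, audit(pre, GOOD_POST) or "OK")
```

An empty result means the cleartext session offers STARTTLS without AUTH and the TLS session offers AUTH LOGIN, the behaviour a STARTTLS client such as OE relies on with this authenticator.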





