Bug#985243: Workaround

Jö Fahlke jorrit at jorrit.de
Tue Mar 16 12:16:25 GMT 2021


Hi,

I forgot to mention the workaround I've been using.  This workaround should
only apply if you cannot apply the upstream patch for some reason.

Regards,
Jö.

# Workaround

One workaround to get fully verified SSL is to tell Exim to use a local port
(e.g. 127.0.0.1:26) as the smarthost without requiring SSL.  Connections to
that port can then be forwarded via SSL to the real smarthost.

It is easiest to set up a tunnel to the `submissions` port, or any other smtp
port offered by the smarthost with SSL-on-connect (as opposed to STARTTLS).
This worked for me:

Install `/etc/systemd/system/ssltunnel.socket` with content
```
[Socket]
ListenStream=127.0.0.1:26
BindToDevice=lo
Accept=yes

[Unit]
Before=exim4.service

[Install]
WantedBy=exim4.service
```
and `/etc/systemd/system/ssltunnel@.service` with content (obviously replacing
the name of the smarthost)
```
[Service]
Type=simple
ExecStart=/usr/bin/socat - OPENSSL:smarthost.example.com:submissions
StandardInput=socket
StandardOutput=inherit
StandardError=journal
```

In `/etc/exim4/update-exim4.conf.conf` set
```
dc_smarthost='127.0.0.1::26'
```
and in `/etc/exim4/conf.d/router/200_exim4-config_primary` add the setting
```
  self = send
```
in the `smarthost:` section, otherwise Exim will refuse to connect to
localhost, assuming a configuration error.  Ensure that you use `*` as the
hostname in `/etc/exim4/passwd.client` (or make sure the correct credentials
will be selected through other means).  Then invoke
```
systemctl enable ssltunnel.socket
systemctl restart exim4
```
and you should be set.

If your smarthost only offers STARTTLS and no SSL-on-connect, you can use
`openssl s_client` as the tunneling program.  However, that program is meant
as a debugging tool, and will by default not abort the connection when
certificate verification fails, and it also won't verify the hostname by
default.  It's also noisy and will print messages to stdout, interfering with
the tunneled connection content, unless quieted.  You'll have to figure out
the options to ensure correct certificate verification yourself.

There is also gnutls-cli, but there seems to be no way to prevent it from
printing messages to stdout, so it is not really an option for tunneling.

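As an added example that is not part of the message above or of the exim4 package: the socat line in the template service does two things, a verified TLS-on-connect handshake to the smarthost and a byte pump between the accepted socket and the TLS session. The script below does the same under systemd's `Accept=yes` / `StandardInput=socket` hand-off, so it can stand in for the `ExecStart` line (e.g. `ExecStart=/usr/local/bin/tls_forward.py smarthost.example.com 465`, an assumed install path and an assumed smarthost name). It refuses to relay if the certificate chain or hostname does not verify, which is the property the whole workaround exists to get.

```python
#!/usr/bin/env python3
"""Socket-activated TLS-on-connect forwarder (added example, not the original
post's code).  systemd hands each accepted client connection to us on fd 0/1;
we open a *verified* TLS session to the smarthost and pump bytes both ways."""
import os
import socket
import ssl
import sys
import threading


def build_client_context(cafile=None):
    """Context that fails closed: CA chain required, hostname checked, TLS >= 1.2.
    With cafile=None the platform trust store is used (Debian: ca-certificates)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect_verified(host, port, ctx=None, timeout=30):
    """TCP connect plus immediate TLS handshake (SSL-on-connect, as on port 465).
    Raises ssl.SSLCertVerificationError if the chain or the hostname is wrong."""
    ctx = ctx or build_client_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    tls.settimeout(None)
    return tls


def _write_all(fd, data):
    while data:
        n = os.write(fd, data)
        data = data[n:]


def pump(in_fd, out_fd, tls):
    """Copy client->server and server->client until either side hits EOF."""
    done = threading.Event()

    def client_to_server():
        try:
            while True:
                chunk = os.read(in_fd, 65536)
                if not chunk:
                    break
                tls.sendall(chunk)
        except OSError:
            pass
        finally:
            done.set()

    def server_to_client():
        try:
            while True:
                chunk = tls.recv(65536)
                if not chunk:
                    break
                _write_all(out_fd, chunk)
        except OSError:
            pass
        finally:
            done.set()

    for fn in (client_to_server, server_to_client):
        threading.Thread(target=fn, daemon=True).start()
    done.wait()
    tls.close()


def main(argv):
    if len(argv) != 3:
        print("usage: tls_forward.py SMARTHOST PORT", file=sys.stderr)
        return 2
    host, port = argv[1], int(argv[2])
    try:
        tls = connect_verified(host, port, build_client_context())
    except ssl.SSLCertVerificationError as exc:
        # Fail closed: never fall back to an unverified or plaintext relay.
        print(f"refusing to relay to {host}:{port}: {exc}", file=sys.stderr)
        return 1
    pump(0, 1, tls)  # fd 0/1 are the accepted client socket under StandardInput=socket
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Note that, like socat's `OPENSSL:` address, this only covers SSL-on-connect ports; a STARTTLS-only smarthost would additionally need the forwarder to drive the SMTP STARTTLS exchange before the TLS handshake, which the above does not attempt.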