Mike Cardwell | 3 Aug 15:29 2015

TLS verify

I have an SMTP transport which looks like this:

remote_smtp:
    driver                  = smtp
    tls_verify_certificates = /etc/ssl/certs/
    tls_try_verify_hosts    = *
    tls_verify_hosts        = snake.grepular.com : flan.grepular.com
    hosts_require_tls       = snake.grepular.com : flan.grepular.com

When I send an email to an address that isn't hosted on
"snake.grepular.com" or "flan.grepular.com" and that host uses a self
signed certificate, it fails to verify and then falls back to using
a plain text connection. For example:

2015-08-03 14:19:37 1ZMFeT-0007Bc-Fj SSL verify error: depth=0 error=self signed certificate
cert=/C=EU/ST=European Union/L=Europa/O=U226.com/OU=Network Operations/CN=m2.u226.com/emailAddress=www.query <at> gmail.com
2015-08-03 14:19:37 1ZMFeT-0007Bc-Fj TLS error on connection to m2.u22.net [95.172.15.115]
(SSL_connect): error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2015-08-03 14:19:37 1ZMFeT-0007Bc-Fj TLS session failure: delivering unencrypted to m2.u22.net
[95.172.15.115] (not in hosts_require_tls)

Have I misunderstood something about how tls_try_verify_hosts is
supposed to work? I'm using Exim 4.84 with OpenSSL.

Regards,

Mike

--

-- 
Mike Cardwell  https://grepular.com https://emailprivacytester.com
(Continue reading)

Jim Pazarena | 1 Aug 19:06 2015

saving mails to a file

I have one email addy which saves emails to a file.

I think I have a race condition where multiple inbound messages clobber
and corrupt the save file (occasionally...not often).

I cannot specify "one delivery process only" as the server is too busy
for this.

Can I specify one delivery only to a specific internal email address?
Or other ideas?

Thanks!

--

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Fabián M Sales | 31 Jul 17:46 2015

[EXIM] GeoIP it's posible?


Hello List.

Exim exists the possibility of using GeoIP to countries that need can
not be connected?

Thanks.

Best regards.

Fabián.

Firma Institucional
--

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
3YSTech Services | 30 Jul 14:25 2015
Picon

Force TLSv1.2 on EXIM server (4.80.1)

Hello ,

I am trying to force TLS v1.2 on EXIM server. All Linux clients and Exim
servers have openssl-1.0.1e-42 rpm. I keep getting TLSv1 on logs.
"X=TLSv1:AES128-SHA:128"

** I tried adding tls_require_ciphers (below) on server but won't be able
to send email from clients .

openssl_options = +no_sslv2 +no_sslv3
tls_require_ciphers = ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP

From Linux client: SSL/TLS handshake failed: Cannot communicate securely
with peer: no common encryption algorithm(s).

From EXIM server : TLS error on connection from Server.domain.com [IP
Address] (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no
shared cipher

** I tried to remove SSLv3 from ciphers and keep it in openssl_options and
I am back to TLSv1

openssl_options = +no_sslv2 +no_sslv3
tls_require_ciphers = ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

I am not sure what I need to do to get it to use TLSv1.2

Thanks
--

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
(Continue reading)

Duckbreath | 30 Jul 02:22 2015
Picon

Can I build both GnuTLS and OpenSSL into exim?


Right now I have GnuTLS built into exim and rudimentary tests are working.  I notice some e-mail clients
are happy with sending mail while others are not.
To increase compatibility, can I also include OpenSSL into the build to offer a larger suite of ciphers/support?
The option tls_require_ciphers (I'm referencing
http://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html
) somewhat suggests you pick one and go with it.
Is there a way to do both?

--

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Ian Zimmerman | 28 Jul 21:45 2015

log_output on pipe transports

Hi, the manual for my version (4.80) says:

 log_output     Use: pipe      Type: boolean     Default: false

 If this option is set and the command returns any output, the first
 line of output is written to the main log, whatever the return code.

It is not clear from this if "any output" includes stderr.  Right below
this it says:

 max_output      Use: pipe    Type: integer         Default: 20K

 This specifies the maximum amount of output that the command may
 produce on its standard output and standard error file combined. If the
 limit is exceeded, the process running the command is killed. This is
 intended as a safety measure to catch runaway processes. The limit is
 applied independently of the settings of the options that control what
 is done with such output (for example, return_output).

so I'm guessing the answer is yes, but it's not perfectly clear and I'm
not taking chances.

-- 
Please *no* private copies of mailing list or newsgroup messages.
Rule 420: All persons more than eight miles high to leave the court.

--

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
(Continue reading)

Gary Stainburn | 27 Jul 14:05 2015
Picon

Exim on one box, clam on another - not detecting virus

I'm experimenting a bit here and I have one box running Exim and another box 
running clamav.

On the clamav box (F21) I've installed 

exim-clamav-4.84-4.fc21.x86_64
clamav-lib-0.98.7-1.fc21.x86_64
clamav-server-0.98.7-1.fc21.x86_64
clamav-filesystem-0.98.7-1.fc21.noarch
clamav-0.98.7-1.fc21.x86_64
clamav-data-0.98.7-1.fc21.noarch
clamav-update-0.98.7-1.fc21.x86_64

I've updated the config files and everything runs fine. It found the test 
virus eicar.com (as well as another test virus I'd forgotten about)

I then changed my exim.conf line from:

av_scanner = clamd:/var/run/clamd.exim/clamd.sock

to

av_scanner = clamd:10.1.1.226 3310

and restarted exim.

On the clam server I then got log entries appearing (I had already turned on 
LogClean)

Mon Jul 27 12:30:46 2015 -> stream(10.5.1.3 <at> 1506): OK
(Continue reading)

Paul Stuffins | 26 Jul 21:15 2015

Migrate to Exim

Hello,

For about the last year or so I have been running my own mail server 
that has been based on the ISPmail tutorial for Debian Wheezy[1]. I 
currently also use spamtitan[2] and my spam filtering solution.

Over the last few months I have been growing a bit disillusioned with 
running my spam filter as SaaS, manly because my current provider 
requires me to whitelist the sender and so my white list is huge.

I have been looking for a few pointers in implementing a spam filter 
with my current setup, but most of the pages on the web deal with 
setting a spam filter up as part of the basic setup of the server.

I was also looking for a few pointers in setting an Exim based server 
up, but I want the datastore, SMTP relay and MX's to be on separate 
servers, and I came across this HowtoForge tutorial[3]. That looks like 
it is the kind of setup that I want to run, I am not too bothered about 
running LDAP for authentication, but it is based on Debian Lenny.

Would there be many changes that need to be made to port that to a 
Jessie or FreeBSD setup? I would prefer to run it on a FreeBSD setup though.

I am quite inexperienced at running a mail server, and am only running 
my personal emails on it at the moment, so if there are any other 
considerations that I have completely missed out then please point them out.

[1] https://workaround.org/ispmail/wheezy
[2] http://www.spamtitan.com
[3] 
(Continue reading)

Jeremy Harris | 26 Jul 16:30 2015

Exim 4.86 Released


I have uploaded Exim 4.86 to:
ftp://ftp.exim.org/pub/exim/exim4/

This release contains the following enhancements and bugfixes:
+ Support for using the system standard CA bundle
+ Support for the Avast and Rspamd malware scanners
+ Assorted options on malware= and spam= scanners
+ Timeout/retry options on dnsdb lookups
+ A commandline option to write a comment into the logfile
+ New Experimental support for outbound Socks5 proxies
+ New Experimental support for UTF-8 envelope addresses
+ A logging option for slow DNS lookups
+ Support for reading values from the environment
+ Support for authentication by client certificates
+ TLS support for Elliptic Curves
+ Certificate verification is done by default
+ Certificate name checks are done by default
* DNSSEC enhancements
+ Identd lookups are disabled by default
+ DSN messages are now MIME format
+ MIME attachment support for RFC2322 filenames
+ The PRDR ESMTP extension is used by default, if the
  server offers it
+ Cutthrough-routing now supports multi-recipient mails
+ If the interface is being logged for inbound connections
  it is also logged for outbound connections
+ The headers_add/remove options on routers and transports
  can now use an alternate list separator
+ build and portability fixes
(Continue reading)

Marco Gaiarin | 25 Jul 15:46 2015
Picon

SRS - solved!


Ok, many thanks to Andrey Melnikov that, offlist, helped me.

Finally i've solved my issue with SRS. Because could be useful to others, i
post my findings here.

1) the ''bounce'' router HAVE TO EXIST and HAVE NOT the 'no_verify' option
 set; Doing the rewrite, exim verify that the SRS-generated local address
exist, and refise to redirect to non-working addresses.

My bounce router currently is:

.ifdef SRS_SECRETFILE
srs_bounce:
  debug_print = "R: srs_bounce for $local_part <at> $domain"
  driver = redirect
  domains = +local_domains
  allow_fail
  allow_defer
  local_part_prefix = srs0+ : srs0- : srs0= : srs1+ : srs1- : srs1=
  caseful_local_part
  address_data = ${run{/bin/sh -c "/usr/bin/srs --reverse --secretfile=SRS_SECRETFILE
--hashlength=SRS_HASHLENGTH ${local_part_prefix}${local_part} <at> ${domain} 2> /dev/null
  data = ${quote_local_part:${local_part:$address_data}} <at> ${domain:$address_data}
.endif

Because the hash may contain the '/' character, the local part character
restriction have to be relaxed:

 CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[ <at> %!|`#&?]
(Continue reading)

sol harvest | 23 Jul 15:06 2015
Picon

setting up out-of office message

Hello,
with the coming holidays my boss has been clamoring to set up automated
replies.

I have searched and written both a router and a transport, but it doesn't
work so far.
Here are the conf files, if anyone could point me toward my mistakes, I
would be quite grateful.

Router

05_exim4-config_vacation

uservacation:
driver = accept
domains = +local_domains
# user to put away message in a file called vacation.msg
require_files = $home/Maildir/vacation.msg
# do not reply to errors or bounces or lists
senders = ! ^.*-request <at> .*:\
            ! ^bounce-.* <at> .*:\
            ! ^.*-bounce <at> .*:\
            ! ^owner-.* <at> .*:\
            ! ^postmaster <at> .*:\
            ! ^webmaster <at> .*:\
            ! ^listmaster <at> .*:\
            ! ^mailer-daemon <at> .*:\
            ! ^root <at> .*
transport = uservacation_transport
unseen
(Continue reading)


Gmane