Home > Solaris, exim > exim + TLS + solaris 10

exim + TLS + solaris 10

November 29th, 2005

Not long ago I decided to set up an authenicated email server so people off campus could send email through campus servers. The old way would have been an open relay, which is very bad. So I decided to start looking at TLS authenication. Well the default Sendmail that comes with Solaris 10 does not have TLS authenication. So I decided to disable sendmail and install exim..

To disable sendmail on Solaris 10:

svcadm disable sendmail

Then I installed Exim from the Blastwave Software library which is really as easy as :

/opt/csw/bin/pkg-get -i exim

(of course this assumes that you have the pkg-get package installed if not, download and install it. The wonders of pkg-get is that it will download all the dependencies as well.

The changes I made are as follows:

Under the Main Configuration block, I added:

tls_on_connect_ports = 465
daemon_smtp_ports = 25:465

Which allows exim to listen on both port 25 and port 465.

I then changed the

rfc1413_query_timeout = 30s

to

rfc1413_query_timeout = 0s

which disables ident lookups, (we don’t allow them).

The last change to the main config section is :

#SSL stuff
tls_certificate = /opt/csw/etc/exim/exim.cert
tls_privatekey = /opt/csw/etc/exim/exim.key
tls_advertise_hosts = *
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

Which defines the SSL cert/key and that it should always advertise auth/tls..

Next up is the ACL Configuration, I added this under the “begin acl”

acl_check_auth:
accept encrypted = *
accept condition = ${if($tls_cipher)}
deny message = TLS encryption ONLY

Which makes it so only encrypted authenicated connections will work.

The next change was in the routers section. I wanted the exim server to pass all mail to our spam/virus scanner and not to talk to any other mail server so I added this:

send_to_gateway:
driver = manualroute
transport = remote_smtp
route_list = * SMTP.somehost.edu

The next change I did was comment out the following:

#local_delivery:
#driver = appendfile
#file = /var/mail/$local_part
#delivery_date_add
#envelope_to_add
#return_path_add
# group = mail
# mode = 0660

#address_pipe:
#driver = pipe
#return_output

#address_file:
#driver = appendfile
#delivery_date_add
#envelope_to_add
#return_path_add

#address_reply:
#driver = autoreply

The final change I made was to use ldap authenication. So I added this to the Authenication Configuration section:

begin authenticators

BASEDN=ou=people,dc=someplace,dc=edu

login:
driver = plaintext
public_name = LOGIN
server_prompts = “Username:: : Password::”
server_condition = “${lookup ldap{user=uid=$1,BASEDN pass=$2 ldap://ldap.server.edu/BASEDN?uid?sub?(uid=$1)}{yes}fail}”
server_set_id = $1

One important note Make sure you leave Username:: : Password:: as that and that you do not change it. It seems that Microsoft has hardcoded those values in as the prompts for username and password in Microsoft Outlook and Outlook Express. So if you make those anything other than Username: and Password: those two clients will NOT work, and you will get some weird base64 error codes back. It took me a couple of hours to figure out why Thunderbird worked and Outbreak didn’t. That was it. What you have now is a SMTP server that only accepts mail from authenicated clients and which forwards all mail to a central hub. Hope this helps other people, it took me a while to get it setup. Another side note, if you use Symantec Antivirus on MS Windows (probably on OSX as well) and have the Email Auto-Protect enabled, you will never be able to send mail out on port 25 if it is encrypted (in this case it is) as Symantec blocks all encrypted mail as it can’t “scan” it.

One final note, to provide some “HA” to this setup I have two identical setups of Exim in 2 different buildings on 2 different networks. They both use the same SSL Cert/Key and are setup in a DNS RR to answer up to the same hostname.

Technorati Tags: , ,

Solaris, exim ,

Comments are closed.