
The No Certificate Warning and the Right Way to Stop it
After reconfiguring exim4 to correct for an unannounced change
courtesy of my ISP, I got outbound mail humming along once again
but also revived an old issue which several people may recognize:

2022-05-14 00:22:37 Warning: No server certificate defined; will use a selfsigned one.
Suggested action: either install a certificate or change tls_advertise_hosts option

This is a valuable warning but attempts to make exim
happy have not stopped the warnings which are the majority of
mainlog lines.

Except for exim4's contact with 1 smarthost, the rest of
the traffic through it is local traffic so any certificate should
turn off the bombardment.

I created
-rw-r----- 1 root Debian-exim 1245 May 8 21:43 /etc/exim4/exim.crt
with no change in behavior.

I then tried the second part of the suggestion which reads:
Suggested action: either install a certificate or change tls_advertise_hosts option

I did. What I actually did was to edit
/etc/exim4/exim4.conf.template:tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
so that it reads
tls_advertise_hosts =

Then I did dpkg-reconfigure exim4-config

That cert warning was the very first line of output meaning
nothing changed.
What is the least complex way to make these cert warnings
stop?

Martin McCormick

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: The No Certificate Warning and the Right Way to Stop it
On 14/05/2022 21:53, Martin McCormick via Exim-users wrote:
> Then I did dpkg-reconfigure exim4-config

What ended up in your actual running config after this stage?
Us non-Deb users don't know what Deb does for you at this stage.
Also, does it tell the daemon to reload the config just changed?
--
Cheers,
Jeremy

Re: The No Certificate Warning and the Right Way to Stop it
Jeremy Harris via Exim-users <exim-users@exim.org> writes:
> What ended up in your actual running config after this stage?
> Us non-Deb users don't know what Deb does for you at this stage.
> Also, does it tell the daemon to reload the config just changed?

It stops the daemon and then starts the newly-configured daemon.
That's when I see the first cert warning.

This is from exim4.conf.template:

#as originally set:
#tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
#I modified it to read
tls_advertise_hosts =

This should have nulled out where tls_advertise_hosts points.

This next part appears to be set as intended.

# Full paths to Certificate and Private Key. The Private Key file
# must be kept 'secret' and should be owned by root.Debian-exim mode
# 640 (-rw-r-----). exim-gencert takes care of these prerequisites.
# Normally, exim4 looks for certificate and key in different files:
# MAIN_TLS_CERTIFICATE - path to certificate file,
# CONFDIR/exim.crt if unset

and that's where it is.

# MAIN_TLS_PRIVATEKEY - path to private key file
# CONFDIR/exim.key if unset

Martin McCormick

Re: The No Certificate Warning and the Right Way to Stop it
On 2022-05-14 Martin McCormick via Exim-users <exim-users@exim.org> wrote:
> After reconfiguring exim4 to correct for an unannounced change
> courtesy of my ISP, I got outbound mail humming along once again
> but also revived an old issue which several people may recognize:

> 2022-05-14 00:22:37 Warning: No server certificate defined; will use a selfsigned one.
> Suggested action: either install a certificate or change tls_advertise_hosts option
[...]

Please take a look at file:///usr/share/doc/exim4-base/README.Debian.html#TLS

cu Andreas


Re: The No Certificate Warning and the Right Way to Stop it
Andreas Metzler via Exim-users <exim-users@exim.org> writes:
> Please take a look at
> file:///usr/share/doc/exim4-base/README.Debian.html#TLS

Thank you. After figuring out that the smarthost
requires connect on port 25, never uses 465 anymore but can use
587, I had to be careful what gets set here or I kill outbound
mail again.
Here's what I have ended up doing so far. I read
the article and realized that I probably need split configuration
instead of one monolithic file because that is the only way that
/etc/exim4/localmacros is picked up so I set localmacros as
follows:

MAIN_TLS_ENABLE = 1
TLS_ON_CONNECT_PORTS = 587
then dpkg-reconfigure.

Cert warning still lives.

Set a new localmacros as follows and reconfigure.

MAIN_TLS_ENABLE = 1
REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = *
TLS_ON_CONNECT_PORTS = 587

dpkg-reconfigure exim4-config and cert warning is still kicking.
Set all possible options on in localmacros and reconfigure.
Localmacros now reads:

MAIN_TLS_ENABLE = 1
REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = *
TLS_ON_CONNECT_PORTS = 587
REQUIRE_PROTOCOL = smtps

Cert message never fails to appear. I even took away the
localmacros file and did a dpkg-reconfigure exim4-config without
it and, wait for it, the cert message was the first indication that exim
was starting.

All delivery attempts including the one without
localmacros were successful so for now, I have switched back to a
non-split configuration and cert message just keeps filling up
the log.

Any other ideas are greatly appreciated. After all this
pummeling, exim4 is now delivering successfully every time to the
smarthost so that's good that it still works after the ISP's "no
changes" changes.

I was telling my wife yesterday that all that time I
spent talking to call centers in Heaven knows where on and off
for the last 2 months was totally wasted in that I never learned
one true factor from them that made any difference at all.
Welcome to service in the 21st century from big corporations.

Martin

Re: The No Certificate Warning and the Right Way to Stop it
On 2022-05-14 Martin McCormick via Exim-users <exim-users@exim.org> wrote:
[...]
> I created
> -rw-r----- 1 root Debian-exim 1245 May 8 21:43 /etc/exim4/exim.crt
> with no change in behavior.

Where is the key?
file:///usr/share/doc/exim4-base/README.Debian.html#TLS says
"install the key in /etc/exim4/exim.key and the certificate in
/etc/exim4/exim.crt."

Stop exim, as root start exim with
/usr/sbin/exim4 -bd -d+all 2>&1 | tee ~/exim.debug
connect to this daemon with
swaks -s localhost -tls -q ehlo

And then look at ~/exim.debug.

cu Andreas

Re: The No Certificate Warning and the Right Way to Stop it
Andreas Metzler via Exim-users <exim-users@exim.org> writes:
> Where is the key?

/etc./exim4/exim.key
> file:///usr/share/doc/exim4-base/README.Debian.html#TLS says
> "install the key in /etc/exim4/exim.key and the certificate in
> /etc/exim4/exim.crt."
>

The certificate is in
/etc/exim4/exim.crt so the key and the certificate appear to be
in their correct locations.

> Stop exim, as root start exim with
> /usr/sbin/exim4 -bd -d+all 2>&1 | tee ~/exim.debug
> connect to this daemon with
> swaks -s localhost -tls -q ehlo
>
> And then look at ~/exim.debug.

11:38:57 5940 Exim version 4.92 uid=0 gid=0 pid=5940 D=fff9ffff
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DANE DKIM DNSSEC Event OCSP PRDR SOCKS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Compiler: GCC [8.3.0]
Library version: Glibc: Compile: 2.28
Runtime: 2.28
Library version: BDB: Compile: Berkeley DB 5.3.28: (September 9, 2013)
Runtime: Berkeley DB 5.3.28: (September 9, 2013)
Library version: GnuTLS: Compile: 3.6.7
Runtime: 3.6.7
Library version: PCRE: Compile: 8.39
Runtime: 8.39 2016-06-14
11:38:57 5940 Total 13 lookups
WHITELIST_D_MACROS: "OUTGOING"
TRUSTED_CONFIG_LIST: "/etc/exim4/trusted_configs"
11:38:57 5940 changed uid/gid: forcing real = effective
11:38:57 5940 uid=0 gid=0 pid=5940
11:38:57 5940 auxiliary group list: <none>
11:38:57 5940 seeking password data for user "uucp": cache not available
11:38:57 5940 getpwnam() succeeded uid=10 gid=10
11:38:57 5940 LOG: MAIN
11:38:57 5940 Warning: No server certificate defined; will use a selfsigned one.
11:38:57 5940 Suggested action: either install a certificate or change tls_advertise_hosts option
11:38:57 5942 changed uid/gid: calling tls_validate_require_cipher
11:38:57 5942 uid=105 gid=109 pid=5942
11:38:57 5942 auxiliary group list: <none>
11:38:57 5940 tls_validate_require_cipher child 5942 ended: status=0x0
11:38:57.352 5940 configuration file is /var/lib/exim4/config.autogenerated
11:38:57.352 5940 log selectors = ffffffff dffffffb ffffffff
11:38:57.352 5940 cwd=/home/martin/tmp 3 args: /usr/sbin/exim4 -bd -d+all
11:38:57.352 5940 trusted user
11:38:57.352 5940 admin user
11:38:57.353 5940 seeking password data for user "mail": cache not available
11:38:57.353 5940 getpwnam() succeeded uid=8 gid=8
11:38:57.355 5940 ?considering: $1
11:38:57.355 5940 ???expanding: $1
11:38:57.356 5940 ??????result: root
11:38:57.356 5940 user name "root" extracted from gecos field "root"
11:38:57.356 5940 originator: uid=0 gid=0 login=root name=root
11:38:57.357 5940 listening on 127.0.0.1 port 25
11:38:57.358 5940 pid written to /run/exim4/exim.pid
11:38:57.366 5940 changed uid/gid: running as a daemon
11:38:57.366 5940 uid=105 gid=109 pid=5940
11:38:57.366 5940 auxiliary group list: 109
11:38:57.367 5940 LOG: MAIN
11:38:57.367 5940 exim 4.92 daemon started: pid=5940, no queue runs, listening for SMTP on [127.0.0.1]:25
11:38:57.367 5940 set_process_info: 5940 daemon(4.92): no queue runs, listening for SMTP on [127.0.0.1]:25
11:38:57.367 5940 daemon running with uid=105 gid=109 euid=105 egid=109
11:38:57.368 5940 Listening...

Shouldn't TLS be in the list of Authenticators?

I also could not connect with

swaks -s localhost -tls -q ehlo

Martin

Re: The No Certificate Warning and the Right Way to Stop it
On 15/05/2022 18:03, Martin McCormick via Exim-users wrote:
> Andreas Metzler via Exim-users <exim-users@exim.org> writes:
>> Where is the key?
>
> /etc./exim4/exim.key

      ^

That doesn't look quite right...

What is the output of "exim4 -bP tls_certificate tls_privatekey" ?
--
Cheers,
Jeremy

Re: The No Certificate Warning and the Right Way to Stop it
Jeremy Harris via Exim-users <exim-users@exim.org> writes:
> That doesn't look quite right...
>
> What is the output of "exim4 -bP tls_certificate tls_privatekey" ?
tls_certificate =
tls_privatekey =

That looks like they aren't being read at all, or that I
am confused about the generated files and have failed to generate
the ones I thought I was generating. This would be a perfect
explanation for why the certificate warning takes a licking and
keeps on ticking, to steal an advertising slogan about a watch
from the late 1950s.

In all honesty, I have never dug into exim4 with this
much intensity in all the years I have been using Linux so I
truly appreciate all this feedback. One would think that command
should either print the contents of those variables or some other
indication about them since there is a file for each in
/etc/exim4.
-rw-r----- 1 root Debian-exim 1245 May 8 21:43 exim.crt
-rw-r----- 1 root Debian-exim 1704 May 8 21:41 exim.key

Martin

Re: The No Certificate Warning and the Right Way to Stop it
Jeremy Harris via Exim-users <exim-users@exim.org> writes:
> What is the output of "exim4 -bP tls_certificate tls_privatekey" ?

This is a followup to that question. As I previously reported,
neither of those variables are set even though I went through the
motions of making those files. Since exim4 is not a mail server,
itself, we may have some mechanized confusion at work. The cert
message appears because the loopback instance of exim4 runs on
localhost's address of 127.0.0.1 which is fine as it goes but
here's what I notice.

exim -bP tls_advertise_hosts
tls_advertise_hosts = *

This is always true no matter what I do to any of the settings so
far.

I went as far as going to /etc/exim4/conf.d/main and
modifying the line in /etc/exim4/conf.d/main/03_exim4-config_tlsoptions
from tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
to tls_advertise_hosts =

followed by a dpkg-reconfigure exim4-config.

No need to check much because the cert nag pops up
meaning the new instance of exim4 is up and running.

Trying split and non-split configuration has the same
results with
exim -bP tls_advertise_hosts
tls_advertise_hosts = *

which never changes.

If this was a fully-internet connected host as far as
mail goes, I would be much more worried about the lack of a
certificate but I think that if one runs that type of host, there
may be another module one must install via Debian's apt-get and/or
aptitude installation methods.

Martin

Re: The No Certificate Warning and the Right Way to Stop it
On Mon, 16 May 2022, Martin McCormick via Exim-users wrote:

> Jeremy Harris via Exim-users <exim-users@exim.org> writes:
>> What is the output of "exim4 -bP tls_certificate tls_privatekey" ?
>
> This is a followup to that question. As I previously reported,
> neither of those variables are set even though I went through the
> motions of making those files. Since exim4 is not a mail server,

If your exim is not running as a mail server,
do you want it to listen on any of the SMTP ports at all ?
If not, turning off listening is your solution,
since the No Certificate Warning
only appears if you listen for SMTP with TLS.

> itself, we may have some mechanized confusion at work. The cert
> message appears because the loopback instance of exim4 runs on
> localhost's address of 127.0.0.1 which is fine as it goes but
> here's what I notice.
>
> exim -bP tls_advertise_hosts
> tls_advertise_hosts = *
>
> This is always true no matter what I do to any of the settings so
> far.
>
> I went as far as going to /etc/exim4/conf.d/main and
> modifying the line in /etc/exim4/conf.d/main/03_exim4-config_tlsoptions
> from tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS
> to tls_advertise_hosts =
>
> followed by a dpkg-reconfigure exim4-config.
>
> No need to check much because the cert nag pops up
> meaning the new instance of exim4 is up and running.
>
> Trying split and non-split configuration has the same
> results with
> exim -bP tls_advertise_hosts
> tls_advertise_hosts = *
>
> which never changes.
>
> If this was a fully-internet connected host as far as
> mail goes, I would be much more worried about the lack of a
> certificate but I think that if one runs that type of host, there
> may be another module one must install via Debian's apt-get and/or
> aptitude installation methods.

I think you control that with your answer to the
dpkg-reconfigure exim4-config
question "General type of mail configuration:"
For those not on Debian or Ubuntu, the options are:
internet site; mail is sent and received directly using ...
mail sent by smarthost; received via SMTP or fetchmail
mail sent by smarthost; no local mail
local delivery only; not on a network
no configuration at this time
Which are you using ?

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk
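Pulling the thread's checks together as an added example (this is not code from Andreas, Jeremy or Andrew, and not part of Debian's exim4 package): a POSIX shell script that reads the effective values with `exim -bP`, the command Jeremy suggested, applies Andrew's rule that the warning only matters when TLS is advertised on a listener, and verifies the certificate/key pair the way README.Debian describes (key owned root:Debian-exim, mode 640). When no exim binary is installed it falls back to a constructed sample of the `-bP` output modelled on Martin's replies (`tls_advertise_hosts = *`, `tls_certificate` and `tls_privatekey` empty; the `local_interfaces` value is assumed from his 127.0.0.1 debconf answer). The `tls_state` classification, the `check_files` mode test and the offline fallback in `main` are assumptions made for this example.

```shell
#!/bin/sh
# Added example for this thread (not the list members' code and not part of
# Debian's exim4 package). It answers the question the thread circles:
# will Exim log "No server certificate defined"? Per Andrew's reply that only
# happens when TLS is advertised on a listener; per README.Debian the pair is
# expected at /etc/exim4/exim.crt and /etc/exim4/exim.key with the key mode 640.

# Constructed sample of "exim -bP ..." output, modelled on the values Martin
# reported (local_interfaces assumed from the 127.0.0.1 debconf answer).
SAMPLE_BP='tls_advertise_hosts = *
tls_certificate =
tls_privatekey =
local_interfaces = 127.0.0.1'

# bp_value NAME BPOUTPUT: print NAME's value from -bP output, empty if unset.
bp_value() {
    printf '%s\n' "$2" | sed -n "s/^$1 = *//p"
}

# tls_state BPOUTPUT: classify the TLS listener state.
#   no-tls      tls_advertise_hosts is empty: no cert needed, no warning
#   cert-ok     TLS advertised and both cert and key paths are set
#   selfsigned  TLS advertised with no cert/key: the warning is expected
tls_state() {
    adv=$(bp_value tls_advertise_hosts "$1")
    crt=$(bp_value tls_certificate "$1")
    key=$(bp_value tls_privatekey "$1")
    if [ -z "$adv" ]; then
        echo no-tls
    elif [ -n "$crt" ] && [ -n "$key" ]; then
        echo cert-ok
    else
        echo selfsigned
    fi
}

# check_files CRT KEY: verify both files are readable and the key is not
# world-readable (README.Debian asks for 640). Returns 0 when the pair looks
# usable, 1 with a one-line reason on stdout otherwise.
check_files() {
    [ -r "$1" ] || { echo "missing or unreadable $1"; return 1; }
    [ -r "$2" ] || { echo "missing or unreadable $2"; return 1; }
    # GNU stat first, BSD stat as a fallback (assumption: one of the two exists)
    mode=$(stat -c %a "$2" 2>/dev/null || stat -f %Lp "$2")
    case $mode in
        640|600) return 0 ;;
        *) echo "$2 mode $mode is too open (want 640)"; return 1 ;;
    esac
}

# Entry point: query the running configuration when exim is installed,
# otherwise use the constructed sample so the script also runs offline.
main() {
    if command -v exim4 >/dev/null 2>&1; then
        out=$(exim4 -bP tls_advertise_hosts tls_certificate tls_privatekey local_interfaces 2>/dev/null)
    elif command -v exim >/dev/null 2>&1; then
        out=$(exim -bP tls_advertise_hosts tls_certificate tls_privatekey local_interfaces 2>/dev/null)
    else
        echo "exim not found; using constructed sample output"
        out=$SAMPLE_BP
    fi
    state=$(tls_state "$out")
    echo "listening on: $(bp_value local_interfaces "$out")"
    echo "tls_advertise_hosts: '$(bp_value tls_advertise_hosts "$out")'"
    echo "tls state: $state"
    case $state in
        selfsigned)
            echo "warning expected: TLS is advertised but tls_certificate/tls_privatekey are unset"
            echo "suggested action (from the warning itself): install a certificate or change tls_advertise_hosts" ;;
        cert-ok)
            check_files "$(bp_value tls_certificate "$out")" "$(bp_value tls_privatekey "$out")" \
                && echo "certificate and key files look usable" ;;
    esac
    return 0
}

main "$@"
```

Run it as root (or as Debian-exim, so the key is readable). A `selfsigned` result corresponds to exactly the state Martin's `-bP` output shows, and `no-tls` is what an empty `tls_advertise_hosts` would report. The debug run Martin posted shows the daemon reading `/var/lib/exim4/config.autogenerated`, so the value `-bP` reports from that generated file is the one that matters, not what the template or `localmacros` says.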

Re: The No Certificate Warning and the Right Way to Stop it
Andrew C Aitchison via Exim-users <exim-users@exim.org> writes:
> I think you control that with your answer to the
> dpkg-reconfigure exim4-config
> question "General type of mail configuration:"

> Which are you using ?

mail sent by smarthost; received via SMTP or fetchmail

As for listening:

Package configuration

Please enter a semicolon-separated list of IP addresses. The Exim SMTP
listener daemon will listen on all IP addresses listed here.
An empty value will cause Exim to listen for connections on all
available network interfaces.
If this system only receives mail directly from local services (and not
from other hosts), it is suggested to prohibit external connections to
the local Exim daemon. Such services include e-mail programs (MUAs)
which talk to localhost only as well as fetchmail. External connections
are impossible when 127.0.0.1 is entered here, as this will disable
listening on public network interfaces.
IP-addresses to listen on for incoming SMTP connections:
127.0.0.1

That has been the setup since 2015 when I began using the
ISP's mailer.

Martin
