exim4 with ssmtp on Debian : technovelty

Update: You need to be careful if you are updating to the latest Debian Exim (~4.67), since the Debian config file format has changed slightly. I'm pretty sure this whole thing could be easier, so I have filed #430057. Instructions below updated slightly.

Sending secure mail seems to have two possible implementations; firstly you can connect over an insecure channel and issue a command (STARTTLS) which tells the SMTP server to start a secure channel. The other option is where you use a secure channel to start with. Usually this happens with an SSL (TLS) connection on port 465 which you then probably have to authenticate over.

Exim doesn't support this second model, seemingly by design. Which is a little annoying if that's all your ISP offers! You may like this on your laptop, since by authenticating you should be able to send email from anywhere through the ISP mail server.

What you need is a wrapper that provides the SSL connection between your computer and the ISP. Then you have to fool exim into using it, and direct it to send passwords unencrypted (though the underlying channel is safely encrypted).

Firstly, install stunnel; I found stunnel4 didn't work that well. Then create a script to start it and make a tunnel to your ISP. Put the following a file /etc/init.d/ssmtp-tunnel (change to your ISP's secure email server) and then run update-rc.d ssmtp-tunnel defaults (and start it with /etc/init.d/ssmtp-tunnel start).

#! /bin/sh -e

case "$1" in
  start)
    echo -n "Starting ssmtp tunnel "
    start-stop-daemon --start --quiet --exec /usr/sbin/stunnel -- -c -d ssmtp -r securemail.internode.on.net:ssmtp
    echo "stunnel."
    ;;
  stop)
    echo -n "Stopping ssmtp tunnel "
    start-stop-daemon --stop --quiet --oknodo --retry 2 --exec /usr/sbin/stunnel
    echo "stunnel."
    ;;
  restart)
    $0 stop
    sleep 1
    $0 start
    ;;
  *)
    echo "Usage: /etc/init.d/ssmtp-tunnel {start|stop|restart|reload|force-reload}"
    exit 1
esac

exit 0

If you telnet localhost 465 and see a normal SMTP connection, which is running over SSL, you have things working correctly.

Now you need to configure exim to use this to firstly authenticate, then send the email onto the smarthost.

Make sure you're using the big config file option with dpkg-reconfigure exim4-config. When it asks you what the smarthost should be, tell it localhost.

Firstly create the file /etc/exim4/exim4.conf.localmacros (if it doesn't already exist) and add a line AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS = true. This forces using authentication even though it looks like an unencrypted channel.
Then in /etc/exim4/exim4.conf.template, under the smarthost router (i.e. the line that starts smarthost:) add self = send. This allows what exim thinks is a router to an external MTA to actually go back to the localhost.
In the same file change the remote_smtp_smarthost (i.e the line that starts remote_smtp_smarthost:) transport to have:
- hosts_avoid_tls = localhost
- hosts_require_auth = localhost
- port = 465
(all on separate lines).
Add a line to /etc/exim4/passwd.client for localhost with your ISP username/password (or just use * if this is the only entry).

Finally, update the config file with update-exim4.conf and restart exim /etc/init.d/exim4 restart. All going well, Exim will now get the mail out wherever you are!

posted at: Fri, 22 Jun 2007 12:50 | in /linux/tips | permalink | add comment (13 others)

Posted by Arnout at Tue Aug 22 02:50:00 2006

Initially this setup didn't work for me. I had to change localhost to localhost.localdomain in /etc/exim4/passwd.client

Posted by Bernhard Marx at Thu Oct 19 10:19:31 2006

Very good tip. Now I can send mail through my university's VPN.

Interestingly exim4 was very picky on where it accepted the statement AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS = true

It did not work towards the end of the file around the AUTHENTICATION CONFIGURATION section, now matter where I put it. It finally worked when I put it at the very beginning as the first statement in the file /etc/exim4/exim4.conf.template.

Posted by Frank at Wed Apr 18 11:19:04 2007

I love you! Just this evening, email just stopped working for me on two accounts (I started wondering what on earth is happening with email this evening):

* smtp.gmail.com just stopped working, apparently they have gone completely over to SSL, which my Thunderbird was not set up to use. I finally figured it out and my personal client works again on my laptop. Great, more security and easy fix.

* My ISPs smtp-server also stopped working properly, which is routing email for a volunteer organisation I am assisting with my IT knowledge. Strange coincidence. ISP smtp seems completely borked now though, so I figured I need to set up gmail on this server too. Trouble is, it is running Ubuntu and Exim4. I am not to change to postfix, or other solutions with mailman and a dozen other stuff already set up and relying on god knows what I have set up in the last 3 years, so what to do?

Then after 3-4 hours I finally found your gem! Everyone else was crying out that Exim4 does not support SSL and yadda yadda. This is brilliant, a decent solution and not much hassle. Maybe I could have figured it out, but MTAs are complex beasts and no way I can do all this by myself. Exim4 config is enough to send you screaming by itself..

Last coincidence: The Captcha I have to enter now is "like". So, I like you. This is great stuff that really helped me out! So easy with this recipe and exactly what I needed. Finally, some sleep ;-) You saved my night!

Have a nice day!

Posted by E at Wed May 16 09:19:43 2007

I'm sorry to rain on the preceding parade of good feelings, but I found this to be so poorly written at the end that I was unable to finish and now my exim config is completely messed up!The last two bullet points in particular depart so far from what was previously written that I found myself unable to make sense of what you were trying to say.

Posted by Tim Hardy at Sat Nov 24 13:29:21 2007

Ian, many, many thanks for these clear instructions. I had been tearing my hair out for several hours trying to get this to work and your post has solved the problem for me. Thanks for sharing! :)

Posted by bob at Sat Feb 2 11:12:33 2008

After following the instructions and double checking, I still cannot send mail to my att.net smtp server. I'm connecting to att DSL from a debian decktop. The error is:
2008-02-01 18:10:43 1JL5xz-0002Xu-Pw <= XXX@YYY.gateway.2wire.net U=XXX P=local S=348
2008-02-01 18:10:44 1JL5xz-0002Xu-Pw == vmsbob@yahoo.com R=smarthost defer (-36): host lookup for ssmtp.att.yahoo.com did not complete (DNS timeout?)

Posted by bob at Sat Feb 2 14:02:57 2008

Posted by bob at Sun Feb 3 10:38:41 2008

Posted by Dan at Thu Mar 6 16:06:02 2008

This is an extremely useful tutorial, I just wish I could get it to work. I'm using Kubuntu rather than Debian but I don't think that should be an issue. The problem I'm having is with persuading Exim to not use authentication:

Connecting to localhost [127.0.0.1]:465 ... connected
SMTP<< 220 mx.google.com ESMTP n22sm3445491pof.1
SMTP>> EHLO localhost
SMTP<< 250-mx.google.com at your service, [202.1.164.242]
250-SIZE 28311552
250-8BITMIME
250-AUTH LOGIN PLAIN
250 ENHANCEDSTATUSCODES
SMTP>> QUIT
LOG: MAIN
== [email-address] R=smarthost T=remote_smtp_smarthost defer (-42): authentication required but authentication attempt(s) failed
LOG: queue_run MAIN

I've tried adding AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS = true to /etc/exim4/exim4.conf.localmacros and updating the config but it seems to have had no effect. Taking note of Bernhard Marx's comments I've also tried it at the very beginning of exim4.conf.template, but that's no different. If I put it in both of these places, then I get:

2008-03-06 15:47:59 Exim configuration error:
macro "AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS" is already defined (use "==" if you want to redefine it
Invalid new configfile /var/lib/exim4/config.autogenerated.tmp, not installing
/var/lib/exim4/config.autogenerated.tmp to /var/lib/exim4/config.autogenerated

which leads me to believe that it is being read, it's just being ignored/overridden for some reason. If anyone has any thoughts on this then I'd love to hear them.

Posted by Dan at Thu Mar 6 16:13:13 2008

Argh, I'm such an idiot. That isn't the problem, I just hadn't set up my /etc/exim4/passwd.client properly. ::Beats self over head with trout::

Posted by paypalhandbag at Fri Dec 4 02:51:45 2009

we are professional sell Handbags and wallet,the brand like LV,chanel,Gucci,Dior,etc.
our company website have each products prices,each products is top quality.
We have the following advantages:
1.Top quality and guaranteethe return problem goods. we only sell handbags and just offer top AAAAA quality!also we can guaranteethe products qualtiy,if have any quality problem then you can return the goods or money!
2.Free door to door ship goods.each products is free ship by EMS to you.when you made payment then will send out the goods without 24hours!!
3.feat prices. We can give you the feat price is 50% of market prices.
4.accept paypal payment.we also can accept western union payment and will down 5% total prices for use western union.
5.after service.if you have any problem about the goods or want need othe products we will glad serve for you!
Please visit our website and obtain more information!I believe you will find your need the products.
Thanks and best regards!
website:www.paypalhandbag.com
Mail:tophandbags@msn.com

Posted by Franky at Sun May 9 15:41:56 2010

Excellent tips! Works with Debian Lenny on my NSLU2 with Exim4 4.69. I had problem connecting to smtp.gmail.com:465 (connection time-out), and don't know how to make Exim4 use SSL. This work-around worked the first time I restarted Exim4. Thanks a lot.

Posted by Franky at Sun May 9 15:49:57 2010

Add a comment
*Name
*Email (not shown)
Website
*Comment:
Anti-spam:

	* denotes required field

technovelty

weblog of Ian Wienand

Categories

Archives

Feedback

exim4 with ssmtp on Debian