
Been using Exim a long time. Never set up TLS before, however.

I think I have it configured, but need to test that it can SEND OUTBOUND only email using TLS to a mail server. The server does not receive inbound email.

As a test, as a mail server (not a client), how do I deliver email to gmail via a TLS connection so that messages bound to user@gmail.com are authenticated as a server, not as a user?

I have defined a router like:

# Router: hand every gmail.com recipient to the transport below
GMAIL_ROUTER:
  driver = manualroute
  domains = gmail.com
  transport = TLS_SMTP
  # route_list uses host::port syntax
  route_list = * smtp.gmail.com::587
  no_more

And a transport like:

# Transport: refuse to deliver unless the remote host offers STARTTLS
TLS_SMTP:
  driver = smtp
  hosts_require_tls = *

But when it connects, I get:

2016-04-05 09:52:28 1anU0O-0004S4-Op ** useraccount@gmail.com R=GMAIL_ROUTER T=TLS_SMTP: SMTP error from remote mail server after MAIL FROM:<root@mydomain.com> SIZE=1349: host gmail-smtp-msa.l.google.com [74.125.28.109]: 530-5.5.1 Authentication Required. Learn more at\n530 5.5.1  https://support.google.com/mail/answer/14257 w62sm48080410pfa.79 - gsmtp

The error seems to suggest that I need to authenticate as a user, but this is a mail server, just trying to deliver email to a gmail.com user.

Is there a configuration to allow the mail server to authenticate using TLS without a client account?

Main goal is that we will be smart hosting all email to O365 soon, but that is not set up yet for me to test.

KrelvinAZ
  • I was able to successfully test this. As BillThor mentioned, I was attempting to connect on port 587. It worked when I used port 25 instead. I also successfully tested with O365 where they setup a connector to allow us to forward any message to them for delivery. – KrelvinAZ Apr 07 '16 at 20:50
  • GMail offers multiple MXs with different behaviors—aspmx.l.google.com:25 which will allow dynamic IPs and will deliver only to GMail users, but does not require authentication; smtp.gmail.com:587 (or 465) which requires TLS/SSL and also allows dynamic IPs, but requires authentication; and finally smtp-relay.gmail.com on 25, 465, and 587 which doesn't seem to enforce TLS/SSL but requires either a static IP or authentication. See https://support.google.com/a/answer/176600 . – Andrew Siplas Mar 03 '19 at 18:08

1 Answer


Exim will use TLS for outgoing connections if it is available and you haven't disabled it. You don't need to configure certificates for outgoing connections. This works on port 25 as well as 587. You can configure hosts that you want to avoid TLS with. TLS on incoming traffic requires a certificate and some setup.

You are connecting on the Submission port (587) which is intended for client connections and usually requires authentication. It does allow use of the server as a relay (after authentication).

You likely won't run into this issue if you connect on the SMTP port (25). However, connecting on the SMTP port will result in other anti-spam issues, and you won't be able to use gmail as a relay.

You can configure a userid and password in Exim. There are two password files, one for incoming connections, and a separate one for outgoing connections. You will need a valid gmail account, and may have your outgoing traffic throttled. Configure the account in the passwd.client file for outgoing traffic. This is normally processed by the remote_smtp_smarthost transport. You will need to add the authentication portion to your transport, although it may be simpler just to use the normal smarthost configuration.

BillThor
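The two delivery paths the answer describes, written out as an Exim configuration. This is an added example, not configuration from the question, the answer, or the Exim project's stock file. It assumes an Exim 4.8x build with TLS support, the stock `local_domains` domainlist, a credentials file at /etc/exim/passwd.client (assumed path) with lines of the form `host:username:password`, and the router, transport and authenticator names used below are chosen for the example.

```exim
# Added example, not from the original post.
# Assumes /etc/exim/passwd.client (assumed path) holds one line per relay host,
# keyed on the host name Exim connects to, e.g. (constructed sample line):
#   smtp.gmail.com:relayaccount@gmail.com:app-password-goes-here
# Keep that file readable only by the Exim user.

begin routers

# Option B (the answer's authenticated route): send gmail.com mail to the
# submission service on 587 and log in with a client account. Routers run in
# order, so this one must come before the generic MX router.
GMAIL_SUBMISSION:
  driver = manualroute
  domains = gmail.com
  transport = TLS_SUBMISSION
  route_list = * smtp.gmail.com::587
  no_more

# Option A (what the asker confirmed works): deliver to the MX on port 25 as a
# peer server, but never fall back to cleartext.
mx_tls:
  driver = dnslookup
  domains = ! +local_domains
  transport = TLS_MX_SMTP
  no_more

begin transports

TLS_MX_SMTP:
  driver = smtp
  # Defer/fail instead of sending in clear if STARTTLS is not offered.
  hosts_require_tls = *
  # Verify the peer certificate against the system CA store; on older builds
  # point tls_verify_certificates at a CA bundle file instead.
  tls_verify_certificates = system
  tls_verify_hosts = *

TLS_SUBMISSION:
  driver = smtp
  port = 587
  hosts_require_tls = *
  tls_verify_certificates = system
  tls_verify_hosts = *
  # Without this Exim issues MAIL FROM unauthenticated and the MSA answers
  # with the 530 5.5.1 seen in the question.
  hosts_require_auth = *

begin authenticators

# Client-side SASL PLAIN: the wire format is NUL user NUL password, and Exim
# turns each ^ in client_send into a NUL after expansion.
gmail_plain:
  driver = plaintext
  public_name = PLAIN
  # Offer credentials only after TLS is established, so they never cross the
  # network in clear even if hosts_require_tls were later relaxed.
  client_condition = ${if def:tls_out_cipher}
  # lsearch keys on the part before the first colon ($host), leaving
  # "username:password" as the value; a missing entry forces the expansion
  # to fail and Exim abandons authentication for that host.
  client_send = ^${extract{1}{:}{${lookup{$host}lsearch{/etc/exim/passwd.client}{$value}fail}}}\
                ^${extract{2}{:}{${lookup{$host}lsearch{/etc/exim/passwd.client}{$value}fail}}}
```

After loading the configuration, `exim -bt user@gmail.com` shows which router and transport a gmail.com address will take, and `exim -bV` confirms the build has TLS support. The same transport-plus-authenticator shape carries over to an O365 smarthost: change the route_list host and the passwd.client key, and the authenticator picks up the matching credentials by `$host`.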