After a week of installing and configuring my first Linux (mail)server (Debian 9, Exim 4, Dovecot) the TLS encrypted communication with my client works. Sending, receiving and DKIM signing also work.
Except for this problem I find in my logs when sending mails:
2017-07-22 20:56:08 1dYzZQ-0005fx-6J H=verifier.port25.com [38.95.177.125] TLS error on connection (cert/key setup: cert=REMOTE_SMTP_/etc/exim4/exim.crt key=REMOTE_SMTP_/etc/exim4/exim.crt): Error while reading file.
2017-07-22 20:56:08 1dYzZQ-0005fx-6J TLS session failure: delivering unencrypted to verifier.port25.com [38.95.177.125] (not in hosts_require_tls)
The REMOTE_SMTP_ part doesn't seem to belong there. Also key should point to a .key file I guess.
03_exim4-config_tlsoptions seems to be fine.
Editing 30_exim4-config_remote_smtp may solve the first issue ("REMOTE_SMTP_"), but it should be working anyway:
.ifdef REMOTE_SMTP_TLS_CERTIFICATE
tls_certificate = REMOTE_SMTP_TLS_CERTIFICATE
.endif
.ifdef REMOTE_SMTP_PRIVATEKEY
tls_privatekey = REMOTE_SMTP_PRIVATEKEY
.endif
Where does the error come from and how to solve it?
Any advice or explanation would be highly appreciated.
Additional research, didn't find anything:
Full path to key and certificate hasn't been used in a wrong way by me:
root@example:/etc/exim4# grep -r exim4/exim /etc/exim4/
/etc/exim4/exim4.conf.template:# /etc/exim4/exim4.conf.template is only used with the non-split
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:MAIN_TLS_CERTIFICATE = /etc/exim4/exim.crt
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:MAIN_TLS_PRIVATEKEY = /etc/exim4/exim.key
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:MAIN_TLS_CERTIFICATE = /etc/exim4/exim.crt
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:MAIN_TLS_PRIVATEKEY = /etc/exim4/exim.key
/etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs:# /etc/exim4/exim4.conf.template is only used with the non-split
Exim may default to CONFDIR/exim.crt
root@example:~# grep -r exim.crt /etc/exim4/
/etc/exim4/exim4.conf.template:# CONFDIR/exim.crt if unset
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:MAIN_TLS_CERTIFICATE = /etc/exim4/exim.crt
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:# CONFDIR/exim.crt if unset
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:MAIN_TLS_CERTIFICATE = /etc/exim4/exim.crt
and CONFDIR/exim.key of course
root@example:~# grep -r CONFDIR/exim /etc/exim4/
/etc/exim4/exim4.conf.template:# CONFDIR/exim.crt if unset
/etc/exim4/exim4.conf.template:# CONFDIR/exim.key if unset
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:# CONFDIR/exim.crt if unset
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:# CONFDIR/exim.key if unset
CONFDIR is here
/etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs:CONFDIR = /etc/exim4
So much for the first issue. Regarding the second issue (use of .crt instead of .key) I can't find a misuse of MAIN_TLS_CERTIFICATE
root@example:~# grep -r MAIN_TLS_CERTIFICATE /etc/exim4/
/etc/exim4/exim4.conf.template:# MAIN_TLS_CERTIFICATE - path to certificate file,
/etc/exim4/exim4.conf.template:.ifndef MAIN_TLS_CERTIFICATE
/etc/exim4/exim4.conf.template:MAIN_TLS_CERTIFICATE = /etc/letsencrypt/live/example.com/cert.pem
/etc/exim4/exim4.conf.template:tls_certificate = MAIN_TLS_CERTIFICATE
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:MAIN_TLS_CERTIFICATE = /etc/exim4/exim.crt
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:TLS_CERTIFICATE = MAIN_TLS_CERTIFICATE
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:# MAIN_TLS_CERTIFICATE - path to certificate file,
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:.ifndef MAIN_TLS_CERTIFICATE
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:MAIN_TLS_CERTIFICATE = /etc/exim4/exim.crt
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:tls_certificate = MAIN_TLS_CERTIFICATE
Same for tls_certificate.
tls_certificate = MAIN_TLS_CERTKEY looks a bit off, but is the default value in a new installation.
root@example:~# grep -r tls_certificate /etc/exim4/
/etc/exim4/exim4.conf.template:MAIN_LOG_SELECTOR = +smtp_protocol_error +smtp_syntax_error +tls_certificate_verified +tls_peerdn
/etc/exim4/exim4.conf.template:tls_certificate = MAIN_TLS_CERTKEY
/etc/exim4/exim4.conf.template:tls_certificate = MAIN_TLS_CERTIFICATE
/etc/exim4/exim4.conf.template:tls_certificate = REMOTE_SMTP_TLS_CERTIFICATE
/etc/exim4/exim4.conf.template:tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:tls_certificate = MAIN_TLS_CERTKEY
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions:tls_certificate = MAIN_TLS_CERTIFICATE
/etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs:MAIN_LOG_SELECTOR = +smtp_protocol_error +smtp_syntax_error +tls_certificate_verified +tls_peerdn
/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp:tls_certificate = REMOTE_SMTP_TLS_CERTIFICATE
/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost:tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
Search for REMOTE_SMTP_TLS_CERTIFICATE
root@example:/var/log/exim4# grep -r REMOTE_SMTP_TLS_CERTIFICATE /etc/exim4/
/etc/exim4/exim4.conf.template:.ifdef REMOTE_SMTP_TLS_CERTIFICATE
/etc/exim4/exim4.conf.template:tls_certificate = REMOTE_SMTP_TLS_CERTIFICATE
/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp:.ifdef REMOTE_SMTP_TLS_CERTIFICATE
/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp:tls_certificate = REMOTE_SMTP_TLS_CERTIFICATE
Updated permissions
root@example:/etc/exim4# ls -l exim.crt exim.key
-rw-r----- 1 root Debian-exim 1066 Jul 21 2017 exim.crt
-rw-r----- 1 root Debian-exim 1708 Jul 21 2017 exim.key
