After a little tinkering I was able to get my SMTP-AUTH-TLS completely
working. Once I got exim rebuilt with TLS support I had the problem of
testing it. Turns out that evolution can't do TLS the way exim handles
it. Exim does the TLS by spawning the daemon on port 25, then asking
the client on connect if it can speak TLS. If so, STARTTLS happens and
then AUTH over that, as well as the data channel transactions.

So what I ended up doing was running stunnel on port 465 to spawn an
exim process inetd style, like so:

 stunnel -d 465 -l /usr/sbin/exim -p /etc/ssl/certs/exim.pem -- exim -bs -C /etc/exim/configure2

To test this I used netcat-ssl (available from sourceforge) and a perl
script to convert my username and passwd to base64, which is what the
AUTH PLAIN mechanism understands.
#----snip bit of perl
#!/usr/bin/perl -w
use strict;
use MIME::Base64;
# Turn each literal "\0" in the argument into a NUL byte, giving the SASL PLAIN
# form authzid NUL authcid NUL password, then base64 it (encode_base64 adds "\n").
# A substitution instead of eval'ing the argument, so a password containing
# "$", "@" or quotes is neither interpolated nor executed as Perl.
my $s = $ARGV[0]; $s =~ s/\\0/\x00/g;
print encode_base64($s);
#----- end perl bit

Call it like so:
encode.pl '\0username\0password' # note the single quotes and the \0; this
is important.
This will barf out a base64 version of your username and passwd.

Then you can test your SSL connection via your stunnel on your mail
server from your local machine like this:
#------snip SMTP SESSION
(blutgens at minime)(pts)(05:36pm:12/09/01)
(~)> nssl mail.sistina.com 465
220 hermes.sistina.com ESMTP Exim 3.32 #7 Sun, 09 Dec 2001 17:35:16 -0600
EHLO mail.mn-linux.org
250-hermes.sistina.com Hello localhost [127.0.0.1]
250-SIZE
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
AUTH PLAIN AGJsdXRnZW5zAHBhc3N3b3Jk
235 Authentication succeeded
MAIL FROM: blutgens at sistina.com
250 <blutgens at sistina.com> is syntactically correct
RCPT To: blutgens at mediaone.net
250 <blutgens at mediaone.net> is syntactically correct
DATA
354 Enter message, ending with "." on a line by itself
I am a mail, ph33r me
.
250 OK id=16DDWL-0000lx-00
#--- end SMTP session

I wasn't able to find telnet-ssl as easily as I did netcat-ssl, so that's
what I went with.

So now my Windows users, and Linux users who use mozilla|netscape mail,
can relay via SMTP-AUTH over TLS on port 25, and the braindead SMTP
clients can use port 465. I also noticed that now that my server is
advertising it speaks TLS, other servers like sprite.real-time.com
exchange mail with my server over TLS too. Which is nice.

Anyway, just thought someone might find this useful.
--
Ben Lutgens		
System Administrator
Sistina Software Inc.	

"If you love someone, set them free. If they come home, set them on
fire."
	- George Carlin
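As an added example (not code from the original post, and not part of exim or stunnel): the SASL PLAIN encoding the perl one-liner above produces, a parser for the EHLO capability list shown in the session, and a Python client that performs the same AUTH PLAIN exchange over TLS on 465 (or after STARTTLS on 25) with server certificate verification, which the netcat-ssl test does not do. The EHLO reply lines embedded as sample input are copied from the session above; the host, CA file path, addresses and credentials in the usage are placeholders, not values from the post.

```python
"""SMTP AUTH PLAIN over TLS: credential encoding, EHLO parsing, and a
submission client for both the implicit-TLS (465) and STARTTLS (25) paths.

Added example, not code from the original post. Host names, CA path,
addresses and credentials used when running it are placeholders.
"""
import base64
import smtplib
import ssl

# EHLO reply copied from the session in the post (sample input for parse_ehlo).
POSTED_EHLO_REPLY = (
    "250-hermes.sistina.com Hello localhost [127.0.0.1]\n"
    "250-SIZE\n"
    "250-PIPELINING\n"
    "250-AUTH PLAIN LOGIN\n"
    "250-STARTTLS\n"
    "250 HELP\n"
)


def sasl_plain(authcid: str, password: str, authzid: str = "") -> str:
    """Base64 SASL PLAIN token: authzid NUL authcid NUL password (RFC 4616).

    The leading NUL, which the post's '\\0username\\0password' argument
    supplies, is an empty authzid; leave it out and the server reads the
    username as the authzid and the password as the username.
    """
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(token: str) -> tuple[str, str, str]:
    """Inverse of sasl_plain: what the server (or anyone on the wire) sees."""
    parts = base64.b64decode(token).split(b"\0")
    if len(parts) != 3:
        raise ValueError("SASL PLAIN token must contain exactly two NULs")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    return authzid, authcid, password


def parse_ehlo(reply: str) -> dict[str, list[str]]:
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [params]}.

    The first line is the greeting (hostname plus free text) and carries no
    keyword; '250-' marks a continuation line and '250 ' the last one.
    """
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    caps: dict[str, list[str]] = {}
    for line in lines[1:]:
        if not (line.startswith("250-") or line.startswith("250 ")):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        words = line[4:].split()
        if words:
            caps[words[0].upper()] = words[1:]
    return caps


def plain_is_safe(caps: dict[str, list[str]], transport_encrypted: bool) -> bool:
    """AUTH PLAIN is base64, not encryption: only use it once the socket is
    TLS (port 465) or STARTTLS has completed, and only if the server
    advertised the mechanism in its EHLO reply."""
    mechs = [m.upper() for m in caps.get("AUTH", [])]
    return transport_encrypted and "PLAIN" in mechs


def submit(host, port, user, password, sender, rcpt, body, cafile=None):
    """Authenticate with AUTH PLAIN over TLS and send one message.

    port 465: TLS from the first byte (the stunnel front end in the post).
    any other port: plain connect, then STARTTLS before any AUTH.
    The server certificate is verified against cafile (or the system CA
    store when cafile is None). Returns the AUTH reply as (code, message).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    conn = smtplib.SMTP_SSL(host, port, context=ctx) if port == 465 \
        else smtplib.SMTP(host, port)
    with conn as s:
        s.ehlo()
        if port != 465:
            if not s.has_extn("starttls"):
                raise RuntimeError("no STARTTLS offered; not sending credentials")
            s.starttls(context=ctx)
            s.ehlo()  # capabilities may differ once the channel is encrypted
        # smtplib lowercases feature names; rebuild the shape parse_ehlo returns
        caps = {k.upper(): v.split() for k, v in s.esmtp_features.items()}
        if not plain_is_safe(caps, transport_encrypted=True):
            raise RuntimeError("AUTH PLAIN not offered over the TLS channel")
        code, msg = s.docmd("AUTH", "PLAIN " + sasl_plain(user, password))
        if code != 235:
            raise RuntimeError(f"authentication failed: {code} {msg!r}")
        s.sendmail(sender, [rcpt], body)
    return code, msg.decode("ascii", "replace")


if __name__ == "__main__":
    import sys
    # Same job as the post's encode.pl: python3 thisfile.py USER PASSWORD
    print(sasl_plain(sys.argv[1], sys.argv[2]))
```

Run the file with a username and password to get the token for a manual AUTH PLAIN line, or call submit("mail.example.com", 465, "user", "secret", "user@example.com", "rcpt@example.org", "Subject: test\r\n\r\nhello\r\n", cafile="/path/to/ca.pem") (placeholder values) to drive the whole exchange; a server that drops the AUTH line onto an unencrypted channel is refused before any credential leaves the client.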