<?xml version="1.0" encoding="utf-8" ?>
<?xml-stylesheet href="/templates/default/atom.css" type="text/css" ?>

<feed 
   xmlns="http://www.w3.org/2005/Atom"
   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
   xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:admin="http://webns.net/mvcb/"
   xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
   xmlns:wfw="http://wellformedweb.org/CommentAPI/">
    
    <link href="http://freebsd.munk.me.uk/feeds/atom.xml" rel="self" title="freebsd.munk.me.uk" type="application/atom+xml" />
    <link href="http://freebsd.munk.me.uk/"                        rel="alternate"    title="freebsd.munk.me.uk" type="text/html" />
    <link href="http://freebsd.munk.me.uk/rss.php?version=2.0"     rel="alternate"    title="freebsd.munk.me.uk" type="application/rss+xml" />
    <title type="html">freebsd.munk.me.uk</title>
    <subtitle type="html">FreeBSD System Administration</subtitle>
    <icon>http://freebsd.munk.me.uk/templates/default/img/s9y_banner_small.png</icon>
    <id>http://freebsd.munk.me.uk/</id>
    <updated>2011-11-11T19:59:28Z</updated>
    <generator uri="http://www.s9y.org/" version="1.6">Serendipity 1.6 - http://www.s9y.org/</generator>
    <dc:language>en</dc:language>

    <entry>
        <link href="http://freebsd.munk.me.uk/archives/227-Exim-TLS-Configuration-On-FreeBSD.html" rel="alternate" title="Exim TLS Configuration On FreeBSD" />
        <author>
            <name>munk</name>
                    </author>
    
        <published>2011-11-11T19:32:42Z</published>
        <updated>2011-11-11T19:59:28Z</updated>
        <wfw:comment>http://freebsd.munk.me.uk/wfwcomment.php?cid=227</wfw:comment>
    
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://freebsd.munk.me.uk/rss.php?version=atom1.0&amp;type=comments&amp;cid=227</wfw:commentRss>
    
            <category scheme="http://freebsd.munk.me.uk/categories/7-Email" label="Email" term="Email" />
            <category scheme="http://freebsd.munk.me.uk/categories/14-Security" label="Security" term="Security" />
    
        <id>http://freebsd.munk.me.uk/archives/227-guid.html</id>
        <title type="html">Exim TLS Configuration On FreeBSD</title>
        <content type="xhtml" xml:base="http://freebsd.munk.me.uk/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                Configured Exim to work with Transport Layer Security (TLS) a few days ago.  Really I should have done this at the time I <a href="http://freebsd.munk.me.uk/archives/212-Installing-Exim,-SASLAuthd,-ClamAV-and-SpamAssassin-on-FreeBSD-6.2.html">set up Exim, SASLauthd, ClamAV and SpamAssassin</a> but hey ho.  Instead I've endured years of bots trying to brute force passwords via SMTP (for which I ended up using various means to block them by detecting hits in the logfiles, another entry completely!).<br />
<br />
Anyway yes finally got around to it so this is how I did it (this should work out of the box on a fresh installation of Exim on FreeBSD):<br />
<br />
<strong>Create A Self Certified SSL Certificate</strong><br />
First of all I created a self-signed SSL certificate using this command:<br />
<div class="bb-code-title">CODE:</div><div class="bb-code">openssl req -x509 -newkey rsa:1024 -keyout /etc/mail/exim.crt -out /etc/mail/exim.crt -days 9999 -nodes</div><br />
After issuing that command you're prompted for a few details like company details, organizational role, etc., no big deal.  Really, if you're running a 'proper' email server (i.e. one used by a lot of people) then you need to get your certificate signed properly by a Certificate Authority (CA): with a self certified certificate you will be prompted, when you go to log in to the server, with a warning that the certificate is not valid.  But since there's only me using the server nowadays it doesn't really matter and I can just add an exception into my email client to allow the certificate even though it's not valid.<br />
<br />
<strong>Modify Exim Configuration</strong><br />
Next go on to modify the exim config so it uses TLS.  With each of the following items of config you probably want to check to see if they're already in the default config but commented out; I know most of it is in there:<br />
<br />
<div class="bb-code-title">CODE:</div><div class="bb-code">tls_advertise_hosts = *<br />
tls_certificate = /etc/mail/exim.crt<br />
tls_privatekey = /etc/mail/exim.crt<br />
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}</div><br />
<br />
I think the last setting 'auth_advertise_hosts' is probably not in by default - that option basically says 'only advertise authentication if a connection is using TLS'.  I must admit I don't fully understand the mechanics of it all but as I understand it, it's this that is key to cutting down on brute force attacks, because brute force attackers generally just blindly use the basic AUTH commands via SMTP and don't ever bother trying to use TLS.<br />
<br />
With that added to the configuration file it's just left to restart the exim server and you should be good to go.<br />
<br />
<strong>Notes</strong><br />
When you log in via telnet now to test it out you should see that AUTH isn't available unless you've already started a TLS session (which you have to do with the STARTTLS command).  You won't be able to test the authentication out after issuing STARTTLS via telnet because the conversation has to be encrypted after that point.  I think I read somewhere you can use openssl to test it out, though I didn't try.<br />
<br />
Another thing to watch out for, briefly mentioned above, is that you must set up your email client to allow the invalid/self certified certificate that the server uses.  If you don't do that then you won't be able to send email using authentication via the server.  The first time you try to send an email using auth via the server from your email client, it should pop up a dialog box that allows you to accept the cert even though it's invalid. 
            </div>
        </content>
        
    </entry>

</feed>
