Encryption, Authentication and other SMTP Processing
Exim can use encryption and authenticated connections, and you can also use Access Control Lists (ACLs). I have only just touched the surface of this subject, so you might want to check out the full documentation at the official Exim web site.
RFC 3207 defines how SMTP connections can use encryption between two hosts: once a connection is established, the client issues a STARTTLS command. If the server accepts this request, the two hosts negotiate an encryption mechanism to be used for all subsequent data transfers. Exim uses the TLS protocol, implemented by making use of the OpenSSL or GnuTLS library, so one of these must be installed. When using encryption you should have a good idea what public keys, private keys and certificates are; if not, I suggest you have a look on the web.
Once you have built Exim with TLS support included, you need to configure the following options in order to use TLS:
tls options |
  tls_advertise_hosts = *                      ## advertise STARTTLS to all hosts
  tls_certificate = /etc/secure/exim/certs     ## server certificate file
  tls_privatekey = /etc/secure/exim/privkey    ## server private key file
|
Once the above have been set, the server will work as an encrypting server. You can request client certificates by using the two options below.
request client certs |
  tls_verify_hosts = <host list>    ## if the client matches and has no cert, abort the TLS connection
  Note: both of the above are host lists
|
When a client does connect successfully you can use the variable $tls_cipher to name the cipher used during the connection; it is included in the Received: header line. The distinguished name in the client's certificate is available via the variable $tls_peerdn; this is not logged in any header lines by default.
You have a number of options if you wish to configure Exim to use TLS as a client:
client TLS options |
  hosts_avoid_tls = <host list>           ## do not use TLS on these SMTP servers
  tls_verify_certificates = <file name>   ## check the server's cert against these CA certificates
|
Exim uses ACLs to control which incoming messages it accepts, both for relaying and for local delivery. One way of controlling relaying is by checking the sending host. When a server that supports authentication is sent an EHLO command, it advertises a number of authentication mechanisms. When the client wants to authenticate it sends the SMTP command AUTH LOGIN (LOGIN is one of many authentication methods; others include CRAM-MD5 and PLAIN). ACLs are implemented to control what a client can and cannot do.
There are a number of authentication mechanisms; I list the common ones here:
PLAIN | described in RFC 2595, it requires three concatenated data strings separated by binary zero (NUL). The second and third strings are a username/password pair; the first string is not needed and is empty. It is efficient in that it requires only a single command and response. |
LOGIN | not described by any RFC but used by Pine and Outlook; it is again based on a username/password pair, but each is prompted for separately. It is less efficient than PLAIN because it uses three interactions to obtain the data. |
CRAM-MD5 | described in RFC 2195, it avoids transmitting unencrypted passwords over the network. The server sends a challenge string and the client sends back a username, followed by a space and the MD5 digest of the challenge string concatenated with the password. The server computes the MD5 digest of the same string and compares this with what it has received. This method only requires two interactions. |
You can advertise which hosts can use authentication using the option auth_advertise_hosts and supplying a list of hosts. You can find out what is available on a server by using telnet:
what authentications are available |
  $ telnet some.server.example 25
  EHLO client.example    ## the 250 response lists AUTH <mechanisms> and STARTTLS if the server offers them
|
There is a section in the configuration file that sets up the authenticators; it starts at begin authenticators. The configuration options can be server or client options, which are defined with a server_ or client_ prefix, so you may see both in an authenticator.
You can use Exim's -bh option to test authentication, but the data must be encoded in base64 (you can use mimencode).
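As an added example, not from the original page or the Exim project, this Python builds the base64 strings a client sends for the PLAIN and CRAM-MD5 mechanisms listed above (the form a -bh test needs) together with the matching server-side checks; RFC 2195 specifies the CRAM-MD5 digest as HMAC-MD5 keyed with the password, which is what it computes. The credential store, user name and challenge are constructed sample values.

```python
import base64
import hashlib
import hmac
from typing import Callable, Optional, Tuple

# Constructed sample credential store and challenge; not taken from any real system.
STORED_PASSWORDS = {"alice": "s3cret"}
CHALLENGE_B64 = base64.b64encode(b"<1896.697170952@mail.example>").decode()


def plain_initial_response(user: str, password: str, authzid: str = "") -> str:
    """Client side of AUTH PLAIN: authzid NUL authcid NUL password, base64 encoded.
    The first (authorization identity) field is normally left empty."""
    raw = f"{authzid}\0{user}\0{password}".encode()
    return base64.b64encode(raw).decode()


def parse_plain_initial_response(b64: str) -> Tuple[str, str, str]:
    """Server side of AUTH PLAIN: decode and split the three NUL-separated strings."""
    parts = base64.b64decode(b64).split(b"\0")
    if len(parts) != 3:
        raise ValueError("AUTH PLAIN data must hold exactly three NUL-separated strings")
    return parts[0].decode(), parts[1].decode(), parts[2].decode()


def cram_md5_digest(password: str, challenge: bytes) -> str:
    """RFC 2195 keyed digest: HMAC-MD5 over the challenge, keyed with the password."""
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()


def cram_md5_response(user: str, password: str, challenge_b64: str) -> str:
    """Client side of CRAM-MD5: decode the server's challenge and return
    "user <hexdigest>" base64 encoded. The password itself never crosses the wire."""
    digest = cram_md5_digest(password, base64.b64decode(challenge_b64))
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def cram_md5_verify(response_b64: str, challenge_b64: str,
                    lookup: Callable[[str], Optional[str]]) -> Optional[str]:
    """Server side of CRAM-MD5: recompute the digest from the stored password and
    compare in constant time. Returns the user name on success, None otherwise."""
    try:
        user, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    except ValueError:  # bad base64, bad UTF-8, or no space in the decoded data
        return None
    password = lookup(user)
    if password is None:
        return None
    expected = cram_md5_digest(password, base64.b64decode(challenge_b64))
    return user if hmac.compare_digest(expected, digest) else None
```

The server must keep the clear-text password (or an equivalent) to verify CRAM-MD5, which is the trade-off for keeping it off the wire.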
There are a number of options that all authenticators use; all the options are unset by default:
driver | This option must be set and can be either plaintext or cram_md5 |
public_name | This option specifies the name of the authentication mechanism that the driver implements and by which it is known to the outside world, for example PLAIN, LOGIN or CRAM-MD5. |
server_condition | you can use this option as an additional authentication or authorization check that is applied after the authenticator has otherwise succeeded |
server_set_id | used to populate the variable $authenticated_id |
SMTP over TCP/IP is the only way of transferring messages to and from other hosts. There are a number of SMTP commands that you may want to know:
VRFY | verifies an email address |
EXPN | lists the expansion of an alias or mailing list |
TURN | this has now been deprecated for security reasons, but it was used to switch the roles of the client and server |
ETRN | this has replaced the TURN command by overcoming the security issues. ACLs are used to control this command. |
Messages that are in batched SMTP format can be passed to Exim by using the -bS command-line option; this causes Exim to accept one or more messages by reading SMTP on the standard input but to generate no SMTP responses.