Exim config and tls

rsutc

Well-Known Member
Oct 8, 2002
I had a client complain that a friend's ISP mail program was attempting to contact my box and getting the answer:

TLS connect failed: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded; connected to 69.50.220.235.

This is caused by other mail programs (esp. qmail) failing to negotiate a proper TLS connection with the subject box. Articles on the web claimed it was a certificate problem and/or a firewall problem.

Because I had Mailscanner and csf installed by Chirpy's ConfigServer folk, I contacted them to find out if there was a firewall problem or if their MailScanner config had anything to do with it. The answer, which I could have found elsewhere if I had known more exactly what to look for, was to disable Exim from offering to negotiate tls in the first place by putting in the first (override) box of the CPanel Exim config editor the line

tls_advertise_hosts =

When the remote server checks mine, it should not see an offer to talk tls and fall back to a regular conversation. Many thanks to the ConfigServer folk for an answer above and beyond the call of duty--it wasn't their product at fault. [Unsolicited testimonial--everyone should use the ConfigServer products and services. They and their creators are amazing.]

OK, I entered this workaround to jumpstart the proper flow of mail from such servers, but then had a closer look, expecting to find that the tls options had not been properly set up and the initial Exim configuration setting of

tls_advertise_hosts = *

was, somehow, a lie, perhaps not correctly installed on some recent Exim upgrade. However, the Exim config file does correctly contain the lines

tls_certificate = /etc/exim.crt
tls_privatekey = /etc/exim.key

and both of these files are indeed present in the expected places. So, on the face of it, Exim was indeed properly set up for tls.

So, why didn't it work, and does anyone have an actual fix, as opposed to a workaround?

Rick

ujr

Well-Known Member
Mar 19, 2004
We had some issues with this too, and this is what we came up with. This is slightly different than http://www.exim.org/exim-html-3.20/doc/html/spec_38.html and is based on a how-to we found on the web.

1. Compile or install Exim with SSL/TLS support.

2. Generate your keys.

first switch to /etc:

cd /etc

2a. generate a 1024-bit RSA key

openssl req -x509 -newkey rsa:1024 -keyout eximrsa.key -out eximrsa.cert -days 9999 -nodes

2b. Then generate a 1024-bit Diffie-Hellman key

openssl dhparam -out eximdeffie.key 1024

3. Edit your Exim's configuration file, adding the following lines:

tls_dhparam = /etc/eximdeffie.key
tls_certificate = /etc/eximrsa.cert
tls_privatekey = /etc/eximrsa.key
tls_advertise_hosts = *

If you wanted only to advertise that TLS is available for a particular domain, then you need to specify it in the tls_advertise_hosts above. Otherwise, this advertises it to all.

4. Restart Exim.

Then test...
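As an added example (not code from this thread or from Exim), here is a POSIX shell script that produces the files steps 2a and 2b describe and then checks them the way rsutc wanted to: that the certificate and private key named in the Exim config actually belong together, that the certificate is not about to expire, and that the DH parameter file parses. It assumes openssl is on the PATH; the directory, hostname and file names are assumptions, and it uses 2048-bit sizes where the post uses 1024.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the files the post's steps
# 2a/2b describe and checks them before the Exim config is pointed at them.
# Assumes: openssl on PATH; directory and hostname are assumed values.

# Step 2a: self-signed RSA certificate and key (2048-bit here, 1024 in the post).
gen_exim_cert() {
  dir=$1; host=$2
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=$host" -keyout "$dir/eximrsa.key" -out "$dir/eximrsa.cert" \
    >/dev/null 2>&1 || return 1
  chmod 600 "$dir/eximrsa.key"   # Exim reads it as root; nobody else needs to
}

# Step 2b: Diffie-Hellman parameters for tls_dhparam (slow at 2048 bits).
gen_exim_dh() {
  openssl dhparam -out "$1/eximdeffie.key" 2048 >/dev/null 2>&1 || return 1
  chmod 600 "$1/eximdeffie.key"
}

# Does the private key in $2 belong to the certificate in $1?
# Compares the public key PEM extracted from both, so it works for any key type.
check_cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Is the certificate in $1 still valid for at least $2 more seconds (default 30 days)?
check_cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null 2>&1
}

# Does $1 contain DH parameters that pass OpenSSL's own sanity checks?
check_dhparam() {
  openssl dhparam -in "$1" -check -noout >/dev/null 2>&1
}

# Run every check against the three paths an Exim config names; 0 means all passed.
check_exim_tls() {
  status=0
  check_cert_key_match "$1" "$2" && echo "cert/key match: ok" || { echo "cert/key match: FAIL"; status=1; }
  check_cert_not_expiring "$1" && echo "cert validity: ok" || { echo "cert validity: FAIL"; status=1; }
  check_dhparam "$3" && echo "dhparam: ok" || { echo "dhparam: FAIL"; status=1; }
  return $status
}

# Usage: gen_exim_cert /etc mail.example.test; gen_exim_dh /etc
#        check_exim_tls /etc/eximrsa.cert /etc/eximrsa.key /etc/eximdeffie.key
```

Run the checks after any Exim upgrade too, since an upgrade that rewrites the config can leave it pointing at files that no longer match each other.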

rsutc

Well-Known Member
Oct 8, 2002
Hmmm. It appears that the only difference between this and what presumably was done in an automatic Exim setup somewhere along the upgrade path is the 1024-bit Diffie-Hellman key generation and attachment. I assume I could simply add that, and put the associated exim config line in the override (top) box of the Exim config editor in cPanel. (Don't want it changed the next time Exim is upgraded.) Seems odd though that yet another key is needed, one not mentioned in any docs I've seen.

Rick