The Community Forums

Interact with an entire community of cPanel & WHM users!

Exim config and tls

Discussion in 'General Discussion' started by rsutc, Sep 12, 2006.

  1. rsutc (Well-Known Member)

    I had a client complain that a friend's ISP mail program was attempting to contact my box and getting the answer:

    TLS connect failed: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded; connected to 69.50.220.235.

    This is caused by other mail programs (esp qmail) failing to negotiate a proper TLS connection with the subject box. Articles on the web claimed it was a certificate problem and/or a firewall problem.

    Because I had Mailscanner and csf installed by Chirpy's ConfigServer folk, I contacted them to find out if there was a firewall problem or if their MailScanner config had anything to do with it. The answer, which I could have found elsewhere if I had known more exactly what to look for, was to disable Exim from offering to negotiate tls in the first place by putting in the first (override) box of the CPanel Exim config editor the line

    tls_advertise_hosts =

    When the remote server checks mine, it should not see an offer to talk tls and fall back to a regular conversation. Many thanks to the ConfigServer folk for an answer above and beyond the call of duty--it wasn't their product at fault. [Unsolicited testimonial--everyone should use the ConfigServer products and services. They and their creators are amazing.]

    OK, I entered this workaround to jumpstart the proper flow of mail from such servers, but then had a closer look, expecting to find that the tls options had not been properly set up and the initial Exim configuration setting of

    tls_advertise_hosts = *

    was, somehow, a lie, perhaps not correctly installed on some recent Exim upgrade. However, the Exim config file does correctly contain the lines

    tls_certificate = /etc/exim.crt
    tls_privatekey = /etc/exim.key

    and both of these files are indeed present in the expected places. So, on the face of it, Exim was indeed properly set up for tls.

    So, why didn't it work, and does anyone have an actual fix, as opposed to a workaround?

    Rick
     
  2. ujr (Well-Known Member)

    We had some issues with this too, and this is what we came up with. This is slightly different from http://www.exim.org/exim-html-3.20/doc/html/spec_38.html and is based on a how-to we found on the web.

    1. Compile or install Exim with SSL/TLS support.

    2. Generate your keys.

    First switch to /etc (cd /etc).

    2a. generate a 1024-bit RSA key

    openssl req -x509 -newkey rsa:1024 -keyout eximrsa.key -out eximrsa.cert -days 9999 -nodes

    2b. Then generate a 1024-bit Diffie-Hellman key

    openssl dhparam -out eximdeffie.key 1024

    3. Edit your Exim's configuration file, adding the following lines:

    tls_dhparam = /etc/eximdeffie.key
    tls_certificate = /etc/eximrsa.cert
    tls_privatekey = /etc/eximrsa.key
    tls_advertise_hosts = *

    If you wanted only to advertise that TLS is available for a particular domain, then you need to specify it in the tls_advertise_hosts above. Otherwise, this advertises it to all.

    4. Restart Exim.

    Then test...
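    A shell script, added here and not posted by ujr or rsutc, that wraps the steps above: it generates the key material from steps 2a and 2b (with 2048-bit sizes instead of the post's 1024-bit, since 1024-bit RSA and DH are no longer considered adequate), prints the step 3 configuration fragment, checks that the files Exim will load are consistent, and probes STARTTLS as the "Then test" step. The /etc/exim* file names, the hostname-based certificate subject and the 10-year validity are this example's assumptions.

```shell
#!/bin/sh
# Added example: wraps steps 2a, 2b, 3 and "then test". Assumed names: the
# eximrsa.*/eximdeffie.key file names and a 2048-bit size instead of the post's 1024.

# Emit the Exim configuration fragment from step 3 for the given paths.
# The fourth argument restricts tls_advertise_hosts; the default "*" advertises to all.
exim_tls_fragment() {
    printf 'tls_dhparam = %s\n' "$1"
    printf 'tls_certificate = %s\n' "$2"
    printf 'tls_privatekey = %s\n' "$3"
    printf 'tls_advertise_hosts = %s\n' "${4:-*}"
}

# Steps 2a/2b: self-signed certificate, private key and DH parameters in $1.
exim_tls_generate() {
    dir="$1"; bits="${2:-2048}"
    openssl req -x509 -newkey "rsa:$bits" -nodes -days 3650 \
        -subj "/CN=$(hostname)" \
        -keyout "$dir/eximrsa.key" -out "$dir/eximrsa.cert" || return 1
    openssl dhparam -out "$dir/eximdeffie.key" "$bits" || return 1
    chmod 600 "$dir/eximrsa.key"   # only the user Exim runs as needs the key
}

# Sanity-check what Exim would load: files readable, key not group/world
# accessible, certificate and key belonging together, DH parameters valid.
exim_tls_check() {
    dh="$1"; cert="$2"; key="$3"
    for f in "$dh" "$cert" "$key"; do
        [ -r "$f" ] || { echo "unreadable: $f" >&2; return 1; }
    done
    case "$(ls -ld "$key" | cut -c5-10)" in
        *[rwx]*) echo "private key $key is group/world accessible" >&2; return 1 ;;
    esac
    [ "$(openssl x509 -noout -pubkey -in "$cert")" = "$(openssl pkey -pubout -in "$key")" ] \
        || { echo "certificate and key do not match" >&2; return 1; }
    openssl dhparam -noout -check -in "$dh" >/dev/null 2>&1 \
        || { echo "bad DH parameters in $dh" >&2; return 1; }
}

# The "then test" step: confirm the server really completes STARTTLS on port 25.
# A self-signed certificate makes s_client report a verify error, but the
# handshake itself still succeeds and the session block is printed.
exim_tls_probe() {
    printf 'QUIT\r\n' | openssl s_client -starttls smtp -connect "$1:${2:-25}" 2>/dev/null \
        | grep -q 'SSL-Session:'
}
```

    Source the file, run exim_tls_generate /etc, paste the exim_tls_fragment output into the Exim configuration (or the cPanel override box), restart Exim, then run exim_tls_check on the three paths and exim_tls_probe against the server's hostname.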
     
  3. rsutc (Well-Known Member)

    Hmmm. It appears that the only difference between this and what presumably was done in an automatic Exim setup somewhere along the upgrade path is the 1024-bit Diffie-Hellman key generation and attachment. I assume I could simply add that, and put the associated exim config line in the override (top) box of the Exim config editor in cPanel. (Don't want it changed the next time Exim is upgraded.) Seems odd though that yet another key is needed, one not mentioned in any docs I've seen.

    Rick
     
  4. ujr (Well-Known Member)

    The DH key is not required, but this worked for us.
     