6

I'm setting up a new server with Debian 8. Exim4 is preinstalled and I'm trying to get TLS working.

I have copied the snakeoil key and cert into the /etc/exim4 folder and set the correct permissions and ownership:

-r--r-----  1 root Debian-exim  1704 Sep 28 20:01 ssl-cert-snakeoil.key
-r--r-----  1 root Debian-exim  1257 Sep 28 20:01 ssl-cert-snakeoil.pem

I have configured these in Exim4

From a second server I then try and connect to SMTP and start TLS like this:

root@second: ~# telnet mynewserver.net.au 25
Trying xxx.xxx.xxx.xxx...
Connected to mynewserver.net.au.
Escape character is '^]'.
220 mynewserver.net.au ESMTP Exim 4.84_2 Wed, 28 Sep 2016 20:12:12 +1000
ehlo second
250-mynewserver.net.au Hello second [xxx.xxx.xxx.xxx]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP
STARTTLS
454 TLS currently unavailable

And the debug log from mynewserver looks like this:

  665 SMTP>> 250-mynewserver.net.au Hello second [xxx.xxx.xxx.xxx]
  665 250-SIZE 52428800
  665 250-8BITMIME
  665 250-PIPELINING
  665 250-STARTTLS
  665 250 HELP
  665 SMTP<< STARTTLS
  665 initialising GnuTLS as a server
  665 GnuTLS global init required.
  665 initialising GnuTLS server session
  665 Expanding various TLS configuration options for session credentials.
  665 certificate file = '/etc/exim4/ssl-cert-snakeoil.pem'
  665 key file = '/etc/exim4/ssl-cert-snakeoil.key'
  665 LOG: MAIN
  665   TLS error on connection from second (second) [xxx.xxx.xxx.xxx] (cert/key setup: cert='/etc/exim4/ssl-cert-snakeoil.pem' key='/etc/exim4/ssl-cert-snakeoil.key'): Error while reading file.
  665 SMTP>> 454 TLS currently unavailable

I have checked the certificates, that the key and the certificate match, as in the following test where the modulus is the same:

root@mynewserver: exim4# openssl x509 -noout -modulus -in ssl-cert-snakeoil.pem | openssl md5
(stdin)= 4d56fe03bcdc3103788344d0d7a2eb8d
root@mynewserver: exim4# openssl x509 -noopenssl rsa -noout -modulus -in ssl-cert-snakeoil.key | openssl md5
(stdin)= 4d56fe03bcdc3103788344d0d7a2eb8d

I also configured the new server to allow Debian-exim to login, logged in and was able to view the certificate files without problem.

All of my research has identified problems with the certificates being readable, having correct content, matching up, and having the correct permissions, or being specified in the exim4 configuration correctly. I've covered all of those areas yet still it fails.

Do you have any idea where I should check next?

muz the axe
  • 201
  • 2
  • 7
  • 1
    Double-check that exim itself is actually running as Debian-exim user? Double-check that you aren't using a jail that excludes `/etc/exim4/` (Debian actually puts the calculated configuration into `/var/lib/exim4/config.autogenerated` so you may not realize it)? The files you have are not labeled with a selinux context (no `.` after the mode bits) if you have selinux enabled that might be an issue. – DerfK Sep 28 '16 at 19:13
  • Exim definitely running as Debian-exim root@mynewserver # ps -u Debian-exim --context PID CONTEXT COMMAND 1584 - /usr/sbin/exim4 -bd -q30m – muz the axe Sep 29 '16 at 01:01
  • selinux is not found: root@mynewserver: exim4# cat /etc/sysconfig/selinux cat: /etc/sysconfig/selinux: No such file or directory – muz the axe Sep 29 '16 at 01:12
  • I did find the setting: tls_on_connect_port=465 However when connecting on port 25 you could type in the STARTTLS and all was fine. When I changed the setting to: tls_on_connect_port=25:465 In this mode the STARTTLS is implied (so you don't have to type it in) and the same error messages occurred. – muz the axe Sep 29 '16 at 01:16
  • tls_on_connect_port 25 will break all your communication with other systems. Unless you have two Debian-exim users or your Debian-exim user somehow does not have Debian-exim set as their group, that leaves a chroot jail that excludes `/etc/exim4` – DerfK Sep 29 '16 at 17:50
  • Yes - I understand. Changed back to tls_on_connect_port=465 – muz the axe Sep 29 '16 at 21:08
  • Weird - I'm building another server and I'm back here with exactly the same problem again. We really need better documentation... – muz the axe Oct 02 '17 at 00:43

3 Answers3

2

It is a literal meaning - it really can not read the [certificate] file. I tried adding various entries to my configuration file like:

tls_certificate=xxx.crt
tls_privatekey=xxx.key

and

MAIN_TLS_CERTIFICATE=xxx.crt
MAIN_TLS_PRIVATEKEY=xxx.key

But none of these appear to work. By default exim4 looks for CONFIGDIR/exim.crt and CONFIGDIR/exim.key (CONFIGDIR is for my /etc/exim4)

So, copy your certificate and key to these two file names. Remove all of the configuration entries you previously added, so that exim4 will look for the default entries without any distraction. Ensure you certificate and key are readable by exim4:

  1. Set the group to Debian-exim (chrgrp Debian-exim exim.*)
  2. Set the group read permission on (chmod g+r exim.*)
  3. Restart your exim4
  4. I then used checktls.com to ensure the TLS and certificate were working correctly.

HTH

muz the axe
  • 201
  • 2
  • 7
0

I think as a general rule is that the user any daemon runs with at start will require the same user to access the file - including its parent directory:

On Debian:

Debian-exim 28104  0.0  0.1 109736  2752  Ss   Jan24   0:09 /usr/sbin/exim4 -bd -q30m

set group to Debian-exim on /etc/letsencrypt/ files and directory

chgrp Debian-exim /etc/letsencrypt/ -R

I thought it was the certificate format or corrupt file but setting the group owner solved the issue

Andrew Schulman
  • 8,561
  • 21
  • 31
  • 47
Jason
  • 1
0

I ran into the same issue after upgrading my Let's Encrypt certificates. For the records, Thunderbird complained about being

Unable to establish a secure link with Outgoing server (SMTP) smtp.example.org using STARTTLS since it doesn't advertise that feature. Switch off STARTTLS for that server or contact your service provider.

It turned out the new certificate private key didn't have sufficient read permissions. Although it worked after chmod-ing a+r the private key and a+x its directory (no exim4 restart needed), as highlighted by user56452 this creates a security issue to have the private key readable. I tested the solution suggested by user56452 with success.

  • 2
    a+r makes your _privatekey_ world readable. That is a security hole. Don't do that. Take a look at https://serverfault.com/a/894161/56452 for using acl's to grant access to the key. – user56452 Feb 09 '20 at 21:59