I have configured exim4 to send e-mails using TLS through smtp.gmail.com::465, NOT STARTTLS through smtp.gmail.com::587. I used information provided to me that was pulled from various sources. The complete list of steps I performed can be seen at https://github.com/imthenachoman/How-To-Secure-A-Linux-Server#configure-gmail-as-mta-with-implicit-tls.

This is for a server at home, behind a router. I don't have a domain name so I created a local server-side certificate using /usr/share/doc/exim4-base/examples/exim-gencert.

I am able to send e-mails. I assume it is actually encrypted TLS traffic through 465 but I am not sure how to check.

I did a system audit using Lynis and it showed a warning for exim4:

[+] Software: e-mail and messaging
------------------------------------
  - Exim status                                               [ RUNNING ]
    - Type                                                    [ SATELLITE ]
    - Certificate not set                                     [ WARNING ]
    - Private Key not set                                     [ WARNING ]

I went through Lynis' source and discovered it is checking for these to be set by checking for tls_certificate and tls_privatekey in the output of exim -bP transport remote_smtp_smarthost:

$ sudo exim -bP transport remote_smtp_smarthost | egrep 'tls_certificate|tls_privatekey'
tls_certificate =
tls_privatekey =

I don't know how to remediate/fix this.

Questions:

  1. Is it possible to verify exim4 is sending mail through encrypted TLS on port 465?
  2. What do I need to do to fix the WARNING -- basically get the certificate/key set. Keep in mind, this is for a home server without a domain name so I can't get a legit certificate since there is no domain name to verify against.
IMTheNachoMan
  • Run the `exim -bP` command without the `transport remote_smtp_smarthost` part. – wurtel Mar 14 '19 at 11:02
  • That does show certificates for `tls_certificate` and `tls_privatekey`. But I assume Lynis is running that specific command because those are the settings that my exim4 would use based on my configuration? – IMTheNachoMan Mar 14 '19 at 11:41
  • Only if those parameters are specifically configured for the `remote_smtp_smarthost` entry for transports. That almost never happens and the tls stuff is configured in the main config part and inherited by the transports. It looks like Lynis is making assumptions about your configuration. I don't even have a `remote_smtp_smarthost` transports entry, only `remote_smtp` because I don't use a smarthost. – wurtel Mar 14 '19 at 13:09
  • So is there any way to verify exim4 is using TLS to send mail? – IMTheNachoMan Mar 14 '19 at 13:10
  • Check the mainlog. If the `=>` line shows `X=TLS1.2:...` then it's using TLS. Logfiles exist for a reason... – wurtel Mar 14 '19 at 13:32
  • @wurtel OMG. I stared at that log for hours and didn't find anything. Now that you pointed it out I can't **not** see it. I didn't even think to grep the log. I'm a failure at debugging. Thank you so much! – IMTheNachoMan Mar 15 '19 at 02:12
  • @wurtel Could you put that TLS comment as an answer so I can mark it as an answer? Just so this question doesn't stay hanging. – IMTheNachoMan Mar 16 '19 at 15:00

1 Answer

When running exim -bP transport remote_smtp_smarthost, only the settings for the remote_smtp_smarthost transport are shown. Chances are you're not even using that transport. It's best to use exim -bP without parameters, that shows the main settings. Lynis probably needs to be improved a bit regarding this.

You can check whether exim is using TLS when sending emails to other mail servers by checking the exim mainlog. Look for lines with => which indicate deliveries. If a part of those lines starts with X=TLS1.2:..., exim is indeed using TLS, and that part describes the TLS parameters used.

wurtel
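The mainlog check from the answer, as a small script. This is an added example and is not code from the page, from exim or from Lynis; the log lines are constructed to look like exim4 mainlog records and are not from the asker's server. It pulls each `=>` delivery apart, records the `X=` field (negotiated TLS version and cipher), the `CV=` field (whether exim verified the peer's certificate) and the port after the `H=` address (only logged when the `outgoing_port` log selector is enabled), then flags deliveries that went in cleartext, that used TLS without a verified peer certificate, or that did not go to the expected port. The Lynis warning on the page is about the certificate and key exim itself would present, which is a separate question from whether outbound mail is encrypted; `X=` answers the second question, `CV=` tells you whether the encrypted session was also authenticated.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of exim4 mainlog records; not a real log.
# "=>" lines are deliveries.  X= is the negotiated TLS version and cipher,
# CV= whether exim verified the peer's certificate.  The ":465" after the
# bracketed address is only logged when the outgoing_port log selector is on.
SAMPLE_MAINLOG = """\
2019-03-14 10:01:02 1h4Abc-0001Ab-Cd <= root@homeserver U=root P=local S=512
2019-03-14 10:01:03 1h4Abc-0001Ab-Cd => someone@gmail.com R=smarthost T=remote_smtp_smarthost H=smtp.gmail.com [74.125.133.108]:465 X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 CV=yes C="250 2.0.0 OK"
2019-03-14 10:01:03 1h4Abc-0001Ab-Cd Completed
2019-03-14 10:05:00 1h4Abd-0001Ac-De => other@example.net R=dnslookup T=remote_smtp H=mail.example.net [192.0.2.10] C="250 OK id=abc"
2019-03-14 10:07:00 1h4Abe-0001Ad-Ef => third@example.org R=smarthost T=remote_smtp_smarthost H=smtp.gmail.com [74.125.133.108]:465 X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 CV=no C="250 2.0.0 OK"
"""

# date time message-id => recipient <rest of the record>
DELIVERY_RE = re.compile(r"^\S+ \S+ (?P<msgid>\S+) => (?P<rcpt>\S+) (?P<rest>.*)$")
# H=hostname [ip] with an optional :port suffix
HOST_RE = re.compile(r"\bH=(?P<host>\S+) \[(?P<ip>[^\]]+)\](?::(?P<port>\d+))?")


@dataclass
class Delivery:
    msgid: str
    recipient: str
    transport: Optional[str]
    host: Optional[str]
    port: Optional[int]            # None when outgoing_port is not logged
    tls: Optional[str]             # X= value; None means cleartext
    cert_verified: Optional[bool]  # CV=yes/no; None when not logged


def _field(rest: str, key: str) -> Optional[str]:
    """Return the value of a 'KEY=value' token in the record, or None if absent."""
    m = re.search(r"\b" + re.escape(key) + r"=(\S+)", rest)
    return m.group(1) if m else None


def parse_deliveries(log_text: str) -> List[Delivery]:
    """Extract one Delivery per '=>' record; other record types are skipped."""
    deliveries = []
    for line in log_text.splitlines():
        m = DELIVERY_RE.match(line)
        if not m:
            continue  # <= arrival, Completed, defer lines etc.
        rest = m.group("rest")
        h = HOST_RE.search(rest)
        cv = _field(rest, "CV")
        deliveries.append(Delivery(
            msgid=m.group("msgid"),
            recipient=m.group("rcpt"),
            transport=_field(rest, "T"),
            host=h.group("host") if h else None,
            port=int(h.group("port")) if h and h.group("port") else None,
            tls=_field(rest, "X"),
            cert_verified=None if cv is None else cv == "yes",
        ))
    return deliveries


def audit(deliveries: List[Delivery], expected_port: int = 465) -> List[str]:
    """Flag deliveries that were cleartext, unauthenticated, or on the wrong port."""
    findings = []
    for d in deliveries:
        who = f"{d.msgid} -> {d.recipient} via {d.host}"
        if d.tls is None:
            findings.append(f"{who}: CLEARTEXT delivery")
            continue
        if d.cert_verified is False:
            # Encrypted, but exim did not verify who it was talking to.
            findings.append(f"{who}: TLS ({d.tls}) but peer certificate NOT verified")
        if d.port is not None and d.port != expected_port:
            findings.append(f"{who}: TLS on port {d.port}, expected {expected_port}")
    return findings


if __name__ == "__main__":
    ds = parse_deliveries(SAMPLE_MAINLOG)
    for d in ds:
        print(f"{d.msgid} {d.recipient:20} {d.transport or '-':24} X={d.tls} CV={d.cert_verified}")
    for f in audit(ds):
        print("WARNING:", f)
```

To run it against a real server, replace `SAMPLE_MAINLOG` with the contents of `/var/log/exim4/mainlog` (or feed the file in and call `parse_deliveries` on it). A `CV=no` result with a smarthost usually means the transport has no `tls_verify_certificates` pointing at a CA bundle, so the session is encrypted but any server in the path could have presented its own certificate.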