Package: exim4-config
Version: 4.77-1
Severity: wishlist
Tags: patch

In light of the new SMTPS client support in Exim 4.77 and the rising popularity of DKIM/SPF, I propose to update the package with the attached patch.
This patch allows the user to use SMTPS without making intrusive changes to the Debian defaults, just as the AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS macro did for enabling unencrypted plaintext passwords. This patch also updates the README.

== FYI: Some facts on smarthost services by ISPs ==

I have tested smarthost services with:
 * gmail.com    STARTTLS 587 (free email)
 * yahoo.co.jp  SMTPS 469 (free email)
 * nifty.com    STARTTLS 587 (SMTP ISP for my OFC service)

Gmail accepts any envelope From_ address and header From: address, but overwrites such information automatically with the Gmail email account you used to connect to their SMTP service. Then they sign your mail with DKIM.

Yahoo (you can get a free account in their Asian ISPs such as Japan and India by opting in for their advertisement mail, while their US service seems to be only for paid customers). I tested with the Japanese service. As I understand it, since Yahoo offered neither a STARTTLS service nor CRAM-MD5, people were using Yahoo with a plaintext password over an unencrypted connection using the AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS macro. This is not a good idea for security. Since Exim 4.77 supports SMTPS, I tested it with Yahoo without setting the AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS macro but adding "protocol = smtps" to /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost. I confirmed that it works fine. Unlike Gmail, it does not rewrite the email address. If the envelope From_ is not a resolvable address, it rejects such mails. So use of /etc/email-addresses is essential for using them as the smarthost. Also, I noticed that if the header From: address is not their email address, it does not sign with DKIM. If only the header From: address is their email address, Yahoo signs such mail with DKIM.

Nifty seems to do nothing on DKIM, does not enforce anything on the From: header, and sends mail with the original non-Nifty From: address.
When Gmail receives such tweaked mail with my debian.org address, having the envelope address point to my Nifty email account by using the proper entry in /etc/email-addresses improved the spam filter's SPF result to "pass".

-- Package-specific info:
Exim version 4.77 #3 built 14-Nov-2011 22:30:32
Copyright (c) University of Cambridge, 1995 - 2007
Berkeley DB: Berkeley DB 5.1.25: (January 28, 2011)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated

# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to generate
# exim configuration macros for the configuration file.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file

dc_eximconfig_configtype='smarthost'
dc_other_hostnames=''
dc_local_interfaces='127.0.0.1'
dc_readhost='localhost'
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
#dc_smarthost='smtp.nifty.com::587'
#dc_smarthost='smtp.gmail.com::587'
dc_smarthost='smtp.mail.yahoo.co.jp::465'
CFILEMODE='644'
dc_use_split_config='true'
dc_hide_mailname='false'
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'

mailname:localhost

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages exim4-config depends on:
ii  adduser                3.113
ii  debconf [debconf-2.0]  1.5.41

exim4-config recommends no packages.

exim4-config suggests no packages.

-- Configuration Files:
/etc/email-addresses changed [not included]
/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost changed [not included] (I had the protocol=smtps mod.)
/etc/exim4/passwd.client [Errno 13] Permission denied: u'/etc/exim4/passwd.client'

-- debconf information:
* exim4/dc_smarthost: smtp.gmail.com::587 ... changed among different servers
  exim4/dc_relay_domains:
* exim4/dc_relay_nets:
* exim4/mailname: localhost
* exim4/dc_localdelivery: mbox format in /var/mail/
* exim4/dc_local_interfaces: 127.0.0.1
* exim4/dc_minimaldns: false
* exim4/dc_other_hostnames:
* exim4/dc_eximconfig_configtype: mail sent by smarthost; received via SMTP or fetchmail
* exim4/no_config: true
* exim4/hide_mailname: false
  exim4/dc_postmaster: osamu
* exim4/dc_readhost: localhost
* exim4/use_split_config: true
  exim4/exim4-config-title:
diff -Nru exim4-4.77-orig/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost exim4-4.77/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost --- exim4-4.77-orig/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost 2009-03-15 23:57:04.000000000 +0900 +++ exim4-4.77/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost 2012-01-22 12:48:20.714200160 +0900 @@ -15,6 +15,13 @@ }\ {} \ } +.ifdef USE_SMTPS_PROTOCOL_FOR_SMARTHOST +# Some ISPs offer SMTP service using deprecated SMTPS (SSL on port 465) +# protocol instead of using STARTTLS (usually on submission port 587). +# Exim 4.77 supports SMTPS protocol as SMTP client. + protocol = smtps +# This automatically sets port=465 +.endif .ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS .endif diff -Nru exim4-4.77-orig/debian/README.Debian.xml exim4-4.77/debian/README.Debian.xml --- exim4-4.77-orig/debian/README.Debian.xml 2010-11-08 03:36:46.000000000 +0900 +++ exim4-4.77/debian/README.Debian.xml 2012-01-22 14:31:36.072921242 +0900 
@@ -1233,9 +1233,21 @@ required format. </para> <para> + Many ISPs offer such a smarthost SMTP service with TLS + encryption using the modern STARTTLS method on the port 587 + (submission). But some ISPs offer such a smarthost SMTP + service by using now deprecated SMTPS protocol which starts + SSL immediately after connection to the port 465. Exim 4.77 + supports SMTPS as client. If you need to enable SMTPS, you can + do so by setting the USE_SMTPS_PROTOCOL_FOR_SMARTHOST macro. + Please refer to <xref linkend="macros"/> for an explanation of + how best to do this. + </para> + <para> If you need to enable AUTH PLAIN or AUTH LOGIN for unencrypted connections because your service provider does support neither - TLS encryption nor the CRAM MD5 authentication method, you can + TLS encryption with STARTTLS nor the SMTPS protocol with SSL + nor the CRAM MD5 authentication method, you can do so by setting the AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS macro. Please refer to <xref linkend="macros"/> for an explanation of how best to do this. @@ -1246,6 +1258,19 @@ Debian-exim). It is suggested that you keep the default permissions root:Debian-exim 0640. </para> + <para> + You need to pay attentions to avoid interfarence with the SPAM + prevention system. The header From: address and envelope From_ + address of your outgoing mails can be configured using + <filename>/etc/email-addresses</filename>. For some ISPs, + mails with the unresolvable SMTP envelope address are rejected. + Your header From: address may need to match your mail accout at + the smarthost ISP to get DKIM signiture on your mail. Your + envelope From_ address may need to match your mail accout at + the smarthost ISP to get better SPF score on your mail. + Some smarthost ISPs may automatically replace some of these + addresses to match your mail accout there. + </para> </section> <section> <title>Using Exim as SMTP-AUTH server</title> <para>
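Review bot: the comment "# This automatically sets port=465" in the 30_exim4-config_remote_smtp_smarthost hunk overstates what `protocol = smtps` does. In Exim it only changes the transport's default port; a port written explicitly in the host list (the host::port form of dc_smarthost, `smtp.mail.yahoo.co.jp::465` in this report) takes precedence. A user who sets USE_SMTPS_PROTOCOL_FOR_SMARTHOST but leaves dc_smarthost at `host::587` gets TLS-on-connect attempted against the submission port, and the resulting handshake failure is not obvious from the macro name. Suggest rewording the comment to "# The default port becomes 465 unless dc_smarthost gives a port explicitly" and, in the README text, telling the user to set dc_smarthost to host::465 (or to omit the port) when enabling the macro.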
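Review bot: in the first README.Debian.xml hunk (@@ -1233,9 +1233,21 @@) the new paragraph points the reader to <xref linkend="macros"/> for USE_SMTPS_PROTOCOL_FOR_SMARTHOST, but nothing in this patch adds the macro to that section, so if the macros section lists the available macros it needs an entry too. Wording in the same hunk: "on the port 587" should be "on port 587", "Exim 4.77 supports SMTPS as client" should be "as an SMTP client", and the amended sentence "your service provider does support neither TLS encryption with STARTTLS nor the SMTPS protocol with SSL nor the CRAM MD5 authentication method" reads better as "your service provider supports neither TLS encryption with STARTTLS, nor the SMTPS protocol, nor the CRAM MD5 authentication method".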
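Review bot: the second README.Debian.xml hunk (@@ -1246,6 +1258,19 @@) has several spelling errors in user-visible documentation: "pay attentions" should be "pay attention", "interfarence" should be "interference", "accout" (three occurrences) should be "account", "signiture" should be "signature", and "SPAM prevention system" should be "spam prevention system". The guidance itself matches the report's findings, but "For some ISPs, mails with the unresolvable SMTP envelope address are rejected" would be clearer as "Some ISPs reject mail whose SMTP envelope sender address does not resolve", and the paragraph should name which file the header From: rewriting depends on (the same /etc/email-addresses entry) so the reader knows one entry covers both cases.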
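As an added example, not code from the bug report or from the exim4 package: a small Python check for the coupling the report and patch rely on between the smarthost port in update-exim4.conf.conf and the USE_SMTPS_PROTOCOL_FOR_SMARTHOST and AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS macros. The sample configuration and macro file contents are constructed from the report; the macro file path conf.d/main/000_localmacros is an assumption, and only a single-host dc_smarthost entry is parsed.

```python
"""Added example: sanity-check a Debian exim4 smarthost configuration for the
TLS-on-connect (SMTPS, port 465) versus STARTTLS (submission, port 587) coupling.
Not code from the bug report or the exim4 package."""
import re

# Constructed sample, modelled on the update-exim4.conf.conf shown in the report.
SAMPLE_CONF = """\
# /etc/exim4/update-exim4.conf.conf
dc_eximconfig_configtype='smarthost'
dc_other_hostnames=''
#dc_smarthost='smtp.gmail.com::587'
dc_smarthost='smtp.mail.yahoo.co.jp::465'
dc_use_split_config='true'
"""

# Constructed sample of a local macro file.  The path
# /etc/exim4/conf.d/main/000_localmacros is an assumption; Debian's split
# configuration reads every file under conf.d/main/.
SAMPLE_MACROS = """\
USE_SMTPS_PROTOCOL_FOR_SMARTHOST = 1
# AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS = 1
"""

_KV = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)=(?:'([^']*)'|\"([^\"]*)\"|(\S*))\s*$")


def parse_conf(text):
    """Parse update-exim4.conf.conf: shell-style KEY='value' lines; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _KV.match(line)
        if m:
            conf[m.group(1)] = next(g for g in m.groups()[1:] if g is not None)
    return conf


def defined_macros(text):
    """Names defined as 'NAME = value' in an Exim configuration fragment."""
    return {m.group(1) for m in re.finditer(r"^\s*([A-Z][A-Z0-9_]*)\s*=", text, re.M)}


def parse_smarthost(value):
    """Split a single dc_smarthost entry into (host, port).  Exim host lists use ':'
    as the list separator, so an explicit port is written host::port."""
    value = value.strip()
    if "::" in value:
        host, port = value.rsplit("::", 1)
        return host, int(port)
    return value, None


def check_tls_mode(conf, macros):
    """Return findings where the smarthost port and the transport's TLS mode disagree."""
    smtps = "USE_SMTPS_PROTOCOL_FOR_SMARTHOST" in macros
    host, port = parse_smarthost(conf.get("dc_smarthost", ""))
    findings = []
    if port == 465 and not smtps:
        # Without protocol = smtps Exim speaks plaintext SMTP first and then offers
        # STARTTLS; a TLS-on-connect service never answers that greeting.
        findings.append(f"{host}: port 465 but USE_SMTPS_PROTOCOL_FOR_SMARTHOST is not set")
    if smtps and port not in (None, 465):
        # protocol = smtps only changes the default port; an explicit host::port wins.
        findings.append(f"{host}: USE_SMTPS_PROTOCOL_FOR_SMARTHOST set but explicit port "
                        f"{port} overrides the 465 default, so TLS-on-connect is tried there")
    if "AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS" in macros:
        findings.append("AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS is set: PLAIN/LOGIN may go unencrypted")
    return findings


if __name__ == "__main__":
    problems = check_tls_mode(parse_conf(SAMPLE_CONF), defined_macros(SAMPLE_MACROS))
    print("\n".join(problems) if problems else "smarthost TLS mode looks consistent")
```

Run against the constructed Yahoo sample (port 465 with the macro set) the check reports nothing; drop the macro, or point dc_smarthost at a ::587 service while keeping it, and it reports the mismatch described in the review note above. To use it on a real system, read /etc/exim4/update-exim4.conf.conf and the conf.d/main/ fragments instead of the two sample strings.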