On Sun 16 Apr 2023 at 10:57:37 (-0700), pe...@easthope.ca wrote:
> From: David Wright <deb...@lionunicorn.co.uk>
> Date: Sat, 15 Apr 2023 22:20:55 -0500
>
> > And in turn, this reply doesn't contain any feedback to my suggestion
> > of installing the backported exim, which claims to support tls on
> > connect.
>
> Yes, sorry. Too wary of venturing beyond stable.
>
> Now installed backported exim. Unnecessary blanks removed for
> legibility here.
>
> $ dpkg -l | grep exim
> ii exim4 4.96-14~bpo11+1 all metapackage to ease Exim MTA (v4) installation
> ii exim4-base 4.96-14~bpo11+1 amd64 support files for all Exim MTA (v4) packages
> ii exim4-config 4.96-14~bpo11+1 all configuration for the Exim MTA (v4)
> ii exim4-daemon-light 4.96-14~bpo11+1 amd64 lightweight Exim MTA (v4) daemon
>
> No new question in "dpkg-reconfigure exim4-config". Shouldn't it ask
> to choose between STARTTLS and TLS-on-connect?
>
> /etc/exim4/update-exim4.conf.conf is unchanged by adding the backport.
I don't think you micromanage exim4 at that level. From browsing the
configuration file(s), I think you tell it things like Do I want
encryption, Do I want to force it, Do I want to check certificates, or
don't I care, and then it makes decisions on what the connecting mail
servers say and do.

"Exim supports TLS-on-connect by means of the tls_on_connect_ports
global option. Its value must be a list of port numbers; the most
common use is expected to be:

    tls_on_connect_ports = 465

"The port numbers specified by this option apply to all SMTP
connections, both via the daemon and via inetd. You still need to
specify all the ports that the daemon uses (by setting
daemon_smtp_ports or local_interfaces or the -oX command line option)
because tls_on_connect_ports does not add an extra port – rather, it
specifies different behaviour on a port that is defined elsewhere."

That's what led me to think that that line might need to be in the
Transport section of /var/lib/exim4/config.autogenerated. (Bear in
mind that reconfiguring exim4 refreshes this file, so it's a good
place to conduct ephemeral experiments.) But I don't have enough (any)
experience of this connection method to know why the list of ports has
to be limited, or even whether the setting is aimed at outward or
inward connections. Impossible for me to test without an instance to
try it out on unless, I suppose, I sent emails back and forth between
two machines. (Hey, I do that already, but without TLS at all.)

> > My only remaining advice is to try everything on every port.
> > Frequently, one particular method is advertised, but the software
> > may allow other protocols/methods too. For example, the SMTP
> > port and commands that mutt sends my posts with is quite different
> > from those used by my hand-crafted automated emails (same hosts).
>
> Certainly trying many combinations. Technical support from the
> smarthost also might recognize a detail I'm overlooking.
I don't know who runs it and how supportive they are. Mine tend to be
quite helpful.

> > I don't recall ever seeing a debug message with a heading.
>
> Not a heading for the file or a comment explaining one line.
> Headings for more abstract levels of progress.
> E.g.
> "Evaluating whether delivery is local."
> "Submitting password for user <me> to smarthost <there>."

There are debug options outlined in the man page, which you can apply
through /etc/default/exim4. Presumably, tls and transport might give
interesting information.

> Incidentally the debug text has formal syntax such as this.
> 08:29:51 3623 }{${if def:sender_ident {from
> ${quote_local_part:$sender_ident} }}${if def:sender_helo_name
> {(helo=$sender_helo_name)
> Does anyone recognize a language? Exim internal syntax?

IDK. With things like this, I just program by example.

Cheers,
David.
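An added Python example for the "try everything on every port" advice in the thread (it is not from the thread and not Exim's own code): for each port of a smarthost it reports whether the port speaks TLS-on-connect (implicit TLS, what Exim's tls_on_connect_ports configures on the listening side), STARTTLS, or plaintext only, verifying the server certificate against the system trust store and never authenticating. The host name and port list in the usage line are placeholders.

```python
import smtplib
import ssl
import sys


def ehlo_offers_starttls(ehlo_message: bytes) -> bool:
    """True if an EHLO response body (the lines after the greeting) lists STARTTLS."""
    return any(line.strip().upper() == b"STARTTLS"
               for line in ehlo_message.splitlines())


def probe_smtp_tls(host: str, port: int, timeout: float = 10.0) -> str:
    """Classify host:port as 'tls-on-connect', 'starttls', 'plaintext-only',
    'bad-certificate' or 'unreachable'. No credentials are ever sent."""
    ctx = ssl.create_default_context()  # system trust store; checks chain and hostname
    # 1. TLS-on-connect (usually 465): the TLS handshake happens before any SMTP banner.
    try:
        with smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx) as conn:
            conn.ehlo()
            return "tls-on-connect"
    except ssl.SSLCertVerificationError:
        return "bad-certificate"
    except ssl.SSLError:
        pass  # the server answered with a plaintext banner instead; try STARTTLS next
    except OSError:  # refused, timed out, or no route (smtplib errors are OSErrors too)
        return "unreachable"
    # 2. STARTTLS (usually 587 or 25): plaintext banner and EHLO, then an upgrade command.
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as conn:
            _code, message = conn.ehlo()
            if not ehlo_offers_starttls(message):
                return "plaintext-only"  # never fall back to sending mail unencrypted
            conn.starttls(context=ctx)
            conn.ehlo()  # RFC 3207: discard pre-TLS EHLO knowledge and EHLO again
            return "starttls"
    except ssl.SSLCertVerificationError:
        return "bad-certificate"
    except OSError:
        return "unreachable"


if __name__ == "__main__":
    # Usage: probe_smtp_tls.py smarthost.example.net [port ...]  (placeholder host name)
    target = sys.argv[1]
    ports = [int(p) for p in sys.argv[2:]] or [465, 587, 25]
    for p in ports:
        print(f"{target}:{p}  {probe_smtp_tls(target, p)}")
```

A "bad-certificate" result means the port does encrypt but the certificate does not match the name you connected to, which is worth raising with the smarthost operator before pointing an MTA at it.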