January 19, 2003

Secure Mail Relaying with Exim and OpenSSL

I finally got around to setting up something I've wanted for a long, long time. You see, I have a few co-located machines running Debian GNU/Linux that handle e-mail, DNS, web, MySQL, and other services for roughly 30 domains including zawodny.com. But the e-mail has always been a bit of a pain.

Why? Because I send roughly half of my mail using mutt while logged directly into one of those machines. That's fine. However, the other half of the time I'm using something like Apple's Mail.app on the TiBook. When that happens, I have to worry about relaying issues.

Traditionally, I've just used Exim's host_accept_relay option, setting it to a list of hosts that I'll be using:

host_accept_relay = 192.168.1.2

The problem with doing that is dynamic addresses. My cable modem address changes now and then. And sometimes I'll plug the TiBook into a foreign network. Then I need to figure out what the address is, if there's NAT involved, and so on. It's a pain. There's a better way.

Fortunately, Exim (my preferred mail server) has two features which combine to solve the problem. First, you have SMTP AUTH (RFC 2554), which is the standard way for mail clients to authenticate to a mail server before sending messages. The second piece of the puzzle is TLS support (STARTTLS, RFC 2487), so the entire session can be encrypted--including the authentication (username and password).

My goal was to configure Exim so that it would allow any authenticated user to use the server as a mail relay no matter where they connect from. Then I'd require all authentication to happen over an encrypted channel so that I'd never have to worry about passwords being sniffed. It turns out that this is surprisingly easy to do.

After reading chapters 35, 36, and 38 of the Exim manual, setting it up was quite easy.

First, I made sure to install the Debian exim-tls package as a replacement for the normal exim package. (TLS stands for "transport layer security." In this case, OpenSSL is providing the TLS.)

shell$ sudo apt-get install exim-tls

To setup the SMTP authentication, I added this bit to the end of my /etc/exim/exim.conf file:

# AUTH stuff here
#
# With the PLAIN mechanism the client sends one base64 string containing
# three NUL-separated fields, which the plaintext driver exposes as
#   $1 = authorization id (unused here), $2 = username, $3 = password

fixed_plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${if and {{eq{$2}{user}}{eq{$3}{pass}}}{yes}{no}}
  server_set_id = $2

Where "user" is the username I'm going to use and "pass" is the password. Note that this puts the password in clear text in exim.conf, so the file must not be readable by anyone other than root and the Exim user. It's possible to use PAM, MySQL, text files, LDAP, or any number of other ways to do this so you can support many users. Right now this is for just me, so this works. Someday I'll improve it and allow others to make use of it.
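To make the $2 and $3 in that server_condition concrete, here is an added Python example (it is not from the post and not Exim's code) that builds the AUTH PLAIN response a client sends, splits it the way Exim's plaintext driver does into $1, $2 and $3, and applies the same condition. The "user"/"pass" credentials are the post's placeholders; the function names and everything else are assumptions for illustration. It also makes the sniffing point obvious: the response is base64, which is an encoding and not encryption, so a client that does this without TLS hands its password to whoever is watching the wire.

```python
import base64
from typing import Optional, Tuple

# Constructed placeholder credentials, matching the "user"/"pass" values in
# the fixed_plain authenticator above. Assumption for this example only.
USER = "user"
PASSWORD = "pass"


def client_plain_response(authcid: str, passwd: str, authzid: str = "") -> str:
    """What a mail client sends after "AUTH PLAIN": base64 of
    authzid NUL authcid NUL password (RFC 2595). Base64 is encoding, not
    encryption: anyone who captures the line can reverse it."""
    raw = f"{authzid}\0{authcid}\0{passwd}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def server_split_plain(response: str) -> Tuple[str, str, str]:
    """Decode the response and split it on NUL into the three fields Exim's
    plaintext driver exposes as $1, $2 and $3. Reject data that does not have
    exactly two separators instead of guessing at the fields."""
    raw = base64.b64decode(response, validate=True).decode("utf-8")
    parts = raw.split("\0")
    if len(parts) != 3:
        raise ValueError("AUTH PLAIN data must be authzid NUL authcid NUL passwd")
    return parts[0], parts[1], parts[2]


def server_condition(d1: str, d2: str, d3: str) -> bool:
    """Python equivalent of
        ${if and {{eq{$2}{user}}{eq{$3}{pass}}}{yes}{no}}
    $1 (the authorization id) is never looked at, and eq is an exact,
    case-sensitive comparison."""
    return d2 == USER and d3 == PASSWORD


def authenticate(response: str) -> Optional[str]:
    """Whole server side: returns what server_set_id would receive ($2) on
    success, None for bad credentials or malformed data."""
    try:
        d1, d2, d3 = server_split_plain(response)
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    return d2 if server_condition(d1, d2, d3) else None


if __name__ == "__main__":
    wire = client_plain_response(USER, PASSWORD)
    print("client sends:    AUTH PLAIN", wire)
    print("sniffer decodes:", server_split_plain(wire))      # password in the clear
    print("server_set_id:  ", authenticate(wire))
    print("wrong password: ", authenticate(client_plain_response(USER, "nope")))
```

The same NUL-separated layout is what every SASL PLAIN client produces, which is why the `$2`/`$3` positions in the Exim condition are stable across Mail.app, mutt, Outlook and the rest.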

Then I followed the example instructions for creating an SSL certificate and key. I installed them as /etc/exim/exim.key and /etc/exim/exim.cert.

Lastly, I updated a few more settings in my Exim configuration and then restarted Exim:

# Only localhost can relay by default
host_accept_relay = localhost

# Any host may relay once it has authenticated.  Combined with
# auth_over_tls_hosts below, that authentication can only happen over TLS.
host_auth_accept_relay = *

# SSL/TLS cert and key (the key must be readable by the Exim user and nobody else)
tls_certificate = /etc/exim/exim.cert
tls_privatekey = /etc/exim/exim.key

# Advertise STARTTLS to every client
tls_advertise_hosts = *

# For these hosts, AUTH is advertised only after STARTTLS has completed,
# so the username and password never cross the wire in the clear.
auth_over_tls_hosts = *

Then I told Mail.app to use password authentication and to use SSL for outgoing mail. That's it. It just works. The same should work for Netscape, Outlook, Eudora, etc.
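A check worth running once the server is restarted, as an added example that is not part of the original post: connect on port 25, confirm that AUTH is absent from the EHLO reply until after STARTTLS, and then confirm that PLAIN is offered. The EHLO transcripts below are constructed samples of what a correct and an incorrect configuration look like on the wire; check_live_server does the same thing against a real host using Python's standard smtplib, with the hostname, port and function names being assumptions of this example.

```python
import smtplib
import ssl
from typing import Dict, List

# Constructed sample EHLO replies (not captured from the post's server).
# Correct setup: STARTTLS offered, no AUTH until the session is encrypted.
GOOD_BEFORE_TLS = """250-mail.example.com Hello client [192.0.2.10]
250-SIZE 52428800
250-PIPELINING
250-STARTTLS
250 HELP
"""
GOOD_AFTER_TLS = """250-mail.example.com Hello client [192.0.2.10]
250-SIZE 52428800
250-PIPELINING
250-AUTH PLAIN
250 HELP
"""
# Misconfigured setup (auth_over_tls_hosts unset): AUTH leaks before STARTTLS.
BAD_BEFORE_TLS = """250-mail.example.com Hello client [192.0.2.10]
250-SIZE 52428800
250-STARTTLS
250-AUTH PLAIN
250 HELP
"""


def parse_ehlo(reply: str) -> Dict[str, str]:
    """Turn a raw multi-line EHLO reply into {extension: params}, keyed in lower
    case, the same shape smtplib keeps in SMTP.esmtp_features. The first 250
    line is the greeting, not an extension, and is skipped."""
    features: Dict[str, str] = {}
    seen_greeting = False
    for line in reply.splitlines():
        line = line.strip()
        if not line.startswith("250"):
            continue
        if not seen_greeting:
            seen_greeting = True
            continue
        name, _, params = line[4:].strip().partition(" ")   # drop "250-" / "250 "
        if name:
            features[name.lower()] = params.strip()
    return features


def evaluate(before: Dict[str, str], after: Dict[str, str]) -> List[str]:
    """Compare the feature lists seen before and after STARTTLS. Returns a list
    of problems; an empty list means the server behaves as the config intends."""
    problems: List[str] = []
    if "starttls" not in before:
        problems.append("STARTTLS not offered on the plaintext connection")
    if "auth" in before:
        problems.append("AUTH advertised before STARTTLS: " + before["auth"])
    if "auth" not in after:
        problems.append("AUTH not advertised after STARTTLS")
    elif "PLAIN" not in after["auth"].upper().split():
        problems.append("PLAIN not offered after STARTTLS: " + after["auth"])
    return problems


def check_live_server(host: str, port: int = 25, verify_cert: bool = True) -> List[str]:
    """Run the same check against a real server (needs network; not exercised
    offline). verify_cert=False is only for a self-signed certificate like the
    one in the post, and then you are testing AUTH exposure, not server identity."""
    ctx = ssl.create_default_context()
    if not verify_cert:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        before = dict(smtp.esmtp_features)
        smtp.starttls(context=ctx)
        smtp.ehlo()            # EHLO again: smtplib resets the feature list after TLS
        after = dict(smtp.esmtp_features)
    return evaluate(before, after)


if __name__ == "__main__":
    print("good config:", evaluate(parse_ehlo(GOOD_BEFORE_TLS), parse_ehlo(GOOD_AFTER_TLS)))
    print("bad config: ", evaluate(parse_ehlo(BAD_BEFORE_TLS), parse_ehlo(GOOD_AFTER_TLS)))
```

If the live check reports AUTH before STARTTLS, the server is willing to take a plaintext password even though Mail.app happens to be configured for SSL, and any client with the wrong settings will leak it.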

Posted by jzawodn at 10:50 PM

SBC doesn't get the Web

I'm getting sick of Pac Bell (or SBC, as they're now called). Back in 2001, I had phone problems that required a visit. Their web site wasn't terribly helpful.

Guess what. Nothing has changed. Nothing at all. I went to their web site, hoping that I could report my phone problem (since I obviously can't call them). Once I got to the right place, I saw this.

WTF?! Why is it that I can inquire about a previously reported problem on their site, but I cannot report a new problem? This makes absolutely no sense to me. This feels soooo 1999.

It's a good thing I have a cell phone. I called them. I have to stay home from work tomorrow morning and wait for the repair tech to visit.

Screw SBC. Again.

Oh, I have a feeling that when they shut off my DirectTV DSL service last week, they killed my phone line too. Based on what people have told me ("your phone has just been ringing when I call--since the middle of last week.") it's been dead since last Tuesday. That's the day the DSL disconnect happened. I suppose I could just wait until this Tuesday when they're scheduled to hook me up to the new DSL service, but screw that. I'll make the tech come out on Monday to fix the phone and then again on Tuesday to fix the DSL. They screwed up... not me.

Posted by jzawodn at 10:18 PM

No, the *other* knob!

I had some unexpected "excitement" during my last flight this morning. Not the good kind. The kind that makes you really happy your flight instructor is in the back seat.

Note to cockpit designers: Different controls should look and feel different.

Note to self: Pay attention and remember what your instructor has been telling you. People are less likely to die this way.

Anyway, read all about it in my flying blog if you're into that kind of thing or just want the details on what went wrong.

Posted by jzawodn at 06:48 PM

My stuff is where?

From 0xDECAFBAD:

Years ago, when I first started using email, I did indeed do this with procmail and other arcane beasties. Then, I found myself cursing that I couldn't do cross-folder searches very easily. Also, the filters and folders started making less sense as their structure represented only one possible scheme for finding what I was looking for, and I was needing many possible kinds of schemes over time. So, eventually it all ended up in one pile, and searches became my way of finding things.
I abandoned bookmarks for Google by the same principle. Now, my bookmarks consist completely of bookmarklets and a few stray links to local on-disk pages like Python documentation. In fact, I'm wishing that I could create bookmark folders that are fed by Google API powered persistent searches.
So, now I'm looking balefully upon my filesystem.

<AOL>Me too!</AOL> I really, really suck at organizing. I'd rather just search based on content, attributes, etc.

Posted by jzawodn at 02:13 PM