Michael R. Head (suppressingfire) wrote,

Using comcast business class's SMTP server as a smarthost for Exim4 in Debian

I recently moved, which triggered a recreation of my comcast business class account (for whatever reason, I had to cancel the account at the old location and create a fresh one at the new location rather than just transferring the account).

I used to be able to use smtp.comcast.net as my SMTP server (by setting dc_smarthost='smtp.comcast.net' in /etc/exim4/update-exim4.conf.conf and running sudo update-exim4.conf), but this is no longer possible. I now have to use the SMTP server specified for my account in the comcast business site (followed by ::587) along with authentication and TLS encryption (by adding my comcast credentials to /etc/exim4/passwd.client and MAIN_TLS_ENABLE = true to /etc/exim4/exim4.conf.localmacros). All this is well and good, and I consider it an upgrade, but for some reason Exim4+GnuTLS simply could not get along with comcast's TLS implementation.


I didn't get much help from the logs, just a fairly cryptic:

2014-09-04 16:18:21 AAAAAAAAAAAAAAAA TLS error on connection to smtp.XXX.comcast.net [NNN.NNN.NNN.NNN] (gnutls_handshake): The TLS connection was non-properly terminated.
2014-09-04 16:18:21 AAAAAAAAAAAAAAAA TLS session failure: delivering unencrypted to smtp.XXX.comcast.net [NNN.NNN.NNN.NNN] (not in hosts_require_tls)
2014-09-04 16:18:22 AAAAAAAAAAAAAAAA ** YYY@EXAMPLE.COM R=smarthost T=remote_smtp_smarthost: SMTP error from remote mail server after MAIL FROM:<zzz@example.com> SIZE=36765: host smtp.XXX.comcast.net [NNN.NNN.NNN.NNN]: 530 5.7.0 authentication required


Eventually I found debbug 674990 which suggests setting tls_require_ciphers = NORMAL:%COMPAT:-VERS-TLS1.1:-VERS-TLS1.2 in the exim config. After some trial and error, I found that the right place to put it is in /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost: after the "driver = smtp" line:


### transport/30_exim4-config_remote_smtp_smarthost
#################################

# This transport is used for delivering messages over SMTP connections
# to a smarthost. The local host tries to authenticate.
# This transport is used for smarthost and satellite configurations.

remote_smtp_smarthost:
  debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
  driver = smtp
  tls_require_ciphers = NORMAL:%COMPAT:-VERS-TLS1.1:-VERS-TLS1.2
  hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
    {\
    ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\
    }\
    {} \
    }
.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
  hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
.endif
.ifdef REMOTE_SMTP_HEADERS_REWRITE
  headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
.endif
.ifdef REMOTE_SMTP_RETURN_PATH
  return_path = REMOTE_SMTP_RETURN_PATH
.endif
.ifdef REMOTE_SMTP_HELO_DATA
  helo_data = REMOTE_SMTP_HELO_DATA
.endif
.ifdef TLS_DH_MIN_BITS
  tls_dh_min_bits = TLS_DH_MIN_BITS
.endif
.ifdef REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
  tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
.endif
.ifdef REMOTE_SMTP_SMARTHOST_PRIVATEKEY
  tls_privatekey = REMOTE_SMTP_SMARTHOST_PRIVATEKEY
.endif
Tags: debian, linux