Exim is a mail server which supports TLS for encrypted connections, both incoming and outgoing.
The support for outgoing connections is a bit useless in its default setting, though:
- If the remote server offers TLS, exim will negotiate an encrypted connection but will not verify the certificate, rendering the encryption somewhat useless.
- If the remote side does not offer TLS, mail will be sent in plain text.
All in all this is pretty useless from a security point of view. Making exim do the right thing requires some additions to the SMTP transport (the following is sufficient for the default exim configuration on CentOS systems):
    remote_smtp:
      driver = smtp
      hosts_require_tls = *
      tls_tempfail_tryclear = false
      tls_verify_certificates = /etc/pki/tls/certs
This forces exim to use TLS for every outgoing connection (hosts_require_tls = *), forbids fallback to clear text if TLS does not work (tls_tempfail_tryclear = false), and points to a directory containing trusted certificates (tls_verify_certificates = /etc/pki/tls/certs).
The last parameter is the main reason for this article, as it does not exactly do what it says on the tin. The exim in CentOS is built against OpenSSL, and the OpenSSL libraries are built with /etc/pki/tls/certs as the default search path for certificates. The documentation for the parameter says:
The value of this option must be the absolute path to a file containing permitted server certificates, for use when setting up an encrypted connection. Alternatively, if you are using OpenSSL, you can set tls_verify_certificates to the name of a directory containing certificate files. This does not work with GnuTLS; the option must be set to the name of a single file if you are using GnuTLS. The values of $host and $host_address are set to the name and address of the server during the expansion of this option. See chapter 39 for details of TLS.
The part missing from this is that the path set with tls_verify_certificates is searched in addition to the default certificate search path configured for OpenSSL. So if the OpenSSL default search path already contains all the certificates required, tls_verify_certificates must be set to force exim to verify the certificates, but the value it is set to does not matter. For security reasons it ought to be set to the default OpenSSL search path, though, to prevent someone from maliciously adding more trusted certificates.
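As an added example (not part of the original article or of exim itself), the following Python script audits a transport block for the three settings above and flags a tls_verify_certificates path that differs from OpenSSL's built-in directory or that non-owners can write to. The function names, the sample configs and the idea that Python's ssl module is linked against the same OpenSSL build as exim are assumptions of this example; only the `option = value` form used in the article is parsed.

```python
import os
import ssl

REQUIRED = {"hosts_require_tls": "*", "tls_tempfail_tryclear": "false"}
# Constructed sample: the transport block from the article.
HARDENED = """\
begin transports
remote_smtp:
  driver = smtp
  hosts_require_tls = *
  tls_tempfail_tryclear = false
  tls_verify_certificates = /etc/pki/tls/certs
"""
# Constructed sample: a transport with no TLS options at all.
DEFAULT = "begin transports\nremote_smtp:\n  driver = smtp\n"

def transport_options(config_text, name="remote_smtp"):
    """Return the `option = value` settings of one transport as a dict."""
    opts, inside = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith(":") and "=" not in line:  # "name:" opens a driver block
            inside = line[:-1] == name
        elif line.startswith("begin "):              # next config section
            inside = False
        elif inside and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def audit(config_text, openssl_capath=None, name="remote_smtp"):
    """List where the transport deviates from the settings in the article."""
    # Assumption: Python's ssl module uses the same OpenSSL build as exim.
    openssl_capath = openssl_capath or ssl.get_default_verify_paths().openssl_capath
    opts, findings = transport_options(config_text, name), []
    for key, want in REQUIRED.items():
        if opts.get(key) != want:
            findings.append(f"{key} is {opts.get(key)!r}, expected {want!r}")
    capath = opts.get("tls_verify_certificates")
    if capath is None:
        findings.append("tls_verify_certificates unset: certificates are not verified")
        return findings
    if os.path.normpath(capath) != os.path.normpath(openssl_capath):
        findings.append(f"{capath} is trusted in addition to {openssl_capath}")
    if os.path.isdir(capath) and os.stat(capath).st_mode & 0o022:
        findings.append(f"{capath} is group- or world-writable")
    return findings
```

Pass the contents of the exim configuration file as `config_text`; an empty list means the transport matches the article's settings and the certificate directory can only be changed by its owner.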
PS:
Doing this for a general purpose mail server is probably not a good idea, as many mail servers do not offer TLS, and even if they do, their certificate may not be signed by a trusted (by the client) certificate authority. The mail server in question here will only send mail to a single host.