ich durchforste jetzt schon den ganzen Abend das Netz nach einer Lösung, werde aber nicht fündig...:
Wir haben für unseren Mailserver (exim4 auf debian9) ein GeoTrust "QuickSSL Premium"-Zertifikat besorgt.
Wenn ich dieses Zertifikat über /etc/exim4/conf.d/main/00_local_macros einbinde, funtioniert der verschlüsselte Zugriff aber nicht mehr...:
(unseren Domainnamen habe hier jetzt auf example.de umbenannt, das Zertifikat ist sozusagen auf unseren Mailserver mailsrv.example.de ausgestellt):
Code: Alles auswählen
DKIM_CANON = relaxed
DKIM_SELECTOR = 20160712
DKIM_DOMAIN = example.de
DKIM_FILE = /etc/exim4/dkim/example.de-private.pem
MAIN_TLS_ENABLE = yes
MAIN_TLS_CERTKEY = /etc/exim4/mailsrv.example.de_ssl_certificate.cer
MAIN_TLS_PRIVATEKEY = /etc/exim4/mailsrv.example.de_private_key.key
wenn ich dann versuche per openssl s_client auf den Mailserver zuzugreifen, dann kommt:
Code: Alles auswählen
openssl s_client -starttls smtp -crlf -connect mailsrv.example.de:587
CONNECTED(00000003)
140292243796032:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 266 bytes and written 209 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1576190089
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
Im Zertifikat habe ich noch die GeoTrust Intermediate-Zertifikate angehängt, aber kein Unterschied...
Ich habe gerade keinen Ansatzpunkt, wie ich da weiter komme - vielleicht kann mir jemand den entscheidenden Tipp geben...
Viele Grüße,
Christoph
hier noch die Ausgabe von exim -pB:
Code: Alles auswählen
accept_8bitmime
acl_not_smtp =
acl_not_smtp_start =
acl_smtp_auth =
acl_smtp_connect =
acl_smtp_data = acl_check_data
acl_smtp_data_prdr = accept
acl_smtp_dkim =
acl_smtp_etrn =
acl_smtp_expn =
acl_smtp_helo =
acl_smtp_mail = acl_check_mail
acl_smtp_mailauth =
acl_smtp_notquit =
acl_smtp_predata =
acl_smtp_quit =
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_starttls =
acl_smtp_vrfy =
add_environment =
admin_groups =
no_allow_domain_literals
no_allow_mx_to_ip
no_allow_utf8_domains
auth_advertise_hosts = *
auto_thaw = 0s
bi_command =
bounce_message_file =
bounce_message_text =
bounce_return_body
bounce_return_linesize_limit = 998
bounce_return_message
bounce_return_size_limit = 100K
bounce_sender_authentication =
callout_domain_negative_expire = 3h
callout_domain_positive_expire = 1w
callout_negative_expire = 2h
callout_positive_expire = 1d
callout_random_local_part = $primary_hostname-$tod_epoch-testing
check_log_inodes = 100
check_log_space = 10M
check_rfc2047_length
check_spool_inodes = 100
check_spool_space = 10M
chunking_advertise_hosts =
daemon_smtp_ports = smtp
daemon_startup_retries = 9
daemon_startup_sleep = 30s
no_debug_store
delay_warning = 1d
delay_warning_condition = ${if or {{ !eq{$h_list-id:$h_list-post:$h_list-subscribe:}{} }{ match{$h_precedence:}{(?i)bulk|list|junk} }{ mat ch{$h_auto-submitted:}{(?i)auto-generated|auto-replied} }} {no}{yes}}
no_deliver_drop_privilege
deliver_queue_load_max =
delivery_date_remove
no_disable_ipv6
dkim_verify_signers = $dkim_signers
dns_again_means_nonexist =
dns_check_names_pattern = (?i)^(?>(?(1)\.|())[^\W](?>[a-z0-9/_-]*[^\W])?)+(\.?)$
dns_csa_search_limit = 5
dns_csa_use_reverse
dns_dnssec_ok = -1
dns_ipv4_lookup =
dns_retrans = 0s
dns_retry = 0
dns_trust_aa =
dns_use_edns0 = -1
no_drop_cr
dsn_advertise_hosts =
dsn_from = Mail Delivery System <Mailer-Daemon@$qualify_domain>
envelope_to_remove
errors_copy =
errors_reply_to =
event_action =
exim_group = Debian-exim
exim_path = /usr/sbin/exim4
exim_user = Debian-exim
extra_local_interfaces =
extract_addresses_remove_arguments
finduser_retries = 0
freeze_tell = postmaster
gecos_name = $1
gecos_pattern = ^([^,:]*)
no_gnutls_allow_auto_pkcs11
no_gnutls_compat_mode
header_line_maxsize = 0
header_maxsize = 1048576
headers_charset = UTF-8
helo_accept_junk_hosts =
helo_allow_chars =
helo_lookup_domains = @ : @[]
helo_try_verify_hosts =
helo_verify_hosts =
hold_domains =
host_lookup = *
host_lookup_order = bydns:byaddr
host_reject_connection =
hosts_connection_nolog =
hosts_treat_as_local =
ignore_bounce_errors_after = 2d
ignore_fromline_hosts =
no_ignore_fromline_local
keep_environment =
keep_malformed = 4d
no_local_from_check
local_from_prefix =
local_from_suffix =
local_interfaces = <; ::0 ; 0.0.0.0
local_scan_path = /usr/lib/exim4/local_scan/sa-exim.so
local_scan_timeout = 5m
local_sender_retain
localhost_number =
log_file_path = /var/log/exim4/%slog
log_selector = +smtp_protocol_error +smtp_syntax_error +tls_certificate_verified +tls_peerdn
no_log_timezone
lookup_open_max = 25
max_username_length = 0
no_message_body_newlines
message_body_visible = 500
message_id_header_domain =
message_id_header_text =
message_logs
message_size_limit = 50M
no_move_frozen_messages
no_mua_wrapper
never_users =
openssl_options =
percent_hack_domains =
pid_file_path = /run/exim4/exim.pid
pipelining_advertise_hosts = *
prdr_enable
no_preserve_message_logs
primary_hostname = mailsrv.example.de
no_print_topbitchars
process_log_path = /var/spool/exim4/exim-process.info
prod_requires_admin
qualify_domain = example.de
qualify_recipient = example.de
queue_domains =
queue_list_requires_admin
no_queue_only
queue_only_file =
queue_only_load =
queue_only_load_latch
queue_only_override
no_queue_run_in_order
queue_run_max = 5
queue_smtp_domains =
receive_timeout = 0s
received_header_text = Received: ${if def:sender_rcvhost {from $sender_rcvhost\n\t}{${if def:sender_ident {from ${quote_local_part:$sender _ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}by $primary_hostname ${if def:received_protocol {with $received_proto col}} ${if def:tls_cipher {($tls_cipher)\n\t}}(Exim $version_number)\n\t${if def:sender_address {(envelope-from <$sender_address>)\n\t}}id $message_exim_id${if def:received_for {\n\tfor $received_for}}
received_headers_max = 30
recipient_unqualified_hosts =
recipients_max = 0
no_recipients_max_reject
remote_max_parallel = 2
remote_sort_domains =
retry_data_expire = 1w
retry_interval_max = 1d
return_path_remove
rfc1413_hosts = @[]
rfc1413_query_timeout = 0s
sender_unqualified_hosts =
slow_lookup_log = 0
smtp_accept_keepalive
smtp_accept_max = 20
smtp_accept_max_nonmail = 10
smtp_accept_max_nonmail_hosts = *
smtp_accept_max_per_connection = 1000
smtp_accept_max_per_host =
smtp_accept_queue = 0
smtp_accept_queue_per_connection = 10
smtp_accept_reserve = 0
smtp_active_hostname =
smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full
smtp_check_spool_space
smtp_connect_backlog = 20
smtp_enforce_sync
smtp_etrn_command =
smtp_etrn_serialize
smtp_load_reserve =
smtp_max_synprot_errors = 3
smtp_max_unknown_commands = 3
smtp_ratelimit_hosts =
smtp_ratelimit_mail =
smtp_ratelimit_rcpt =
smtp_reserve_hosts =
no_smtp_return_error_details
no_split_spool_directory
spool_directory = /var/spool/exim4
no_strict_acl_vars
no_strip_excess_angle_brackets
no_strip_trailing_dot
syslog_duplication
syslog_facility =
syslog_pid
syslog_processname = exim
syslog_timestamp
system_filter =
system_filter_directory_transport =
system_filter_file_transport =
system_filter_group =
system_filter_pipe_transport =
system_filter_reply_transport =
system_filter_user =
tcp_nodelay
timeout_frozen_after = 1w
timezone =
tls_advertise_hosts = *
tls_certificate = /etc/exim4/exim.crt
tls_crl =
tls_dh_max_bits = 2236
tls_dhparam = historic
tls_eccurve = auto
tls_ocsp_file =
tls_on_connect_ports =
tls_privatekey = /etc/exim4/exim.key
no_tls_remember_esmtp
tls_require_ciphers =
tls_try_verify_hosts =
tls_verify_certificates = ${if exists{/etc/ssl/certs/ca-certificates.crt}{/etc/ssl/certs/ca-certificates.crt}{/dev/null}}
tls_verify_hosts =
trusted_groups =
trusted_users = uucp
unknown_login =
unknown_username =
untrusted_set_sender = *
uucp_from_pattern = ^From\s+(\S+)\s+(?:[a-zA-Z]{3},?\s+)?(?:[a-zA-Z]{3}\s+\d?\d|\d?\d\s+[a-zA-Z]{3}\s+\d\d(?:\d\d)?)\s+\d\d?:\d\d?
uucp_from_sender = $1
warn_message_file =
write_rejectlog
