Been using Exim a long time. Never set up TLS before, however.
I think I have it configured, but need to test that it can SEND OUTBOUND only email using TLS to a mail server. The server does not receive inbound email.
As a test: as a mail server (not a client), how do I deliver email to gmail via a TLS connection so that messages bound for user@gmail.com are authenticated as a server, not as a user?
I have defined a router like:
GMAIL_ROUTER:
  driver = manualroute
  domains = gmail.com
  transport = TLS_SMTP
  route_list = * smtp.gmail.com::587
  no_more
And a transport like:
TLS_SMTP:
  driver = smtp
  hosts_require_tls = *
But when it connects, I get:
2016-04-05 09:52:28 1anU0O-0004S4-Op ** useraccount@gmail.com R=GMAIL_ROUTER T=TLS_SMTP: SMTP error from remote mail server after MAIL FROM:<root@mydomain.com> SIZE=1349: host gmail-smtp-msa.l.google.com [74.125.28.109]: 530-5.5.1 Authentication Required. Learn more at\n530 5.5.1 https://support.google.com/mail/answer/14257 w62sm48080410pfa.79 - gsmtp
The error seems to suggest that I need to authenticate as a user, but this is a mail server, just trying to deliver email to a gmail.com user.
Is there a configuration to allow the mail server to authenticate using TLS without a client account?
Main goal is that we will be smart hosting all email to O365 soon, but that is not set up yet for me to test.
Best Answer
Exim will use TLS for outgoing connections if it is available and you haven't disabled it. You don't need to configure certificates for outgoing connections. This works on port 25 as well as 587. You can configure hosts that you want to avoid TLS with. TLS on incoming traffic requires a certificate and some setup.
You are connecting on the Submission port (587) which is intended for client connections and usually requires authentication. It does allow use of the server as a relay (after authentication).
You likely won't run into this issue if you connect on the SMTP port (25). However, connecting on the SMTP port will result in other anti-spam issues, and you won't be able to use gmail as a relay.
You can configure a userid and password in Exim. There are two password files, one for incoming connections, and a separate one for outgoing connections. You will need a valid gmail account, and may have your outgoing traffic throttled. Configure the account in the passwd.client file for outgoing traffic. This is normally processed by the remote_smtp_smarthost transport. You will need to add the authentication portion to your transport, although it may be simpler just to use the normal smarthost configuration.
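To make the answer's last sentence concrete, here is an added example (not taken from the question, the answer, or any Exim distribution) of what "the authentication portion" looks like when it is bolted onto the asker's own router and transport. It assumes a single-file Exim 4.8x configuration, that the credentials live in /etc/exim4/passwd.client in the usual host:login:password form, and that the file is readable only by the Exim user (mode 0600). The router and transport names come from the question; the authenticator name gmail_plain and the file path are this example's own choices.

```exim
# Added example: authenticated submission to smtp.gmail.com:587 over TLS.
# Names GMAIL_ROUTER and TLS_SMTP are from the question; gmail_plain and
# /etc/exim4/passwd.client are assumptions made for this example.

begin routers

GMAIL_ROUTER:
  driver = manualroute
  domains = gmail.com
  transport = TLS_SMTP
  route_list = * smtp.gmail.com::587
  no_more

begin transports

TLS_SMTP:
  driver = smtp
  # Refuse to deliver to any host that does not offer STARTTLS, and refuse
  # to deliver to any host that does not accept AUTH. Together these stop
  # Exim from ever sending the password over a cleartext connection or
  # falling back to an unauthenticated attempt that gmail rejects anyway.
  hosts_require_tls = *
  hosts_require_auth = *
  # Verify the peer certificate so the credentials are only handed to the
  # real smarthost. The special value "system" (use the OS CA bundle) is
  # an assumption about the Exim version; older releases take a file path.
  tls_verify_certificates = system
  tls_verify_hosts = *

begin authenticators

gmail_plain:
  driver = plaintext
  public_name = PLAIN
  # $host is the name Exim actually connected to, which for gmail is an
  # MX-style name such as gmail-smtp-msa.l.google.com (see the log line in
  # the question), not smtp.gmail.com. The lookup therefore uses a wildcard
  # entry in passwd.client, one per line:
  #     *.google.com:user@gmail.com:app-password
  # The "^" characters become NUL bytes in the PLAIN message
  # (authzid NUL authcid NUL password).
  client_send = "^${extract{1}{:}{${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$value}fail}}}\
                ^${extract{2}{:}{${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$value}fail}}}"
```

The two hosts_require_* options are the part worth keeping even when the rest is replaced by a packaged smarthost configuration: hosts_require_tls alone (what the question had) only guarantees the channel is encrypted, while hosts_require_auth is what makes Exim present the passwd.client credentials on the submission port instead of sending MAIL FROM unauthenticated and getting the 530 5.5.1 response shown above. As the answer notes, delivering straight to the gmail MX hosts on port 25 needs neither the authenticator nor the password file, only hosts_require_tls.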