How to test outgoing mail from Exim for proper TLS configuration


Been using Exim a long time. Never set up TLS before, however.

I think I have it configured, but need to test that it can send OUTBOUND-only email using TLS to a mail server. The server does not receive inbound email.

As a test, as a mail server (not a client), how do I deliver email to gmail via a TLS connection so that messages bound for user@gmail.com are authenticated as a server, not as a user?

I have defined a router like:

GMAIL_ROUTER:
  driver = manualroute
  # only mail for this domain takes this route
  domains = gmail.com
  transport = TLS_SMTP
  # host::port syntax: connect to the submission port rather than 25
  route_list = * smtp.gmail.com::587
  no_more

And a transport like:

TLS_SMTP:
  driver = smtp
  # defer delivery instead of falling back to cleartext if STARTTLS fails
  hosts_require_tls = *

But when it connects, I get:

2016-04-05 09:52:28 1anU0O-0004S4-Op ** useraccount@gmail.com R=GMAIL_ROUTER T=TLS_SMTP: SMTP error from remote mail server after MAIL FROM:<root@mydomain.com> SIZE=1349: host gmail-smtp-msa.l.google.com [74.125.28.109]: 530-5.5.1 Authentication Required. Learn more at\n530 5.5.1  https://support.google.com/mail/answer/14257 w62sm48080410pfa.79 - gsmtp

The error seems to suggest that I need to authenticate as a user, but this is a mail server, just trying to deliver email to a gmail.com user.

Is there a configuration to allow the mail server to authenticate using TLS without a client account?

Main goal is that we will be smart hosting all email to O365 soon, but that is not setup yet for me to test.

Best Answer

Exim will use TLS for outgoing connections if it is available and you haven't disabled it. You don't need to configure certificates for outgoing connections. This works on port 25 as well as 587. You can configure hosts that you want to avoid TLS with. TLS on incoming traffic requires a certificate and some setup.

You are connecting on the Submission port (587) which is intended for client connections and usually requires authentication. It does allow use of the server as a relay (after authentication).

You likely won't run into this issue if you connect on the SMTP port (25). However, connecting on the SMTP port will result in other anti-spam issues, and you won't be able to use gmail as a relay.

You can configure a userid and password in Exim. There are two password files, one for incoming connections, and a separate one for outgoing connections. You will need a valid gmail account, and may have your outgoing traffic throttled. Configure the account in the passwd.client file for outgoing traffic. This is normally processed by the remote_smtp_smarthost transport. You will need to add the authentication portion to your transport, although it may be simpler just to use the normal smarthost configuration.
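Putting the answer's pieces together (mandatory TLS on the transport, an outgoing authenticator fed from passwd.client, and a way to confirm from the log that a delivery really went out encrypted and authenticated), here is an added example; it is not code from the original question or answer and not the Exim project's own configuration. It assumes Exim 4.80 or later built with TLS, the Debian-style split configuration under /etc/exim4/conf.d/, a credentials line `smtp.gmail.com:user@gmail.com:password` in /etc/exim4/passwd.client, and the system CA bundle at /etc/ssl/certs/ca-certificates.crt. Every file, router, transport and authenticator name, and the sample log lines, are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Exim project.
# Assumptions: Exim 4.80+ built with TLS, Debian-style split config under
# /etc/exim4/conf.d/, a line "smtp.gmail.com:user@gmail.com:password" in
# /etc/exim4/passwd.client, and the CA bundle path below. All names here
# and the sample log lines are constructed for this example.
set -eu

# Write a router, transport and authenticator that deliver gmail.com mail to
# smtp.gmail.com:587 with mandatory STARTTLS, certificate verification and
# SMTP AUTH. $1 is the conf.d directory to write into.
write_gmail_smarthost_config() {
  confdir=$1
  mkdir -p "$confdir/router" "$confdir/transport" "$confdir/auth"

  cat >"$confdir/router/150_gmail_smarthost" <<'EOF'
gmail_smarthost:
  driver = manualroute
  domains = gmail.com
  transport = gmail_tls_smtp
  route_list = * smtp.gmail.com::587
  no_more
EOF

  cat >"$confdir/transport/30_gmail_tls_smtp" <<'EOF'
gmail_tls_smtp:
  driver = smtp
  # Defer rather than fall back to cleartext if STARTTLS fails.
  hosts_require_tls = *
  # Abandon the session unless the server certificate verifies against this bundle.
  tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt
  tls_verify_hosts = *
  # Defer rather than try unauthenticated; this is what the 530 5.5.1 asked for.
  hosts_require_auth = *
EOF

  cat >"$confdir/auth/30_gmail_login" <<'EOF'
gmail_login:
  driver = plaintext
  public_name = LOGIN
  # Never offer the password on a cleartext session ($tls_out_cipher is then empty).
  client_condition = ${if !eq{$tls_out_cipher}{}}
  # Leading ":" = no initial response, then user name, then password, both read
  # from passwd.client keyed by the host being connected to. client_send is a
  # colon-separated list, so the separator given to extract is written "::".
  hide client_send = : ${extract{1}{::}{${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$value}fail}}} : ${extract{2}{::}{${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$value}fail}}}
EOF
}

# Send a one-line test message, delivering in the foreground (-odf) and
# verbosely (-v) so the STARTTLS and AUTH exchange is shown on the terminal.
send_test_message() {
  printf 'Subject: exim TLS test\n\nhello\n' | exim -v -odf "$1"
}

# True if $1 contains the substring $2 (case pattern, so backslashes are literal).
has() { case $1 in *"$2"*) return 0 ;; *) return 1 ;; esac; }

# Classify one Exim mainlog line, printing one word:
#   secure   "=>" delivery line with X=TLS (cipher), CV=yes (cert verified) and A= (authenticator)
#   insecure "=>" delivery line missing any of those three
#   failed   "**" bounce line, such as the 530 5.5.1 in the question
#   other    anything else (arrival, Completed, ...)
classify_exim_log_line() {
  line=$1
  case $line in
    *' => '*)
      has "$line" ' X=TLS' && has "$line" ' CV=yes' && has "$line" ' A=' \
        && echo secure || echo insecure ;;
    *' ** '*) echo failed ;;
    *) echo other ;;
  esac
}

# Constructed sample lines in the style of an Exim mainlog.
SAMPLE_SECURE='2016-04-05 10:03:11 1anUBp-0004Tq-1Z => user@gmail.com R=gmail_smarthost T=gmail_tls_smtp H=smtp.gmail.com [74.125.28.109] X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 CV=yes A=gmail_login C="250 2.0.0 OK"'
SAMPLE_PLAIN='2016-04-05 10:03:11 1anUBp-0004Tq-1Z => user@gmail.com R=gmail_smarthost T=gmail_tls_smtp H=smtp.gmail.com [74.125.28.109] C="250 2.0.0 OK"'
SAMPLE_FAILED='2016-04-05 09:52:28 1anU0O-0004S4-Op ** user@gmail.com R=GMAIL_ROUTER T=TLS_SMTP: SMTP error from remote mail server after MAIL FROM:<root@mydomain.com> SIZE=1349: host gmail-smtp-msa.l.google.com [74.125.28.109]: 530-5.5.1 Authentication Required.'

for l in "$SAMPLE_SECURE" "$SAMPLE_PLAIN" "$SAMPLE_FAILED"; do
  printf '%-8s <- %s\n' "$(classify_exim_log_line "$l")" "${l%% R=*}"
done
```

On a real host the sequence is: `write_gmail_smarthost_config /etc/exim4/conf.d`, regenerate the config the way your distribution does it (`update-exim4.conf` on Debian), check with `exim -bt user@gmail.com` that the gmail_smarthost router is the one selected, then `send_test_message user@gmail.com` and run the last lines of /var/log/exim4/mainlog through `classify_exim_log_line`. The `X=` and `CV=` fields come from the `tls_cipher` and `tls_certificate_verified` log selectors, which are on by default; a delivery line without them means the message left in cleartext. Because the transport sets both `hosts_require_tls` and `hosts_require_auth`, a server that drops STARTTLS or rejects the credentials causes a deferral rather than a cleartext or unauthenticated attempt, which is the failure mode you want for an outgoing-only relay.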
