Problems with exim4 configuration on my VPS

[liviutudor]

I have bought recently from eukhost a VPS hosting package and 3 domains (3b-software.co.uk, 3bsoft.co.uk and 3bsoft.net) which are hosted on the VPS package. I have requested that Debian Linux is installed on the VPS box which has been done for me at the time so I have carried on the configuration and installation of DNS, Apache etc on this box and it all worked well. I have however run into a small problem with configuring exim4 (more specifically exim4-daemon-heavy package) on this machine and I was wondering whether anyone could help me with it as I’m sure it’s just a small glitch but I somehow cannot seem to find the solution for it:
In brief, what happens is that I can receive emails (on any of the 3 domains mentioned above) and that works great (including the SSL authentication etc) however when it comes to sending emails it appears that I cannot get the server to send emails outside any of the 3 domains configured. Even though I have configured SMTP authentication and TLS enabled, when I send an email from liv@3bsoft.co.uk for instance to my Gmail account (this account I’m emailing you from) I get an email saying that relaying is not allowed – which should only be presented to un-authenticated users (so we don’t allow an open mail relay obviously), however my Outlook (2003) is configured for authentication for both sending and receiving emails and yet it seems somehow exim still doesn’t allow me to send emails to the outside.
Any help in this would be greatly appreciated! (I can of course provide copies of the configuration files of the exim4 server to assist you in this).

[Rock]

Hi,

What do the [exim_paniclog & exim_mainlog] logs on your VPS say? It may be an issue with your exim configuration, but more of a firewall issue too.

Did you try telnet'ing to port 25 of any remote server keeping the firewall offline? Try these Gmail servers with port 25: eg: telnet <server> 25

gmail-smtp-in.l.google.com
alt1.gmail-smtp-in.l.google.com
alt2.gmail-smtp-in.l.google.com

and you might try these Hotmail servers too:

mx1.hotmail.com
mx2.hotmail.com
mx3.hotmail.com
mx4.hotmail.com

Let us know how it goes..

[liviutudor]

I've sent an email to the VPS support team as well about this and as i understand they are investigating this.
It turns out it's not a problem with exim4 as it is with the combination exim4 + MS Outlook 2003 + SSL/TLS auth for outgoing emails:

I came to realize the problem is not with the actual exim4 configuration as exim4 configured with SSL works fine if I connect to it from Thunderbird -- which authenticates perfectly on both normal 25 port as it does on the configured SSL one (465). The problem stems though from throwing into the equation Microsoft Office 2003 and more specifically Outlook 2003 which in an uncustomary fashion for Microsoft (ahem) seems to have its own quirky TLS/SSL implementation that doesn't work with exim4 -- well not at the moment anyway :O
So what I need from you guys at this stage is some help in configuring exim4 or Outlook 2003 (or both) to work with each other when sending emails. Please note that the POP3S works fine and I can read emails over SSL using POP3 from MS Outlook; it is just the sending emails that is the problem -- more specifically I end up with one of the 2 scenarios regardless it seems of the config changes I make on both client (Outlook) or server (exim4) side:
- either Outlook sends the message through exim4 but it doesn't authenticate -- in which case exim4 will drop it due to the relaying being prohibited for non-authenticated users (which is fair enough!)
- or Outlook sends some gibberish for which exim4 reports a broken TLS protocol and stops the connection.
I have a few cpanel-based hosting packages with eukhost as well and I know your secure SMTP that you provide for those packages work very well with outlook so I was wondering whether there are any tips you could share with me in terms of getting this working together nicely possibly based on the configuration that you run on your cpanel hosts (and before you say it, unfortunately Thunderbird migration is not an option whatsoever for us right now).

[liviutudor]

OK I have received an email from your vps support which basically says that "errr... dude this s*&%t is broken" and it looks like they gave up on the basis that they don't know what to do anymore -- odd, I know, coming from a support person but it seems the support team is available 24x7 but it just isn't available for fixing things!
So this question is now open to anyone out there who might be able to help -- and here's a more in-depth description of the problem and the configuration:

I have bought 3 domain names and they all point to one Debian Linux (lenny) machine (which is in fact a VPS server with a hosting company). The 3 domains are pretty much "aliases" for one another and there are a few reasons why I bought 3 domains for my company rather than just one but I'm not going to go through them here as that's outside the scope of this discussion. The bottom line is that in terms of emails the 3 domains are equivalent -- so if someone sends an email to liv@domain1.com it should be the same as sending an email to liv@domain2.com or liv@domain3.com. Ultimately, all of these 3 domains deliver their mail locally to user liv in the above example.
I have configured therefor exim4 to accept emails for these 3 domains and I have managed at the end of it to read emails from any of these 3 domains using Microsoft Outlook 2003 with POP3+SSL. (The certificate used by the server currently is a self-signed one, however, once I finish configuring exim I will buy a proper certificate.) The problem however arrived when I tried to SEND an email using the same MS Outlook and the same exim4 server -- as I have configured exim to only allow relaying for authenticated users -- all the other emails will be rejected unless of course the email is intended for one of the domains hosted on this server. I have tested the exim4 configuration using the likes of thunderbird (well icedove in debian) and managed to send and receive emails successfully from another linux machine I have at home -- so I know that SMTP auth over SSL works because it worked with Thunderbird and I could send emails. However, when connecting MS Outlook 2k3 to the exim server I end up with one of the 2 cases: either outlook doesn't authenticate, in which case the email gets rejected, or there is a protocol error and outlook ends up reporting that my server doesn't support SSL connections.
I have looked on the net and this seems to be a problem with Outlook's TLS/SSL implementation however even using some authenticators given on other sites doesn't seem to fix the problem.
Here are the configuration files for exim4 (I use split configuration):

/etc/exim4/update-exim4.conf.conf

dc_eximconfig_configtype='internet'
dc_other_hostnames='domain1.com;domain2.com;domain 3.com'
dc_local_interfaces='127.0.0.1;213.175.212.100'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets='mail.domain1.com;mail.domain2.com;m ail.domain3.com'
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='true'
dc_hide_mailname=''
dc_mailname_in_oh='true'
dc_localdelivery='maildir_home'


/etc/exim4/conf.d/main/000_localmacros:

daemon_smtp_ports = 25 : 465
tls_on_connect_ports = 465
AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS = 1
smtp_enforce_sync = false
MAIN_TLS_ENABLE = true

/etc/exim4/conf.d/auth/30_exim4-config_examples:

plain_login:
driver = plaintext
public_name = PLAIN_LIV
server_prompts = :
server_condition = ${lookup {$auth2} lsearch {/etc/exim/auth} {${if eq {$value}{$auth3} {yes}{no}}}{no}}
server_set_id = $auth2

fixed_login:
driver = plaintext
public_name = LOGIN
server_prompts = Username:: : Password::
server_condition = ${lookup {$auth1} lsearch {/etc/exim/auth} {${if eq {$value}{$auth2} {yes}{no}}}{no}}
server_set_id = $auth1

plain_server:
driver = plaintext
public_name = PLAIN
server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}ls earch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
server_set_id = $auth2
server_prompts = :
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif

support_broken_outlook_express_4_server:
driver = plaintext
public_name = "\r\n250-AUTH=PLAIN LOGIN"
server_prompts = User Name : Password
server_condition = no
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif
cram_md5:
driver = cram_md5
public_name = CRAM-MD5
client_name = ${extract{1}{:}{${lookup{$host}nwildlsearch{CONFDI R/passwd.client}{$value}fail}}}
client_secret = ${extract{2}{:}{${lookup{$host}nwildlsearch{CONFDI R/passwd.client}{$value}fail}}}

# this returns the matching line from passwd.client and doubles all ^
PASSWDLINE=${sg{\
${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$value}fail}\
}\
{\\N[\\^]\\N}\
{^^}\
}

plain:
driver = plaintext
public_name = PLAIN
.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
client_send = "<; ${if !eq{$tls_cipher}{}\
{^${extract{1}{:}{PASSWDLINE}}\
^${sg{PASSWDLINE}{\\N([^:]+(.*)\\N}{\\$2}}\
}fail}"
.else
client_send = "<; ^${extract{1}{:}{PASSWDLINE}}\
^${sg{PASSWDLINE}{\\N([^:]+(.*)\\N}{\\$2}}"
.endif

login:
driver = plaintext
public_name = LOGIN
.ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS
# Return empty string if not non-TLS AND looking up $host in passwd-file
# yields a non-empty string; fail otherwise.
client_send = "<; ${if and{\
{!eq{$tls_cipher}{}}\
{!eq{PASSWDLINE}{}}\
}\
{}fail}\
; ${extract{1}{::}{PASSWDLINE}}\
; ${sg{PASSWDLINE}{\\N([^:]+(.*)\\N}{\\$2}}"
.else
# Return empty string if looking up $host in passwd-file yields a
# non-empty string; fail otherwise.
client_send = "<; ${if !eq{PASSWDLINE}{}\
{}fail}\
; ${extract{1}{::}{PASSWDLINE}}\
; ${sg{PASSWDLINE}{\\N([^:]+(.*)\\N}{\\$2}}"
.endif


(note that the above is a mixture of default exim config and other items I have found on the web as recommended (however, they didn't work!).

/etc/exim4/conf.d/router/350_exim4-config_vdom_aliases:

vdom_aliases:
driver = redirect
allow_defer
allow_fail
domains = dsearch;/etc/exim4/virtual
data = ${expand:${lookup{$local_part}lsearch*@{/etc/exim4/virtual/$domain}}}
retry_use_local_part
pipe_transport = address_pipe
file_transport = address_file
no_more

and finally, the vhosts stuff:
/etc/exim4/virtual/ contains 3 files, each file named after the domain name -- so domain1.com, domain2.com and domain3.com and each file is identical to the other, so i'll give you just the contents of domain1.com

webmaster : local_user@localhost
office : local_user@localhost
administrator: local_user@localhost

(the idea being as i said that all the emails on these 3 domains arrive in one local mailbox).
Now, taking this into account, any idea on how to configure outlook to authenticate against exim4 using a secure connection TLS/SSL so mails can be sent from MS Outlook? Bear in mind I'm using Outlook 2003, part of the MS Office suite, not outlook express!
Thanks!