Ssl verify error certificate name mismatch exim

Configure Exim for outbound remote mail problem

Mr. Jinx

Verified User

I have configured Exim to use a remote outbound mail server. As mail service, I make use of mxroute.com.

Followed this very nice tutorial:

Configuring and customizing Exim | Directadmin Docs

The problem is something goes wrong when the remote smtp server is resolved to an IPv6 address.

In /etc/exim.routers.pre.conf I have this line:

The weird part is «no IP address found for host 2a01» and after that it fails authentication.
It seems the first octet of the IPv6 address is being used instead of the complete IPv6 address?

If I replace the FQDN in /etc/exim.routers.pre.conf with an IPv4 address like this:

. then it works fine!

So any idea’s how to make the route_list accept FQDN’s that resolve to a proper IPv6 address?

ikkeben

Verified User

Square brackets because of the colons in ipv6. ?

• When IPv6 addresses are involved, it gets worse, because they contain colons of their own. To make this case easier, it is permitted to enclose an IP address (either v4 or v6) in square brackets if a port number follows. For example:
  route_list = * » www.exim.org

Mr. Jinx

Verified User

I tried the square brackets, but it does not seem to work when using FQDN:

Error: no IP address found for host [smtp.example.com]

With double colons:

Error: no IP address found for host 2a01

ikkeben

Verified User

I tried the square brackets, but it does not seem to work when using FQDN:

Error: no IP address found for host [smtp.example.com]

With double colons:

Error: no IP address found for host 2a01

In above example exim.org the square brackets for IPv6 adress itself.

the smtp. is no fqdn the hostname itself should be FQDN but there i can be very wrong.

Do first some dns / ns test online for those hostname / servers you need there

and did you connect the ipv6 in admin with the ipv4 pointing or so i don’t know exactly now.

Источник

SSL verify error: certificate name mismatch

Legendary

Member

I have a couple of cPanel servers and today I noticed an SSL issue when sending/receiving emails.

Log from the sending server:

Take note of the following:

Legendary

Member

cPanelMichael

Administrator

You will notice this with Exim 4.86 based on the following changes:

What hostname is the user entering for outbound email in their email client?

Legendary

Member

You will notice this with Exim 4.86 based on the following changes:

What hostname is the user entering for outbound email in their email client?

Thanks for responding.

I’m not sure if the sender’s outbound mail server settings matter in this case as the error is logged by the sending server, meaning the issue is with the recipient server’s mail SSL setup.

1. Send mail from [email protected] (on server some.hostname1.com) to [email protected] (on server some.hostname2.com)
2. Email is received by the server some.hostname2.com and is delivered to [email protected]
3. All seems fine but an error is logged in some.hostname1.com‘s /var/log/exim_mainlog:

As mentioned above, a workaround to this issue is by changing cPanel’s default MX entry for the recipient (in this case, example2.com) to the server’s hostname. Then again what is the whole point of having mail SNI if we’re required to do this?

This isn’t an urgent issue as emails are being sent and received — I just happened to come across this issue and figured I’d ask if this behavior is 100% intentional or if it’s a bug. Hope this makes sense and thanks for your time!

Источник

Тема: Ошибка склейки цепочки сертификатов Exim

Опции темы

Поиск по теме

Ошибка склейки цепочки сертификатов Exim

При замене сертификата Exim (через панель — Почтовые домены — SSL сертификат) получил глюк в виде ошибки отправки почты.
После недолгих разбирательств выяснилось что панель неправильно склеивает сертификат.
Лог exim пестрил ошибкой:

В файле /etc/exim/ssl/exim.crt мы получаем сертификат склеенный таким образом:

А сертификат и ca сертификат нужно склеивать, вот так:

Когда вы уже научитесь качественно тестировать функционал, перед выпуском в продакшен.
Задолбался ваши косяки выискивать и руками исправлять.
___________________

CentOS 7
ISPmanager Lite 5.90.0

Последний раз редактировалось Pegas-x; 15.03.2017 в 21:54 .

Здравствуйте. Да, действительно, об этой проблеме известно разработчикам, исправим. Приносим свои извинения за доставленные неудобства.

К слову если кому понадобится, набросал скрипт замены сертификата по всем службам панели.
Только пути свои пропишите, если у вас они отличные от моих.

По крайней мере этот способ быстрее и надежнее, чем доверять панели
Только внимательно проверьте пути к файлам и их названия у вас на сервере.

P.S. Предложение разработчикам, сделайте замену сертификатов для всех служб одной кнопкой. К примеру в списке сертификатов сделать кнопку, при нажатии на которую, выбранный администратором сертификат, будет установлен в качестве основного для: Exim, Dovecot, Proftpd, ihttpd и они будут автоматом перезапущены. Сделать это не сложно, а жизнь облегчит.

Последний раз редактировалось Pegas-x; 16.03.2017 в 22:27 .

Источник

SSL Certificate Name Mismatch Error

«The security certificate presented by this website was issued for a different website’s address.»

The name mismatch error indicates that the common name (domain name) in the SSL certificate doesn’t match the address that is in the address bar of the browser. For example, if the certificate is for www.paypal.com and you access the site without the «www» (https://paypal.com), you will get this SSL certificate name error. If you aren’t the website administrator you will want to always access the site with the full name (usually include the «www.» before the domain name) or ask the website owner to fix the problem.

If you are the website administrator, you will usually want to forward all traffic without the «www» to an address with the «www» and get an SSL certificate with the «www» in the common name. That way you will completely avoid the name mismatch error. Some certificate authorities get around this problem by issuing a certificate with SANs. So you can get a certificate for paypal.com and include a SAN of www.paypal.com so you don’t get a name mismatch error. Another common reason for this error is if you are accessing a server using an internal name when the SSL certificate on it just has the public name on it. In this situation you can get a UC certificate that has both the external public name and the internal server name in the certificate. You can verify whether you will get a name mismatch error by using our SSL Checker.

Most web browsers make it clear that you shouldn’t just continue when you receive this error. This is because, while most of the time it doesn’t, it could indicate that a phisher is trying to pass a website off as a legitimate site. You shouldn’t have to continue through this error message on legitimate web sites.

This error is often phrased differently depending on the web browser. These are some common ways the name mismatch error is stated in other browsers:

Different name mismatch errors in different web browsers

«The security certificate presented by this website was issued for a different website’s address.»

«You have attempted to establish a connection with «www.paypal.com». However, the security certificate presented belongs to «paypal.com.phishingsite.com». It is possible, though unlikely, that someone may be trying to intercept your communication with this web site.

If you suspect the certificate shown does not belong to «www.paypal.com», please cancel the connection and notify the site administrator.»

Originally posted on Thu Nov 6, 2008

if we have 2 profiles on WAS server with the same sub domain can we use the same SSL for both? would it still show this issue?

I am facing issue while accessing one site getting the certificate of different site where as both the site are binded with different IPs on same server. i.e — If I am accessing www.xyz.com I am getting the certificate of www.pqr.com.

I am recieving this error after dns records were pointed to a new server where the site would be hosted the current server uses a certificate that can be used more than once is there a way of fixing this at all?

Your certificate is *.myherbalife.com therefore when the web site has two or more «.» (periods) to left of myherbalife then you will get the mismatch error. The * portion of your URL refers to a wildcard however with SSL if you have a «.» as part of wildcard portion you will get this error. Suggest changing your DNS to use «-» instead of a «.»

Internet Explorer 7 «The security certificate presented by this website was issued for a different website’s address.»

I’m not getting the SECURITY ALERT Screen, prev i use to get it an when i click yes, it will go to the secured page.
Now my prob with the ceritifacte error is originally the certifacte was issue to «*.myherbalife.com» ( equifax) and now i tried to connect «dlm.myherbalife.com» that time i get this error.
help me to clear this error.

As Robert says, if you have a wildcard certificate for one domain, yo won’t have the error if the website is like

But if you use it for a websike like

you will get it, because the wildcard certificate it’s only for the services in «dominio.com», not for the subdomain «city.dominio.com».

Anyway it’s a valid certificate, as for «city.dominio.com» like for «dominio.com», the problem is the message (it doesn’t look nice). Internet Explorer have the option to disable it, but you need to do that in each IE client, so it’s not very effective. This otion is in Internet tools/Advanced Options/security/, it’s something like «Notify abaut the not mattching in the adress of the certificates» (I have it in spanish, so it’s not exatly this, but something like this).

CA are offering wildcard services which allows an organisation to release SSL fast but this results in a cert error. Does anyone know the best set-up for a wildcard entry to avoid the error message to the end user?

Ive got this issue using a watchguard firebox with single sign on. nightmare.

it tells me domain name mismatch when i open a particular website, pls what do i do to solve this problem. thanks

The security certificate presented by this website was not issued by a trusted certificate authority.
The security certificate presented by this website was issued for a different website’s address

I have a Mac and use Macmail, I haven’t made any changes to our email or site logins or certificates however I’m getting the dialog «Mail can’t verify the identity of «gives our mail server #» (which is the correct #). You might be connecting to a server that is pretending to be «number» .
I clicked «Show Certificate» and it gave me GeoTurst Global CA > .securesites.com. «This certificate is not valid (host name mismatch). I called our web host, Verio, and they said for now just Connect each time, don’t click «Always trust». this happens every time I open my email client. Could it be pisching or is this authentic? Can I click «Always Trust»?

Ander, thank you for your tip, it worked fine. Muchas gracias! 🙂

i can’t uploade from my wibe sit to server
tise error
Security Exception
Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application’s trust level in the configuration file.

Exception Details: System.Security.SecurityException: Request for the permission of type ‘System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089’ failed.

Line 210: ‘File.Copy(img_path.PostedFile.FileName, «c:»)

It sounds like your host is just using a shared certificate on your site. It would be more secure to use a separate certificate for your site, but you should be fairly safe to click through the warnings in this case.

Your certificate is *.myherbalife.com therefore when the web site has two or more «.» (periods) to left of myherbalife then you will get the mismatch error. The * portion of your URL refers to a wildcard however with SSL if you have a «.» as part of wildcard portion you will get this error. Suggest changing your DNS to use «-» instead of a «.»

I setup cname for a domain. Both are different domains like xyz.com, zxy.com and both are wildcard SSL enabled.

I am getting this below error in my browser.

You attempted to reach xyz.com, but instead you actually reached a server identifying itself as *.zxy.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of xyz.com.

Is there a way by which we can allow web application access with multiple URLS viz., using IP address (say 151.34.25.190), hostname (say 01hm45678) and complete hostname (say 01hm45678.india.com). The user should be able to access the we app using either of the URLs without giving any certificate error.

Yes, using Subject Alternative Name extensions.

Thinakaran, you’ll need to have both names included in the certificate to avoid the name mismatch error.

When i use the SSL checker with my Domain of www.limosa.com.au it comes up with someone elses domain name. what does this mean? i have no affiliation with this other domain and i am getting annoyed that i cannot read emails on my devices because they dont match up.

I need help this has been problem has been coming up for awhile it will not let me in to aol mail on uk side only usa side using .com. and also other sites i use a lot says the certificate is not right but these will not work by changing to .com as they uk sites any help would be appreciated. google chrome is browser.

i need help, In my magento ecommerce website i have activate the ssl certificate but it is not redirect to https://www.mixrack.com from mixrack.com

i have installed ssl certificate for a website runing on iis 8, certificate had been working fine until 15 days back, and on the same server Macfee EPO server is also runing. now when i accessing my website, certificate is not showing, i used ssl checker to check the appropriate certificate for the website, but it showing the MCAfee EPO server certificate , can some help me out to resolve this certificate problem,

When I check a site with a cPanel auto ssl cert https://www.sslshopper.com/. you report a possible problem in that «None of the names in the cert . . .»

and report this about the cert — Common name: li1265-51.members.linode.com

When every browser I check the cert in has the common name whm.topline.cloud, and viewing the cert has the following.
—
X509v3 Subject Alternative Name:
DNS:whm.topline.cloud, DNS:mail.whm.topline.cloud, DNS:www.whm.topline.cloud
—

I think the report is wrong in this instance.

Thanks for posting about this. I fixed the SSL Checker so that it grabs the correct certificate (the server seems to be sending a different certificate if you connect with the IPv6 address)

Nice, thanks for the quick fix, and a valuable tool.

You should not have to continue through this error message on legitimate website. This error is often phrased differently depending on the web browser.

www.Cricketlivehd.com had the same problem. the better way it to just call your hosting guys and get the common name changed on their servers to solve it all for you.

Has anyone been able to find a way to check hostname mismatch with OpenSSL

Horizon Hobby thinks it is my browser(s). Gawd!

They are missing a SAN in their cert to make it work. dummies!

SSL Wizard
Cheap SSL Certificates
Code Signing Certificates Wildcard Certificates
SSL Tools

Источник

Adblock
detector

Robert (2014-12-13)

It looks like you have a certificate for *.dlm.myherbalife.com. That is why you get an error when you access it with dlm.myherbalife.com. You will need to change the common name in the certificate to *.myherbalife.com to get rid of the error. Talk to your certificate provider (GeoTrust) about how to do this.

Sandeep (2014-12-13)

Vinayak (2014-12-13)

Megini (2014-12-13)

John (2014-12-13)

Mary Sylvia.S (2014-12-13)

Ander (2014-12-13)

Paul (2014-12-13)

Sonic Bass (2014-12-13)

ikye (2014-12-13)

taje (2014-12-13)

AR (2014-12-13)

Andjelko (2014-12-13)

marwan (2014-12-13)

Robert (2014-12-13)

sagar (2014-12-13)

Thinakaran (2014-12-13)

Niti (2014-12-13)

RickP (2015-01-31)

Default Admin User (2014-12-13)

Nick (2014-12-13)

Russ Hill (2015-01-20)

Pankaj Patil (2016-06-09)

vinay (2016-08-09)

jimlongo (2018-06-04)

SSL Shopper (2018-06-05)

jimlongo (2018-06-05)

Gaurav Maniar (2018-06-13)

Faheem iqbal (2019-06-10)

Roberto Cortes (2020-09-08)

CP (2020-11-13)

Exim is a versatile mail transfer agent. This article builds upon Mail server. While the Exim wiki provides some helpful how-tos on certain specific use cases, a detailed description of all configuration options is available as well.

Installation

Install the exim package.

Basic configuration

Exim comes with a bulky default configuration file which is located in /etc/mail/exim.conf. Many options in there are not necessary in a regular use case. By default configuration is done in a single file containing several chapters. Below is a very basic configuration, which provides: local delivers to system users (Maildir format) and authorized relaying to MX hosts. The description is based on a domain «mydomain.tld» served on a host «hostname.mydomain.tld». It is highly recommended to consult the official documentation before using the given documentation below.

Warning: The default permissions of the default configuration file is 0644. Which allows reading by any user. Change this as appropriate, perhaps to 0640, if you are keeping sensitive information (LDAP credentials et. al.) in there.

Main parameters

Main parameters contain some basic options. Using solely those options would open ports for connections but still no mail would be accepted nor relayed anywhere.

# be the responsible mail host for hostname.mydomain.tld (@) & mydomain.tld
domainlist local_domains = @ : mydomain.tld

# we don't relay. Not for foreign domains nor for a single host
domainlist relay_to_domains =
hostlist relay_from_hosts = 

# serve the on all used ports
daemon_smtp_ports = 25 : 465 : 587

# do a reverse name lookup for all incoming connections
host_lookup = *

# Logging: log all events, add syslog to logging path & avoid double entries
log_selector = +all
log_file_path = : syslog
syslog_duplication = false

# undeliverables: discard bounce messages after 2d and all others after 7 d
ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d

TLS, security & authentication

Warning: If you deploy TLS, be sure to follow Server-side TLS to prevent vulnerabilities.

To obtain a certificate, see OpenSSL#Usage.

The first part of the following options are still part of the first configuration section in Exim. Starting with «begin authenticators» the first special section in Exim configuration begins. There will be more such sections later.
Below some very basic security related options are defined, TLS is set up & a plain text authenticator using a user password lookup is introduced.

Warning: This example of an authenticator should not be used in production environment!

# actually not required: it's hard coded - anyway: no mail delivery to root
never_users = root

# don't show the exim version to everyone. Actually not even show the name.
smtp_banner = $smtp_active_hostname ESMTP $tod_full

# STARTTLS is offered to everyone
tls_advertise_hosts	= *
tls_certificate = /path/to/exim/only/fullchain.pem
tls_privatekey = /path/to/exim/only/privkey.pem

# use all ciphers on port 25, use only good ciphers on port 587
tls_require_ciphers = ${if =={$received_port}{25} 
				{DEFAULT} {HIGH:!MD5:!SHA1:!SHA2}}

# traffic on port 465 always uses TLS
tls_on_connect_ports = 465

# special sections always start with a "begin"
begin authenticators

	PLAIN:
		# authentication protocol is plain text
		driver = plaintext
		# authentication is offered as plain text
		public_name = PLAIN
		server_prompts = :
		# authentication is successful, if the password provided ($auth3) 
		# equals the password found in a lookup file for user ($auth2)
		server_condition = ${if eq{$auth3}{${lookup{$auth2}dbm{/etc/authpwd}}}}
		server_set_id = $auth2
		# only offer plain text authentication after TLS is been negotiated
		server_advertise_condition = ${if def:tls_in_cipher}

Note: Exim loads certificate files during mail processing with the low privilege user exim. While it is good to run an internet facing process with such a user, it is somewhat strange to give access to a private key to such user. If your server serves multiple purposes (e.g. HTTP, IMAP, SMTP) with multiple DNS aliases (CNAME or several names pointing to a single IP) it may be wise to request multiple certificates. If the Exim private key gets lost, damage is limited to SMTP.

Routing, transport & retry

For each recipient of a message routing is performed as follows: routers are tested in their order given in the routing section. For each router, conditions may apply (e.g. domains = ! +local_domains). Only if all conditions apply, the message will be handed over to the defined transport (e.g. transport = smtp). If transport fails or not all conditions of a router are fulfilled, the next router is tested.

begin routers

	# that's the relay router
	dnslookup:
		# the router type
		driver = dnslookup
		# the domains served on this router: not the local domain
		domains = ! +local_domains
		# the transport to be used (see transport section below)
		transport = remote_delivery
		# localhost is to be ignored if dns gives such result
		ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
		# a router list is processed until matched and successful transported.
		# if transport fails, we don't want the next router to be used
		no_more

	# local delivery
	localuser:
		# the transport type - we accept the mail locally
		driver = accept
		# this router serves only our domains
		domains	= +local_domains
		# use transport named local_delivery
		transport = local_delivery
		# in case local delivery fails
		cannot_route_message = Unknown local user

begin transports

	remote_delivery:
	 	driver = smtp

	local_delivery:
		#deliver to a local mailbox
		driver = appendfile
		file = /var/mail/$local_part

# if routing or transport fails, try again after this (default) ruleset
begin retry

	# Address or Domain    Error       Retries
	# -----------------    -----       -------
	*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h

Use manualroute

If you want to use manualroute instead, comment out the dnslookup block and add the smarthost block.

#dnslookup:
    # the router type
    # driver = dnslookup
    # the domains served on this router: not the local domain
    # domains = ! +local_domains
    # the transport to be used (see transport section below)
    # transport = remote_delivery
    # localhost is to be ignored if dns gives such result
    # ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
    # a router list is processed until matched and successful transported.
    # if transport fails, we don't want the next router to be used
    # no_more

smarthost:
  driver = manualroute
  domains = !+local_domains
  transport = remote_delivery
  route_list = * smtp.myisp.com        # change to the desired smtp server
  ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1

ACL: Access Control Lists

Access Control Lists are at the heart of Exim. They are required for basic checks and may be used for sophisticated message processing. In general the overall message processing in Exim is:

connection > (authentication >) ACL > routing > transport

With this it is important to note that messages coming from authenticated clients are treated (by default) by the same ACL as messages coming from other mail servers.
Exim know a full set of different ACL. Good knowledge of the SMTP protocol is required to choose the correct set of ACL.

acl_smtp_connect > acl_smtp_helo > ... > acl_smtp_rcpt > ... > acl_smtp_data > ...

For a basic setup two ACL are mandatory: acl_smtp_rcpt and acl_smtp_data. These are default to deny while all other default to accept.
The example below just prevents being an open relay. This setup has multiple security flaws (e.g. all authenticated users may use any mail address). If added to an existing configuration, it must be added before any other special section (i.e. before any existing «begin»).

Warning: Do not use the following example in a production example! It lacks several required checks!

# use this ACL after SMTP RCPT TO: is received
acl_smtp_rcpt = basic_acl_rcpt
# use this ACL after SMTP DATA is finished, i.e. all data has been received
acl_smtp_data = basic_acl_data

begin acl

	basic_acl_rcpt:
		
		# accept all messages for which I am the receiving mail host
		accept 	domains = +local_domains

		# accept all messages from authenticated clients
		accept	authenticated = *
		
		# deny all other messages (i.e. messages to be relayed from unauthorized
		# clients)
		deny	message = "we are not an open relay"
		
	basic_acl_data:

		# we have done all checks after RCPT already
		accept

Hide machine name

If you have a laptop, or a machine in a smarthost configuration, where you do not want the name of the machine to appear in the outgoing email then you must enable exim’s rewriting facilities.

In the Rewriting section you should have something like:

*@machine.mydomain $1@mydomain

where machine is the hostname of your laptop or PC and mydomain is the domain name of the machine and the outgoing mail. To rewrite only sender domain, add special flag (F) in the line end. See upstream document for detail

Startup

Start/enable the exim.service.

Dovecot LMTP delivery & SASL authentication

In this section the integration of Dovecot is described. It is assumed that Dovecot & Exim are already setup and configured. Dovecot will serve as SASL authenticator and local transport mechanism. For this purpose the Dovecot services will be setup as follows.

/etc/dovecot/conf.d/10-master.conf

service auth {
	unix_listener exim-auth {
		mode = 0600
		user = exim
		group = exim        
	}
	# Auth process is run as this user.
	user = $default_internal_user
}

service lmtp {
	# a unix socket is preferred of a local port communication
	unix_listener exim-lmtp {
		mode = 0600
		group = exim
		user = exim
	}
}

To use the Dovecot SASL in a TLS protected environment, add the following authenticator to Exim.

/etc/mail/exim.conf - authenticators section

	PLAIN:
		driver = dovecot
		public_name = PLAIN
		server_socket = /var/run/dovecot/exim-auth
		server_set_id = $auth1
		server_advertise_condition = ${if def:tls_in_cipher}

The existing router for local delivery can be reused. You may want to consider add a dsn_lasthop to the router definition. If DSN is used, Exim will assume final delivery of the message at this point. In the transport section the transport for local delivery must be replaced by the following transport definition.

/etc/mail/exim.conf - transports section

	local_delivery:
		driver = lmtp
		socket = /var/run/dovecot/exim-lmtp
		batch_max = 200

driver = smtp
protocol = lmtp
port = 2525

lmtp_router:
  driver = manualroute
  domains = +local_domains
  transport = local_delivery
  route_list = * 127.0.0.1 byname

Since Dovecot is configured to provide a unix socket for the exim user, you may harden your security by adding the following line to the main configuration section.

/etc/mail/exim.conf - main section

# don't deliver being root, drop privileges to exim user
deliver_drop_privilege = true

Using Gmail as smarthost

In the beginning of the exim conf file, you must enable TLS using

tls_advertise_hosts = +local_network : *.gmail.com

or to advertise tls to all hosts

tls_advertise_hosts = *

More information about TLS can be found in the exim documentation.

Note: The following must be put in the appropriate sections of the configuration file, eg, after begin authenticators.

Add a router before or instead of the dnslookup router:

gmail_route:
  driver = manualroute
  transport = gmail_relay
  route_list = * smtp.gmail.com

Add a transport:

gmail_relay:
  driver = smtp
  port = 587
  tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt
  # this forces host verification.
  tls_verify_hosts = smtp.gmail.com
  hosts_require_auth = <; $host_address
  hosts_require_tls = <; $host_address

Because of host verification, your exim log might contain

SSL verify error: certificate name mismatch: "/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com"

But this has no effect on mail-delivery and can be ignored.
Add an authenticator (replacing myaccount@gmail.com and mypassword with your own account details):

gmail_login:
  driver = plaintext
  public_name = LOGIN
  hide client_send = : myaccount@gmail.com : mypassword

$host_address is used for hosts_require_auth and hosts_require_tls instead of smtp.gmail.com to avoid occasional 530 5.5.1 Authentication Required errors. These are caused by the changing IP addresses in DNS queries for smtp.gmail.com. $host_address will expand to the particular IP address that was resolved by the gmail_route router.

For added security, use a per-application password. This works with Google Apps accounts as well.

Hardening

Rate limits

Security breaches happen. In case you do not have any service that submits local mail (receiving mail from localhost on a port is not considered local submission), completely disable local submission. Do so by adding acl_not_smtp = acl_local to the main section and add the following simple ACL to the acl section.

/etc/mail/exim.conf - acl section

	acl_local:

		deny	log_message = AL01: Local submission denied.

If local submission is required, consider imposing a rate limit to it. Do so by adding acl_not_smtp = acl_local to the main section and adding the following ACL to the acl section. It imposes 2 rate limits: 20 mails in a single minute and 30 mails in 10 minutes. With this a burst of local submitted alerts are possible while

/etc/mail/exim.conf - acl section

	acl_local:

		# apply a limit of 30 mails to the administrator for alerts submitted
		# by local services
		deny	ratelimit	= 30 / 1m / strict 
			recipients 	= admin@mydomain.tld : root@hostname.mydomain.tld
			log_message	= AL01: Sender rate limit for local submission 
					  exceeded: $sender_rate / $sender_rate_period.

		# apply a burst limit of 3 mails per minute to everyone else
		deny	ratelimit	= 3 / 1m / strict 
			!recipients 	= admin@mydomain.tld : root@hostname.mydomain.tld
			log_message 	= AL02: Sender rate limit for local submission 
					  exceeded: $sender_rate / $sender_rate_period.

		# apply a regular limit of 10 mails per 30 minutes to everyone else
		deny	ratelimit	= 10 / 30m / strict 
			!recipients 	= admin@mydomain.tld : root@hostname.mydomain.tld
			log_message 	= AL03: Sender rate limit for local submission 
					  exceeded: $sender_rate / $sender_rate_period.

		accept

Troubleshooting

451 Temporary local problem

If you are getting a «451 Temporary Local Problem» when testing SMTP, you are probably sending as root. By default Exim will not allow you to send as root.

See also

• Official website

Модератор: xM

2014-12-22 02:42:55 TLS error on connection from mail-la0-f52.google.com [209.85.215.52] (cert/key setup: cert=/etc/exim4/exim.crt key=/etc/exim4/exim.key): The provided X.509 certificate list is
 not sorted (in subject to issuer order)

root@mail:/etc/exim4/ssl# openssl verify star_domain-full.crt
star_domain-full.crt: OK

Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=my.host
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root