Bug#656841: exim4-config: Support SMTPS via macro and update README
January 22nd, 2012 - 01:10 am ET by Osamu Aoki
In light of the new SMTPS client support in Exim 4.77 and the rising popularity
of DKIM/SPF, I proposed to update the package as in the attached patch.
This patch allows users to use SMTPS without making intrusive changes to
the Debian defaults, just like the AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS macro
did for enabling unencrypted plaintext passwords.
This patch also updates the README.
== FYI: Some facts on smarthost services by ISPs ==
I have tested smarthost services with:
* gmail.com STARTTLS 587 (Free email)
* yahoo.co.jp SMTPS 469 (Free email)
* nifty.com STARTTLS 587 (SMTP ISP for my OFC service)
Gmail accepts any envelope From_ address and header From: address but
overwrites such information automatically with the Gmail email account
you used to connect to their SMTP service. Then they sign your mail
Yahoo (you can get a free account in their Asian ISPs such as Japan and
India by opting in for their advertisement mail, while their US service
seems to be only for paid customers). I tested with the Japanese service.
As I understand, since Yahoo did not offer STARTTLS service nor CRAM5,
people were using Yahoo with plaintext password over unencrypted
connection using AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS macro. This is not a
good idea for security.
Since Exim 4.77 supports SMTPS, I tested it for Yahoo without setting
AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS macro but adding "protocol = smtps" to
I confirmed that it works fine. Unlike Gmail, it does not rewrite the email
address. If the envelope From_ is not a resolvable address, it rejects such
mails. So use of /etc/email-addresses is essential for using them as the
smarthost. Also, I noticed that if the header From: address is not an
email address of theirs, it does not sign with DKIM. If only the header From:
address is an email address of theirs, Yahoo signs such mail with DKIM.
Nifty seems to do nothing on DKIM and does not enforce anything on the
From: header, and sends mail with the original non-Nifty From: address.
When Gmail receives such tweaked mail with my debian.org address, having
envelope address pointing to my Nifty's email account by using proper
entry in the /etc/email-addresses improved spam filter position on SPF
Exim version 4.77 #3 built 14-Nov-2011 22:30:32
Copyright (c) University of Cambridge, 1995 - 2007
Berkeley DB: Berkeley DB 5.1.25: (January 28, 2011)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
# update-exim4.conf uses this file to determine variable values to generate
# exim configuration macros for the configuration file.
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
# This is a Debian specific file
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages exim4-config depends on:
ii adduser 3.113
ii debconf [debconf-2.0] 1.5.41
exim4-config recommends no packages.
exim4-config suggests no packages.
/etc/email-addresses changed [not included]
/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost changed [not included]
(I had protocol=smtps mod.)
/etc/exim4/passwd.client [Errno 13] Permission denied: u'/etc/exim4/passwd.client'
* exim4/dc_smarthost: smtp.gmail.com::587 ... changed among different servers
* exim4/mailname: localhost
* exim4/dc_localdelivery: mbox format in /var/mail/
* exim4/dc_local_interfaces: 127.0.0.1
* exim4/dc_minimaldns: false
* exim4/dc_eximconfig_configtype: mail sent by smarthost; received via SMTP or fetchmail
* exim4/no_config: true
* exim4/hide_mailname: false
* exim4/dc_readhost: localhost
* exim4/use_split_config: true
diff -Nru exim4-4.77-orig/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost exim4-4.77/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost
exim4-4.77-orig/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost 2009-03-15 23:57:04.000000000 +0900
+++ exim4-4.77/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost 2012-01-22 12:48:20.714200160 +0900
@@ -15,6 +15,13 @@
+# Some ISPs offer SMTP service using deprecated SMTPS (SSL on port 465)
+# protocol instead of using STARTTLS (usually on submission port 587).
+# Exim 4.77 supports SMTPS protocol as SMTP client.
+ protocol = smtps
+# This automatically sets portF5
hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
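Review bot: `protocol = smtps` appears in the lines shown here without any `.ifdef USE_SMTPS_PROTOCOL_FOR_SMARTHOST` / `.endif` guard, although the README change in this same patch tells users to enable SMTPS by setting that macro. Please confirm the option is wrapped in the macro test; unguarded, it would switch every smarthost user to SMTPS, which is the kind of intrusive change to the defaults the submission says it avoids. The trailing comment also reads "This automatically sets portF5"; it should name the port explicitly, matching the "port 465" wording in the comment above it. Since the next line keeps `hosts_avoid_tls`, a one-line comment on what is expected when a host matches that list while SMTPS is enabled would help.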
diff -Nru exim4-4.77-orig/debian/README.Debian.xml exim4-4.77/debian/README.Debian.xml
exim4-4.77-orig/debian/README.Debian.xml 2010-11-08 03:36:46.000000000 +0900
+++ exim4-4.77/debian/README.Debian.xml 2012-01-22 14:31:36.072921242 +0900
@@ -1233,9 +1233,21 @@
+ Many ISPs offer such a smarthost SMTP service with TLS
+ encryption using the modern STARTTLS method on the port 587
+ (submission). But some ISPs offer such a smarthost SMTP
+ service by using now deprecated SMTPS protocol which starts
+ SSL immediately after connection to the port 465. Exim 4.77
+ supports SMTPS as client. If you need to enable SMTPS, you can
+ do so by setting the USE_SMTPS_PROTOCOL_FOR_SMARTHOST macro.
+ Please refer to <xref linkend="macros"/> for an explanation of
+ how best to do this.
If you need to enable AUTH PLAIN or AUTH LOGIN for unencrypted
connections because your service provider does support neither
- TLS encryption nor the CRAM MD5 authentication method, you can
+ TLS encryption with STARTTLS nor the SMTPS protocol with SSL
+ nor the CRAM MD5 authentication method, you can
do so by setting the AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS macro.
Please refer to <xref linkend="macros"/> for an explanation of
how best to do this.
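Review bot: the rewritten sentence "does support neither TLS encryption with STARTTLS nor the SMTPS protocol with SSL nor the CRAM MD5 authentication method" is hard to parse; "supports none of: TLS encryption with STARTTLS, the SMTPS protocol, or the CRAM MD5 authentication method" reads more clearly. Because AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS permits AUTH PLAIN or AUTH LOGIN on unencrypted connections, this paragraph should say outright that USE_SMTPS_PROTOCOL_FOR_SMARTHOST is to be tried first and the no-TLS macro kept as a last resort, rather than leaving that to the ordering of the two paragraphs. In the new SMTPS paragraph, "on the port 587" and "to the port 465" should drop the article, and "now deprecated" needs "the" before it.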
@@ -1246,6 +1258,19 @@
Debian-exim). It is suggested that you keep the default
permissions root:Debian-exim 0640.
+ You need to pay attentions to avoid interfarence with the SPAM
+ prevention system. The header From: address and envelope From_
+ address of your outgoing mails can be configured using
+ <filename>/etc/email-addresses</filename>. For some ISPs,
+ mails with the unresolvable SMTP envelope address are rejected.
+ Your header From: address may need to match your mail accout at
+ the smarthost ISP to get DKIM signiture on your mail. Your
+ envelope From_ address may need to match your mail accout at
+ the smarthost ISP to get better SPF score on your mail.
+ Some smarthost ISPs may automatically replace some of these
+ addresses to match your mail accout there.
<section> <title>Using Exim as SMTP-AUTH server</title>
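Review bot: the added README paragraph has several spelling errors that should be fixed before it is merged: "pay attentions" (pay attention), "interfarence" (interference), "accout" in three places (account) and "signiture" (signature); "SPAM" is normally written "spam". The paragraph names `/etc/email-addresses` as the place to set both the header From: and the envelope From_ address but gives no entry format or pointer to where that file is documented, so a cross-reference would make the advice actionable. "may need to match" appears twice without saying how a user can tell which case applies to their ISP; suggesting that they send a test message and inspect the received headers for the DKIM and SPF results would close that gap.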