On Thu, 05 Dec 2013 23:11:34 +0000 steve-ALUG@hst.me.uk allegedly wrote:
If you do get it working, or actually, if you find a step-by-step guide of what to do, could you share it with us (well me really!). I have got receiving with a certificate sorted, but I never got round to configuring sending from my phone due to various complexities: Dynamic DNS. Using Dynamic DNS address in cert, or domain used for email address. Access from inside house using WIFI, and outside via 3G.
Steve
Might need more info, but this is what I assume.... (and my assumptions may be wrong so bear with me).
I take it from the above (plus a perusal of your DNS, your email headers etc) that you are running your mail server on a machine at home at the end of your Virgin cable network (which does not give you a fixed IP address). Is that correct?
Your external DNS shows that hst.me.uk resolves to 81.21.76.62. That address is a webserver for "www.123-reg.co.uk" and I guess you use that to log in to manage DNS etc. Certainly I can't see an email server on that address.
You have two MX records, one pointing to your dynamic IP service (hst.no-ip.com currently pointing to 82.21.143.180). Your secondary MX points to straddle.cardolan.com on 212.159.47.228 (which seems to have a PTR record mapping to mikejevans.plus.com!).
I don't know what your internal network looks like, but your email headers suggest that you use a mail client on your machine called dell1.hst-net ([192.168.0.21]) to connect to your mailer on hst.me.uk which in turn relays outbound mail to your service provider's smarthost. Is that right?
I don't know what your internal DNS looks like either, but I suspect from what you say above though that you are having a problem because you have separate names for your mail server depending upon whether you are sending mail from inside your home (via hst.me.uk) or from outside your home (via hst.no-ip.com). Is that right?
Ideally, and to make things easier, you should have a single name for your mailer (say mail.hst.me.uk) which you can use in your mail client configs. Internally, your DNS (or hosts files or whatever you use) would then point mail.hst.me.uk to the correct IP address. Externally, your DNS should also point mail.hst.me.uk to the correct IP address but there you have a problem. You don't have a static address. Unfortunately, you cannot point an MX record at an alias (otherwise it would be a simple matter of pointing mail.hst.me.uk to hst.no-ip.com). So, given that you are stuck with the name hst.no-ip.com as the MX externally, I suggest that you use exactly the same name internally. (So set up a hosts file entry for that name pointing to the correct internal IP address, or frig the DNS by running your own internal version of the no-ip.com domain.) Your phone's email client could then be configured to always connect to hst.no-ip.com and it wouldn't matter whether you used the internal wifi or the 3G data connection.
Now to the certificate.
It doesn't matter if the CN, OU or other details in the certificate do not match the name or domain details of the mail server. At worst your email client will object on first connection, but once you have agreed and accepted the certificate, all future connections will proceed quite happily.
I build my certificates with openssl like this:
openssl req -x509 -nodes -sha256 -newkey rsa:2048 -keyout server.pem -out server.pem -days 1095
For discussion see http://baldric.net/2013/09/12/add-ssl-to-lighttpd-server/
Whilst that is about SSL for a webserver, the process is the same. I have also documented the use of postfix and TLS some time ago at:
http://baldric.net/upstream-authentication-with-tls-on-postfix/
and postfix with dovecot (and TLS) at http://baldric.net/using-postfix-and-dovecot-to-provide-mail-to-egroupware/
(that is now looking a bit dated, particularly since dovecot version 2.xx - see my problem documented at: http://baldric.net/2013/01/11/dovecot-failure/ )
I note, however, that you use Exim, and not postfix. I can't help you with the Exim configuration, but I'm sure that someone else on the list will be able to give you the Exim equivalents of the postfix configs I point to here.
(and mainly, not knowing how to do it and make certificates safely, securely, not wishing to allow any weak attack vectors onto my server)
The openssl command above will build a certificate and key file which excludes known weak ciphers. But bear in mind that the server gets to choose which cipher to offer the client depending upon the capability of the client (given to the server in the TLS handshake) and the server's own configuration directives (Note the ssl_cipher_list directive in dovecot for example).
I use:
ssl_cipher_list = TLSv1+HIGH !SSLv2 !RC4 !aNULL !eNULL !3DES @STRENGTH
in dovecot.
howtoforge (http://www.howtoforge.com/forums/showthread.php?t=50453 ) gives some advice on strong ciphers for postfix. I guess that there is a similar set of options available in Exim.
HTH
Mick
---------------------------------------------------------------------
Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net
---------------------------------------------------------------------
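Added illustration (not from Mick's reply or the list): the hostname check a mail client performs against the server certificate, which is why a single name such as hst.no-ip.com, used from both wifi and 3G and listed in the certificate, avoids the first-connection objection Mick describes. The certificate is a constructed dict in the shape returned by Python's ssl.SSLSocket.getpeercert(); the matching rules (DNS SANs take precedence over the CN, one wildcard only in the leftmost label) follow RFC 6125 and are a conservative reimplementation, not a library API.

```python
# Constructed sample in the shape of ssl.SSLSocket.getpeercert(): the CN is the
# bare domain, while the SAN lists the one mail hostname used inside and outside.
SAMPLE_CERT = {
    "subject": ((("commonName", "hst.me.uk"),),),
    "subjectAltName": (("DNS", "hst.no-ip.com"), ("DNS", "mail.hst.me.uk")),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored, and a
    wildcard is accepted only as the entire leftmost label. '*.hst.me.uk'
    matches 'mail.hst.me.uk' but not 'hst.me.uk' or 'a.b.hst.me.uk'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Exactly one wildcard, whole leftmost label, and at least two fixed labels
    # after it (conservative: rejects '*.uk'-style patterns).
    if pattern.count("*") != 1 or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """True if hostname is covered by the certificate's DNS SANs; the subject CN
    is consulted only when the certificate carries no DNS SAN at all, which is
    how TLS clients behave (a CN that differs from the connect name is what
    makes a client object on first connection)."""
    san_names = [value for (kind, value) in cert.get("subjectAltName", ())
                 if kind == "DNS"]
    if san_names:
        return any(_dns_name_matches(name, hostname) for name in san_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_name_matches(value, hostname):
                return True
    return False
```

Note that with SANs present the CN "hst.me.uk" is not consulted, so the certificate must carry the name the client actually connects to.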