On 2017-10-14 at 22:34 +0800, Angelo Chen via Exim-users wrote:
> I'm trying to set up a gmail relay:

This is modified from my setup, with the bit which relays mail from exim.org out through the exim.org server; so this isn't 100% known to work, I might have made typos.

The file /etc/exim/auth/outbound-passwords would need to exist, have appropriate permissions, and look something like:

------------------------8< outbound-passwords >8------------------------
[email protected]: [email protected] password=12345678 clienttoken=my-short-persistent-id
[email protected]: user=dhr.zyx password=geheim port=29 tls=yes
------------------------8< outbound-passwords >8------------------------

The default cipherspec looks awful to people who don't understand SMTP security and cargo-cult everything, but it's better than falling back to plaintext and is reliant upon TLS correctly picking a good ciphersuite. If the attribute 'tlshigh' is set then its value is used as a spec, or if it's set to just 'yes' then the other macro is used.

Note that you should get an "App Specific Password" from Google <https://myaccount.google.com/apppasswords> and use that for the mail configs, instead of hard-coding in your regular password. This will also let you enable 2FA but still use SMTP mail.

-----------------------------8< cut here >8-----------------------------
# macros section
RUNAUTHDIR=/etc/exim/auth
TLS_CLIENT_DEFAULT_CIPHERSPEC=DEFAULT:!SSLv2:!LOW:aNULL:!eNULL
TLS_CLIENT_HIGHSEC_CIPHERSPEC=ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!MD5:!RC4:!aNULL:!ADH:!DES:!EXP:!NULL
SSL_CERTS_DIR=/etc/ssl/certs

# routers
# nb: on main routers, avoid "same_domain_copy_routing" because it will
# interfere with sender-based routing
via_gmail:
  driver = manualroute
  senders = *@gmail.com
  domains = ! +local_domains
  route_data = smtp.gmail.com
  transport = secure_smtp
  address_data = ${lookup {$sender_address}lsearch{RUNAUTHDIR/outbound-passwords}} authreq=yes tls=yes tlshigh=yes port=587

# transports
secure_smtp:
  driver = smtp
  port = ${extract{port}{$address_data}{$value}{25}}
  hosts_require_auth = ${extract{authreq}{$address_data}{${if eq{$value}{yes}{*}{$value}}}{}}
  hosts_require_tls = ${extract{tls}{$address_data}{${if eq{$value}{yes}{*}{$value}}}{}}
  tls_sni = ${extract{tlssni}{$address_data}{$value}{}}
  tls_require_ciphers = ${extract{tlshigh}{$address_data}{${if eq{$value}{yes}{TLS_CLIENT_HIGHSEC_CIPHERSPEC}{$value}}}{TLS_CLIENT_DEFAULT_CIPHERSPEC}}
  tls_verify_certificates = ${extract{tlsverify}{$address_data}{SSL_CERTS_DIR}fail}
  dnssec_request_domains = *
  hosts_try_dane = *
  no_multi_domain
  no_delay_after_cutoff

# authenticators
auth_plain:
  driver = plaintext
  public_name = PLAIN
  client_condition = ${if def:tls_out_cipher}
  client_send = ^${extract{user}{$address_data}{$value}fail}^${extract{password}{$address_data}{$value}fail}

auth_plain_clienttoken:
  driver = plaintext
  public_name = PLAIN-CLIENTTOKEN
  client_condition = ${if def:tls_out_cipher}
  client_send = ^${extract{user}{$address_data}{$value}fail}^${extract{password}{$address_data}{$value}fail}^${extract{clienttoken}{$address_data}{$value}fail}
-----------------------------8< cut here >8-----------------------------

This adds support for using PLAIN-CLIENTTOKEN for Gmail instead of PLAIN; I've added it here based on a description posted by one of Google's postmasters to another mailing-list recently. Untested by me, but it should work. If not, just remove that authenticator. The id should be something short and stable you pick but keep private, changing it on each machine which uses this, to let Google's security systems track moving devices and protest if the same token is being used on two different continents at the same time, etc.

-Phil
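Added illustration, not code from Phil's post or from Exim: a Python model of how the via_gmail router's address_data, the secure_smtp ${extract...} defaults and the PLAIN / PLAIN-CLIENTTOKEN client_send strings resolve for a constructed outbound-passwords file. It assumes that ${extract} returns the first matching key=value, so an entry's own port/tls settings override the defaults the router appends; the sample senders and passwords are made up.

```python
import base64

# Constructed sample in the lsearch layout the post describes (not the post's own file).
SAMPLE_PASSWORDS = """\
alice@gmail.com: user=alice@gmail.com password=app-specific-pw clienttoken=host-a1
bob@gmail.com: user=bob password=geheim port=29 tls=yes
"""
ROUTER_DEFAULTS = "authreq=yes tls=yes tlshigh=yes port=587"   # appended by via_gmail
DEFAULT_CIPHERSPEC = "DEFAULT:!SSLv2:!LOW:aNULL:!eNULL"
HIGHSEC_CIPHERSPEC = "ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!MD5:!RC4:!aNULL:!ADH:!DES:!EXP:!NULL"

def parse_lsearch(text):
    table = {}
    for line in text.splitlines():            # lsearch: 'key: rest of line', comments skipped
        if line.strip() and not line.startswith("#"):
            key, _, rest = line.partition(":")
            table[key.strip()] = rest.strip()
    return table

def address_data_for(table, sender):
    # The router's address_data: the lookup result followed by the hard-coded defaults.
    return f"{table.get(sender, '')} {ROUTER_DEFAULTS}".strip()

def keyed(address_data):
    # Assumed here: ${extract{key}...} returns the first key=value, so file entries beat defaults.
    items = {}
    for token in address_data.split():
        k, _, v = token.partition("=")
        items.setdefault(k, v)
    return items

def yes_means_all(v):
    return "*" if v == "yes" else v   # the post's 'yes' -> '*' host-list idiom

def transport_settings(address_data):
    # Resolve the secure_smtp options exactly as the post's expansions do.
    d = keyed(address_data)
    return {
        "port": int(d.get("port", "25")),
        "hosts_require_auth": yes_means_all(d.get("authreq", "")),
        "hosts_require_tls": yes_means_all(d.get("tls", "")),
        "tls_require_ciphers": HIGHSEC_CIPHERSPEC if d.get("tlshigh") == "yes" else d.get("tlshigh", DEFAULT_CIPHERSPEC),
    }

def plain_initial_response(address_data, with_clienttoken=False):
    # client_send writes '^' as NUL: build the same SASL PLAIN message, base64 as it goes on the wire.
    d = keyed(address_data)
    fields = ["", d["user"], d["password"]]          # KeyError here mirrors the expansion's 'fail'
    if with_clienttoken:
        fields.append(d["clienttoken"])              # PLAIN-CLIENTTOKEN appends the stable machine id
    return base64.b64encode("\0".join(fields).encode()).decode()
```

Because client_condition only fires once tls_out_cipher is set, the base64 string above is only ever sent inside the TLS session, which is why the cleartext password file and the "App Specific Password" advice matter.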
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
