QuickTip: use Exim for normal mail but stop the secure SMTP server

by jagbir on February 5, 2010

Isn’t this weird? Most people ask how to configure a mail server for secure SMTP, but one of my friends told me that he has a server running the Exim mail server on both port 25 (normal) and port 465 (secure SMTP), and he is now facing difficulties because the SSL certificates that Exim uses have expired. He wanted to close port 465 without affecting port 25, which is used by their scripts.

Here’s what I did, and it worked, but if you have a better idea or something to add, I’ll be glad to hear it.

1. Check which ports Exim is listening on, or which ports are open:

# netstat -ant | grep LIST
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:587                 0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:10000               0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:465                 0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      
tcp        0      0 :::587                      :::*                        LISTEN      
tcp        0      0 :::80                       :::*                        LISTEN      
tcp        0      0 :::465                      :::*                        LISTEN      
tcp        0      0 :::22                       :::*                        LISTEN      
tcp        0      0 :::25                       :::*                        LISTEN      
tcp        0      0 :::443                      :::*                        LISTEN

Here ports 25, 465 and 587 are used by Exim (the mail server). How do we know which ports are used by which program?

Simple: use the lsof command. For example, to find out which program is listening on port 25:

# lsof -i :25
COMMAND   PID USER   FD   TYPE  DEVICE SIZE NODE NAME
exim    11290 exim    3u  IPv6 7144552       TCP *:smtp (LISTEN)
exim    11290 exim    4u  IPv4 7144553       TCP *:smtp (LISTEN)

So it's Exim.

2. Open the Exim config file (/etc/exim/exim.conf on Red Hat based distros), then find and comment out the following lines:

$ vi /etc/exim/exim.conf
  tls_advertise_hosts = * ## comment this line to prevent clients connecting for TLS
 
  tls_certificate = /etc/pki/tls/certs/exim.pem  ## comment, we don't need to specify SSL certificates
  tls_privatekey = /etc/pki/tls/private/exim.pem ## comment
 
  daemon_smtp_ports = 25 : 465 : 587  ## comment this line, copy and paste it on the next line but with only 25 as the port number
  tls_on_connect_ports = 465  ## comment, we don't need TLS on port 465

So after commenting/updating, the above lines should look like this in the /etc/exim/exim.conf file:

 
  # tls_advertise_hosts = *
 
  # tls_certificate = /etc/pki/tls/certs/exim.pem  ## comment, we don't need to specify SSL certificates
  # tls_privatekey = /etc/pki/tls/private/exim.pem ## comment
 
  # daemon_smtp_ports = 25 : 465 : 587  ## comment this line, copy and paste it on the next line but with only 25 as the port number
  # tls_on_connect_ports = 465  ## comment, we don't need TLS on port 465
 
  ## don't comment the next line (Exim only accepts comments on their own line)
  daemon_smtp_ports = 25

3. Restart the Exim server and check the open ports again:

# /etc/init.d/exim restart
Shutting down exim:                                        [  OK  ]
Starting exim:                                             [  OK  ]
 
[root@ds-29142 ~]# netstat -ant | grep LIST
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:10000               0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      
tcp        0      0 :::80                       :::*                        LISTEN      
tcp        0      0 :::22                       :::*                        LISTEN      
tcp        0      0 :::25                       :::*                        LISTEN      
tcp        0      0 :::443                      :::*                        LISTEN

Port 465 is no longer listed, so we have stopped the secure SMTP service on this host. Port 587 is gone too, since daemon_smtp_ports now lists only 25.
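To repeat the check from steps 1 to 3 without reading the listings by eye, here is an added example (not part of the original post) that audits an exim.conf and a saved `netstat -ant` listing. The function names are hypothetical and the sample inputs are constructed from the listings above.

```shell
#!/bin/sh
# Added example: audit exim.conf and a "netstat -ant" listing after the edit.

# Values of every active (uncommented) "OPTION = value" line in FILE. Exim only
# treats "#" as a comment at line start, so a trailing "## note" stays in the value.
active_values() {
    sed -n "/^[[:space:]]*$1[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*\$//;p;}" "$2"
}

# Unique listening TCP ports from "netstat -ant" output on stdin.
listening_ports() {
    awk '$NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -nu
}

# audit CONF LISTING: print findings; return 1 if TLS settings or ports remain.
audit() {
    conf=$1; listing=$2; rc=0
    for opt in tls_advertise_hosts tls_on_connect_ports; do
        if [ -n "$(active_values "$opt" "$conf")" ]; then
            echo "FINDING: $opt is still active"; rc=1
        fi
    done
    ports=$(active_values daemon_smtp_ports "$conf")
    [ "$ports" = "25" ] || { echo "FINDING: daemon_smtp_ports = '$ports'"; rc=1; }
    for p in 465 587; do
        if listening_ports < "$listing" | grep -qx "$p"; then
            echo "FINDING: port $p is still listening"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample inputs modelled on the listings above ($1 = before|after).
sample_conf() {
    if [ "$1" = before ]; then
        printf '%s\n' 'tls_advertise_hosts = *' 'daemon_smtp_ports = 25 : 465 : 587' 'tls_on_connect_ports = 465'
    else
        printf '%s\n' '# tls_advertise_hosts = *' '# tls_on_connect_ports = 465' 'daemon_smtp_ports = 25'
    fi
}
sample_netstat() {
    if [ "$1" = before ]; then set -- 25 465 587; else set -- 25; fi
    for p in "$@"; do
        printf 'tcp 0 0 0.0.0.0:%s 0.0.0.0:* LISTEN\ntcp 0 0 :::%s :::* LISTEN\n' "$p" "$p"
    done
}
# Demo on the constructed "after" state.
tmp=$(mktemp -d); sample_conf after > "$tmp/c"; sample_netstat after > "$tmp/n"
audit "$tmp/c" "$tmp/n" && echo "OK: only plain SMTP on port 25"; rm -rf "$tmp"
```

On a real host, save `netstat -ant` to a file and call `audit /etc/exim/exim.conf` with that file as the second argument.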

  • http://www.youtube.com/watch?v=w5OO_ASc1b0 Shad Jamar

    Great post, I have discovered a cool video on YouTube about it, check it out here:
