
Bug#674990: exim breaks (again?) with TLS packet with unexpected length


Norbert PREINING
May 29, 2012, 2:00:01 AM

Package: exim4-daemon-light
Version: 4.77-1+b1
Severity: serious
Submitter: Norbert Preining <prei...@logic.at>

Hi all,

I have searched the bug database and the web for information, and I cannot
get it to work, exim *always* dies with

TLS error on connection to xxx.yyy.zzz.www [NN.NN.NN.NN] (gnutls_handshake): A TLS packet with unexpected length was received.

I have found various suggestions, like adding the Debian-exim user
to the group shadow, but none of it helped.

I am just trying to deliver mail to an smtp server here
at work.

Furthermore, I cannot run swaks, it segfaults in libcrypto
(all messed up, really).

When I do
$ openssl s_client -connect xxx.yyy.zzz.www:587
CONNECTED(00000003)
139642052535976:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:766:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 320 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
$

So also this does not help really.

The remote server is not under my control, but is advertised as
smtp server in my university.

Thanks for any suggestion

Norbert

Marc Haber
May 29, 2012, 4:30:02 AM

On Tue, May 29, 2012 at 02:40:35PM +0900, Norbert PREINING wrote:
> I have found various suggestions, like adding the Debian-exim user
> to the group shadow,

Where is this dangerous suggestion written?

How many CAs do you have enabled to trust?

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 31958061
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 31958062

Norbert Preining
May 29, 2012, 5:20:02 AM

Hi Marc,

>> I have found various suggestions, like adding the Debian-exim user
>> to the group shadow,
>
> Where is this dangerous suggestion written?

Will search for it again.

> How many CAs do you have enabled to trust?

First all as shipped with debian, then I removed all and restarted exim, same effect and same error.

I checked with gnutls-cli (or so) that no certificate is loaded.

Is there a way to verify what certificates are loaded by exim?

Norbert

Marc Haber
May 29, 2012, 5:20:03 AM

On Tue, May 29, 2012 at 05:59:04PM +0900, Norbert Preining wrote:
> > How many CAs do you have enabled to trust?
>
> First all as shipped with debian, then I removed all and restarted
> exim, same effect and same error.

Interesting. Generally, Gnutls will error out with the TLS packet with
unexpected length as a quite generic case.

> I checked with gnutls-cli (or so) that no certificate is loaded.
>
> Is there a way to verify what certificates are loaded by exim?

Not that I am aware of, but Andreas is very much more fluent in
GnuTLS. In exim 4.80, the GnuTLS code was greatly overhauled, so I
guess that upstream would be less than willing to invest time into the
old GnuTLS code.

Can you give a transcript of a gnutls-cli session from your server to
the smarthost, if you wish in private mail to andreas and me.

Greetings
Marc




Norbert Preining
May 29, 2012, 5:50:02 AM

On Di, 29 Mai 2012, Marc Haber wrote:
> > I have found various suggestions, like adding the Debian-exim user
> > to the group shadow,
>
> Where is this dangerous suggestion written?

http://vk6hgr.echidna.id.au/blog/?p=184

> Can you give a transcript of a gnutls-cli session from your server to
> the smarthost, if you wish in private mail to andreas and me.

Actually, no, I realized that it didn't work out.

Ok here is what I have:

* swaks:
$ swaks --tls --server smtp.jaist.ac.jp -p 587 --to prei...@logic.at
=== Trying smtp.jaist.ac.jp:587...
=== Connected to smtp.jaist.ac.jp.
<- 220 jaist.ac.jp ESMTP mail service ready
-> EHLO mithrandir
<- 250-mailrelayi.jaist.ac.jp
<- 250-8BITMIME
<- 250-SIZE 104857600
<- 250-AUTH PLAIN LOGIN
<- 250-STARTTLS
<- 250 AUTH=PLAIN LOGIN
-> STARTTLS
<- 220 Go ahead
Segmentation fault

$ dmesg | tail -1
[ 4963.125646] swaks[21719]: segfault at 0 ip 00007f0bfd596e10 sp 00007fff363daa38 error 4 in libcrypto.so.1.0.0[7f0bfd46e000+1b7000]

* openssl
$ openssl s_client -connect smtp.jaist.ac.jp:587
CONNECTED(00000003)
140240510559912:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:766:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 320 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
$

* gnutls-cli
$ gnutls-cli -s -p 587 smtp.jaist.ac.jp
Processed 0 CA certificate(s).
Resolving 'smtp.jaist.ac.jp'...
Connecting to '150.65.19.12:587'...

- Simple Client Mode:

220 jaist.ac.jp ESMTP mail service ready
EHLO mithrandir
(nothing ... pressing Ctrl-D)
*** Starting TLS handshake
(nothing ... until I Ctrl-C out)


Does this help you? Anything else? (Sorry, no I don't speak
SMTP protocol fluently)


Norbert

Marc Haber
May 29, 2012, 6:10:02 AM

On Tue, May 29, 2012 at 06:45:52PM +0900, Norbert Preining wrote:
> On Di, 29 Mai 2012, Marc Haber wrote:
> > > I have found various suggestions, like adding the Debian-exim user
> > > to the group shadow,
> >
> > Where is this dangerous suggestion written?
>
> http://vk6hgr.echidna.id.au/blog/?p=184

The author of this blog entry has not read the documentation. Adding
Debian-exim to the shadow group is the most insecure way to get
authentication (as a server) to work. It has nothing to do with TLS at
all. You might want to revert that change on your system as you are
exposing all your password hashes to an attacker.

> * openssl
> $ openssl s_client -connect smtp.jaist.ac.jp:587
> CONNECTED(00000003)

That will not work. You need to use STARTTLS, -starttls smtp

> $ gnutls-cli -s -p 587 smtp.jaist.ac.jp
> Processed 0 CA certificate(s).
> Resolving 'smtp.jaist.ac.jp'...
> Connecting to '150.65.19.12:587'...
>
> - Simple Client Mode:
>
> 220 jaist.ac.jp ESMTP mail service ready
> EHLO mithrandir
> (nothing ... pressing Ctrl-D)

The server stalls at this point before even switching to TLS. This is
a problem of the remote side that I can see from here as well. You
should report this to the operators of the server, it is broken.

Greetings
Marc



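Marc's diagnosis above, a relay that answers "220 Go ahead" and then sends no TLS record at all, can be told apart from a real handshake error by walking the STARTTLS path stage by stage under a timeout. The probe below is an added example in Python, not code from the bug report or from exim; `relay.example`, `probe.example` and the stalled relay thread are constructed stand-ins, and the probe covers the port-587 STARTTLS path only.

```python
import socket
import ssl
import threading

def _read_reply(reader):
    lines = []  # one SMTP reply; "250-" lines continue it, "250 " ends it
    while True:
        raw = reader.readline()
        if not raw:
            raise ConnectionError("peer closed the connection")
        lines.append(raw.decode("ascii", "replace").rstrip("\r\n"))
        if raw[3:4] != b"-":
            return int(lines[-1][:3]), lines

def probe_starttls(host, port, timeout=5.0):
    """Walk the port-587 path (banner, EHLO, STARTTLS, handshake) and return
    "ok" or a string naming the stage at which the server failed or went silent.
    ("timeout during banner" is what an implicit-TLS port such as 465 looks like.)"""
    ctx, stage = ssl.create_default_context(), "connect"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            reader, stage = sock.makefile("rb"), "banner"
            if _read_reply(reader)[0] != 220:
                return "no-banner"
            stage = "ehlo"
            sock.sendall(b"EHLO probe.example\r\n")
            code, lines = _read_reply(reader)
            if code != 250 or not any(ln[4:].upper().startswith("STARTTLS") for ln in lines):
                return "no-starttls"  # server does not offer STARTTLS on this port
            stage = "starttls-reply"
            sock.sendall(b"STARTTLS\r\n")
            if _read_reply(reader)[0] != 220:
                return "starttls-refused"
            # "220 Go ahead" followed by silence stalls here: the thread's symptom
            stage = "tls-handshake"
            ctx.wrap_socket(sock, server_hostname=host).close()
            return "ok"
    except socket.timeout:
        return f"timeout during {stage}"
    except ssl.SSLError as exc:
        return f"handshake failed: {exc.reason or exc}"

def _broken_relay(srv, stop):
    # Constructed stand-in for the relay: offers STARTTLS, says Go ahead, then stays silent
    conn, _ = srv.accept()
    conn.sendall(b"220 relay.example ESMTP mail service ready\r\n")
    conn.recv(1024)  # EHLO
    conn.sendall(b"250-relay.example\r\n250-AUTH PLAIN LOGIN\r\n250 STARTTLS\r\n")
    conn.recv(1024)  # STARTTLS
    conn.sendall(b"220 Go ahead\r\n")
    stop.wait(10)  # stall instead of starting the handshake
    conn.close()
    srv.close()

def demo_against_broken_relay():
    srv, stop = socket.create_server(("127.0.0.1", 0)), threading.Event()
    threading.Thread(target=_broken_relay, args=(srv, stop), daemon=True).start()
    status = probe_starttls("127.0.0.1", srv.getsockname()[1], timeout=1.0)
    stop.set()
    return status  # "timeout during tls-handshake"
```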

Norbert Preining
May 29, 2012, 7:30:03 PM

Hi Andreas,

thanks for your help.

On Di, 29 Mai 2012, Andreas Metzler wrote:
> 587 uses starttls, you'll need to talk to 465 to give abovementioned
> openssl test a chance to succeed.

Ok, after adding the necessary GlobalSign to the accepted CA certificates
I can talk to the server via openssl and gnutls-cli on port 465.

I could even send an actual email by typing in all the commands
including authentication etc using gnutls-cli:
> gnutls-cli --priority=NORMAL:%COMPAT:-VERS-TLS1.1:-VERS-TLS1.2 \
> smtp.jaist.ac.jp -p 465

Here is a transcript:
$ gnutls-cli --priority=NORMAL:%COMPAT:-VERS-TLS1.1:-VERS-TLS1.2 smtp.jaist.ac.jp -p 465
Processed 7 CA certificate(s).
Resolving 'smtp.jaist.ac.jp'...
Connecting to '150.65.19.12:465'...
- Peer's certificate is trusted
- The hostname in the certificate matches 'smtp.jaist.ac.jp'.
....
220 mailrelayi.jaist.ac.jp ESMTP
EHLO mithrandir
250-mailrelayi.jaist.ac.jp
250-8BITMIME
250-SIZE 104857600
250-AUTH PLAIN LOGIN
250 AUTH=PLAIN LOGIN
AUTH LOGIN
334 VXNlcm5hbWU6
.....some....string
334 UGFzc3dvcmQ6
.....some...string
235 #2.0.0 OK Authenticated
MAIL FROM:<prei...@logic.at>
250 sender <prei...@logic.at> ok
RCPT TO:<prei...@debian.org>
250 recipient <prei...@debian.org> ok
DATA
354 go ahead
From: "Norbert Preining" <prei...@logic.at>
To: "Norbert Preining" <prei...@debian.org>
Subject: Hello WOrld
See you soon
.
250 ok: Message 117646959 accepted
QUIT
221 mailrelayi.jaist.ac.jp
*** Fatal error: The TLS connection was non-properly terminated.
*** Server has terminated the connection abnormally.
$

But interestingly the mail was properly delivered, so no problem on
this side.

The only hiccup was that at the end
> connect if the SSL/settings are modified (for 4.77
> gnutls_require_protocols and gnutls_compat_mode, for 4.80 (in
> experimental) simply set tls_require_ciphers to the abovementioned
> priority string.)

Now I tried to convince exim to do the same, but without success.
According to your remarks I set the following variables in
/etc/exim4/conf.d/main/000_localmacros

DCsmarthost=smtp.jaist.ac.jp::465
gnutls_compat_mode=true
gnutls_require_protocols=NORMAL:%COMPAT:-VERS-TLS1.1:-VERS-TLS1.2

called update-exim4.conf and restarted exim. Unfortunately it did
not work out, I got:
2012-05-30 08:08:15 [11828] 1SZVOZ-0007rj-8Q SMTP timeout while connected to smtp.jaist.ac.jp [150.65.19.12] after initial connection: Connection timed out
2012-05-30 08:08:15 [11825] 1SZVOZ-0007rj-8Q == prei...@logic.at R=smarthost T=remote_smtp_smarthost defer (110): Connection timed out: SMTP timeout while connected to smtp.jaist.ac.jp [150.65.19.12] after initial connection

which is at least a step forward ...

Any further ideas?

-----------------------------
One more thing: I want to complain to the tech staff here: can you
tell me what else, besides the fact that TLS1.1 and TLS1.2 are not
supported, I can tell them?


Thanks a lot and all the best

Norbert
------------------------------------------------------------------------
Norbert Preining preining@{jaist.ac.jp, logic.at, debian.org}
JAIST, Japan TeX Live & Debian Developer
DSA: 0x09C5B094 fp: 14DF 2E6C 0307 BE6D AD76 A9C0 D2BF 4AA3 09C5 B094
------------------------------------------------------------------------
VOBSTER (n.)
A strain of perfectly healthy rodent which develops cancer the moment
it enters a laboratory.
--- Douglas Adams, The Meaning of Liff

Andreas Metzler
May 30, 2012, 1:40:02 PM

On 2012-05-30 Norbert Preining <prei...@logic.at> wrote:
> On Di, 29 Mai 2012, Andreas Metzler wrote:
[...]
> > gnutls-cli --priority=NORMAL:%COMPAT:-VERS-TLS1.1:-VERS-TLS1.2 \
> > smtp.jaist.ac.jp -p 465
[...]
> The only hiccup was that at the end
> > connect if the SSL/settings are modified (for 4.77
> > gnutls_require_protocols and gnutls_compat_mode, for 4.80 (in
> > experimental) simply set tls_require_ciphers to the abovementioned
> > priority string.)

> Now I tried to convince exim to do the same, but without success.
> According to your remarks I set the following variables in
> /etc/exim4/conf.d/main/000_localmacros

> DCsmarthost=smtp.jaist.ac.jp::465
> gnutls_compat_mode=true
> gnutls_require_protocols=NORMAL:%COMPAT:-VERS-TLS1.1:-VERS-TLS1.2

Two things:
* gnutls_require_protocols does not accept a GnuTLS string, it is a
different syntax: "TLS1.0:SSL3".
* The respective setting needs to be on the transport. (The
corresponding main configuration settings apply when exim is
accepting mail on the SMTP port.)

http://www.exim.org/exim-html-current/doc/html/spec_html/ch39.html#SECTreqciphgnu

[...]
> -----------------------------
> One more thing: I want to complain to the tech staff here: can you
> tell me what else, besides the fact that TLS1.1 and TLS1.2 are not
> supported, I can tell them?
[...]

Nothing specific. I would just hit them with the fact that

openssl s_client -connect smtp.jaist.ac.jp:465

fails. This should give more incentive than bringing in GnuTLS, which
is far less used. There are broken servers around (see e.g.
<http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5993>).

cu andreas

--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

Norbert Preining
May 30, 2012, 9:40:02 PM

Hi Andreas,

thanks for your support, very helpful, unfortunately ... it still
does not work out, no reason why...

On Mi, 30 Mai 2012, Andreas Metzler wrote:
> On 2012-05-30 Norbert Preining <prei...@logic.at> wrote:
> > On Di, 29 Mai 2012, Andreas Metzler wrote:
> [...]
> > > gnutls-cli --priority=NORMAL:%COMPAT:-VERS-TLS1.1:-VERS-TLS1.2 \
> > > smtp.jaist.ac.jp -p 465
> [...]
> > The only hiccup was that at the end
> > > connect if the SSL/settings are modified (for 4.77
> > > gnutls_require_protocols and gnutls_compat_mode, for 4.80 (in
> > > experimental) simply set tls_require_ciphers to the abovementioned
> > > priority string.)
>
> > Now I tried to convince exim to do the same, but without success.
> > According to your remarks I set the following variables in
> > /etc/exim4/conf.d/main/000_localmacros
>
> > DCsmarthost=smtp.jaist.ac.jp::465
> > gnutls_compat_mode=true
> > gnutls_require_protocols=NORMAL:%COMPAT:-VERS-TLS1.1:-VERS-TLS1.2
>
> Two things:
> * gnutls_require_protocols does not accept a GnuTLS string, it is a
> different syntax: "TLS1.0:SSL3".
> * The respective setting needs to be on the transport. (The
> corresponding main configuration settings apply when exim is
> accepting mail on the SMTP port.)

Ok, I have now
gnutls_require_protocols="TLS1.0:SSL3"
and also tried
gnutls_require_protocols=TLS1.0:SSL3
added to the
conf.d/transport/30_exim4-config_remote_smtp_smarthost
as in:
remote_smtp_smarthost:
  debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
  driver = smtp
  hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
        {\
        ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\
        }\
        {} \
      }
  gnutls_require_protocols=TLS1.0:SSL3
.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
  hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
.endif
...

Furthermore, in the main section I have added the
gnutls_compat_mode=true
(conf.d/main/000_localmacros)

update-exim4.conf (no warning)
exim restart (no warning)

delivering the message ends with:
2012-05-31 10:26:53 [5012] 1SZVOZ-0007rj-8Q SMTP timeout while connected to smtp.jaist.ac.jp [150.65.19.12] after initial connection: Connection timed out
2012-05-31 10:26:53 [5009] 1SZVOZ-0007rj-8Q == prei...@logic.at R=smarthost T=remote_smtp_smarthost defer (110): Connection timed out: SMTP timeout while connected to smtp.jaist.ac.jp [150.65.19.12] after initial connection

> Nothing specific. I would just hit them with the fact that
>
> openssl s_client -connect smtp.jaist.ac.jp:465

Ok, thanks.

> is far less used. There are broken servers around (see e.g.
> <http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5993>).

Thanks for the link.

Best wishes

Norbert



Andreas Metzler
May 31, 2012, 1:40:02 PM

On 2012-05-31 Norbert Preining <prei...@logic.at> wrote:
> thanks for your support, very helpful, unfortunately ... it still
> does not work out, no reason why...
[...]
> Furthermore, in the main section I have added the
> gnutls_compat_mode=true

This setting should also be on the transport. - I actually wanted to
explicitly state this but somehow forgot anyway. Sorry.

cu andreas

Norbert Preining
May 31, 2012, 2:00:02 PM

On Do, 31 Mai 2012, Andreas Metzler wrote:
> > Furthermore, in the main section I have added the
> > gnutls_compat_mode=true
>
> This setting should also be on the transport. - I actually wanted to

I think I tried that, and update-exim4.conf gave me an error...

no time to do more testing now, being on an airport between 3 worlds.

Will report later on...

Best wishes

Norbert



Andreas Metzler
May 31, 2012, 2:50:01 PM

On 2012-05-31 Norbert Preining <prei...@logic.at> wrote:
> On Do, 31 Mai 2012, Andreas Metzler wrote:
> > > Furthermore, in the main section I have added the
> > > gnutls_compat_mode=true
> >
> > This setting should also be on the transport. - I actually wanted to

> I think I tried that, and update-exim4.conf gave me an error...

You are right. The documentation is not correct in that respect,
gnutls_compat_mode=true is only accepted as a main configuration
option.
[...]

However, I have just installed exim4 4.77-1+b1 in my local sid chroot,
configured to use jaist.ac.jp::587 as smarthost. Of course I cannot
actually deliver, but can test connectivity.

Without hand-tuning I get this
~: echo foo | exim -f '<>' -d+all x...@example.com
[...]
20:17:04 6076 150.65.19.12 in hosts_avoid_tls? no (option unset)
20:17:04 6076 SMTP>> STARTTLS
20:17:04 6076 waiting for data on socket
20:17:04 6076 read response data: size=14
20:17:04 6076 SMTP<< 220 Go ahead
20:17:04 6076 initializing GnuTLS as a client
20:17:04 6076 read D-H parameters from file
20:17:04 6076 initialized D-H parameters
20:17:04 6076 no TLS client certificate is specified
20:17:04 6076 initialized certificate stuff
20:17:04 6076 initialized GnuTLS session
20:17:05 6076 LOG: MAIN
20:17:05 6076 TLS error on connection to smtp.jaist.ac.jp [150.65.19.12] (gnutls_handshake): A TLS packet with unexpected length was received.
20:17:05 6076 ok=0 send_quit=0 send_rset=1 continue_more=0 yield=1 first_address is not NULL
[...]

I have now set gnutls_compat_mode=true as main option and
gnutls_require_protocols=TLS1.0:SSL3 on the remote_smtp_smarthost
transport (exactly as you did, except for using non-split config):

(SID)root@argenau:/# exim4 -bP transport remote_smtp_smarthost | grep gnutls_require_pro ; exim4 -bP | grep gnutls_compat
gnutls_require_protocols = TLS1.0:SSL3
gnutls_compat_mode


Works for me. ;-O

~: echo foo | exim -f '<>' -d+all x...@example.com
[...]
20:25:47 6862 150.65.19.12 in hosts_avoid_tls? no (option unset)
20:25:47 6862 SMTP>> STARTTLS
20:25:47 6862 waiting for data on socket
20:25:47 6862 read response data: size=14
20:25:47 6862 SMTP<< 220 Go ahead
20:25:47 6862 initializing GnuTLS as a client
20:25:47 6862 read D-H parameters from file
20:25:47 6862 initialized D-H parameters
20:25:47 6862 no TLS client certificate is specified
20:25:47 6862 initialized certificate stuff
20:25:47 6862 adjusted protocol priorities: 2 2 1
20:25:47 6862 lowering GnuTLS security, compatibility mode
20:25:47 6862 initialized GnuTLS session
20:25:48 6862 cipher: TLS1.0:RSA_AES_256_CBC_SHA1:32
20:25:48 6862 SMTP>> EHLO argenau
20:25:48 6862 tls_do_write(ff9a673b, 14)
20:25:48 6862 gnutls_record_send(SSL, ff9a673b, 14)
20:25:48 6862 outbytes=14
20:25:48 6862 waiting for data on socket
20:25:48 6862 Calling gnutls_record_recv(f8d58f40, ff9a473b, 4096)
20:25:48 6862 read response data: size=106
20:25:48 6862 SMTP<< 250-mailrelayi.jaist.ac.jp
20:25:48 6862 250-8BITMIME
20:25:48 6862 250-SIZE 104857600
20:25:48 6862 250-AUTH PLAIN LOGIN
20:25:48 6862 250 AUTH=PLAIN LOGIN

cu andreas