Re: [exim] TLS problem

Author: Giuliano Gavazzi
Date:  
To: Steffen Beyer, exim-users
CC: 
Subject: Re: [exim] TLS problem
At 6:17 am +0200 2004/10/25, Steffen Beyer wrote:
>Hi,
>
>my mail server, running Exim 4.34 on Debian, sometimes receives a reject
>when trying to set up a TLS connection. Most of the time there's no
>problem and Exim gets an encrypted connection, but one specific
>destination MX (running Sendmail 8.12.11) always returns:
>
>551 5.0.0 Fix your SSL problems first!

[...]
>The certificate uses 4096 bit RSA encryption and is signed by my own CA
>(which uses a self signed cert).
>
>What's wrong here? I have no idea and this X509/TLS stuff is not one of my
>strengths (yet). ,) Replacing the cert with a new one didn't make any
>difference.


I suppose this might be the problem. You should not let exim attempt
TLS with that server, or at least, force it to try again unencrypted.
Look at section:

37.6 Configuring an Exim client to use TLS

[...]
It is not necessary to set any options to have TLS work in the smtp transport.
If Exim is built with TLS support, and TLS is advertised by a server, the smtp
transport always tries to start a TLS session. However, this can be prevented
by setting "hosts_avoid_tls" (an option of the transport) to a list of server
hosts for which TLS should not be used.

[...]
When the server host is not in "hosts_require_tls", Exim may try to deliver
the message unencrypted. It always does this if the response to STARTTLS is a
5xx code. For a temporary error code, or for a failure to negotiate a TLS
session after a success response code, what happens is controlled by the
"tls_tempfail_tryclear" option of the smtp transport. If it is false, delivery
to this host is deferred, and other hosts (if available) are tried. If it is
true, Exim attempts to deliver unencrypted after a 4xx response to STARTTLS,
and if STARTTLS is accepted, but the subsequent TLS negotiation fails, Exim
closes the current connection (because it is in an unknown state), opens a new
one to the same host, and then tries the delivery unencrypted.



From the above I reckon your error is a response to the MAIL FROM or RCPT TO
commands; otherwise, as it says, exim would deliver unencrypted
(unless you have that host in hosts_require_tls).
Good that you have brought up this issue. Please let us know which
option fixed your problem, as many of us run with our own CA...

Giuliano
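The two transport options quoted from section 37.6 above, written out as a configuration fragment. This is an added example, not part of the original message or of the Exim distribution; the host name mx.example.net stands in for the problem Sendmail MX, which the original post does not name, and the transport name remote_smtp is the one used in the Exim default configuration.

```exim
# --- main configuration section ---------------------------------------
# Named host list of peers known to break on STARTTLS.  Keeping it here
# rather than inline in the transport makes it easy to extend and to
# reuse (e.g. in an ACL).  mx.example.net is a placeholder for the
# Sendmail MX from the thread.
hostlist tls_broken_hosts = mx.example.net

# --- transports section -----------------------------------------------
remote_smtp:
  driver = smtp

  # Never even try STARTTLS with these hosts.  Because no STARTTLS is
  # sent, the remote side never sees our certificate and the delivery
  # runs in clear from the first command.
  hosts_avoid_tls = +tls_broken_hosts

  # For every other host: after a 4xx response to STARTTLS, or after a
  # failed TLS handshake following a 2xx response, drop the connection
  # and retry the delivery unencrypted instead of deferring.  (A 5xx to
  # STARTTLS already falls back to clear text regardless of this option.)
  tls_tempfail_tryclear = true

  # Hosts listed here are never delivered to in clear; they must not
  # overlap with hosts_avoid_tls or delivery to them can never succeed.
  # Left empty on purpose in this example.
  hosts_require_tls =
```

Check the result with `exim -bV`, which reads the whole configuration and reports syntax errors, before reloading the daemon. Note that this only changes what Exim does on its side of the connection: if the 551 is returned to MAIL FROM or RCPT TO after a successful TLS handshake, as suspected in the reply above, putting the host in hosts_avoid_tls avoids the handshake entirely, which is why it is the more reliable of the two settings for a single misbehaving peer.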