Re: [exim] www.rellits.com ssl tutorial worked for courier, …

Author: Tommy Butler
Date:  
To: exim-users
CC: hbrueckner
Subject: Re: [exim] www.rellits.com ssl tutorial worked for courier, but not exim
hbrueckner@??? wrote:

> On Tue, Dec 14, 2004 at 02:52:05PM -0600, Tommy Butler wrote:
>
>> hbrueckner@??? wrote:
>>
>>> Can you paste the appropriate log entries (mainlog/paniclog) for this
>>> error.
>>
>> ERROR:
>> 2004-12-14 14:49:54 TLS error on connection from (tommy) [69.15.114.65]
>> (cert/key setup): Error while reading file.
>>
>>> Try to start exim with TLS debugging: exim4 -d+tls. (you can add this
>>> parameter in /etc/default/exim4)


I made the suggested edits. But I'm still getting that error. I even
set the perms on my ssl key and cert to 777 to make sure it wasn't a
perms problem.

    tls_certificate = /etc/ssl/certs/smtp.pem
    tls_privatekey = /etc/ssl/private/mail.cityairlines.net.key.nopass.pem


On my server I start up exim4...

    $ /etc/init.d/exim4 start
    Starting MTA: Exim version 4.34 uid=0 gid=0 pid=21925 D=fbb95cfd
    Berkeley DB: Sleepycat Software: Berkeley DB 3.2.9: (May 26, 2004)
    Support for: iconv() IPv6 PAM Perl GnuTLS
    Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz
    dnsdb dsearch
    ldap ldapdn ldapm mysql nis nis0 passwd pgsql
    Authenticators: cram_md5 plaintext spa
    Routers: accept dnslookup ipliteral iplookup manualroute
    queryprogram redirect
    Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
    Fixed never_users: 0
    changed uid/gid: forcing real = effective
      uid=0 gid=0 pid=21925
      auxiliary group list: <none>
    configuration file is /var/lib/exim4/config.autogenerated
    log selectors = 00000ffc 00030400
    trusted user
    admin user
    user name "root" extracted from gecos field "root"
    originator: uid=0 gid=0 login=root name=root
    21925 listening on 127.0.0.1 port 25
    21925 listening on 206.123.72.157 port 25
    21925 pid written to /var/run/exim4/exim.pid
    21925 changed uid/gid: running as a daemon
    21925   uid=102 gid=102 pid=21925
    21925   auxiliary group list: 102
    21925 LOG: MAIN
    21925   exim 4.34 daemon started: pid=21925, -q30m, listening for SMTP on [127.0.0.1]:25 [206.123.72.157]:25
    21925 set_process_info: 21925 daemon: -q30m, listening for SMTP on [127.0.0.1]:25 [206.123.72.157]:25
    21925 daemon running with uid=102 gid=102 euid=102 egid=102
    21925 SIGALRM received
    21926 Starting queue-runner: pid 21926
    21926 exec /usr/sbin/exim4 -q
    21925 1 queue-runner process running
    21925 Listening...


Then here at home I telnet into the exim server process:

    Tommy@sneeker ~
    $ telnet mail.cityairlines.net 25
    Trying 206.123.72.157...
    Connected to mail.cityairlines.net.
    Escape character is '^]'.
    220 noot.cityairlines.net ESMTP Exim 4.34 Tue, 14 Dec 2004 23:42:03 -0600
    ehlo tommy
    250-noot.cityairlines.net Hello ppp-70-243-209-238.dsl.rcsntx.swbell.net [70.243.209.238]
    250-SIZE 52428800
    250-PIPELINING
    250-STARTTLS
    250 HELP
    starttls
    454 TLS currently unavailable
    QUIT
    221 noot.cityairlines.net closing connection
    Connection closed by foreign host.


I go back to the server shell and the debug messages are thus:

    21925 Connection request from 70.243.209.238 port 3999
    21925 search_tidyup called
    22040 host in rfc1413_hosts? yes (matched "*")
    22040 doing ident callback
    21925 1 SMTP accept process running
    21925 Listening...
    22040 ident connection to 70.243.209.238 failed: Connection refused
    22040 sender_fullhost = [70.243.209.238]
    22040 sender_rcvhost = [70.243.209.238]
    22040 Process 22040 is handling incoming connection from
    [70.243.209.238]
    22040 host in host_lookup? yes (matched "*")
    22040 looking up host name for 70.243.209.238
    22040 DNS lookup of 238.209.243.70.in-addr.arpa (PTR) succeeded
    22040 IP address lookup yielded ppp-70-243-209-238.dsl.rcsntx.swbell.net
    22040 gethostbyname2(af=inet6) returned 4 (NO_DATA)
    22040 gethostbyname2 looked up these IP addresses:
    22040   name=ppp-70-243-209-238.dsl.rcsntx.swbell.net
    address=70.243.209.238
    22040 checking addresses for ppp-70-243-209-238.dsl.rcsntx.swbell.net
    22040   70.243.209.238 OK
    22040 sender_fullhost = ppp-70-243-209-238.dsl.rcsntx.swbell.net
    [70.243.209.238]
    22040 sender_rcvhost = ppp-70-243-209-238.dsl.rcsntx.swbell.net
    ([70.243.209.238])
    22040 set_process_info: 22040 handling incoming connection from
    ppp-70-243-209-238.dsl.rcsntx.swbell.net [70.243.209.238]
    22040 host in host_reject_connection? no (option unset)
    22040 host in sender_unqualified_hosts? no (option unset)
    22040 host in recipient_unqualified_hosts? no (option unset)
    22040 host in helo_verify_hosts? no (option unset)
    22040 host in helo_try_verify_hosts? no (option unset)
    22040 host in helo_accept_junk_hosts? no (option unset)
    22040 SMTP>> 220 noot.cityairlines.net ESMTP Exim 4.34 Tue, 14 Dec
    2004 23:42:03 -0600
    22040 Process 22040 is ready for new message
    22040 smtp_setup_msg entered
    22040 SMTP<< ehlo tommy
    22040 sender_fullhost = ppp-70-243-209-238.dsl.rcsntx.swbell.net
    (tommy) [70.243.209.238]
    22040 sender_rcvhost = ppp-70-243-209-238.dsl.rcsntx.swbell.net
    ([70.243.209.238] helo=tommy)
    22040 set_process_info: 22040 handling incoming connection from
    ppp-70-243-209-238.dsl.rcsntx.swbell.net (tommy) [70.243.209.238]
    22040 host in pipelining_advertise_hosts? yes (matched "*")
    22040 host in auth_advertise_hosts? yes (matched "*")
    22040 host in tls_advertise_hosts? yes (matched "*")
    22040 SMTP>> 250-noot.cityairlines.net Hello
    ppp-70-243-209-238.dsl.rcsntx.swbell.net [70.243.209.238]
    22040 250-SIZE 52428800
    22040 250-PIPELINING
    22040 250-STARTTLS
    22040 250 HELP
    22040 SMTP<< starttls
    22040 initializing GnuTLS as a server
    22040 read RSA and D-H parameters from file
    22040 initialized RSA and D-H parameters
    22040 certificate file = /etc/ssl/certs/smtp.pem
    22040 key file = /etc/ssl/private/mail.cityairlines.net.key.nopass.pem
    22040 LOG: MAIN
    22040   TLS error on connection from
    ppp-70-243-209-238.dsl.rcsntx.swbell.net (tommy) [70.243.209.238]
    (cert/key setup): Error while reading file.
    22040 SMTP>> 454 TLS currently unavailable
    22040 SMTP<< QUIT
    22040 SMTP>> 221 noot.cityairlines.net closing connection
    22040 LOG: smtp_connection MAIN
    22040   SMTP connection from
    ppp-70-243-209-238.dsl.rcsntx.swbell.net (tommy) [70.243.209.238]
    closed by QUIT
    22040 search_tidyup called
    21925 child 22040 ended: status=0x0
    21925 0 SMTP accept processes now running
    21925 Listening...


Does this tell me anything useful? Is there anywhere to go from here?
I am completely exasperated.

Now as stated earlier I already am using the same cert and key for
IMAP+SSL and POP3+SSL, so I can't see how there could be a permissions
problem with the ssl cert and key, nor can I see how the cert or key
could be "corrupt" or in an unusable format.

I really am coming to the end of my rope, as the saying goes. Again,
can anyone tell me why I should keep trying to get exim to work instead
of just scrapping the idea and going back to sendmail? I've spent more
time on this than I care to admit, and spending more time just seems
ridiculous. Why would I want to keep trying with exim? Is there a
really good reason I should? Please, tell me what is so great about
exim that it is better than sendmail?

--
Tommy Butler
tommy@??? <mailto:tommy@atrixnet.com>
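An added check, not code from the thread or from Exim, for the file-access question raised above: it walks the certificate and key paths as the uid/gid the daemon drops to (102 in the debug output) and so tests what chmod 777 on the key alone does not, namely the search bit on each parent directory such as /etc/ssl/private. The openssl calls and the uid 65534 used to stand in for an unrelated local account are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: emulate the permission walk the kernel
# performs when Exim, after dropping root (debug output: uid=102 gid=102),
# opens tls_certificate and tls_privatekey. Only the primary gid is considered;
# uid/gid, paths and the 65534 "unrelated account" are assumed. Needs `stat -c`.

# can_access PATH UID GID BIT (4 = read, 1 = search): 0 granted, 1 denied, 2 missing
can_access() {
    info=$(stat -c '%u %g %a' "$1" 2>/dev/null) || return 2
    set -- "$1" "$2" "$3" "$4" $info             # $5 owner, $6 group, $7 octal mode
    [ "$2" -eq 0 ] && return 0                    # uid 0 is not subject to mode bits
    perm=$(printf '%03d' "$7"); perm=${perm#"${perm%???}"}   # keep rwx digits only
    if   [ "$2" -eq "$5" ]; then d=${perm%??}                # owner digit
    elif [ "$3" -eq "$6" ]; then d=${perm#?}; d=${d%?}       # group digit
    else d=${perm#??}; fi                                    # other digit
    [ $(( (d / $4) % 2 )) -eq 1 ]
}

# daemon_can_read UID GID /abs/file: every ancestor needs x, the file needs r.
daemon_can_read() {
    dir=/ rest=${3#/}
    while [ -n "$rest" ]; do
        can_access "$dir" "$1" "$2" 1 ||
            { echo "BLOCKED: no search (x) bit on $dir for uid=$1 gid=$2"; return 1; }
        case $rest in */*) comp=${rest%%/*}; rest=${rest#*/};; *) comp=$rest; rest=;; esac
        dir=${dir%/}/$comp
    done
    can_access "$dir" "$1" "$2" 4 ||
        { echo "BLOCKED: $dir is missing or lacks the read bit for uid=$1 gid=$2"; return 1; }
    echo "ok: $dir is readable by uid=$1 gid=$2"
}

# check_exim_tls UID GID CERT KEY: daemon readability, key exposure, PEM sanity, pairing
check_exim_tls() {
    rc=0
    daemon_can_read "$1" "$2" "$3" || rc=1
    daemon_can_read "$1" "$2" "$4" || rc=1
    can_access "$4" 65534 65534 4 && echo "WARNING: $4 is readable by every local account"
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -noout -in "$3" || { echo "BAD PEM: $3"; rc=1; }
        openssl rsa -noout -in "$4" || { echo "BAD PEM: $4"; rc=1; }
        [ "$(openssl x509 -noout -modulus -in "$3")" = "$(openssl rsa -noout -modulus -in "$4")" ] ||
            { echo "MISMATCH: certificate and key moduli differ"; rc=1; }
    fi
    return $rc
}

# Paths from the thread's exim config; 102 is the uid/gid exim dropped to.
if [ "${1:-}" = check ]; then check_exim_tls 102 102 /etc/ssl/certs/smtp.pem /etc/ssl/private/mail.cityairlines.net.key.nopass.pem; fi
```

Run it as `sh check.sh check` on the mail server; a BLOCKED line names the first path component the daemon cannot pass.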