[exim-dev] [Bug 786] tls_verify_hosts not verifying X509 signed from Outlook 2007

Author: 786
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 786] tls_verify_hosts not verifying X509 signed from Outlook 2007
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=786
--- Comment #5 from jwexler@??? 2008-12-12 05:16:55 ---
I'm not sure if this is expected behavior or not. Adding it to the bug report just in
case it helps.
Case: Send an email through exim on ServerA for delivery via exim on ServerB.
Neither MAIN_TLS_VERIFY_HOSTS nor MAIN_TLS_TRY_VERIFY_HOSTS is set in either server.
If the TLS certificate that exim uses on ServerB is included in
/etc/ca-certificates of ServerA (and the certificates are in the correct locations on
ServerA), then when I try to send email through ServerA, I get the following error and
log entry in ServerA (there is no log entry in ServerB):

2008-12-12 13:45:59 [1589] SMTP connection from [client_ip]:1605
I=[ServerA_ip]:587 (TCP/IP connection count = 1)
2008-12-12 13:46:00 [1610] TLS error on connection from client.domain (client)
[client_ip]:1605 (gnutls_handshake): A TLS packet with unexpected length was
received.
2008-12-12 13:46:00 [1610] SMTP connection from client.domain (client)
[client_ip]:1605 I=[ServerA_ip]:587 closed by EOF
2008-12-12 13:46:00 [1610] no MAIL in SMTP connection from client.domain
(client) [client_ip]:1605 I=[ServerA_ip]:587 D=1s C=EHLO,STARTTLS

After removing ServerB's certificate from ServerA (and updating
/etc/ca-certificates, /etc/ssl/certs/ca-certificates, etc), the email goes
through ok.

Log entries:

ServerA:
2008-12-12 13:49:02 [4850] SMTP connection from [client_ip]:1606
I=[ServerA_ip]:587 (TCP/IP connection count = 1)
2008-12-12 13:49:10 [4876] 1LAzxX-0001Ge-E9 <= sender@domain H=client.domain
(client) [client_ip]:1606 I=[ServerA_ip]:587 P=smtps
X=TLS-1.0:RSA_ARCFOUR_MD5:16 CV=no DN="" S=8162
id=021301c95c14$f6e0f8d0$e4a2ea70$@com T="ServerA -> ServerB Signed Expect OK
19" from <sender@domain> for recipient@recipient_domain
2008-12-12 13:49:10 [4889] cwd=/var/spool/exim4 3 args: /usr/sbin/exim4 -Mc
1LAzxX-0001Ge-E9
2008-12-12 13:49:10 [4889] 1LAzxX-0001Ge-E9 => recipient@recipient_domain
F=<sender@domain> P=<sender@domain> R=dnslookup_relay_to_domains T=remote_smtp
S=8361 H=recipient_domain [ServerB_ip]:25 X=TLS-1.0:RSA_AES_256_CBC_SHA1:32
CV=no DN="C=US,ST=State,L=City,O=Company LLC,OU=Information
Technology,CN=ServerB.domain,EMAIL=sysmail@domain" C="250 OK
id=1LAzxd-0001k5-8d" QT=7s DT=0s
2008-12-12 13:49:10 [4889] 1LAzxX-0001Ge-E9 Completed QT=7s
2008-12-12 13:49:13 [4876] SMTP connection from client.domain (client)
[client_ip]:1606 I=[ServerA_ip]:587 closed by QUIT

ServerB:
2008-12-12 13:49:09 1LAzxd-0001k5-8d <= sender@domain H=ServerA.domain
[ServerA_ip] P=esmtps X=TLS-1.0:RSA_AES_256_CBC_SHA1:32 DN="" S=8428
id=021301c95c14$f6e0f8d0$e4a2ea70$@com
2008-12-12 13:49:09 1LAzxd-0001k5-8d => rw-recipient <rw-recipient@domain>
R=local_user T=maildir_home
2008-12-12 13:49:09 1LAzxd-0001k5-8d Completed

This is repeatable. If I add the certificate back, the mail does not go through and the
log is the same as before. If I then remove it again, the mail goes through and the logs
are the same as for that case before.


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email
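As an added example (it is not part of the bug report and not Exim's own code), here is a small Python parser that pulls the X= (cipher), CV= (certificate verified) and DN= (peer certificate subject) fields out of Exim main-log lines, so a defender can audit which TLS hops actually had their peer certificate verified rather than merely encrypted. It assumes the one-entry-per-line main-log format with an optional bracketed pid, as seen in this comment; the sample input is the comment's own ServerA/ServerB log lines re-joined onto single lines, and the status labels are this example's own naming. On that input the delivery to ServerB carries a full DN but CV=no: the peer presented a certificate, but with neither tls_verify_hosts nor tls_try_verify_hosts set it was never verified.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the log lines quoted in the bug comment, re-joined
# onto single lines (the mail wrapped them). Connection lines without a message
# id are included to show they are skipped.
SAMPLE_LOG = """\
2008-12-12 13:49:02 [4850] SMTP connection from [client_ip]:1606 I=[ServerA_ip]:587 (TCP/IP connection count = 1)
2008-12-12 13:49:10 [4876] 1LAzxX-0001Ge-E9 <= sender@domain H=client.domain (client) [client_ip]:1606 I=[ServerA_ip]:587 P=smtps X=TLS-1.0:RSA_ARCFOUR_MD5:16 CV=no DN="" S=8162 id=021301c95c14$f6e0f8d0$e4a2ea70$@com T="ServerA -> ServerB Signed Expect OK 19" from <sender@domain> for recipient@recipient_domain
2008-12-12 13:49:10 [4889] 1LAzxX-0001Ge-E9 => recipient@recipient_domain F=<sender@domain> P=<sender@domain> R=dnslookup_relay_to_domains T=remote_smtp S=8361 H=recipient_domain [ServerB_ip]:25 X=TLS-1.0:RSA_AES_256_CBC_SHA1:32 CV=no DN="C=US,ST=State,L=City,O=Company LLC,OU=Information Technology,CN=ServerB.domain,EMAIL=sysmail@domain" C="250 OK id=1LAzxd-0001k5-8d" QT=7s DT=0s
2008-12-12 13:49:09 1LAzxd-0001k5-8d <= sender@domain H=ServerA.domain [ServerA_ip] P=esmtps X=TLS-1.0:RSA_AES_256_CBC_SHA1:32 DN="" S=8428 id=021301c95c14$f6e0f8d0$e4a2ea70$@com
2008-12-12 13:49:09 1LAzxd-0001k5-8d => rw-recipient <rw-recipient@domain> R=local_user T=maildir_home
"""

# timestamp, optional "[pid] ", 6-6-2 message id, direction arrow, rest of line
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?:\[\d+\] )?"
    r"(?P<id>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) "
    r"(?P<arrow><=|=>|->|\*\*|==) (?P<rest>.*)$"
)
# KEY=value pairs; a value is either a double-quoted string (may contain spaces
# and inner '=' such as the RDNs of a DN) or a run of non-space characters.
FIELD_RE = re.compile(r'(?<![\w"@.])([A-Za-z]+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class TlsRecord:
    timestamp: str
    msg_id: str
    direction: str          # "<=" received, "=>" delivered, etc.
    cipher: Optional[str]   # X= field; None when the hop was not TLS
    cv: Optional[str]       # CV= field ("yes"/"no"); None when Exim did not log it
    dn: Optional[str]       # DN= field; "" when the peer presented no certificate

    @property
    def status(self) -> str:
        """Classify the hop (labels are this example's own, not Exim's)."""
        if self.cipher is None:
            return "no-tls"
        if self.dn is None:
            return "tls-no-dn-logged"     # cannot tell whether a cert was presented
        if self.dn == "":
            return "no-peer-cert"         # encrypted, but peer sent no certificate
        if self.cv == "yes":
            return "verified"
        return "unverified-cert"          # cert seen but not verified (CV=no or absent)


def parse_exim_log(text: str) -> List[TlsRecord]:
    """Parse message-id-bearing main-log lines into TlsRecord objects."""
    records: List[TlsRecord] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # connection / TLS-error lines carry no message id
        fields = {}
        for key, raw in FIELD_RE.findall(m.group("rest")):
            fields[key] = raw[1:-1] if raw.startswith('"') else raw
        records.append(TlsRecord(m.group("ts"), m.group("id"), m.group("arrow"),
                                 fields.get("X"), fields.get("CV"), fields.get("DN")))
    return records


def unverified_tls_hops(records: List[TlsRecord]) -> List[str]:
    """Message ids of TLS hops where a peer certificate was presented but not
    verified: exactly the hops tls_verify_hosts / tls_try_verify_hosts govern."""
    return [r.msg_id for r in records if r.status == "unverified-cert"]


if __name__ == "__main__":
    for rec in parse_exim_log(SAMPLE_LOG):
        print(f"{rec.msg_id} {rec.direction} {rec.status:18} X={rec.cipher} CV={rec.cv} DN={rec.dn!r}")
    print("unverified:", unverified_tls_hops(parse_exim_log(SAMPLE_LOG)))
```

Running it over a real main log (`parse_exim_log(open('/var/log/exim4/mainlog').read())`) gives a quick inventory of hops that are encrypted but whose peer was never authenticated; a CV=no with a non-empty DN on an outbound hop to a host you expect in tls_verify_hosts is the condition worth alerting on.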