Phil,
Thank you very kindly for your help.
I will look into the ciphers and gnutls_compat_mode per your direction.
Additionally, I found a work around. I had originally (in 8.04 LTS) assigned
tls_try_verify_hosts to * thereby enabling it.
However, I had never been able to get it to do what I had been trying to do
at that time which had been to require that only Outlook clients that had an
approved certificate installed be able to send email via the exim server. I
found that I may have misunderstood the purpose of tls_try_verify_hosts at
that time any way. However, although that had not worked, leaving
tls_try_verify_hosts enabled had not seemed to do anything and therefore I
had just left it enabled.
When trying to find the cause in this recent 9.10 install, I disabled
tls_try_verify_hosts and found that after doing so I am able to receive the
certificate from the server and can send encrypted email again. After
finding that worked, I searched on gnutls and tls_try_verify_hosts and found
that some other folks have also been having trouble with this. In fact, I
see that you contributed to that thread.
http://www.mail-archive.com/exim-users@exim.org/msg33756.html It appears to
me that something was done with tls_try_verify_hosts from between the exim4
version in 8.04 LTS and 9.10. Thus for now I have it disabled.
Thank you again
-----Original Message-----
From: exim-users-bounces@??? [
mailto:exim-users-bounces@exim.org] On
Behalf Of Phil Pennock
Sent: Sunday, May 02, 2010 2:32 PM
To: jwexler@???
Cc: Exim-users@???
Subject: Re: [exim] Outlook failing gnutls_handshake after resetting up on
ubuntu 9.10
On 2010-05-01 at 11:10 +0900, jwexler@??? wrote:
> Outlook 2007 produces the following error (not exact wording):
>
> Sending of test email message: does not support the encryption type
supplied
> by the server. Please change the encryption method. Contact your
> administrator...
The encryption type is not connected directly to the certificate.
There's:
* versions of SSL/TLS enabled
* ciphersuites supported for the session
With OpenSSL, I'd say { openssl ciphers }. I don't know with GnuTLS
that this command matches what Exim would see, but { gnutls-serv -l }.
For instance, if on 8.04 that would include SSL2.0, but on 9.10 it
reports:
Protocols: SSL3.0, TLS1.0, TLS1.1, TLS1.2
then this might be your problem.
Separately, Exim 4.70 onwards has the option "gnutls_compat_mode", which
makes the gnutls_session_enable_compatibility_mode() call into GnuTLS.
I don't recall which clients that call exists for, but it might be worth
turning on to experiment with. It weakens the security somewhat and I'm
not in a position to state what the impact of the changes is.
I don't know what Outlook does and does not support, but hopefully this
provides some help.
-Phil
--
## List details at
http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at
http://www.exim.org/
## Please use the Wiki with this list -
http://wiki.exim.org/
