Re: [exim] Outlook failing gnutls_handshake after resetting …

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] Outlook failing gnutls_handshake after resetting up on ubuntu 9.10
Jeff Wexler wrote:
> I have been googling for three days now to no avail.
>

Jeff,

'Most' of the 'LookOUT!' peccadilloes have either been fixed by MS or are very
familiar here, and it just should not be a significant problem these days.

But I'm not convinced it is entirely a GNUTLS problem, either... and what you
are reporting is rare enough that you may have simply gotten your own underwear
caught in the machinery.

So - first, a few extra tests:

- try adding the no-longer-proper legacy port 465 as 'tls_on_connect', point
Outlook at it seeking 'SSL' (only) and see if Outlook JFW with the same certs.

- try *temporarily* setting port 587 to 'tls_on_connect', overriding Outlook to
set for that port BUT 'SSL' (NOT TLS) and see if THAT works.

If neither of those work and the SSL/TLS errors persist, I'd suggest you 'park'
the entirety of the old install off to the side on backup somewhere and try a
clean install of Exim with as few non-stock options as possible. Likewise clean
cert generation from a cold start, and with no frills.

Try the new install - THEN - if the problem persists, post your authenticators
for us to have a look at as well as the SSL/TLS specifics.

Do make use of Exim's superb debug first!

Along the way - if you are not married to GNU in a proper church, you might want
to see if switching to OpenSSL makes life easier. That seems to be the case more
often than the reverse.

HTH

Bill Hacker

>
> I have just reconfigured relevant email settings (exim4, mailscanner,
> clamav, saslauthd, ldap, samba, dovecot, ssl, ca-certificates, .crt and .pem
> files) on ubuntu 9.10 by updating the current version of each's settings
> files with my customizations that I had made on Ubuntu 8.04 LTS.
>
> I am able to receive email fine but can no longer send. My configuration
> requires TLS over port 587.
>
> Please note again that the customizations, certificates, etc are those that
> worked on 8.04 LTS.
>
> Outlook 2007 produces the following error (not exact wording):
>
> Sending of test email message: does not support the encryption type supplied
> by the server. Please change the encryption method. Contact your
> administrator...
>
> And in the mainlog:
>
> SMTP connection from [123.123.123.123]:1185 I=[123.123.123.124]:587 (TCP/IP
> connection count = 1)
> 2010-04-30 16:05:21 [2808] no host name found for IP address 123.123.123.123
> 2010-04-30 16:05:22 [2808] TLS error on connection from (mycomp)
> [123.123.123.123]:1185 (gnutls_handshake): A TLS packet with
> unexpected length was received.
> 2010-04-30 16:05:22 [2808] SMTP connection from (mycomp)
> [123.123.123.123]:1185 I=[123.123.123.124]:587 closed by EOF
> 2010-04-30 16:05:22 [2808] no MAIL in SMTP connection from (mycomp)
> [123.123.123.123]:1185 I=[123.123.123.124]:587 D=6s C=EHLO,STARTTLS
>
> I did the following test:
>
> I first used the keys that include my public hostname (i.e., the ones that I
> have been using all along on Ubuntu 8.04LTS).
>
> exim4 -bd -d+tls -oX 127.0.0.1.587 -tls-on-connect
>
> gnutls-cli -p 587 127.0.0.1
>
> I got the following:
>
> Resolving '127.0.0.1'...
> Connecting to '127.0.0.1:587'...
> - Successfully sent 0 certificate(s) to server.
> - Ephemeral Diffie-Hellman parameters
> - Using prime: 1024 bits
> - Secret key: 1023 bits
> - Peer's public key: 1021 bits
> - Server has requested a certificate.
> - Certificate type: X.509
> - Got a certificate list of 1 certificates.
> - Certificate[0] info:
> - subject `C=US,O=My Org,OU=My
> Unit,L=MyCity,ST=MyState,CN=MyHostname,EMAIL=MyEmail', issuer
> `C=US,O=MyCA,OU=MyCAUnit,L=MyCity,ST=MyCity,CN=MyHostName,EMAIL=MyEmail',
> RSA key 1024 bits, signed using RSA-SHA, activated `ADateIn2008', expires
> `ADateIn2011', SHA-1 fingerprint `ABunchOfLettersAndNumbers'
> - The hostname in the certificate does NOT match '127.0.0.1'
>
> So, I then generated a new exim.crt and exim.key using exim-gencert and
> configured exim to use those (just for this following test) and set the CN
> to 127.0.0.1
>
> Then did gnutls-cli -p 587 127.0.0.1 again and this time I connected with a
> successful gnutls_handshake.
>
> I tried using various values for the CN in subsequent exim.crt and exim.keys
> but still get the same error message in Outlook.
>
> Were there any changes between 8.04 LTS and 9.10 that would cause this
> behavior? Any ideas?
>
> I would greatly appreciate help on this.
>
> Thank you
>
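The two listener tests Bill suggests above (465 as tls-on-connect for Outlook's "SSL" setting, 587 left as STARTTLS for its "TLS" setting), together with a check of the certificate CN against the name Outlook will be pointed at, written out as a script. This is an added example and not code from the thread or from Exim; the host name `mail.example.com`, the `/etc/exim4/exim.crt` path, the `openssl s_client` probes and the helper names `parse_cn`, `cn_matches_host`, `probe_starttls` and `probe_tls_on_connect` are assumptions. The Exim option names in the fragment are real main-section options.

```shell
#!/bin/sh
# Added example, not from the thread. Lays out the two listener tests
# (465 = tls-on-connect, 587 = STARTTLS) and checks the certificate CN
# against the name clients will use. MAILHOST, EXIM_CERT and the
# openssl s_client probes are assumptions.
set -e

MAILHOST="${MAILHOST:-mail.example.com}"       # assumed: name clients connect to
EXIM_CERT="${EXIM_CERT:-/etc/exim4/exim.crt}"  # assumed: Debian exim-gencert default

# Exim main-section fragment for the admin to merge into the running config.
# 465 starts TLS on connect (what Outlook calls "SSL"); 587 waits for
# EHLO + STARTTLS (what Outlook calls "TLS"). Keeping the modes on separate
# ports lets each Outlook setting be tried against a listener that expects it.
exim_listener_fragment() {
  cat <<'EOF'
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465
tls_certificate = /etc/exim4/exim.crt
tls_privatekey = /etc/exim4/exim.key
tls_advertise_hosts = *
EOF
}

# CN from an `openssl x509 -noout -subject` line. Accepts both the old
# "subject= /C=US/O=Org/CN=host" and the newer "subject=C = US, CN = host" layouts.
parse_cn() {
  printf '%s\n' "$1" | sed 's/^subject= *//' | tr '/,' '\n\n' \
    | sed -n 's/^ *CN *= *\(.*[^ ]\) *$/\1/p' | head -n 1
}

# Does the CN cover HOST? Case-insensitive; a leading "*." covers exactly one label.
# (Clients also consult subjectAltName; this helper looks at the CN only.)
cn_matches_host() {
  cn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$cn" in
    \*.*)
      suffix=${cn#\*}             # "*.example.com" -> ".example.com"
      label=${host%"$suffix"}     # "mail" when host ends in the suffix
      if [ "$label" != "$host" ] && [ -n "$label" ] && [ "${label#*.}" = "$label" ]; then
        return 0
      fi
      return 1 ;;
    *)
      [ "$cn" = "$host" ] && return 0
      return 1 ;;
  esac
}

# Probe 587 the way Outlook's "TLS" setting does: plaintext EHLO, then STARTTLS.
probe_starttls() {
  printf 'QUIT\r\n' | openssl s_client -connect "$MAILHOST:587" -starttls smtp \
    -servername "$MAILHOST" 2>&1
}

# Probe 465 the way Outlook's "SSL" setting does: TLS from the very first byte.
probe_tls_on_connect() {
  printf 'QUIT\r\n' | openssl s_client -connect "$MAILHOST:465" \
    -servername "$MAILHOST" 2>&1
}

run_checks() {
  subject=$(openssl x509 -in "$EXIM_CERT" -noout -subject)
  cn=$(parse_cn "$subject")
  if cn_matches_host "$cn" "$MAILHOST"; then
    echo "certificate CN '$cn' matches $MAILHOST"
  else
    echo "certificate CN '$cn' does NOT match $MAILHOST: clients will report a name mismatch"
  fi
  echo "--- 587 STARTTLS";       probe_starttls       | grep -E 'Protocol|Cipher  *:|Verify return'
  echo "--- 465 tls-on-connect"; probe_tls_on_connect | grep -E 'Protocol|Cipher  *:|Verify return'
}

# Only touch the certificate and the network when asked (RUN_CHECKS=1), so the
# helpers above can be sourced and checked without a live Exim.
if [ "${RUN_CHECKS:-0}" = 1 ]; then
  run_checks
fi
```

Run it as `RUN_CHECKS=1 MAILHOST=your.mail.host sh listener-check.sh` against the daemon started with Exim's TLS debug (`exim -bd -d+tls ...`, as in the post) so the server-side debug and the client-side `Verify return code` line can be read side by side; a CN that does not match `MAILHOST` is the same mismatch `gnutls-cli` reported in the post.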
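A small mainlog triage for the failure pattern in the quoted log above (a `gnutls_handshake` error followed by a `no MAIL ... C=EHLO,STARTTLS` line), so that failures per client can be told apart from sessions that actually delivered over TLS. This is an added example, not from the thread or from Exim. The sample log is constructed from the lines in the post (the addresses, pids and times are placeholders, and the final `<=` line is an assumed successful submission added so the good case shows up); the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: triage of an Exim mainlog for TLS
# handshake failures versus successful TLS submissions, per client address.
set -e

# Writes a constructed sample log (modelled on the post) to the file named in $1.
write_sample_mainlog() {
  cat >"$1" <<'EOF'
2010-04-30 16:05:21 [2808] SMTP connection from [123.123.123.123]:1185 I=[123.123.123.124]:587 (TCP/IP connection count = 1)
2010-04-30 16:05:21 [2808] no host name found for IP address 123.123.123.123
2010-04-30 16:05:22 [2808] TLS error on connection from (mycomp) [123.123.123.123]:1185 (gnutls_handshake): A TLS packet with unexpected length was received.
2010-04-30 16:05:22 [2808] SMTP connection from (mycomp) [123.123.123.123]:1185 I=[123.123.123.124]:587 closed by EOF
2010-04-30 16:05:22 [2808] no MAIL in SMTP connection from (mycomp) [123.123.123.123]:1185 I=[123.123.123.124]:587 D=6s C=EHLO,STARTTLS
2010-04-30 16:07:02 [2811] TLS error on connection from (mycomp) [123.123.123.123]:1190 (gnutls_handshake): A TLS packet with unexpected length was received.
2010-04-30 16:07:02 [2811] no MAIL in SMTP connection from (mycomp) [123.123.123.123]:1190 I=[123.123.123.124]:587 D=5s C=EHLO,STARTTLS
2010-04-30 16:09:40 [2815] SMTP connection from [10.0.0.5]:40012 I=[123.123.123.124]:587 (TCP/IP connection count = 1)
2010-04-30 16:09:41 [2815] <= jeff@example.org H=(mycomp) [10.0.0.5] P=esmtpsa X=TLS1.0:RSA_AES_128_CBC_SHA1:16 A=plain:jeff S=512
EOF
}

# Clients whose TLS handshake failed, with a failure count each.
# Output: "<ip> <count>" per line, sorted by address.
tls_handshake_failures_by_client() {
  awk '
    /TLS error on connection from/ {
      # the client shows up as "[a.b.c.d]:port"; the "[pid]" earlier on the line
      # is not followed by ":digits", so it does not match
      if (match($0, /\[[^]]+\]:[0-9]+/)) {
        ip = substr($0, RSTART + 1, RLENGTH - 1)
        sub(/\].*/, "", ip)
        n[ip]++
      }
    }
    END { for (ip in n) printf "%s %d\n", ip, n[ip] }
  ' "$1" | sort
}

# Sessions that issued STARTTLS but never reached MAIL FROM: the signature of a
# client that gave up right after the handshake.
starttls_sessions_without_mail() {
  awk '/no MAIL in SMTP connection/ && /C=[^ ]*STARTTLS/ { c++ } END { print c + 0 }' "$1"
}

# Clients with at least one message accepted over TLS: a "<=" line carrying an
# X= cipher field. The client address is the "[ip]" (optionally ":port") just before "P=".
tls_submissions_by_client() {
  awk '
    / <= / && / X=TLS/ {
      if (match($0, / \[[^]]+\](:[0-9]+)? P=/)) {
        ip = substr($0, RSTART + 2)   # drop the leading " ["
        sub(/\].*/, "", ip)
        n[ip]++
      }
    }
    END { for (ip in n) printf "%s %d\n", ip, n[ip] }
  ' "$1" | sort
}

# usage: sh mainlog-triage.sh /var/log/exim4/mainlog
if [ "${1:-}" ]; then
  echo "TLS handshake failures by client:"; tls_handshake_failures_by_client "$1"
  echo "STARTTLS sessions with no MAIL: $(starttls_sessions_without_mail "$1")"
  echo "TLS submissions by client:";        tls_submissions_by_client "$1"
fi
```

On the sample the failures all come from one address and no submission from it ever succeeds, while the other client negotiated TLS and authenticated; on a real mainlog that split is what tells an Outlook-specific problem from a broken listener.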