Re: [exim] Not advertising STARTTLS

Author: Allen Williams
Date:  
To: anw-dist, exim-users
Subject: Re: [exim] Not advertising STARTTLS


On 09/20/2010 06:16 PM, Phil Pennock wrote:
> These should be sufficient. To be sure that they're not overridden
> elsewhere, do you see the same values when you run:
>
> $ exim -bP | fgrep tls_
>
> ? This also confirms that the binary as invoked is using the config you
> expect.
>
>

OK, I got this:

ops:~# exim4 -bP | grep tls_
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
gnutls_require_kx =
gnutls_require_mac =
gnutls_require_protocols =
log_selector = +tls_peerdn
received_header_text = Received: ${if def:sender_rcvhost {from
$sender_rcvhost\n\t}{${if def:sender_ident {from
${quote_local_part:$sender_ident} }}${if def:sender_helo_name
{(helo=$sender_helo_name)\n\t}}}}by $primary_hostname ${if
def:received_protocol {with $received_protocol}} ${if def:tls_cipher
{($tls_cipher)\n\t}}(Exim $version_number)\n\t${if def:sender_address
{(envelope-from <$sender_address>)\n\t}}id $message_exim_id${if
def:received_for {\n\tfor $received_for}}
tls_advertise_hosts = *
tls_certificate = /etc/exim4/tls/exim.crt
tls_crl =
tls_dhparam =
tls_on_connect_ports =
tls_privatekey = /etc/exim4/tls/exim.key
no_tls_remember_esmtp
tls_require_ciphers =
tls_try_verify_hosts = *
tls_verify_certificates = ${if
exists{/etc/ssl/certs/ca-certificates.crt}{/etc/ssl/certs/ca-certificates.crt}{/dev/null}}
tls_verify_hosts =

Note that I got the three statements in question:

tls_advertise_hosts = *
tls_certificate = /etc/exim4/tls/exim.crt
tls_privatekey = /etc/exim4/tls/exim.key

> Next, invoke Exim with debugging as a daemon on a non-standard port and
> then telnet to it. After the EHLO, you should see something like:
>
> # exim -oX 29 -d -bd
> [...]
> 51789 host in pipelining_advertise_hosts? yes (matched "*")
> 51789 host in auth_advertise_hosts? yes (matched "*")
> 51789 host in tls_advertise_hosts? yes (matched "*")
> 51789 SMTP>> 250-mx.spodhuis.org Hello localhost [::1]
> 51789 250-SIZE 67108864
> 51789 250-EXPN
> 51789 250-PIPELINING
> 51789 250-STARTTLS
> 51789 250 HELP
>
> If it doesn't match tls_advertise_hosts that will be why.
>
>

I can't use a non-standard port because my ISP only opens up certain
ports; however, when I run it on port 25, I get this:

ops:/var/log/exim4# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 ops.infoisland.net ESMTP Exim 4.69 Mon, 20 Sep 2010 20:46:42 -0400
ehlo 10.1.1.23
250-ops.infoisland.net Hello localhost [127.0.0.1]
250-SIZE 52428800
250-PIPELINING
250-STARTTLS
250 HELP

Which does advertise STARTTLS. But this is being run in a PuTTY
terminal that is on the local host.

Ha! Stop! I also tried port 125 and telnet'd from localhost, and got
the same thing. The problem arises when I then start ASSP, which runs
on port 25, in which case, connecting to 25, I get the original response
to a local (or remote) telnet into port 25. But, a local telnet into
port 125 gives me the above (correct) response, even with ASSP running.

I'm so sorry for taking up useless bandwidth (both electronic and
mental), I thought ASSP was "transparent"; evidently not. So, my
problem isn't exim, it's ASSP, which is also connecting to Exim on port
125, but to the rest of the world is on port 25.

So, thank you so much. This experimentation showed exim4, whether I
telnet locally or remotely on either port 25 or 125 (well, I can't do it
remotely on 125), is behaving correctly. For some reason, when ASSP is
in the chain, it doesn't advertise correctly. What I need to do is find
out why ASSP isn't "transparent", or why exim4 would advertise
differently through ASSP. If you know anything about ASSP, any hints
would be welcome, but now it's clear the problem is not Exim. If I get
a solution, I'll email this list for future reference.

Thanks so much, and many sorrows for the false alarm.

Regards,
Allen


> Also check that you're using an Exim built with SSL support. If you
> invoke { exim -bV } then the "Support for:" line should list either
> OpenSSL or GnuTLS.
>
>
>> Escape character is '^]'.
>> 220 ops.infoisland.net ESMTP Exim 4.69 Sun, 19 Sep 2010 16:54:50 -0400
>> ehlo 10.1.1.23
>> 250-ops.infoisland.net Hello mail.infoisland.net [10.1.1.23]
>> 250-SIZE 52428800
>> 250 HELP
>>
> I am very surprised to not see PIPELINING there, as it should be on by
> default and I wouldn't expect most to have to disable it.
>
> -Phil
>
>
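The comparison Allen did by hand above (EHLO straight to Exim on port 125 versus through ASSP on port 25) as a small script: it parses the multi-line EHLO reply and reports which advertised extensions the proxy path drops, which is the check to run when a filter in front of the MTA is suspected of hiding STARTTLS. This is an added example, not code from the thread, Exim or ASSP; the two sample replies are constructed from the exchanges quoted in this message, and the host/port arguments of the live probe are whatever you point it at.

```python
import socket

# Constructed sample EHLO replies modelled on the exchanges in this thread:
# Exim answered directly (port 125) versus the same host answered through
# ASSP on port 25, where STARTTLS and PIPELINING are missing from the reply.
DIRECT_EHLO = ("250-ops.infoisland.net Hello localhost [127.0.0.1]\r\n"
               "250-SIZE 52428800\r\n250-PIPELINING\r\n250-STARTTLS\r\n"
               "250 HELP\r\n")
PROXIED_EHLO = ("250-ops.infoisland.net Hello mail.infoisland.net [10.1.1.23]\r\n"
                "250-SIZE 52428800\r\n250 HELP\r\n")

def parse_ehlo(reply):
    """Return the set of extension keywords from a multi-line EHLO reply.
    RFC 5321: continuation lines are '250-...', the final line is '250 ...';
    the first line is the greeting and carries no extension."""
    lines = reply.splitlines()
    if not lines or not lines[0].startswith("250"):
        raise ValueError("not a successful EHLO reply: %r" % reply[:40])
    exts = set()
    for line in lines[1:]:
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError("malformed reply line: %r" % line)
        words = line[4:].split()
        if words:                       # keyword first, parameters after
            exts.add(words[0].upper())
        if line[3] == " ":              # final line of the reply
            break
    return exts

def stripped_extensions(direct_reply, proxied_reply):
    """Extensions advertised on the direct path but missing via the proxy."""
    return parse_ehlo(direct_reply) - parse_ehlo(proxied_reply)

def fetch_ehlo(host, port, helo_name="probe.example", timeout=10):
    """Live probe (not run offline): read the banner, send EHLO, return reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rwb")
        f.readline()                                    # 220 banner
        f.write(("EHLO %s\r\n" % helo_name).encode()); f.flush()
        reply = []
        for raw in f:
            line = raw.decode("utf-8", "replace")
            reply.append(line)
            if line[3:4] == " ":                        # final line
                break
        f.write(b"QUIT\r\n"); f.flush()
    return "".join(reply)
```

Against a live setup, `stripped_extensions(fetch_ehlo(host, 125), fetch_ehlo(host, 25))` returning `{'STARTTLS', ...}` pinpoints the proxy as the layer removing the advertisement.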