Autor: WJCarpenter Data: A: Exim Mailing List Assumpte: [exim] the great TLS mystery
In the course of troubleshooting why one of my users couldn't get his
client configured the way we like it, I came across a mystery w/r/t TLS
in Exim.
My Exim is 4.71 as installed by Ubuntu Lucid Lynx (10.04) server (the
"heavy" exim). I do not use any of the Debian/Ubuntu exim configuration
stuff; I have my own from-scratch exim4.conf.
My server is configured to advertise authentication only to localhost
and TLS connections. (I can show those configs if it comes to that, but
I don't think it's necessarily relevant.) After configuring his client
for STARTTLS and an appropriate port, he was getting errors from
Thunderbird that told me TB was a bit confused.
I walked him through doing a telnet session to my SMTP port and doing
"ehlo foo" to see what was advertised. Much to my surprise, he got this
response:
If I connect to the same port (remotely, also on a dynamically assigned
ISP IP address), I get something different. I don't see the AUTH
advertisement, and the other capabilities are reordered a bit. (BTW, he
sent me a screen shot of his DOS box telnet session, so I don't have to
trust him to have done the right things.) In other words, I see what I
expect, but he sees something that I don't want to happen.
I know what you are thinking ... something screwy with my
auth_advertise_hosts macro or my server_advertise_condition. I spent a
bunch of time staring that those before I happened to notice this in my
log files: "SMTP command timeout on TLS connection from...." Every
time he connected from his DOS telnet or from his Thunderbird and let
the connection timeout, the Exim log line indicates that the connection
was using TLS. I have plenty of other command timeouts that are not TLS
(my own tests, plus the usual door-knockers).
So, my question is ... what could make Exim believe that a certain
connection was using TLS when (as far as I can tell) it really was not?