Re: [exim] the great TLS mystery

Author: Phil Pennock
Date:  
To: WJCarpenter
CC: Exim Mailing List
Subject: Re: [exim] the great TLS mystery
On 2011-02-23 at 17:45 -0800, WJCarpenter wrote:
> My server is configured to advertise authentication only to localhost
> and TLS connections. (I can show those configs if it comes to that, but
> I don't think it's necessarily relevant.) After configuring his client


I do -- could we please see the authenticators and any setting with
"tls" in the name? Including the output of running:

% exim -bV
% exim -bP | fgrep tls

> I know what you are thinking ... something screwy with my
> auth_advertise_hosts macro or my server_advertise_condition. I spent a
> bunch of time staring at those before I happened to notice this in my
> log files: "SMTP command timeout on TLS connection from...." Every
> time he connected from his DOS telnet or from his Thunderbird and let
> the connection timeout, the Exim log line indicates that the connection
> was using TLS. I have plenty of other command timeouts that are not TLS
> (my own tests, plus the usual door-knockers).


Are you 100% sure that the error message corresponds to the telnet
sessions, not just Thunderbird? I suspect something like:
tls_on_connect_ports = 465
and Thunderbird configured with SSL, not TLS: this being Mozilla-speak
for "encryption on connect, instead of using STARTTLS".

> So, my question is ... what could make Exim believe that a certain
> connection was using TLS when (as far as I can tell) it really was not?


To see that message, the internal variable tls_active must be set >= 0
(to match the file descriptor corresponding to the connection). This
means that tls_server_start() has been called, which means that
something has happened to enable SSL/TLS.

-Phil
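As an added illustration of Phil's diagnosis (this is constructed example code, not Exim's source and not part of the original thread): a server with a `tls_on_connect_ports` entry for a port hands the socket to the TLS library before reading any SMTP command, so a connection on that port is logged as a "TLS connection" whether or not the client ever completes a handshake. The helper below classifies what a client sent as its first bytes against a hypothetical `tls_on_connect_ports` value, distinguishing a TLS ClientHello (what Thunderbird's "SSL" setting sends on port 465) from a plaintext `EHLO` (what a telnet session sends). The port list format, the sample ClientHello bytes and the `classify_connection` function are assumptions made for this example.

```python
"""Classify the first bytes a mail client sends, relative to TLS-on-connect ports.

Constructed example, not Exim code. It models the distinction in the thread:
on a tls_on_connect port the server expects a TLS handshake immediately, so a
client typing plaintext SMTP there never gets a banner and simply times out,
while the log still records the session as a TLS connection.
"""
from typing import Set

TLS_RECORD_HANDSHAKE = 0x16   # TLS record content type: Handshake
TLS_HANDSHAKE_CLIENT_HELLO = 0x01

# Outcomes returned by classify_connection (labels chosen for this example)
TLS_ON_CONNECT_OK = "tls-on-connect port: client opened with a TLS ClientHello"
TLS_ON_CONNECT_PLAINTEXT = (
    "tls-on-connect port: plaintext SMTP on a TLS port, handshake never starts"
)
PLAIN_PORT_TLS_WITHOUT_STARTTLS = (
    "plaintext port: client sent a TLS handshake without issuing STARTTLS"
)
PLAIN_SMTP = "plaintext port: ordinary SMTP, STARTTLS may follow"
UNKNOWN = "unrecognised opening bytes"


def looks_like_tls_client_hello(data: bytes) -> bool:
    """True if data starts with a TLS record carrying a ClientHello.

    Layout: content type (1), protocol version (2), record length (2),
    then the handshake header whose first byte is the handshake type.
    """
    if len(data) < 6:
        return False
    content_type, major, minor = data[0], data[1], data[2]
    if content_type != TLS_RECORD_HANDSHAKE or major != 3 or minor > 4:
        return False
    return data[5] == TLS_HANDSHAKE_CLIENT_HELLO


def looks_like_smtp_command(data: bytes) -> bool:
    """True if data starts like a plaintext SMTP greeting command (EHLO/HELO)."""
    return data[:4].upper() in (b"EHLO", b"HELO")


def parse_port_list(option_value: str) -> Set[int]:
    """Parse a colon-separated port list (the form Exim uses for port lists)."""
    return {int(p) for p in option_value.split(":") if p.strip()}


def classify_connection(local_port: int, first_bytes: bytes,
                        tls_on_connect_ports: str = "465") -> str:
    """Explain how a server would treat this connection's opening bytes."""
    tls_ports = parse_port_list(tls_on_connect_ports)
    is_hello = looks_like_tls_client_hello(first_bytes)
    if local_port in tls_ports:
        # The server starts TLS before reading SMTP, so anything that is not
        # a handshake stalls until the command timeout fires.
        return TLS_ON_CONNECT_OK if is_hello else TLS_ON_CONNECT_PLAINTEXT
    if is_hello:
        return PLAIN_PORT_TLS_WITHOUT_STARTTLS
    if looks_like_smtp_command(first_bytes):
        return PLAIN_SMTP
    return UNKNOWN


# Constructed sample inputs: a minimal TLS 1.0 record wrapping a ClientHello
# header, and a plaintext EHLO as typed into telnet.
SAMPLE_CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
SAMPLE_EHLO = b"EHLO client.example\r\n"

if __name__ == "__main__":
    for port, data in [(465, SAMPLE_CLIENT_HELLO), (465, SAMPLE_EHLO),
                       (25, SAMPLE_CLIENT_HELLO), (25, SAMPLE_EHLO)]:
        print(f"port {port}: {classify_connection(port, data)}")
```

Run it to see that a telnet-style `EHLO` on port 465 is the one combination that stalls without a banner, which matches a "SMTP command timeout on TLS connection" log line, while the same bytes on port 25 are ordinary SMTP.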