Autor: W B Hacker Data: A: exim users Assumpte: Re: [exim] the great TLS mystery
WJCarpenter wrote: > In the course of troubleshooting why one of my users couldn't get his
> client configured the way we like it, I came across a mystery w/r/t TLS
> in Exim.
>
> My Exim is 4.71 as installed by Ubuntu Lucid Lynx (10.04) server (the
> "heavy" exim). I do not use any of the Debian/Ubuntu exim configuration
> stuff; I have my own from-scratch exim4.conf.
>
> My server is configured to advertise authentication only to localhost
> and TLS connections. (I can show those configs if it comes to that, but
> I don't think it's necessarily relevant.) After configuring his client
> for STARTTLS and an appropriate port, he was getting errors from
> Thunderbird that told me TB was a bit confused.
>
> I walked him through doing a telnet session to my SMTP port and doing
> "ehlo foo" to see what was advertised. Much to my surprise, he got this
> response:
>
> 250-my.server.name Hello his.dynamic.address.bellsouth.net
> [111.222.333.444]
> 250-SIZE 52428800
> 250-PIPELINING
> 250-AUTH PLAIN LOGIN
> 250-HELP
> 250 STARTTLS
>
> If I connect to the same port (remotely, also on a dynamically assigned
> ISP IP address), I get something different. I don't see the AUTH
> advertisement, and the other capabilities are reordered a bit. (BTW, he
> sent me a screen shot of his DOS box telnet session, so I don't have to
> trust him to have done the right things.) In other words, I see what I
> expect, but he sees something that I don't want to happen.
>
> I know what you are thinking ... something screwy with my
> auth_advertise_hosts macro or my server_advertise_condition. I spent a
> bunch of time staring that those before I happened to notice this in my
> log files: "SMTP command timeout on TLS connection from...." Every time
> he connected from his DOS telnet or from his Thunderbird and let the
> connection timeout, the Exim log line indicates that the connection was
> using TLS. I have plenty of other command timeouts that are not TLS (my
> own tests, plus the usual door-knockers).
>
> So, my question is ... what could make Exim believe that a certain
> connection was using TLS when (as far as I can tell) it really was not?
>
This is on port 587? Or 25? Or ???
My suspicion is the end-user MUA and telnet will give different log entries,
even on the same port. If they ARE arriving on the same port...
Check the MUA settings w/r choice of:
SSL
SSL/TLS
TLS if available
... *and* the port chosen (default or manual change..).