Re: [exim] Problem with TLS connection

Author: Hill Ruyter
Date:  
To: Heiko Schlittermann, <exim-users@exim.org>
Subject: Re: [exim] Problem with TLS connection
Thank you Heiko, I think I understand.
You have correctly surmised that I had 587 in the TLS_on_connect_ports
list.

I had incorrectly thought that I needed to put the port number I was wishing
to use for TLS connections in this list.

I have changed the configuration to just include 465 in that list now and
will re-test to see if the problem goes away

It is interesting how my mis-configuration did not show up until the server
re-booted since this setting has been there for some time.
I will let you know if I have success, if you could run your test again
Heiko that would be brilliant


Thanks again

Hill


From: Heiko Schlittermann <hs@???>
Organization: schlittermann -- internet & unix support
Date: Wed, 18 May 2011 23:17:29 +0200
To: "<exim-users@???>" <exim-users@???>
Subject: Re: [exim] Problem with TLS connection

Hello Hill,

I did some tests:

    heiko@jumper:~$ swaks -tlsc -s mail.ruyter.co.uk -q EHLO -p 587
                              ^(*) note the trailing "s" here
    === Trying mail.ruyter.co.uk:587...
    === Connected to mail.ruyter.co.uk.
    === TLS started w/ cipher DHE-RSA-AES256-SHA
    === TLS peer subject DN="/CN=mail.ruyter.co.uk"
    <~  220 mail.ruyter.co.uk ESMTP Exim 4.71 Wed, 18 May 2011 22:11:02 +0100
     ~> EHLO jumper.schlittermann.de
    <~  250-mail.ruyter.co.uk Hello dslb-088-073-177-189.pools.arcor-ip.net [88.73.177.189]
    <~  250-SIZE 52428800
    <~  250-PIPELINING
    <~  250-AUTH PLAIN LOGIN
    <~  250 HELP
     ~> QUIT
    <~  221 mail.ruyter.co.uk closing connection
    === Connection closed with remote host.


About the same using:

    heiko@jumper:~$ openssl s_client -connect mail.ruyter.co.uk:587
    ...
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : DHE-RSA-AES256-SHA
        Session-ID: 0614607DD7763A213868095FD0D8E6B0D099E2189140BDB6A510E6EE9A3C59B9
        Session-ID-ctx:
        Master-Key: 05D5A6D3A166ADC90B3CCBC7C48F5B4D3B45D7CD6E1074B3B4AE1592735DF757C4CE416DB1768D6C332B74B36F876EA0
        Key-Arg   : None
        Start Time: 1305752845
        Timeout   : 300 (sec)
        Verify return code: 21 (unable to verify the first certificate)
    ---
    220 mail.ruyter.co.uk ESMTP Exim 4.71 Wed, 18 May 2011 22:13:36 +0100



It seems that you configured your Exim to use tls_on_connect on port
587, which is what most clients do not expect.

    Port  25:    SMTP with or without STLS
    Port 465:    SMTPS
    Port 587:    SMTP with or without STLS
                 (should be used for mail submission)


Just check your Exim configuration, the tls_on_connect_ports option
should not be used, at least not for port 25 or port 587, unless you
have good reasons to do so. If you're not sure whether you found the right
config:

    exim -bV


should tell you the location of the config file.

    exim -bP tls_on_connect_ports


should tell you the current setting as Exim reads it from the
configuration file.

That your LAN clients are not affected may be a result of miraculous auto
problem resolving features of your clients (notably Outlook). Clients
outside your network are probably handicapped by firewalls or similar
beasts.

If you successfully changed the mentioned option, the above shown
swaks command should work in a slightly modified form:

    swaks -tls -s mail.ruyter.co.uk -q EHLO -p 587
              ^(*) - note the missing "s" here


--
Heiko :: dresden : linux : SCHLITTERMANN.de
GPG Key 48D0359B : 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
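The probe below is an added example, not part of the thread and not code from Exim, swaks or openssl. It automates the check Heiko did by hand: connect to a port, see whether a plaintext 220 banner arrives (a STARTTLS-style port, 25 or 587) or whether the server sits silently waiting for a ClientHello (TLS-on-connect, which is what port 465 should do and what Hill's 587 was wrongly doing), then compare the observed behaviour with the port's conventional role. The host names probe.example and jumper.example, the address 192.0.2.10, and the function names are placeholders chosen here; SAMPLE_EHLO is a constructed reply modelled on the swaks output quoted above.

```python
"""Probe an SMTP port: TLS-on-connect (465) or plaintext with optional
STARTTLS (25, 587)? Added example; not Exim, swaks or openssl code."""
import socket
import ssl

# Conventional port roles as listed in Heiko's message. A port in the
# wrong set is exactly the misconfiguration the thread is about.
TLS_ON_CONNECT_PORTS = {465}
STARTTLS_PORTS = {25, 587}

# Constructed EHLO reply, modelled on the swaks output quoted above.
SAMPLE_EHLO = (
    b"250-mail.ruyter.co.uk Hello jumper.example [192.0.2.10]\r\n"
    b"250-SIZE 52428800\r\n"
    b"250-PIPELINING\r\n"
    b"250-AUTH PLAIN LOGIN\r\n"
    b"250 HELP\r\n"
)


def classify_first_bytes(first_bytes: bytes) -> str:
    """Classify what the server sent unprompted right after connect.

    A '220' greeting means plaintext SMTP that can only be upgraded later
    via STARTTLS. Silence means the server waits for the client to speak
    first, which is how a TLS-on-connect port behaves: it wants a
    ClientHello, so a plaintext client just hangs waiting for a banner.
    """
    if first_bytes.startswith(b"220"):
        return "plaintext-greeting"
    if first_bytes == b"":
        return "silent"
    return "unexpected"


def parse_ehlo(response: bytes) -> set[str]:
    """Return the EHLO keywords advertised, e.g. {'STARTTLS', 'SIZE'}.

    The first 250 line carries the server name and is not a keyword.
    """
    lines = [ln for ln in response.decode("ascii", "replace").splitlines()
             if ln.startswith("250")]
    keywords = set()
    for ln in lines[1:]:
        body = ln[4:].strip()          # drop "250-" or "250 "
        if body:
            keywords.add(body.split()[0].upper())
    return keywords


def port_role_matches(port: int, mode: str) -> bool:
    """True when the observed mode fits the port's conventional role."""
    if mode == "tls-on-connect":
        return port in TLS_ON_CONNECT_PORTS
    if mode in ("starttls", "plaintext-only"):
        return port in STARTTLS_PORTS
    return False


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Connect to host:port and report how it expects TLS to be set up.

    Returns {'mode': ..., 'ehlo': set, 'conforms': bool}, where mode is
    'tls-on-connect', 'starttls' or 'plaintext-only'.
    """
    # The probe asks only *how* TLS is offered, not whether the
    # certificate chains (Heiko's s_client got verify code 21), so
    # verification is off here; check the certificate separately.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE

    conn = socket.create_connection((host, port), timeout=timeout)
    try:
        try:
            first = conn.recv(512)
        except socket.timeout:
            first = b""               # no banner within the timeout
        kind = classify_first_bytes(first)
        if kind == "silent":
            # Assume TLS-on-connect: start the handshake ourselves; the
            # 220 banner should then arrive inside the TLS session.
            conn = ctx.wrap_socket(conn, server_hostname=host)
            if not conn.recv(512).startswith(b"220"):
                raise RuntimeError("no SMTP banner after TLS handshake")
            mode = "tls-on-connect"
        elif kind == "plaintext-greeting":
            mode = None               # decided after EHLO
        else:
            raise RuntimeError(f"unexpected first bytes: {first!r}")
        conn.sendall(b"EHLO probe.example\r\n")
        ehlo = parse_ehlo(conn.recv(4096))
        conn.sendall(b"QUIT\r\n")
        if mode is None:
            mode = "starttls" if "STARTTLS" in ehlo else "plaintext-only"
    finally:
        conn.close()
    return {"mode": mode, "ehlo": ehlo,
            "conforms": port_role_matches(port, mode)}


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2])))
```

Run it as `python3 probe.py <host> 587` and `python3 probe.py <host> 465`; a healthy setup reports `conforms: True` for both, while the configuration Hill started with reports `mode: 'tls-on-connect'` and `conforms: False` on 587. The 5 second wait on a silent port is the same symptom a mail client shows as a hang, which is why the timeout, not an error, is the tell.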