Re: [exim] URGENT : Help with TLS

Author: Heiko Schlittermann
Date:  
To: exim-users
Subject: Re: [exim] URGENT : Help with TLS
Hi,

Francois Sauterey <fs@???> (Thu 22 Aug 2013 16:16:01 CEST):
> debian squeeze
> exim4 : 4.72-6+squeeze3
> server: manny.fsu.fr
>
> I can't send mail from the website server (manny), to me (i.e;
> fs@???) [ the mail server is an old gentoo with qmail :-( ]
>
> Here is the dialog:
> > Connecting to mx1.fsu.fr [91.121.120.209]:25 ... connected
> >   SMTP<< 220 ns2014523.ovh.net ESMTP
> >   SMTP>> EHLO manny.fsu.fr
> >   SMTP<< 250-ns2014523.ovh.net
> >          250-PIPELINING
> >          250-STARTTLS
> >          250-8BITMIME
> >          250 SIZE 0
> >   SMTP>> STARTTLS
> >   SMTP<< 220 ready for tls
> >   SMTP>> EHLO manny.fsu.fr
> >   SMTP<< 250-ns2014523.ovh.net
> >          250-PIPELINING
> >          250-8BITMIME
> >          250 SIZE 0
> >   SMTP>> MAIL FROM:<fs@???> SIZE=1555
> >   SMTP>> RCPT TO:<fs@???>
> >   SMTP>> DATA
> > LOG: MAIN
> >   TLS error on connection to mx1.fsu.fr [91.121.120.209] (recv): A TLS packet with unexpected length was received.
> > LOG: MAIN
> >   Remote host mx1.fsu.fr [91.121.120.209] closed connection in response to MAIL FROM:<fs@???> SIZE=1555
> > LOG: MAIN
> >   == fs@??? R=dnslookup T=remote_smtp defer (-18): Remote host mx1.fsu.fr [91.121.120.209] closed connection in response to MAIL FROM:<fs@???> SIZE=1555
>
> It seems a TLS problem, but I don't understand why! (the CN certificate is
> manny.fsu.fr (OK))
>
> So two questions:
> 1) in urgency: how to tell the exim4 website to not use TLS (problems
> appear with the STARTTLS) [some google reference talks about a debian
> package problem...]
>
> 2) in future) how to make TLS work?


The remote server uses an unacceptable (to GnuTLS) signature
algorithm:

- subject `C=AU,ST=Some-State,O=Internet Widgits Pty Ltd', issuer `C=AU,ST=Some-State,O=Internet Widgits Pty Ltd', RSA key 1024 bits, signed using RSA-MD5 (broken!), activated `2006-06-07 09:06:04 UTC', expires `2007-06-08 09:06:04 UTC',

RSA-MD5 is outdated and GnuTLS won't accept it anymore.

    - You may link your Exim with OpenSSL, it's not as picky as GnuTLS. 
    - You may avoid using TLS for this host. 
    - You may generate a new certificate using RSA-SHA1 for the
      signature. (Newer "openssl req …" does this per default.)


But as always, I might be completely wrong.

    Best regards from Dresden/Germany
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: 7CBF764A -
 gnupg fingerprint: 9288 F17D BBF9 9625 5ABC  285C 26A9 687E 7CBF 764A -
(gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2  7E92 EE4E AC98 48D0 359B)-
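The diagnosis above rests on one field of the remote certificate: the signature algorithm, which GnuTLS reads and refuses when it is MD5-based. The following is an added example (not code from the thread, from Exim or from GnuTLS) that pulls that field out of a DER-encoded X.509 certificate with the standard library only and flags the MD5 case. No real certificate is embedded; `make_cert_skeleton()` is a constructed helper that builds a non-verifiable DER shell with the outer layout of RFC 5280 (`Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }`) so the parser has realistic bytes to work on. The OIDs are the real PKCS#1 ones; the "strength" labels reflect the thread's era, where SHA-1 was still accepted.

```python
"""Extract the signature algorithm from a DER X.509 certificate and flag
MD5-based signatures (the case GnuTLS rejects in the thread above).
Added example, standard library only; the skeleton builder below is a
constructed stand-in for a real certificate, not a certificate itself."""

# PKCS#1 signature OIDs (RFC 3279 / RFC 4055). MD5 is what GnuTLS refuses;
# SHA-1 was accepted when this thread was written but is deprecated today.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "broken"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "deprecated"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "ok"),
}

SEQUENCE, OID, NULL, INTEGER, BIT_STRING, CTX0 = 0x30, 0x06, 0x05, 0x02, 0x03, 0xA0


def der_length(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_length(len(body)) + body


def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER TLV (first two arcs merged, base-128 rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))


def read_tlv(buf, pos):
    """Decode one TLV at buf[pos]; return (tag, value bytes, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def algorithm_oid(alg_identifier):
    tag, oid_body, _ = read_tlv(alg_identifier, 0)
    if tag != OID:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_body)


def signature_algorithms(cert_der):
    """Return (inner, outer): tbsCertificate.signature and the outer
    signatureAlgorithm. RFC 5280 section 4.1.2.3 requires them to match."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != SEQUENCE:
        raise ValueError("certificate is not a SEQUENCE")
    tag, tbs, pos = read_tlv(cert, 0)
    if tag != SEQUENCE:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, p = read_tlv(tbs, 0)           # [0] version is optional
    if tag == CTX0:
        tag, _, p = read_tlv(tbs, p)       # skip serialNumber
    tag, inner_alg, _ = read_tlv(tbs, p)
    tag_outer, outer_alg, _ = read_tlv(cert, pos)
    if tag != SEQUENCE or tag_outer != SEQUENCE:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    return algorithm_oid(inner_alg), algorithm_oid(outer_alg)


def classify(cert_der):
    inner, outer = signature_algorithms(cert_der)
    name, strength = SIGNATURE_OIDS.get(outer, ("unknown", "unknown"))
    return {"oid": outer, "name": name, "strength": strength,
            "consistent": inner == outer, "gnutls_rejects": strength == "broken"}


def alg_id(oid):
    return tlv(SEQUENCE, encode_oid(oid) + tlv(NULL, b""))


def make_cert_skeleton(sig_oid, inner_oid=None):
    """Constructed input: version, serial and the inner signature field only."""
    tbs = tlv(SEQUENCE, tlv(CTX0, tlv(INTEGER, b"\x02"))   # version v3
                      + tlv(INTEGER, b"\x01")              # serialNumber 1
                      + alg_id(inner_oid or sig_oid))
    signature = tlv(BIT_STRING, b"\x00" * 17)              # placeholder bits
    return tlv(SEQUENCE, tbs + alg_id(sig_oid) + signature)


if __name__ == "__main__":
    for oid in SIGNATURE_OIDS:
        print(classify(make_cert_skeleton(oid)))
```

To run it against the certificate a real server offers, fetch it with `openssl s_client -starttls smtp -connect HOST:25 </dev/null | openssl x509 -outform DER` and pass the bytes to `classify()`; a result with `gnutls_rejects` set is the situation described above, and `consistent == False` is a malformed certificate that should be rejected regardless of algorithm. For the interim workaround the reply mentions, Exim's `remote_smtp` transport has a `hosts_avoid_tls` option that takes a host list; the permanent fix is re-issuing the certificate with a SHA-2 signature (current `openssl req -x509` defaults to SHA-256).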