[exim] Exim 4.82 OpenSSL-1.01e and Microsoft Exchange 6.0.37…

Author: Tony Finch
Date:  
To: exim-users
Subject: [exim] Exim 4.82 OpenSSL-1.01e and Microsoft Exchange 6.0.3790
Since turning on TLS we have had some interop problems which appear in our
logs like:

2013-11-12 16:47:44 +0000 1VgH6w-0007ss-QB
    == tls.interop.test@???
    R=dnslookup T=smtp defer (-18):
    Remote host mail.stratton.beds.sch.uk [85.12.84.41]
    closed connection in response to MAIL FROM:<fanf2@???> SIZE=1439


I can reproduce this with openssl:

$ /opt/OpenSSL-1.0.1e+0/bin/openssl s_client -crlf -starttls smtp -connect mail.stratton.beds.sch.uk:25
[...]
250 OK
ehlo ppsw-41.csi.cam.ac.uk
250-strats05.stratton.beds.sch.uk Hello [131.111.8.141]
250-TURN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-EXPS GSSAPI NTLM LOGIN
250-X-EXPS=LOGIN
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-X-LINK2STATE
250-XEXCH50
250 OK
140248801396392:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:

Turning off TLSv1.2 fixes the problem, which is a bit of a blunt hack. I
have tried all the various openssl_options individually, and none of them
fix the problem except for restricting protocol versions; disabling
TLSv1.2 but allowing 1.1 seems to be the least bad for a quick fix.

I don't have particularly good data, but this problem seems to affect
Microsoft Exchange 6.0 and probably earlier versions - I saw a failure
involving 5.0.

Tony.
--
<fanf@???> <dot@???> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}
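
Added example (not part of the original message and not Exim code): a small Python triage script that scans an Exim mainlog for the deferral shown above, "closed connection in response to MAIL FROM", and lists the remote hosts that dropped more than one message, as candidates for the manual s_client check. It assumes the single-line mainlog form of that entry; the function names, sample hosts, addresses and message ids are constructed placeholders.

```python
import re
from collections import defaultdict

# Exim writes each deferral on one mainlog line (the post wraps it to read).
DEFER_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?: [+-]\d{4})? "
    r"(?P<msgid>\S+) == \S+ .*?\bT=\S+ defer \(-?\d+\): "
    r"Remote host (?P<host>\S+) \[(?P<ip>[^\]]+)\] "
    r"closed connection in response to (?P<cmd>.*)$"
)

def dropped_after_mail_from(lines):
    """Map (host, ip) -> sorted ids of messages deferred because the remote
    end closed the connection in response to MAIL FROM."""
    hits = defaultdict(set)
    for line in lines:
        m = DEFER_RE.match(line.rstrip("\n"))
        if m and m.group("cmd").startswith("MAIL FROM:"):
            hits[(m.group("host"), m.group("ip"))].add(m.group("msgid"))
    return {peer: sorted(ids) for peer, ids in hits.items()}

def repeat_offenders(lines, min_messages=2):
    """Peers that dropped at least min_messages distinct messages: a
    consistent failure rather than a one-off network glitch."""
    found = dropped_after_mail_from(lines)
    return sorted(p for p, ids in found.items() if len(ids) >= min_messages)

# Constructed sample log: hosts, addresses and message ids are placeholders.
_P = "2013-11-12 16:47:44 +0000 "
_D = " == rcpt@example.org R=dnslookup T=smtp defer (-18): Remote host "
SAMPLE_LOG = [
    _P + "1AAAAA-000001-AA" + _D + "mx.legacy.example [192.0.2.10] "
    "closed connection in response to MAIL FROM:<s@example.com> SIZE=1439",
    _P + "1AAAAA-000002-AA" + _D + "mx.legacy.example [192.0.2.10] "
    "closed connection in response to MAIL FROM:<s@example.com> SIZE=2210",
    _P + "1AAAAA-000003-AA" + _D + "mx.other.example [192.0.2.20] "
    "closed connection in response to initial connection",
    _P + "1AAAAA-000004-AA" + _D + "mx.once.example [192.0.2.30] "
    "closed connection in response to MAIL FROM:<s@example.com> SIZE=900",
    _P + "1AAAAA-000005-AA => rcpt@example.org R=dnslookup T=smtp "
    "H=mx.ok.example [192.0.2.40]",
]

if __name__ == "__main__":
    for host, ip in repeat_offenders(SAMPLE_LOG):
        print(f"{host} [{ip}]")
```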