On Thu, Feb 20, 2014 at 05:28:41PM +0000, Jeremy Harris wrote:
> On 20/02/14 17:12, Marc MERLIN wrote:
> >2) It may not be very easy for me to run exim in debug mode while waiting
> >for their next encrypted Email,
> >but if it's the only way, I can try.
> >In the meantime, see this tshark output, namely:
> >TLSv1 72 Change Cipher Spec
> >TLSv1 295 Encrypted Handshake Message
> >TLSv1 103 Application Data
> >TLSv1 103 Encrypted Alert
> >TLSv1 343 Application Data
> >TLSv1 247 Encrypted Alert
> >
> >Can I get better debug output without running with -d+all for all incoming
> >Email?
>
> http://exim.org/exim-html-4.80/doc/html/spec_html/ch-access_control_lists.html#SECTcontrols
>
> You can turn on debug in an acl, so you can do it only for certain
> mails. Goes to a file called "debuglog".

Good point, I'll have to look at that.

On Thu, Feb 20, 2014 at 05:33:37PM +0000, Viktor Dukhovni wrote:
> On Thu, Feb 20, 2014 at 09:12:59AM -0800, Marc MERLIN wrote:
>
> > 2) It may not be very easy for me to run exim in debug mode while waiting for their next encrypted Email,
> > but if it's the only way, I can try.
> > In the meantime, see this tshark output, namely:
> > TLSv1 72 Change Cipher Spec
> > TLSv1 295 Encrypted Handshake Message
> > TLSv1 103 Application Data
> > TLSv1 103 Encrypted Alert
> > TLSv1 343 Application Data
> > TLSv1 247 Encrypted Alert
>
> The encrypted alert is almost certainly a "shutdown" message. Exim
> logs the client sent "QUIT", which is consistent with graceful
> termination of the session. So there is nothing interesting to be
> logged about TLS. Perhaps Amex were trying to send you a message
> that exceeds your 25 MB message size limit (and thus give up after
> EHLO).

If I've received mail from and rcpt to, doesn't exim log those?
Actually if any Email is rejected at DATA, don't I get more logging info,
including something in rejectlog?

> > Can I get better debug output without running with -d+all for
> > all incoming Email?
>
> Before launching into debugging TLS, consider simpler issues first.

I would, but I got no useful logging about the SMTP connection. My logs show
that I got HELO, STARTTLS, and then QUIT.

As for the message size, it was a one line URL or 4 digit OTP, so doubt it
was 25MB, but that's still a good idea :)

I guess without knowing the encrypted portion of the message in debugging
mode, I won't get to know what's going on. I'll try to get that unless there
is something else I'm missing.

Currently I have

    log_selector = \
      +address_rewrite \
      +all_parents \
      +arguments \
      +connection_reject \
      +delay_delivery \
      +delivery_size \
      +dnslist_defer \
      +incoming_interface \
      +incoming_port \
      +lost_incoming_connection \
      +queue_run \
      +received_sender \
      +received_recipients \
      +retry_defer \
      +sender_on_delivery \
      +size_reject \
      +skip_delivery \
      +smtp_confirmation \
      +smtp_connection \
      +smtp_protocol_error \
      +smtp_syntax_error \
      +subject \
      +tls_cipher \
      +tls_peerdn \

Thanks,
Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/
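
The ACL-scoped debugging suggested in the thread, sketched as an Exim configuration fragment. This is an added example, not configuration posted by anyone in the thread; the ACL name `acl_check_connect` and the address 192.0.2.25 are placeholders, and the `tag`/`opts` options are those described for `control = debug` in the spec section linked above.

```conf
# Main configuration section: run an ACL as soon as a client connects,
# so debug output is already enabled when STARTTLS is negotiated.
# "acl_check_connect" is a hypothetical ACL name.
acl_smtp_connect = acl_check_connect

# In the ACL section of the configuration (after "begin acl"):
acl_check_connect:

  # 192.0.2.25 is a placeholder for the sending host under investigation.
  # Only connections from that host get debug output; all other mail is
  # handled without debugging, as if this rule were not present.
  warn    hosts   = 192.0.2.25
          control = debug/tag=.$sender_host_address/opts=+all

  accept
```

The `tag` option adjusts the name of the "debuglog" file so that each traced host can be told apart, and `opts` takes the same selectors as the `-d` command-line option.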