Re: [exim] My self signed cert seems to fail with american e…

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] My self signed cert seems to fail with american express
On Thu, Feb 20, 2014 at 10:03:52AM -0800, Marc MERLIN wrote:

> > > In the meantime, see this tshark output, namely:
> > > TLSv1 72 Change Cipher Spec
> > > TLSv1 295 Encrypted Handshake Message
> > > TLSv1 103 Application Data
> > > TLSv1 103 Encrypted Alert
> > > TLSv1 343 Application Data
> > > TLSv1 247 Encrypted Alert
> >
> > The encrypted alert is almost certainly a "shutdown" message. Exim
> > logs the client sent "QUIT", which is consistent with graceful
> > termination of the session. So there is nothing interesting to be
> > logged about TLS. Perhaps Amex were trying to send you a message
> > that exceeds your 25 MB message size limit (and thus give up after
> > EHLO).
>
> If I've received mail from and rcpt to, doesn't exim log those?


When an SMTP client sees a message limit in the EHLO response (SIZE
SMTP extension) that is smaller than the message size, it never
sends MAIL FROM, RCPT TO, ... Rather it just disconnects and
returns the message to the sender.

Your MTA publishes a message size of 25MB. You will see nothing
in your logs for messages larger than that, when the client avoids
useless chatter with messages that exceed the size limit.

> Actually if any Email is rejected at DATA, don't I get more logging info,
> including something in rejectlog?


The transaction stops at (the post-STARTTLS) EHLO.

> > > Can I get better debug output without running with -d+all for
> > > all incoming Email?
> >
> > Before launching into debugging TLS, consider simpler issues first.
>
> I would, but I got no useful logging about the SMTP connection. My logs show
> that I got HELO, STARTTLS, and then QUIT.


As expected with a message size limit constraint.

> As for the message size, it was a one line URL or 4 digit OTP, so doubt it
> was 25MB, but that's still a good idea :)


If however, this message is not > 25MB, then the Amex MTA does not
like something else about your server.

> I guess without knowing the encrypted portion of the message in debugging
> mode, I won't get to know what's going on. I'll try to get that unless there
> is something else I'm missing.


There is nothing to decrypt. You got STARTTLS in cleartext, and
then only EHLO followed by QUIT inside the encrypted session.

Did you and Amex agree on some non-default TLS security policy
(where say they try to verify your server certificate)? Did Amex
mistakenly apply a mandatory authentication TLS policy to your
domain?

-- 
    Viktor.
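Added example, not from the exim-users thread or from Exim itself: a Python model of the SIZE check (RFC 1870) described above, showing why a client whose message exceeds the advertised limit never sends MAIL FROM, so the receiving side logs only EHLO followed by QUIT. The EHLO response, host names and sender address are constructed.

```python
"""Model the SMTP SIZE-extension check a sending MTA makes after EHLO,
before deciding whether to send MAIL FROM at all (added example; the
25 MiB limit mirrors the one discussed in the thread)."""

import re

# Constructed EHLO response as a receiving MTA would send it over the
# (post-STARTTLS) session; 26214400 bytes == 25 MiB.
EHLO_RESPONSE = (
    "250-mail.example.invalid Hello client.example.invalid\r\n"
    "250-SIZE 26214400\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250 HELP\r\n"
)


def advertised_size_limit(ehlo_response: str):
    """Return the SIZE limit from an EHLO response.

    Returns the integer limit, 0 when SIZE is advertised without a value
    (the server states no fixed maximum), or None when SIZE is not offered."""
    for line in ehlo_response.splitlines():
        m = re.match(r"250[- ]SIZE(?:\s+(\d+))?\s*$", line, re.IGNORECASE)
        if m:
            return int(m.group(1)) if m.group(1) else 0
    return None


def next_command(ehlo_response: str, message_bytes: int, sender: str) -> str:
    """Decide what the client sends after EHLO.

    A client whose message exceeds the advertised SIZE never issues
    MAIL FROM; it disconnects and bounces the message, so the receiving
    side sees only EHLO then QUIT and nothing reaches rejectlog."""
    limit = advertised_size_limit(ehlo_response)
    if limit and message_bytes > limit:
        return "QUIT"
    if limit is None:
        return f"MAIL FROM:<{sender}>"
    # SIZE is supported: declare the size so the server can refuse early.
    return f"MAIL FROM:<{sender}> SIZE={message_bytes}"


if __name__ == "__main__":
    for size in (2_048, 30 * 1024 * 1024):
        print(size, "->", next_command(EHLO_RESPONSE, size, "otp@example.invalid"))
```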