Re: [exim] TLS error when configuring exim for STARTTLS

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] TLS error when configuring exim for STARTTLS
On Thu, Mar 19, 2015 at 01:09:35AM +0000, Tom Vernon wrote:

> STARTTLS is advertised but when I try to connect and initiate STARTTLS I get
> the following at the client end:


You can't do STARTTLS by hand. You need software that will do the TLS
handshake for you.

> mail from:bob@???
> 554 Security failure


The "mail from:" command above (whose syntax is wrong, the RFC
requires <> around the address) is not a TLS client HELLO message.

> And this at the server end:
>
> 2015-03-19 00:04:02 TLS error on connection from (ME) [xx.xx.xx.xx]
> (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
> protocol
> 2015-03-19 00:04:02 TLS client disconnected cleanly (rejected our
> certificate?)


The server agrees with that conclusion. My only comment is that
when the TLS handshake fails Exim should probably not send ASCII
error messages down the wire. Just hang up; the crypto state of
the connection is indeterminate, and nothing other than TLS handshake
messages can be sent until/unless the TLS handshake completes.

-- 
    Viktor.
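An added example in Python (not from this thread or from Exim) of the point made above: a small client that lets the ssl module do the handshake after the 220 reply to STARTTLS, plus a check that approximates why a hand-typed SMTP command shows up as "unknown protocol" in the server log. The host name, the EHLO name and the sample bytes are constructed assumptions.

```python
import socket
import ssl

# Constructed samples: what the post's client sent after the server's "220"
# reply to STARTTLS (a hand-typed SMTP command), and the first six bytes of a
# real TLS ClientHello (handshake record 0x16, version 3.x, handshake type 0x01).
HAND_TYPED = b"mail from:<bob@example.com>\r\n"
CLIENT_HELLO = bytes.fromhex("16 03 01 00 a5 01")

def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """Approximation of the check behind 'SSL23_GET_CLIENT_HELLO:unknown
    protocol': an SMTP command ('m' == 0x6d) is not a handshake record."""
    return (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01)

def read_reply(lines):
    """Collect one SMTP reply ('250-...' continues, '250 ' ends) from an
    iterable of raw lines; return (code, [text of each line])."""
    code, texts = None, []
    for raw in lines:
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        code, sep, text = line[:3], line[3:4], line[4:]
        texts.append(text)
        if sep != "-":
            break
    if code is None:
        raise RuntimeError("connection closed before a reply arrived")
    return int(code), texts

def starttls_with_software(host, port=25, timeout=10):
    """What the post says cannot be done by hand: after the 220 reply to
    STARTTLS, let the ssl module send the ClientHello and finish the
    handshake. Returns the negotiated protocol name, e.g. 'TLSv1.3'."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb", buffering=0)   # unbuffered: no read-ahead
        read_reply(f)                          # 220 greeting
        sock.sendall(b"EHLO client.example\r\n")
        code, caps = read_reply(f)
        if code != 250 or not any(c.upper().startswith("STARTTLS") for c in caps):
            raise RuntimeError("server does not offer STARTTLS")
        sock.sendall(b"STARTTLS\r\n")
        code, _ = read_reply(f)
        if code != 220:
            raise RuntimeError("STARTTLS refused with %d" % code)
        # From here on only TLS records may cross the wire; the TLS library
        # produces them, which is the "software" the post refers to.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()
```

The same handshake can be exercised against your own server with `openssl s_client -starttls smtp -connect host:25`, which is the usual way to confirm that the server side of the log is clean.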