Re: [exim] TLS error on connection

Author: Viktor Dukhovni
Date:
To: exim-users
Subject: Re: [exim] TLS error on connection
On Thu, Aug 27, 2015 at 03:23:37PM +0100, Gary Stainburn wrote:

> I did have a number of delay statements in my config as suggested in various
> anti-SPAM pages over many years. I have reduced them significantly but that
> also hasn't made any difference.


I just tried:

    $ posttls-finger ringways.co.uk
    posttls-finger: Connected to mail.ringways.co.uk[88.211.105.31]:25
    posttls-finger: < 220 mail.ringways.co.uk ESMTP Exim 4.84 Thu, 27 Aug 2015 15:36:49 +0100
    posttls-finger: > EHLO mournblade.imrryr.org
    posttls-finger: < 250-mail.ringways.co.uk Hello mournblade.imrryr.org [38.117.134.19]
    posttls-finger: < 250-SIZE 104857600
    posttls-finger: < 250-8BITMIME
    posttls-finger: < 250-PIPELINING
    posttls-finger: < 250-STARTTLS
    posttls-finger: < 250 HELP
    posttls-finger: > STARTTLS
    posttls-finger: < 220 TLS go ahead
    posttls-finger: SSL_connect error to mail.ringways.co.uk[88.211.105.31]:25: Connection timed out


Are you using /dev/random, rather than /dev/urandom for entropy?

There was a long pause after "220 TLS go ahead" and then a timeout.

Turning on "debug" logging shows that the timeout is right after
the TLS client HELLO.

    $ posttls-finger -Ldebug ringways.co.uk
    posttls-finger: initializing the client-side TLS engine
    posttls-finger: Connected to mail.ringways.co.uk[88.211.105.31]:25
    posttls-finger: < 220 mail.ringways.co.uk ESMTP Exim 4.84 Thu, 27 Aug 2015 15:39:27 +0100
    posttls-finger: > EHLO mournblade.imrryr.org
    posttls-finger: < 250-mail.ringways.co.uk Hello mournblade.imrryr.org [38.117.134.19]
    posttls-finger: < 250-SIZE 104857600
    posttls-finger: < 250-8BITMIME
    posttls-finger: < 250-PIPELINING
    posttls-finger: < 250-STARTTLS
    posttls-finger: < 250 HELP
    posttls-finger: > STARTTLS
    posttls-finger: < 220 TLS go ahead
    posttls-finger: setting up TLS connection to mail.ringways.co.uk[88.211.105.31]:25
    posttls-finger: SSL_connect:before/connect initialization
    posttls-finger: SSL_connect:SSLv2/v3 write client hello A
    ... delay ...
    posttls-finger: SSL_connect error to mail.ringways.co.uk[88.211.105.31]:25: Connection timed out


So either you have MTU or other network issues with sending the
server TLS HELLO etc. or your server is not producing "entropy"
quickly enough, because you're using /dev/random instead of
/dev/urandom as your randomness source for seeding TLS.

-- 
    Viktor.
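As an added example that is not part of Viktor's post and not code from posttls-finger or Exim: a small Python probe that walks the same banner, EHLO, STARTTLS and TLS-handshake sequence, times each step separately, and reports which step stalled, so a hang after the ClientHello (the case in this thread) is distinguished from a slow banner or a missing STARTTLS advertisement. The host names and the EHLO name are placeholders, and the peer in `demo()` is a constructed one that answers the plaintext steps like the log above but never sends a ServerHello; it runs over a local socketpair, so nothing touches the network. For a real check, pass a connected TCP socket to `probe_starttls()` instead.

```python
"""STARTTLS probe reporting the phase in which the exchange stalled.

Added example; not from the mailing-list post, posttls-finger or Exim.
"""
import socket
import ssl
import threading
import time
from dataclasses import dataclass

CLIENT_NAME = "probe.example.invalid"   # assumed EHLO name (placeholder)


@dataclass
class ProbeResult:
    phase: str      # banner / ehlo / starttls / handshake / done
    ok: bool
    detail: str
    elapsed: float  # seconds spent in the reported phase


def read_reply(rfile):
    """Read one SMTP reply (continuation lines have '-' as 4th char)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("peer closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(lines[-1][:3]), lines


def probe_starttls(sock, timeout=10.0, server_name="mail.example.invalid"):
    """Drive banner -> EHLO -> STARTTLS -> TLS handshake on a connected socket.

    Each step has its own timer, so a stall is attributed to the step that
    never got an answer (a stall after the ClientHello shows as 'handshake').
    """
    sock.settimeout(timeout)
    # Unbuffered: never read bytes ahead of the line we need, so no TLS
    # record can be swallowed before the handshake takes over the socket.
    rfile = sock.makefile("rb", buffering=0)
    phase, start = "banner", time.monotonic()
    try:
        code, _ = read_reply(rfile)
        if code != 220:
            return ProbeResult(phase, False, f"banner code {code}", time.monotonic() - start)

        phase, start = "ehlo", time.monotonic()
        sock.sendall(f"EHLO {CLIENT_NAME}\r\n".encode())
        code, lines = read_reply(rfile)
        if code != 250:
            return ProbeResult(phase, False, f"EHLO code {code}", time.monotonic() - start)
        if not any(l[4:].upper().startswith("STARTTLS") for l in lines):
            return ProbeResult(phase, False, "STARTTLS not offered", time.monotonic() - start)

        phase, start = "starttls", time.monotonic()
        sock.sendall(b"STARTTLS\r\n")
        code, _ = read_reply(rfile)
        if code != 220:
            return ProbeResult(phase, False, f"STARTTLS code {code}", time.monotonic() - start)

        phase, start = "handshake", time.monotonic()
        ctx = ssl.create_default_context()
        tls = ctx.wrap_socket(sock, server_hostname=server_name,
                              do_handshake_on_connect=False)
        tls.do_handshake()          # blocks here while no ServerHello arrives
        return ProbeResult("done", True, tls.version(), time.monotonic() - start)
    except socket.timeout:
        return ProbeResult(phase, False, "timed out (no data from server)",
                           time.monotonic() - start)
    except (OSError, ValueError) as exc:   # SSLError is an OSError subclass
        return ProbeResult(phase, False, str(exc), time.monotonic() - start)


def stalled_peer(conn, release):
    """Constructed peer: answers the plaintext steps, then never sends a
    ServerHello (as a server blocked waiting on /dev/random would)."""
    rfile = conn.makefile("rb", buffering=0)
    conn.sendall(b"220 mail.example.invalid ESMTP (constructed banner)\r\n")
    rfile.readline()                                   # EHLO
    conn.sendall(b"250-mail.example.invalid Hello\r\n"
                 b"250-SIZE 104857600\r\n"
                 b"250-STARTTLS\r\n"
                 b"250 HELP\r\n")
    rfile.readline()                                   # STARTTLS
    conn.sendall(b"220 TLS go ahead\r\n")
    release.wait()            # keep the connection open, answer nothing
    conn.close()


def demo(timeout=1.0):
    """Run the probe against the stalled peer over a socketpair (offline)."""
    client, server = socket.socketpair()
    release = threading.Event()
    t = threading.Thread(target=stalled_peer, args=(server, release), daemon=True)
    t.start()
    result = probe_starttls(client, timeout=timeout)
    release.set()
    t.join()
    client.close()
    return result


if __name__ == "__main__":
    print(demo())
```

A certificate-verification failure also lands in the `handshake` phase, but with the OpenSSL message in `detail` rather than "timed out"; that still tells you the server did answer the ClientHello, which rules out the entropy and MTU explanations from the post.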