Re: [exim] TLS error on connection

Author: Gary Stainburn
Date:  
To: exim-users
Subject: Re: [exim] TLS error on connection
On Thursday 27 August 2015 19:00:52 Evgeniy Berdnikov wrote:
> On Thu, Aug 27, 2015 at 05:21:25PM +0000, Viktor Dukhovni wrote:
> > So the OP appears to have a system that does not tolerate large
> > client HELLO messages. There may be some "middle-box" (firewall
> > or similar) that is doing protocol inspection and choking on large
> > client HELLOs.
>
> Well, it can be verified with tcpdump or some other network sniffer.
> If this guess is true, then running sniffers both on client and
> server side we observe tcp retransmissions of ClientHello packet
> on client host and nothing on the server host.
>
> As you mentioned, Path MTU might be also checked. I tried to run
> traceroute to tcp port 25 of mail.ringways.co.uk (88.211.105.31)
> with packets of different size. There is no difference for forward
> reachability of this host, so Path MTU seems to be ruled out.
> --
> Eugene Berdnikov


Thank you both very much for the effort you've put in so far.

I can confirm that when I did

openssl s_client -connect mail.ringways.co.uk:25 -tls1_1 -starttls smtp

on the mail server it was instantaneous, whereas when I did

openssl s_client -connect mail.ringways.co.uk:25 -tls1_2 -starttls smtp

there was a *very* slight delay.

The server does sit behind a Fortinet firewall which does do SMTP
interception. It has its own built-in anti-SPAM and anti-firewall facility.

As the problems I have been experiencing have been from external mail servers
I have not been able to do any testing. However, if I use the above openssl
commands from one of my hosted servers, would that re-create the problem?

I did have an issue when I tried it locally as the RCPT command did not work.
Is this normal, and how would I get round it to test the server further?

[root@ollie2 ~]# openssl s_client -connect
mail.ringways.co.uk:25 -tls1_1 -starttls smtp
CONNECTED(00000003)
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU =
SomeOrganizationalUnit, CN = ollie2.ringways.co.uk, emailAddress =
root@???
verify error:num=18:self signed certificate
verify return:1
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU =
SomeOrganizationalUnit, CN = ollie2.ringways.co.uk, emailAddress =
root@???
verify return:1
---
Certificate chain
0
s:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ollie2.ringways.co.uk/emailAddress=root@???

i:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ollie2.ringways.co.uk/emailAddress=root@???
---
Server certificate
-----BEGIN CERTIFICATE-----
[snip]
-----END CERTIFICATE-----
subject=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ollie2.ringways.co.uk/emailAddress=root@???
issuer=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ollie2.ringways.co.uk/emailAddress=root@???
---
No client certificate CA names sent
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 2709 bytes and written 532 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 
42FC77EC44BB502D2BB40E0DE5065406BA2DFDE673C304FD7F6D23910A86ABE0
    Session-ID-ctx: 
    Master-Key: 
B1BC1687CAB8F5317EC26BB271413622CEDF0E285EDF6A19E6095A440FD5A8B85F834B5A67253C9255896B4324FC850D
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 200 (seconds)
    TLS session ticket:
    0000 - 07 21 c8 c3 25 cb 30 b4-f5 41 72 d9 bb 19 b6 f8   .!..%.0..Ar.....
    0010 - 8e 2c 93 45 00 6d 18 a9-8f 12 0e 2f 8b 19 be 1c   .,.E.m...../....
    0020 - e8 ce 65 63 3a 40 ef dd-60 b9 f1 7b f8 d7 f9 ca   ..ec:@..`..{....
    0030 - 55 e8 91 09 46 95 48 2c-86 31 13 86 22 9a 65 89   U...F.H,.1..".e.
    0040 - b0 1b 5a 00 8d 5b 60 e4-09 f8 bc 37 26 37 ef 9a   ..Z..[`....7&7..
    0050 - 69 db c2 d3 0a 14 08 b7-ef 18 4a 50 6a b2 a2 3d   i.........JPj..=
    0060 - 34 40 c7 76 c6 30 50 61-dd dd 9c 41 ef d0 77 e7   4@.v.0Pa...A..w.
    0070 - 96 3a fb b6 dc bc 53 d0-3e 53 c4 1d fd 63 cf 8c   .:....S.>S...c..
    0080 - a1 ae 78 f7 a1 fc fd c7-0d f9 04 ee 48 fa 18 32   ..x.........H..2
    0090 - f0 c4 53 7b 35 ed 59 51-1d e8 b1 fe f6 7d 25 31   ..S{5.YQ.....}%1


    Start Time: 1440774548
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
250 HELP
ehlo test.ringways.co.uk
250-mail.ringways.co.uk Hello ollie.ringways.co.uk [10.5.1.3]
250-SIZE 104857600
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP
MAIL from: gary@???
250 OK
RCPT to: gary@???
RENEGOTIATING
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = 
SomeOrganizationalUnit, CN = ollie2.ringways.co.uk, emailAddress = 
root@???
verify error:num=18:self signed certificate
verify return:1
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = 
SomeOrganizationalUnit, CN = ollie2.ringways.co.uk, emailAddress = 
root@???
verify return:1
data
503 valid RCPT command must precede DATA
quit
221 mail.ringways.co.uk closing connection
closed
[root@ollie2 ~]#
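The transcript above stops at `RCPT` because interactive `openssl s_client` treats any input line beginning with `R` as a renegotiate command (and `Q` as quit) unless `-quiet` or `-ign_eof` is given, so a lowercase `rcpt to:` or one of those flags gets past that. The `-tls1_1` versus `-tls1_2` comparison is still indirect, though: it changes cipher lists and extensions as well as size. The script below is an added example, not code from this thread or from Exim: it speaks plain SMTP up to `STARTTLS`, then sends a hand-built TLS 1.1 or TLS 1.2 ClientHello padded to an exact size with the padding extension (RFC 7685), and reports whether any TLS record comes back or the hello is silently swallowed. Bisecting on size is the direct test of the "middle-box chokes on large ClientHellos" theory from the quoted replies. The host name, port and cipher-suite list are assumptions for illustration.

```python
"""Probe how large a ClientHello an SMTP STARTTLS path will pass.

Added example (not from the exim-users thread).  Host, port and the
cipher list are illustrative assumptions; only the probe() and main()
parts touch the network.
"""
import os
import socket
import struct

# Constructed cipher-suite list for illustration; not the OP's server config.
CIPHER_SUITES = [0x009f, 0x009e, 0x006b, 0x0067, 0x0039, 0x0033, 0x0035, 0x002f]
TLS11, TLS12 = (3, 2), (3, 3)


def _ext(ext_type, body):
    """Encode one TLS extension: type(2) length(2) body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(server_name, version=TLS12, target_size=None):
    """Return a raw TLS record (header + handshake) carrying a ClientHello.

    TLS 1.2 hellos also carry a signature_algorithms extension, as real
    clients do, which is part of why 1.2 hellos are bigger than 1.1 ones.
    If target_size is given, the whole record is padded to exactly that
    many bytes with the padding extension (type 21, RFC 7685).
    """
    name = server_name.encode()
    exts = _ext(0, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)  # SNI
    if version >= TLS12:
        exts += _ext(13, struct.pack("!H", 8) + bytes([4, 1, 5, 1, 6, 1, 2, 1]))
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    fixed = (bytes(version) + os.urandom(32) + b"\x00"                    # version, random, empty session id
             + struct.pack("!H", len(suites)) + suites + b"\x01\x00")      # suites, null compression only

    def wrap(ext_bytes):
        hello = fixed + struct.pack("!H", len(ext_bytes)) + ext_bytes
        handshake = b"\x01" + struct.pack("!I", len(hello))[1:] + hello   # type 1, 3-byte length
        return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake

    if target_size is None:
        return wrap(exts)
    pad = target_size - len(wrap(exts)) - 4   # 4 bytes for the padding extension header
    if pad < 0:
        raise ValueError("target_size is smaller than the unpadded hello")
    return wrap(exts + _ext(21, b"\x00" * pad))


def _read_reply(sock):
    """Read one (possibly multi-line) SMTP reply and return its 3-digit code."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        data += chunk
        lines = data.split(b"\r\n")
        if len(lines) >= 2 and lines[-2][3:4] == b" ":   # "250 " ends a reply, "250-" continues it
            return int(lines[-2][:3])


def probe(host, port, hello, timeout=5.0):
    """Send `hello` right after STARTTLS.  True if any TLS record (handshake
    0x16 or alert 0x15) comes back, meaning the ClientHello traversed the
    path; False if the server never answers (swallowed) or SMTP fails."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if _read_reply(s) != 220:
            return False
        s.sendall(b"EHLO probe.invalid\r\n")
        if _read_reply(s) != 250:
            return False
        s.sendall(b"STARTTLS\r\n")
        if _read_reply(s) != 220:
            return False
        s.sendall(hello)
        try:
            first = s.recv(5)
        except socket.timeout:
            return False
        return first[:1] in (b"\x16", b"\x15")


def largest_accepted(accepts, lo, hi):
    """Binary-search the largest size in [lo, hi] for which accepts(size) is
    True, assuming small sizes pass and large ones fail.  None if lo fails."""
    if not accepts(lo):
        return None
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if accepts(mid):
            lo = mid
        else:
            hi = mid
    return hi if accepts(hi) else lo


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"   # assumed target
    for label, ver in (("TLS1.1", TLS11), ("TLS1.2", TLS12)):
        h = build_client_hello(host, ver)
        print(label, len(h), "bytes:", "reply" if probe(host, 25, h) else "no reply")
    limit = largest_accepted(lambda n: probe(host, 25, build_client_hello(host, TLS12, n)), 200, 4000)
    print("largest ClientHello that drew a reply:", limit)
```

Run it from an external host (the OP notes the problem only shows from outside), not from inside the firewall, and compare the reported limit with what a sniffer on the server side actually sees arriving; if the hello is retransmitted on the client but never seen on the server above some size, the interception device is the place to look.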