Author: Boylan, Ross
Date:
To: exim-users@exim.org
Subject: Re: [exim] TLS error on connection to smtp.office365.com (gnutls_handshake): An unexpected TLS packet was received.
I got smtptest to work, but not exim. The winning invocation was
smtptest -u xxx@??? -a xxx@??? -t "" -p 587 smtp.office365.com
This invocation uses -t "" rather than the previous -s, which presumably switches to TLS from SSL, and adds the -a argument to get authorization to work. Results include
subject_CN=outlook.com, issuer_CN=DigiCert Cloud Services CA-1
TLS connection established: TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)
So what is smtptest doing that exim is not? The exim debug logs sort of look as if it is expecting to negotiate TLS immediately on connection, rather than after the initial EHLO, but that seems more likely to be about what is reported rather than what happens.
Other highlights of the successful session with smtptest:
S: 220 CY1PR03CA0007.outlook.office365.com Microsoft ESMTP MAIL Service ready at Fri, 28 Apr 2017 20:46:43 +0000
C: EHLO smtptest
S: 250-CY1PR03CA0007.outlook.office365.com Hello [64.54.171.2]
S: 250-SIZE 157286400
S: 250-PIPELINING
S: 250-DSN
S: 250-ENHANCEDSTATUSCODES
S: 250-STARTTLS
S: 250-8BITMIME
S: 250-BINARYMIME
S: 250 CHUNKING
C: STARTTLS
S: 220 2.0.0 SMTP server ready
starting TLS engine
setting up TLS connection
SSL_connect:before/connect initialization
write to 7F95E53ECB40 [7F95E53ED0C0] (517 bytes => 517 (0x205))
....
SSL_connect:SSLv2/v3 write client hello A
read from 7F95E53ECB40 [7F95E53F2620] (7 bytes => 7 (0x7))
0000 16 03 03 0d 4d 02
0007 - <SPACES/NULS>
read from 7F95E53ECB40 [7F95E53F262A] (3403 bytes => 3403 (0xD4B))
.....
# Maybe it matters that the cert is untrusted?
SSL_connect:unknown state
Peer cert verify depth=1 /C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
verify error:num=20:unable to get local issuer certificate
verify return:1
Peer cert verify depth=1 /C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
verify error:num=27:certificate not trusted
verify return:1
Peer cert verify depth=0 /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=outlook.com
verify return:1
...
subject_CN=outlook.com, issuer_CN=DigiCert Cloud Services CA-1
TLS connection established: TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)
Asking for capabilities again since they might have changed
C: EHLO smtptest
...
S: 250-CY1PR03CA0007.outlook.office365.com Hello [64.54.171.2]
S: 250-SIZE 157286400
S: 250-PIPELINING
S: 250-DSN
S: 250-ENHANCEDSTATUSCODES
S: 250-AUTH LOGIN
S: 250-8BITMIME
S: 250-BINARYMIME
S: 250 CHUNKING
C: AUTH LOGIN
.....
S: 235 2.7.0 Authentication successful target host SN2PR05MB2671.namprd05.prod.outlook.com
Authenticated.
Security strength factor: 128
________________________________________
From: Boylan, Ross
Sent: Friday, April 28, 2017 11:32:41 AM
To: exim-users@???
Subject: TLS error on connection to smtp.office365.com (gnutls_handshake): An unexpected TLS packet was received.
My campus recently switched to office365.com on port 587 from an internal Exchange server. Unfortunately, I haven't been able to connect. Typical error message is
TLS error on connection to outlook-namwest2.office365.com [40.97.133.114] (gnutls_handshake): An unexpected TLS packet was received.
Searching on the internet has some advice on setting up connections to office365, but I think I have everything set.
Could it be a problem that my passwd.client file has (some info obscured)
smtp.office365.com:xxx@???:xxxx
but that the ultimate host name is different, as seen above? The router uses the smtp.office365.com name.
Other ideas, including ways to isolate the problem?
I also tried with smtptest and got a similar, early, failure. It seems to be before any real authentication, since it never asked for a password. I'm putting this first because it may have more detail about the problem than the exim logs further down.
--------------------------------------------------------------------------
$ smtptest -u xxx@??? -s -p 587 smtp.office365.com -v
starting TLS engine
setting up TLS connection
SSL_connect:before/connect initialization
write to 7FA54998CB40 [7FA54998D0C0] (517 bytes => 517 (0x205))
SSL_connect:SSLv2/v3 write client hello A
read from 7FA54998CB40 [7FA549992620] (7 bytes => 7 (0x7))
0000 32 32 30 20 4d 57 48
SSL_connect:error in SSLv2/v3 read server hello A -1
SSL_connect error -1
SSL session removed
failure: TLS negotiation failed!
---------------------------------------------------
This is from a debugging session with exim
---------------------------------------------------------------------------
outlook-namwest.office365.com [40.97.124.34]:587 status = usable
40.97.124.34 in serialize_hosts? no (option unset)
delivering 1d3vC1-0007Xf-NB to outlook-namwest.office365.com [40.97.124.34] (xxx@???)
set_process_info: 28999 delivering 1d3vC1-0007Xf-NB to outlook-namwest.office365.com [40.97.124.34] (xxxx@???)
Transport port=465 replaced by host-specific port=587
Connecting to outlook-namwest.office365.com [40.97.124.34]:587 ... connected
40.97.124.34 in hosts_avoid_esmtp? no (option unset)
40.97.124.34 in hosts_require_ocsp? no (option unset)
40.97.124.34 in hosts_request_ocsp? yes (matched "*")
initialising GnuTLS as a client on fd 7
GnuTLS global init required.
initialising GnuTLS client session
Expanding various TLS configuration options for session credentials.
TLS: no client certificate specified; okay
TLS: tls_verify_certificates not set or empty, ignoring
GnuTLS using default session cipher/priority "NORMAL"
Setting D-H prime minimum acceptable bits to 1024
in tls_verify_hosts? no (option unset)
in tls_try_verify_hosts? no (option unset)
TLS: server certificate verification not required.
TLS: will request OCSP stapling
about to gnutls_handshake
LOG: MAIN
TLS error on connection to outlook-namwest.office365.com [40.97.124.34] (gnutls_handshake): An unexpected TLS packet was received.
ok=0 send_quit=0 send_rset=1 continue_more=0 yield=1 first_address is not NULL
set_process_info: 28999 delivering 1d3vC1-0007Xf-NB: just tried outlook-namwest.office365.com [40.97.124.34] for xxx@???: result DEFER
added retry item for T:outlook-namwest.office365.com:40.97.124.34:587: errno=-37 more_errno=0,A flags=2
I have disable_ipv6 = true; without it exim tried only IPv6 addresses, which weren't routable by the OS.
exim 4.84_2 running on Debian Jessie.
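
Added example (not part of the original message): Python that classifies the first bytes read back after a ClientHello, using the two seven-byte reads shown in the smtptest traces above. The function names are made up for this example; a reply that decodes as an ASCII SMTP status line instead of a TLS record means the server was still speaking plaintext SMTP when the client started TLS.

```python
import re

# TLS record layer constants (RFC 5246): content types and protocol versions.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello"}


def parse_hexdump(line):
    """Convert one dump line ('0000 16 03 ...') to bytes, dropping the offset."""
    fields = line.replace("|", " ").split()
    return bytes(int(f, 16) for f in fields[1:])


def classify_reply(data):
    """Classify the first bytes a server sent back after a ClientHello."""
    if len(data) >= 5 and data[0] in CONTENT_TYPES and data[1] == 3:
        info = {
            "kind": "tls_record",
            "content_type": CONTENT_TYPES[data[0]],
            "version": VERSIONS.get((data[1], data[2]), "unknown"),
            "length": int.from_bytes(data[3:5], "big"),
        }
        if data[0] == 22 and len(data) > 5:
            info["handshake"] = HANDSHAKE_TYPES.get(data[5], "other")
        return info
    # An SMTP reply starts with three ASCII digits followed by space or '-'.
    match = re.match(rb"(\d{3})[ -]", data)
    if match:
        return {"kind": "smtp_reply", "code": int(match.group(1)),
                "text": data.decode("ascii", "replace")}
    return {"kind": "unknown"}


# The two 7-byte reads from the traces in this message (the dump does not
# print the trailing byte of the first one).
WORKING = parse_hexdump("0000 16 03 03 0d 4d 02")      # session run with -t ""
FAILING = parse_hexdump("0000 32 32 30 20 4d 57 48")   # session run with -s

if __name__ == "__main__":
    for label, data in (("working", WORKING), ("failing", FAILING)):
        print(label, classify_reply(data))
```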