[exim] TLS with gmail started failing

Etusivu
Poista viesti
Vastaa
Lähettäjä: Marc MERLIN
Päiväys:  
Vastaanottaja: exim-users
Aihe: [exim] TLS with gmail started failing

Howdy,

I have my personal Email (merlins.org) forwarded to gmail (merlin@???) and
have had that for over 10 years for an IP that never changed (209.81.13.136)

Starting a few days ago all my Emails got rejected by gmail, with "TLS error on
connection (recv): Resource temporarily unavailable, try again."

I've been using exim4 forever, I'm reasonably sure nothing changed on my
side in the last 2-3 days that this started happening.
Any idea what this could be, and whether the problem could be on my side?

I temporarily fixed it with 'hostsavoidtls=*' which indeed turned off
TLS and allowed Email to flow again.

Is my cipher list unsuitable? cipher: TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256

Details:
Connecting to alt1.gmail-smtp-in.l.google.com [2607:f8b0:4001:c15::1a]:25 ... failed: Network is unreachable
LOG: MAIN
H=alt1.gmail-smtp-in.l.google.com [2607:f8b0:4001:c15::1a] Network is unreachable
Connecting to alt1.gmail-smtp-in.l.google.com [74.125.129.27]:25 ... connected
SMTP<< 220 mx.google.com ESMTP e22si2221532iog.49 - gsmtp
SMTP>> EHLO mail1.merlins.org

  SMTP<< 250-mx.google.com at your service, [209.81.13.136]
         250-SIZE 157286400
         250-8BITMIME
         250-STARTTLS
         250-ENHANCEDSTATUSCODES
         250-PIPELINING
         250-CHUNKING
         250 SMTPUTF8

SMTP>> STARTTLS

SMTP<< 220 2.0.0 Ready to start TLS
SMTP>> EHLO mail1.merlins.org

LOG: MAIN
H=alt1.gmail-smtp-in.l.google.com [74.125.129.27] TLS error on connection (recv): Resource temporarily unavailable, try again.
LOG: MAIN
H=alt1.gmail-smtp-in.l.google.com [74.125.129.27]: Remote host closed connection in response to EHLO mail1.merlins.org

With more debug logs enabled, I see
14:32:02 5341 74.125.141.26 in hosts_avoid_tls? no (end of list)
14:32:02 5341 SMTP>> STARTTLS
14:32:02 5341 read response data: size=30
14:32:02 5341 SMTP<< 220 2.0.0 Ready to start TLS
14:32:02 5341 74.125.141.26 in hosts_require_ocsp? no (option unset)
14:32:02 5341 74.125.141.26 in hosts_request_ocsp? yes (matched "*")
14:32:02 5341 initialising GnuTLS as a client on fd 9
14:32:02 5341 GnuTLS global init required.
14:32:02 5341 initialising GnuTLS client session
14:32:02 5341 Expanding various TLS configuration options for session credentials.
14:32:02 5341 TLS: no client certificate specified; okay
14:32:02 5341 Added 99 certificate authorities.
14:32:02 5341 GnuTLS using default session cipher/priority "NORMAL"
14:32:02 5341 Setting D-H prime minimum acceptable bits to 1024
14:32:02 5341 74.125.141.26 in tls_verify_hosts? no (option unset)
14:32:02 5341 74.125.141.26 in tls_try_verify_hosts? yes (matched "*")
14:32:02 5341 74.125.141.26 in tls_verify_cert_hostnames? yes (matched "*")
14:32:02 5341 TLS: server cert verification includes hostname: "alt4.gmail-smtp-in.l.google.com".
14:32:02 5341 TLS: server certificate verification optional.
14:32:02 5341 TLS: will request OCSP stapling
14:32:02 5341 about to gnutls_handshake
14:32:03 5341 gnutls_handshake was successful
14:32:03 5341 TLS certificate verification failed (certificate invalid): peerdn="C=US,ST=California,L=Mountain View,O=Google LLC,CN=mx.google.com"
14:32:03 5341 TLS verify failure overridden (host in tls_try_verify_hosts)
14:32:03 5341 cipher: TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256
14:32:03 5341 Have channel bindings cached for possible auth usage.
14:32:03 5341 SMTP>> EHLO mail1.merlins.org
14:32:03 5341 tls_do_write(0xbfd5f57c, 24)
14:32:03 5341 gnutls_record_send(SSL, 0xbfd5f57c, 24)
14:32:03 5341 outbytes=24
14:32:03 5341 Calling gnutls_record_recv(0xb830fa40, 0xbfd5e57c, 4096)
14:32:03 5341 LOG: MAIN
14:32:03 5341 H=alt4.gmail-smtp-in.l.google.com [74.125.141.26] TLS error on connection (recv): Resource temporarily unavailable, try again.
14:32:03 5341 ok=0 send_quit=0 send_rset=1 continue_more=0 yield=1 first_address is not NULL
14:32:03 5341 tls_close(): shutting down TLS
14:32:03 5341 LOG: MAIN
14:32:03 5341 H=alt4.gmail-smtp-in.l.google.com [74.125.141.26]: Remote host closed connection in response to EHLO mail1.merlins.org

I do see the verification failure, but it shouldn't matter due to "TLS
verify failure overridden (host in tls_try_verify_hosts)"

Thanks,
Marc
-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/                       | PGP 7F55D5F27AAF9D08