Re: [exim] TLS with gmail started failing

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Viktor Dukhovni
Ημερομηνία:  
Προς: exim-users
Αντικείμενο: Re: [exim] TLS with gmail started failing
On Fri, Jun 07, 2019 at 09:16:04AM -0700, Marc MERLIN via Exim-users wrote:

> 14:32:03 5341 gnutls_handshake was successful
> 14:32:03 5341 TLS certificate verification failed (certificate invalid): peerdn="C=US,ST=California,L=Mountain View,O=Google LLC,CN=mx.google.com"
> 14:32:03 5341 TLS verify failure overridden (host in tls_try_verify_hosts)
> 14:32:03 5341 cipher: TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256
> 14:32:03 5341 Have channel bindings cached for possible auth usage.
> 14:32:03 5341 SMTP>> EHLO mail1.merlins.org
> 14:32:03 5341 tls_do_write(0xbfd5f57c, 24)
> 14:32:03 5341 gnutls_record_send(SSL, 0xbfd5f57c, 24)
> 14:32:03 5341 outbytes=24
> 14:32:03 5341 Calling gnutls_record_recv(0xb830fa40, 0xbfd5e57c, 4096)
> 14:32:03 5341 LOG: MAIN
> 14:32:03 5341 H=alt4.gmail-smtp-in.l.google.com [74.125.141.26] TLS error on connection (recv): Resource temporarily unavailable, try again.


The handshake succeeds, but reading the EHLO response fails with
EGAIN. This suggests that the socket is non-blocking, but in that
case one would expect the read to be retried. Someone more familiar
with the code will have to explore that hypothesis further.

In the meantime, have you tried "swaks" to see whether STARTTLS to
Google works outside of Exim? You can also try OpenSSL's s_client
as follows:

    $ openssl s_client -state -quiet -no_ign_eof -starttls smtp -connect alt4.gmail-smtp-in.l.google.com:25
    <type QUIT after you see output (O:) with the tail of the EHLO response>
O:  250 ...
O:  SSL_connect:SSL negotiation finished successfully
O:  SSL_connect:SSL negotiation finished successfully
O:  SSL_connect:SSLv3/TLS read server session ticket
I:  QUIT
O:  221 2.0.0 Bye
O:  SSL3 alert read:warning:close notify
O:  SSL3 alert write:warning:close notify


And also with gnutls-cli:

    $ gnutls-cli --crlf --starttls --port 25 smtp.example.net alt4.gmail-smtp-in.l.google.com


-- 
    Viktor.