Re: [exim] A TLS fatal alert has been received.: Insufficien…

Author: Viktor Dukhovni
Date:  
To: Exim-users
Subject: Re: [exim] A TLS fatal alert has been received.: Insufficient security
> On Jun 11, 2019, at 2:08 PM, Thomas Krichel via Exim-users <exim-users@???> wrote:
>
>> shows that the error message in question is from the GnuTLS DANE
>> library in dane_state_init() trying to initialize libunbound...
>
> On the sender or the receiver? Is there any fix I can do
> or do I need to educate the pros from gmx or web.de?


The problem is on your end. Exim's call to the GnuTLS dane_state_init()
function fails, because the latter is unable to initialize libunbound.
This is unfortunate, because Exim does not need GnuTLS to perform any
DNS lookups, and provides any required TLSA records to GnuTLS.

My advice is to switch to a version of Exim that is linked against
OpenSSL.

You could of course figure out why libunbound is unhappy... Perhaps
its trust-anchor is not available, or there's some other config
problem, but IMHO it is simpler to just trade GPL purity for a
more pragmatic choice of SSL library.

-- 
    Viktor.
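
To tell whether a given Exim binary is the GnuTLS-with-DANE build discussed in this message, the `Support for:` line of `exim -bV` can be classified as below. This is an added example, not part of the original message or of Exim; the function names are hypothetical and the sample `-bV` lines are constructed.

```shell
#!/bin/sh
# Classify `exim -bV` output (read from stdin) by TLS library and DANE support.
# Real use:  exim -bV | dane_backend_report

# Constructed sample lines in the shape of the "Support for:" line of `exim -bV`.
SAMPLE_GNUTLS='Exim version X.YY (constructed sample)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DANE DKIM DNSSEC
Lookups (built-in): lsearch wildlsearch'
SAMPLE_OPENSSL='Exim version X.YY (constructed sample)
Support for: crypteq iconv() IPv6 OpenSSL move_frozen_messages DANE DKIM DNSSEC'
SAMPLE_NODANE='Exim version X.YY (constructed sample)
Support for: crypteq iconv() IPv6 GnuTLS DKIM'

# Print each feature word of the "Support for:" line on its own line.
support_words() {
    sed -n 's/^Support for: *//p' | tr ' ' '\n'
}

# Print "<library> dane=<yes|no> <verdict>".
# Verdict "libunbound-init-path" marks the build described in the message:
# GnuTLS plus DANE, where dane_state_init() has to initialize libunbound.
dane_backend_report() {
    words=$(support_words)
    if printf '%s\n' "$words" | grep -qx 'GnuTLS'; then
        lib=gnutls
    elif printf '%s\n' "$words" | grep -qx 'OpenSSL'; then
        lib=openssl
    else
        lib=none            # built without TLS, or no "Support for:" line seen
    fi
    if printf '%s\n' "$words" | grep -qx 'DANE'; then
        dane=yes
    else
        dane=no
    fi
    case "$lib/$dane" in
        gnutls/yes) verdict=libunbound-init-path ;;
        *)          verdict=not-gnutls-dane ;;
    esac
    echo "$lib dane=$dane $verdict"
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_GNUTLS"  | dane_backend_report
printf '%s\n' "$SAMPLE_OPENSSL" | dane_backend_report
```
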