Re: [exim] Failure to deliver to Gmail

Author: Richard Jones
Date:  
To: exim-users
Subject: Re: [exim] Failure to deliver to Gmail
On Jun 28, Antoine via Exim-users wrote:
> -VERS-TLS1.3


Thanks Antoine, but that doesn't seem to work:

$ gnutls-cli -l --priority SECURE256:-VERS-TLS1.3
Cipher suites for SECURE256:-VERS-TLS1.3
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384                    0xc0, 0x2c    TLS1.2
TLS_ECDHE_ECDSA_CHACHA20_POLY1305                     0xcc, 0xa9    TLS1.2
TLS_ECDHE_ECDSA_AES_256_CCM                           0xc0, 0xad    TLS1.2
TLS_ECDHE_RSA_AES_256_GCM_SHA384                      0xc0, 0x30    TLS1.2
TLS_ECDHE_RSA_CHACHA20_POLY1305                       0xcc, 0xa8    TLS1.2
TLS_RSA_AES_256_GCM_SHA384                            0x00, 0x9d    TLS1.2
TLS_RSA_AES_256_CCM                                   0xc0, 0x9d    TLS1.2
TLS_DHE_RSA_AES_256_GCM_SHA384                        0x00, 0x9f    TLS1.2
TLS_DHE_RSA_CHACHA20_POLY1305                         0xcc, 0xaa    TLS1.2
TLS_DHE_RSA_AES_256_CCM                               0xc0, 0x9f    TLS1.2


Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-DTLS1.2, VERS-DTLS1.0

So far, so good, but then Exim seems to ignore this:

$ grep tls_require_ciphers /var/lib/exim4/config.autogenerated
tls_require_ciphers = SECURE256:-VERS-TLS1.3

$ exim -d -M 1hg7kY-0005cN-VO | grep -A 2 -B 1 cipher:
27657 TLS certificate verified: peerdn="C=US,ST=California,L=Mountain View,O=Google LLC,CN=mx.google.com"
27657 cipher: TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256
27657 Have channel bindings cached for possible auth usage.
27657 SMTP>> EHLO smtp.junix.systems

Aha! Wait, adding the same stanza to the remote_smtp transport fixed the
problem! Thanks all for the pointers.

Is this the expected behaviour?

Thanks,

Richard

--
junix.systems/privacy
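
An added example, not part of the original message: in Exim the main-section tls_require_ciphers option governs incoming connections, while each smtp transport has its own option of the same name for outgoing ones, which matches what the message observed. The sketch below audits a simplified config for smtp transports that lack the option; the sample config and the function name are constructed for illustration, and macros, includes and continuation lines are not handled.

```python
import re

# Constructed sample, not the poster's real file: the option is set in the
# main section, but only one of the two smtp transports carries it.
SAMPLE_CONFIG = """\
tls_require_ciphers = SECURE256:-VERS-TLS1.3
begin transports
remote_smtp:
  driver = smtp
remote_smtp_smarthost:
  driver = smtp
  tls_require_ciphers = SECURE256:-VERS-TLS1.3
local_delivery:
  driver = appendfile
"""

OPTION = "tls_require_ciphers"

def audit_tls_require_ciphers(config_text):
    """Return (main_value, {smtp_transport_name: value_or_None})."""
    section, current, main_value = "main", None, None
    transports = {}  # transport name -> {option: value}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"begin\s+(\w+)$", line)
        if m:  # a new config section starts; main is everything before the first
            section, current = m.group(1), None
            continue
        m = re.match(r"([A-Za-z0-9_]+):$", line)
        if section == "transports" and m:  # "name:" opens a transport block
            current = m.group(1)
            transports[current] = {}
            continue
        m = re.match(r"(\w+)\s*=\s*(.*)$", line)
        if not m:
            continue
        if section == "main" and m.group(1) == OPTION:
            main_value = m.group(2)
        elif section == "transports" and current:
            transports[current][m.group(1)] = m.group(2)
    smtp = {name: opts.get(OPTION)
            for name, opts in transports.items() if opts.get("driver") == "smtp"}
    return main_value, smtp

if __name__ == "__main__":
    for name, value in audit_tls_require_ciphers(SAMPLE_CONFIG)[1].items():
        print(f"transport {name} (outgoing): {value or 'NOT SET'}")
```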