Re: [exim] $tls_in_sni is blank

Author: Nospam2k
Date:  
To: Exim-users
Subject: Re: [exim] $tls_in_sni is blank
Here is a full log from exim -bd -q1h -d


27434 Connection request from 76.14.5.213 port 57373
27434 LOG: smtp_connection MAIN
27434   SMTP connection from [76.14.5.213]:57373 I=[107.180.239.134]:587 (TCP/IP connection count = 1)
27434 search_tidyup called
27434 1 SMTP accept process running
27434 Listening...
27469 host in rfc1413_hosts? yes (matched "*")
27469 doing ident callback
27469 Tried TCP Fast Open but apparently not enabled by sysctl
27469 non-TFO mode connection attempt to 76.14.5.213, 13 data
27469 ident connection to 76.14.5.213 failed: Connection refused
27469 sender_fullhost = [76.14.5.213]:57373
27469 sender_rcvhost = [76.14.5.213] (port=57373)
27469 Process 27469 is handling incoming connection from [76.14.5.213]:57373
27469 host in host_lookup? yes (matched "*")
27469 looking up host name for 76.14.5.213
27469 DNS lookup of 213.5.14.76.in-addr.arpa (PTR) succeeded
27469 Reverse DNS security status: unverified
27469 IP address lookup yielded "76-14-5-213.sf-cable.astound.net"
27469 DNS lookup of 76-14-5-213.sf-cable.astound.net (A) gave HOST_NOT_FOUND
27469 returning DNS_NOMATCH
27469 no IP addresses found for 76-14-5-213.sf-cable.astound.net
27469 76.14.5.213 does not match any IP address for 76-14-5-213.sf-cable.astound.net
27469 sender_fullhost = [76.14.5.213]:57373
27469 sender_rcvhost = [76.14.5.213] (port=57373)
27469 set_process_info: 27469 handling incoming connection from [76.14.5.213]:57373 I=[107.180.239.134]:587
27469 host in host_reject_connection? no (option unset)
27469 host in sender_unqualified_hosts? no (option unset)
27469 host in recipient_unqualified_hosts? no (option unset)
27469 host in helo_verify_hosts? no (option unset)
27469 host in helo_try_verify_hosts? no (option unset)
27469 host in helo_accept_junk_hosts? no (option unset)
27469 host in hosts_proxy? no (option unset)
27469 SMTP>> 220 panel.dafhosting.com ESMTP Exim 4.92.2 Thu, 17 Oct 2019 12:53:12 -0700
27469 Process 27469 is ready for new message
27469 smtp_setup_msg entered
27469 SMTP<< EHLO openssl.client.net
27469 openssl.client.net in helo_lookup_domains? no (end of list)
27469 sender_fullhost = (openssl.client.net) [76.14.5.213]:57373
27469 sender_rcvhost = [76.14.5.213] (port=57373 helo=openssl.client.net)
27469 set_process_info: 27469 handling incoming connection from (openssl.client.net) [76.14.5.213]:57373 I=[107.180.239.134]:587
27469 using ACL "acl_check_helo"
27469 processing "accept"
27469 accept: condition test succeeded in ACL "acl_check_helo"
27469 end of ACL "acl_check_helo": ACCEPT
27469 host in dsn_advertise_hosts? no (option unset)
27469 host in pipelining_advertise_hosts? yes (matched "*")
27469 host in auth_advertise_hosts? yes (matched "*")
27469 Evaluating advertise_condition for PLAIN athenticator
27469 Evaluating advertise_condition for LOGIN athenticator
27469 host in chunking_advertise_hosts? yes (matched "*")
27469 host in tls_advertise_hosts? yes (matched "*")
27469 SMTP>> 250-panel.dafhosting.com Hello openssl.client.net [76.14.5.213]
27469 250-SIZE 52428800
27469 250-8BITMIME
27469 250-PIPELINING
27469 250-AUTH PLAIN LOGIN
27469 250-CHUNKING
27469 250-STARTTLS
27469 250 HELP
27469 SMTP<< STARTTLS
27469 openssl option, adding from 1104000: 1000000 (no_sslv2 +no_sslv3)
27469 openssl option, adding from 1104000: 2000000 (no_sslv3)
27469 setting SSL CTX options: 0x3104000
27469 Diffie-Hellman initialized from default with 2048-bit prime
27469 ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection
27469 tls_certificate file /etc/letsencrypt/live//fullchain.pem
27469 TLS error '(SSL_CTX_use_certificate_chain_file file=/etc/letsencrypt/live//fullchain.pem): error:0200100D:system library:fopen:Permission denied'
27469 LOG: MAIN
27469   TLS error on connection from (openssl.client.net) [76.14.5.213]:57373 I=[107.180.239.134]:587 (SSL_CTX_use_certificate_chain_file file=/etc/letsencrypt/live//fullchain.pem): error:0200100D:system library:fopen:Permission denied
27469 SMTP>> 454 TLS currently unavailable
27469 SMTP<< ?????.??k?L7?iuH????B?Ww???P??.??
27469 LOG: smtp_syntax_error MAIN
27469   SMTP syntax error in "\026\003\001?\217\001??\213\003\001.\335\313k\022\272\024L7\264iu\031\017H\023\020\003\244\223\322\031\222B\347Ww\345\355\024\374P??.\300\024\300" H=(openssl.client.net) [76.14.5.213]:57373 I=[107.180.239.134]:587 NUL character(s) present (shown as '?')
27469 SMTP>> 501 NUL characters are not allowed in SMTP commands
27469 SMTP<< ?9???????5????    ?3?E?/?A???????
27469 LOG: smtp_syntax_error MAIN
27469   SMTP syntax error in "?9\377\205?\210?\201?5?\204\300\023\300    ?3?E?/?A\300\021\300\007?\005?\004\300\022\300\b?\026?" H=(openssl.client.net) [76.14.5.213]:57373 I=[107.180.239.134]:587 NUL character(s) present (shown as '?')
27469 SMTP>> 501 NUL characters are not allowed in SMTP commands
27469 SMTP<< ????4??????thedoorfellowship.org?
                                              ???
27469 LOG: smtp_syntax_error MAIN
27469   SMTP syntax error in "?\377\001??4???\032?\030??\025thedoorfellowship.org?\v?\002\001??" H=(openssl.client.net) [76.14.5.213]:57373 I=[107.180.239.134]:587 NUL character(s) present (shown as '?')
27469 SMTP>> 501 NUL characters are not allowed in SMTP commands
27469 SMTP>> 421 panel.dafhosting.com lost input connection
27469 LOG: smtp_connection MAIN
27469   SMTP connection from (openssl.client.net) [76.14.5.213]:57373 I=[107.180.239.134]:587 lost D=0.391s
27469 search_tidyup called
27469 LOG: MAIN
27469   no MAIL in SMTP connection from (openssl.client.net) [76.14.5.213]:57373 I=[107.180.239.134]:587 D=0.392s C=EHLO,STARTTLS
27469 SMTP>>(close on process exit)
27434 child 27469 ended: status=0x100
27434   normal exit, 1
27434 0 SMTP accept processes now running
27434 Listening...
> On Oct 17, 2019, at 12:41 PM, Nospam2k <nospam2k@???> wrote:
>
> I’ve installed 4.92.2 on CentOS 7.
>
>
> openssl s_client -tls1 -starttls smtp -connect thedoorfellowship.org:587 -servername thedoorfellowship.org
>
> Returns No client certificate CA names sent.
>
>
> /var/log/exim/main.log shows:
>
> TLS error on connection from (openssl.client.net) [76.14.5.213]:57315 I=[107.180.239.134]:587 (SSL_CTX_use_certificate_chain_file file=/etc/letsencrypt/live//fullchain.pem): error:0200100D:system library:fopen:Permission denied
>
> where /live//… is /live/$tls_in_sni/fullchain.pem
>
>
> I know this needs to be sanitized, but I’m just testing right now and can’t figure out why it’s blank.
>
>
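Added configuration example (not from this thread and not the Exim project's own text), showing the pattern Exim's documentation describes for SNI-dependent certificates. Exim expands tls_certificate and tls_privatekey once before any SNI has been seen, when $tls_in_sni is still empty, and re-expands them when the client's SNI arrives if the option string references $tls_in_sni. A bare /etc/letsencrypt/live/$tls_in_sni/fullchain.pem therefore yields /etc/letsencrypt/live//fullchain.pem on that first expansion, which is exactly the path in the log above. The setting below falls back to a default directory when SNI is absent and only uses the SNI as a path component after checking that it is a plain hostname, because the SNI is client-controlled input and must not be allowed to carry "/" or "..". The macro name LE_DIR, the hostname regex and the default directory panel.dafhosting.com (taken from the server banner in the log) are assumptions of this example. Two caveats a practitioner would check first: the log says fopen: Permission denied rather than No such file, which suggests the process handling the connection cannot read /etc/letsencrypt/live at all (Let's Encrypt creates that directory root-only), so the per-SNI expansion would fail the same way until the certificates are readable by the Exim user; and because exists{} runs as that same user, it returns false in that situation and silently selects the default.

```exim
# Weak setting from the thread: expanded before SNI is known, so the path
# becomes /etc/letsencrypt/live//fullchain.pem and TLS setup fails.
#
#   tls_certificate = /etc/letsencrypt/live/$tls_in_sni/fullchain.pem
#   tls_privatekey  = /etc/letsencrypt/live/$tls_in_sni/privkey.pem

# Hardened setting. LE_DIR is a macro (textual substitution when the
# configuration is read; the name is this example's choice). It expands to
# the per-SNI directory only when all three hold:
#   1. an SNI was actually received (def:tls_in_sni),
#   2. it is a bare lowercase hostname: no "/", no leading "." or "-",
#      no whitespace, so it cannot escape /etc/letsencrypt/live,
#   3. a fullchain.pem exists for it (checked as the Exim user).
# Otherwise it falls back to the default directory, which is also what the
# pre-SNI expansion uses. Replace panel.dafhosting.com with whatever
# directory holds the server's default certificate (assumption here).
LE_DIR = ${if and {{def:tls_in_sni} \
                   {match{$tls_in_sni}{\N^[a-z0-9][a-z0-9.-]*[a-z0-9]$\N}} \
                   {exists{/etc/letsencrypt/live/$tls_in_sni/fullchain.pem}}} \
           {/etc/letsencrypt/live/$tls_in_sni} \
           {/etc/letsencrypt/live/panel.dafhosting.com}}

# Both options must reference $tls_in_sni (they do, via the macro) so that
# Exim re-expands them together once the client's SNI has been read.
tls_certificate = LE_DIR/fullchain.pem
tls_privatekey  = LE_DIR/privkey.pem
```

After changing the configuration, `exim -bP tls_certificate` shows the macro-substituted string Exim will expand, and repeating the openssl s_client -servername test from the quoted message should make the file= path in the log (or the -d output) change from the default directory to the per-SNI one. A client that sends no SNI, or an SNI that fails the regex, is served the default certificate rather than a 454.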