Re: [exim] Receiving the error : TLS error on connection (re…

Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] Receiving the error : TLS error on connection (recv): The TLS connection was non-properly terminated.
On 09/06/2020 12:28, Brent Clark via Exim-users wrote:
> Where I work, we just inherited a series of third party outgoing spam
> servers.
> For various reasons, we need to loadbalance but more importantly direct
> traffic for when we need to perform maintenance on these servers.
>
> What we decided to use and do is put haproxy in front.
>
> The intended topology is:
> [clients MTA servers] - 587 -> [haproxy] - 587 -> [outgoing spamservers]


You're serving spam?
And why do your MTAs talk on 587 ?

> On odd occasion we see the following error message(s) on the clients
> MTAs. And the mail just sits in the queue. When we revert back, it all
> flows.


(Grammar grumble. "Revert" already implies a reversal. Adding "back"
is redundant. Seems to be an Indian subcontinent habit, at my $work)


> We can't figure it out, and why.
> What we think is happening is. There is a cert mismatch. And as a
> result Exim just refuses to send or accept the mail.


I don't think that conclusion holds...


> gnutls_handshake was successful
> TLS certificate verification failed (certificate invalid):
> peerdn="CN=antispam6-REMOVED"
> TLS verify failure overridden (host in tls_try_verify_hosts)


Note, the verify fail was ignored by this exim.

> 5:02
> Calling gnutls_record_recv(0x5634066e64a0, 0x7fffc4a62180, 4096)
> LOG: MAIN
>   H=se-balancer.REMOVED [REMOVEDIP] TLS error on connection (recv): The
> TLS connection was non-properly terminated.
>   SMTP(closed)<<


The TCP connection was closed by the far end. Not by this end (exim,
in client mode).


Load-balancers and SMTP... I do not recommend the combination.

--
Cheers,
Jeremy
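
An added illustration of the reading given in the reply above (not part of the original message and not Exim code): a short Python pass over the debug lines quoted in the thread that keeps the ignored verification failure separate from the event that actually ended the session. The function names and verdict labels are assumptions of this example, and the second trace is constructed by dropping the override line from the quoted one.

```python
import re

# Debug lines quoted in the message above (host and IP are redacted there);
# the wrapped log line is rejoined.
PAGE_TRACE = """\
gnutls_handshake was successful
TLS certificate verification failed (certificate invalid): peerdn="CN=antispam6-REMOVED"
TLS verify failure overridden (host in tls_try_verify_hosts)
Calling gnutls_record_recv(0x5634066e64a0, 0x7fffc4a62180, 4096)
H=se-balancer.REMOVED [REMOVEDIP] TLS error on connection (recv): The TLS connection was non-properly terminated.
SMTP(closed)<<
"""

# Constructed variant: the same lines with the override line dropped.
NO_OVERRIDE_TRACE = "\n".join(
    l for l in PAGE_TRACE.splitlines() if "overridden" not in l)

PATTERNS = [  # event labels are assumptions of this example
    ("handshake_ok", re.compile(r"gnutls_handshake was successful")),
    ("verify_failed", re.compile(r"TLS certificate verification failed")),
    ("verify_overridden", re.compile(r"TLS verify failure overridden")),
    ("recv_error", re.compile(r"TLS error on connection \(recv\)")),
]

def events(trace):
    """Return the recognised events in the order they appear."""
    out = []
    for line in trace.splitlines():
        for name, rx in PATTERNS:
            if rx.search(line):
                out.append(name)
                break
    return out

def diagnose(trace):
    """Classify what ended the session, keeping ignored failures separate."""
    seen = events(trace)
    ignored = "verify_failed" in seen and "verify_overridden" in seen
    if "verify_failed" in seen and not ignored:
        verdict = "verify-failure-not-overridden"
    elif ("handshake_ok" in seen and "recv_error" in seen
          and seen.index("handshake_ok") < seen.index("recv_error")):
        verdict = "peer-closed-after-handshake"
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "verify_failure_ignored": ignored}

if __name__ == "__main__":
    print(diagnose(PAGE_TRACE))
    print(diagnose(NO_OVERRIDE_TRACE))
```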