[exim] Debian9/exim4.89 does TLS and SMTP AUTH with gmail, …

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Marc MERLIN
Datum:  
To: Jeremy Harris, Andrew C Aitchison
CC: exim-users
Alte Treads: Re: [exim] How to debug an encrypted smtp auth connection?, Re: [exim] How to debug an encrypted smtp auth connection?, Re: [exim] How to debug an encrypted smtp auth connection?, Re: [exim] How to debug an encrypted smtp auth connection?
Betreff: [exim] Debian9/exim4.89 does TLS and SMTP AUTH with gmail, but Debian10/exim4.92 doesn't?
On Fri, Sep 11, 2020 at 01:45:11PM -0700, Marc MERLIN via Exim-users wrote:
> Ooooh, never mind, I was focussing on the AUTH bit when I totally missed
> that my client never issued STARTTLS.
> Now I need to figure out why that's not working, but that's easier to debug.


So, exim -d+all does not make it very clear that TLS is even failing and
that AUTH is being done without TLS, which is why it fails.

I diffed d+all from a client that worked (debian9) with one that didn't work
(debian10). I found this:

ii  exim4-daemon-light   4.89-2+deb9u7   amd64           lightweight Exim MTA (v4) daemon
root@salt:~# ldd /usr/sbin/exim4 |grep tls
        libgnutls.so.30 => /usr/lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007f83d2db1000)
vs
ii  exim4-daemon-light 4.92-8+deb10u4 amd64        lightweight Exim MTA (v4) daemon
root@salt2:/etc/exim4# ldd /usr/sbin/exim4 |grep tls
        libgnutls.so.30 => /usr/lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007f840b5d2000)
        libgnutls-dane.so.0 => /usr/lib/x86_64-linux-gnu/libgnutls-dane.so.0 (0x00007f840b5c8000)


Both use the exact same update-exim4.conf.conf

The debian9 that works, does:
>  108.177.111.109 in tls_verify_hosts? no (option unset)
>  108.177.111.109 in tls_try_verify_hosts? yes (matched "*")
>  108.177.111.109 in tls_verify_cert_hostnames? yes (matched "*")
>  TLS: server cert verification includes hostname: "smtp.gmail.com".
>  TLS: server certificate verification optional.
>  TLS: will request OCSP stapling
>  about to gnutls_handshake
>  gnutls_handshake was successful
>  TLS certificate verified: peerdn="C=US,ST=California,L=Mountain View,O=Google LLC,CN=smtp.gmail.com"
>  cipher: TLS1.2:ECDHE_ECDSA_CHACHA20_POLY1305:256
>  Have channel bindings cached for possible auth usage.
>    SMTP>> EHLO salt.c.domain.internal
>  cmd buf flush 36 bytes
>  tls_do_write(0x7fffe26a2470, 36)
>  gnutls_record_send(SSL, 0x7fffe26a2470, 36)
>  outbytes=36
>  Calling gnutls_record_recv(0x5651ba5ed450, 0x7fffe26a1470, 4096)
>  read response data: size=224
>    SMTP<< 250-smtp.gmail.com at your service, [104.155.163.105]
>           250-SIZE 35882577
>           250-8BITMIME
>           250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
>           250-ENHANCEDSTATUSCODES
>           250-PIPELINING
>           250-CHUNKING
>           250 SMTPUTF8
>  108.177.111.109 in hosts_avoid_pipelining? no (option unset)


debian10 does:
>  74.125.202.109 in hosts_avoid_esmtp? no (option unset)
>    SMTP>> EHLO salt2.c.domain.internal
>  cmd buf flush 37 bytes
>  read response data: size=168
>    SMTP<< 250-smtp.gmail.com at your service, [34.68.13.114]
>           250-SIZE 35882577
>           250-8BITMIME
>           250-STARTTLS
>           250-ENHANCEDSTATUSCODES
>           250-PIPELINING
>           250-CHUNKING
>           250 SMTPUTF8
>  74.125.202.109 in hosts_avoid_tls? no (option unset)
>    SMTP>> STARTTLS
>  cmd buf flush 10 bytes
>  read response data: size=30
>    SMTP<< 220 2.0.0 Ready to start TLS
>  74.125.202.109 in hosts_require_ocsp? no (option unset)
>  74.125.202.109 in hosts_request_ocsp? yes (matched "*")
>  initialising GnuTLS as a client on fd 6
>  GnuTLS global init required.
>  initialising GnuTLS client session
>  Expanding various TLS configuration options for session credentials.
>  TLS: no client certificate specified; okay
>  GnuTLS<3>: ASSERT: ../../../lib/x509/common.c[_gnutls_x509_get_raw_field2]:1575
>  GnuTLS<3>: ASSERT: ../../../lib/x509/x509.c[gnutls_x509_crt_get_subject_unique_id]:3902
>  GnuTLS<3>: ASSERT: ../../../lib/x509/x509.c[gnutls_x509_crt_get_issuer_unique_id]:3952
>  GnuTLS<3>: ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:990
>  GnuTLS<3>: ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:990
>  GnuTLS<3>: ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:990
>  GnuTLS<3>: ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:990
>  Added 126 certificate authorities.
>  GnuTLS using default session cipher/priority "NORMAL"
>  GnuTLS<2>: added 6 protocols, 29 ciphersuites, 18 sig algos and 9 groups into priority list
>  Setting D-H prime minimum acceptable bits to 1024
>  74.125.202.109 in tls_verify_hosts? no (option unset)
>  74.125.202.109 in tls_try_verify_hosts? yes (matched "*")
>  74.125.202.109 in tls_verify_cert_hostnames? yes (matched "*")
>  TLS: server cert verification includes hostname: "smtp.gmail.com".
>  TLS: server certificate verification optional.
>  TLS: will request OCSP stapling
>  about to gnutls_handshake
>  GnuTLS<2>: Keeping ciphersuite 13.02 (GNUTLS_AES_256_GCM_SHA384)
>  GnuTLS<2>: Keeping ciphersuite 13.03 (GNUTLS_CHACHA20_POLY1305_SHA256)
>  GnuTLS<2>: Keeping ciphersuite 13.01 (GNUTLS_AES_128_GCM_SHA256)
>  GnuTLS<2>: Keeping ciphersuite 13.04 (GNUTLS_AES_128_CCM_SHA256)
>  GnuTLS<2>: Keeping ciphersuite c0.2c (GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384)
>  GnuTLS<2>: Keeping ciphersuite cc.a9 (GNUTLS_ECDHE_ECDSA_CHACHA20_POLY1305)
>  GnuTLS<2>: Keeping ciphersuite c0.ad (GNUTLS_ECDHE_ECDSA_AES_256_CCM)
>  GnuTLS<2>: Keeping ciphersuite c0.0a (GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1)
>  GnuTLS<2>: Keeping ciphersuite c0.2b (GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256)
>  GnuTLS<2>: Keeping ciphersuite c0.ac (GNUTLS_ECDHE_ECDSA_AES_128_CCM)
>  GnuTLS<2>: Keeping ciphersuite c0.09 (GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1)
>  GnuTLS<2>: Keeping ciphersuite c0.30 (GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384)
>  GnuTLS<2>: Keeping ciphersuite cc.a8 (GNUTLS_ECDHE_RSA_CHACHA20_POLY1305)
>  GnuTLS<2>: Keeping ciphersuite c0.14 (GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1)
>  GnuTLS<2>: Keeping ciphersuite c0.2f (GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256)
>  GnuTLS<2>: Keeping ciphersuite c0.13 (GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1)
>  GnuTLS<2>: Keeping ciphersuite 00.9d (GNUTLS_RSA_AES_256_GCM_SHA384)
>  GnuTLS<2>: Keeping ciphersuite c0.9d (GNUTLS_RSA_AES_256_CCM)
>  GnuTLS<2>: Keeping ciphersuite 00.35 (GNUTLS_RSA_AES_256_CBC_SHA1)
>  GnuTLS<2>: Keeping ciphersuite 00.9c (GNUTLS_RSA_AES_128_GCM_SHA256)
>  GnuTLS<2>: Keeping ciphersuite c0.9c (GNUTLS_RSA_AES_128_CCM)
>  GnuTLS<2>: Keeping ciphersuite 00.2f (GNUTLS_RSA_AES_128_CBC_SHA1)
>  GnuTLS<2>: Keeping ciphersuite 00.9f (GNUTLS_DHE_RSA_AES_256_GCM_SHA384)
>  GnuTLS<2>: Keeping ciphersuite cc.aa (GNUTLS_DHE_RSA_CHACHA20_POLY1305)
>  GnuTLS<2>: Keeping ciphersuite c0.9f (GNUTLS_DHE_RSA_AES_256_CCM)
>  GnuTLS<2>: Keeping ciphersuite 00.39 (GNUTLS_DHE_RSA_AES_256_CBC_SHA1)
>  GnuTLS<2>: Keeping ciphersuite 00.9e (GNUTLS_DHE_RSA_AES_128_GCM_SHA256)
>  GnuTLS<2>: Keeping ciphersuite c0.9e (GNUTLS_DHE_RSA_AES_128_CCM)
>  GnuTLS<2>: Keeping ciphersuite 00.33 (GNUTLS_DHE_RSA_AES_128_CBC_SHA1)
>  GnuTLS<2>: Advertizing version 3.4
>  GnuTLS<2>: Advertizing version 3.3
>  GnuTLS<2>: Advertizing version 3.2
>  GnuTLS<2>: Advertizing version 3.1
>  GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1171
>  GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1162
>  GnuTLS<3>: ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1413
>  GnuTLS<2>: EXT[0x55e83ae8e7b0]: client generated X25519 shared key
>  GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1171
>  GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1171
>  GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1162
>  GnuTLS<3>: ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1431
>  GnuTLS<3>: ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1413
>  GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1171
>  GnuTLS<3>: ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1431
>  GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1171
>  GnuTLS<3>: ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1431
>  GnuTLS<3>: ASSERT: ../../lib/constate.c[_gnutls_epoch_get]:923
>  gnutls_handshake was successful
>  TLS: checking peer certificate
>  GnuTLS<3>: ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_parse_dn]:283
>  GnuTLS<3>: ASSERT: ../../lib/ocsp-api.c[gnutls_ocsp_status_request_get2]:99
>  GnuTLS<3>: ASSERT: ../../lib/ocsp-api.c[gnutls_ocsp_status_request_get2]:99
>  GnuTLS<3>: ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:990
>  GnuTLS<3>: ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:990
>  GnuTLS<3>: ASSERT: ../../../lib/x509/name_constraints.c[gnutls_x509_crt_get_name_constraints]:470
>  GnuTLS<3>: ASSERT: ../../../lib/x509/name_constraints.c[gnutls_x509_crt_get_name_constraints]:470
>  TLS certificate verified: peerdn="C=US,ST=California,L=Mountain View,O=Google LLC,CN=smtp.gmail.com"
>  GnuTLS<3>: ASSERT: ../../lib/ocsp-api.c[gnutls_ocsp_status_request_get2]:99
>  cipher: TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256
>  Have channel bindings cached for possible auth usage.
>    SMTP>> EHLO salt2.c.domain.internal
>  cmd buf flush 37 bytes
>  tls_write(0x7fff61d2b230, 37)
>  gnutls_record_send(SSL, 0x7fff61d2b230, 37)
>  outbytes=37
>  Calling gnutls_record_recv(0x55e83ae8e7b0, 0x7fff61d2a230, 4096)
>  GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1171
>  GnuTLS<3>: ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1431
>  GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1171
>  GnuTLS<3>: ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1431
>  GnuTLS<3>: ASSERT: ../../lib/record.c[_gnutls_recv_in_buffers]:1577
>  GnuTLS<3>: ASSERT: ../../lib/record.c[_gnutls_recv_int]:1775
>  read response data: size=221
>    SMTP<< 250-smtp.gmail.com at your service, [34.68.13.114]
>           250-SIZE 35882577
>           250-8BITMIME
>           250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
>           250-ENHANCEDSTATUSCODES
>           250-PIPELINING
>           250-CHUNKING
>           250 SMTPUTF8
>  74.125.202.109 in hosts_avoid_pipelining? no (option unset)


By then, STARTTLS hasn't happened, I'm not sure why and it's not obvious (to me) from those logs.

Any idea what's going on?

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.

Home page: http://marc.merlins.org/