Re: [exim] Debian9/exim4.89 does TLS and SMTP AUTH with gmai…

Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] Debian9/exim4.89 does TLS and SMTP AUTH with gmail, but Debian10/exim4.92 doesn't?
On 15/09/2020 00:29, Marc MERLIN wrote:
> So, exim -d+all does not make it very clear that TLS is even failing and


(I don't see that, in your output below)

> that AUTH is being done without TLS,


Nope.

> which is why it fails.


And therefore, nope.


> Both use the exact same update-exim4.conf.conf
>
> The debian9 that works, does:
>>  108.177.111.109 in tls_verify_hosts? no (option unset)
>>  108.177.111.109 in tls_try_verify_hosts? yes (matched "*")
>>  108.177.111.109 in tls_verify_cert_hostnames? yes (matched "*")
>>  TLS: server cert verification includes hostname: "smtp.gmail.com".
>>  TLS: server certificate verification optional.
>>  TLS: will request OCSP stapling
>>  about to gnutls_handshake
>>  gnutls_handshake was successful
>>  TLS certificate verified: peerdn="C=US,ST=California,L=Mountain View,O=Google LLC,CN=smtp.gmail.com"
>>  cipher: TLS1.2:ECDHE_ECDSA_CHACHA20_POLY1305:256
>>  Have channel bindings cached for possible auth usage.
>>    SMTP>> EHLO salt.c.domain.internal
>>  cmd buf flush 36 bytes
>>  tls_do_write(0x7fffe26a2470, 36)
>>  gnutls_record_send(SSL, 0x7fffe26a2470, 36)
>>  outbytes=36
>>  Calling gnutls_record_recv(0x5651ba5ed450, 0x7fffe26a1470, 4096)
>>  read response data: size=224
>>    SMTP<< 250-smtp.gmail.com at your service, [104.155.163.105]
>>           250-SIZE 35882577
>>           250-8BITMIME
>>           250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
>>           250-ENHANCEDSTATUSCODES
>>           250-PIPELINING
>>           250-CHUNKING
>>           250 SMTPUTF8
>>  108.177.111.109 in hosts_avoid_pipelining? no (option unset)

>
> debian10 does:
>>  74.125.202.109 in hosts_avoid_esmtp? no (option unset)
>>    SMTP>> EHLO salt2.c.domain.internal
>>  cmd buf flush 37 bytes
>>  read response data: size=168
>>    SMTP<< 250-smtp.gmail.com at your service, [34.68.13.114]
>>           250-SIZE 35882577
>>           250-8BITMIME
>>           250-STARTTLS
>>           250-ENHANCEDSTATUSCODES
>>           250-PIPELINING
>>           250-CHUNKING
>>           250 SMTPUTF8
>>  74.125.202.109 in hosts_avoid_tls? no (option unset)
>>    SMTP>> STARTTLS
>>  cmd buf flush 10 bytes
>>  read response data: size=30
>>    SMTP<< 220 2.0.0 Ready to start TLS
>>  74.125.202.109 in hosts_require_ocsp? no (option unset)
>>  74.125.202.109 in hosts_request_ocsp? yes (matched "*")
>>  initialising GnuTLS as a client on fd 6
>>  GnuTLS global init required.
>>  initialising GnuTLS client session
>>  Expanding various TLS configuration options for session credentials.
>>  TLS: no client certificate specified; okay
>>  GnuTLS<3>: ASSERT: ../../../lib/x509/common.c[_gnutls_x509_get_raw_field2]:1575
>>  GnuTLS<3>: ASSERT: ../../../lib/x509/x509.c[gnutls_x509_crt_get_subject_unique_id]:3902
>>  GnuTLS<3>: ASSERT: ../../../lib/x509/x509.c[gnutls_x509_crt_get_issuer_unique_id]:3952
>>  GnuTLS<3>: ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:990
>>  GnuTLS<3>: ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:990
>>  GnuTLS<3>: ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:990
>>  GnuTLS<3>: ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:990
>>  Added 126 certificate authorities.
>>  GnuTLS using default session cipher/priority "NORMAL"
>>  GnuTLS<2>: added 6 protocols, 29 ciphersuites, 18 sig algos and 9 groups into priority list
>>  Setting D-H prime minimum acceptable bits to 1024
>>  74.125.202.109 in tls_verify_hosts? no (option unset)
>>  74.125.202.109 in tls_try_verify_hosts? yes (matched "*")
>>  74.125.202.109 in tls_verify_cert_hostnames? yes (matched "*")
>>  TLS: server cert verification includes hostname: "smtp.gmail.com".
>>  TLS: server certificate verification optional.
>>  TLS: will request OCSP stapling
>>  about to gnutls_handshake
>>  GnuTLS<2>: Keeping ciphersuite 13.02 (GNUTLS_AES_256_GCM_SHA384)
>>  GnuTLS<2>: Keeping ciphersuite 13.03 (GNUTLS_CHACHA20_POLY1305_SHA256)
>>  GnuTLS<2>: Keeping ciphersuite 13.01 (GNUTLS_AES_128_GCM_SHA256)
>>  GnuTLS<2>: Keeping ciphersuite 13.04 (GNUTLS_AES_128_CCM_SHA256)
>>  GnuTLS<2>: Keeping ciphersuite c0.2c (GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384)
>>  GnuTLS<2>: Keeping ciphersuite cc.a9 (GNUTLS_ECDHE_ECDSA_CHACHA20_POLY1305)
>>  GnuTLS<2>: Keeping ciphersuite c0.ad (GNUTLS_ECDHE_ECDSA_AES_256_CCM)
>>  GnuTLS<2>: Keeping ciphersuite c0.0a (GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1)
>>  GnuTLS<2>: Keeping ciphersuite c0.2b (GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256)
>>  GnuTLS<2>: Keeping ciphersuite c0.ac (GNUTLS_ECDHE_ECDSA_AES_128_CCM)
>>  GnuTLS<2>: Keeping ciphersuite c0.09 (GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1)
>>  GnuTLS<2>: Keeping ciphersuite c0.30 (GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384)
>>  GnuTLS<2>: Keeping ciphersuite cc.a8 (GNUTLS_ECDHE_RSA_CHACHA20_POLY1305)
>>  GnuTLS<2>: Keeping ciphersuite c0.14 (GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1)
>>  GnuTLS<2>: Keeping ciphersuite c0.2f (GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256)
>>  GnuTLS<2>: Keeping ciphersuite c0.13 (GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1)
>>  GnuTLS<2>: Keeping ciphersuite 00.9d (GNUTLS_RSA_AES_256_GCM_SHA384)
>>  GnuTLS<2>: Keeping ciphersuite c0.9d (GNUTLS_RSA_AES_256_CCM)
>>  GnuTLS<2>: Keeping ciphersuite 00.35 (GNUTLS_RSA_AES_256_CBC_SHA1)
>>  GnuTLS<2>: Keeping ciphersuite 00.9c (GNUTLS_RSA_AES_128_GCM_SHA256)
>>  GnuTLS<2>: Keeping ciphersuite c0.9c (GNUTLS_RSA_AES_128_CCM)
>>  GnuTLS<2>: Keeping ciphersuite 00.2f (GNUTLS_RSA_AES_128_CBC_SHA1)
>>  GnuTLS<2>: Keeping ciphersuite 00.9f (GNUTLS_DHE_RSA_AES_256_GCM_SHA384)
>>  GnuTLS<2>: Keeping ciphersuite cc.aa (GNUTLS_DHE_RSA_CHACHA20_POLY1305)
>>  GnuTLS<2>: Keeping ciphersuite c0.9f (GNUTLS_DHE_RSA_AES_256_CCM)
>>  GnuTLS<2>: Keeping ciphersuite 00.39 (GNUTLS_DHE_RSA_AES_256_CBC_SHA1)
>>  GnuTLS<2>: Keeping ciphersuite 00.9e (GNUTLS_DHE_RSA_AES_128_GCM_SHA256)
>>  GnuTLS<2>: Keeping ciphersuite c0.9e (GNUTLS_DHE_RSA_AES_128_CCM)
>>  GnuTLS<2>: Keeping ciphersuite 00.33 (GNUTLS_DHE_RSA_AES_128_CBC_SHA1)
>>  GnuTLS<2>: Advertizing version 3.4
>>  GnuTLS<2>: Advertizing version 3.3
>>  GnuTLS<2>: Advertizing version 3.2
>>  GnuTLS<2>: Advertizing version 3.1
>>  GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1171
>>  GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1162
>>  GnuTLS<3>: ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1413
>>  GnuTLS<2>: EXT[0x55e83ae8e7b0]: client generated X25519 shared key
>>  GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1171
>>  GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1171
>>  GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1162
>>  GnuTLS<3>: ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1431
>>  GnuTLS<3>: ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1413
>>  GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1171
>>  GnuTLS<3>: ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1431
>>  GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1171
>>  GnuTLS<3>: ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1431
>>  GnuTLS<3>: ASSERT: ../../lib/constate.c[_gnutls_epoch_get]:923
>>  gnutls_handshake was successful
>>  TLS: checking peer certificate
>>  GnuTLS<3>: ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_parse_dn]:283
>>  GnuTLS<3>: ASSERT: ../../lib/ocsp-api.c[gnutls_ocsp_status_request_get2]:99
>>  GnuTLS<3>: ASSERT: ../../lib/ocsp-api.c[gnutls_ocsp_status_request_get2]:99
>>  GnuTLS<3>: ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:990
>>  GnuTLS<3>: ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:990
>>  GnuTLS<3>: ASSERT: ../../../lib/x509/name_constraints.c[gnutls_x509_crt_get_name_constraints]:470
>>  GnuTLS<3>: ASSERT: ../../../lib/x509/name_constraints.c[gnutls_x509_crt_get_name_constraints]:470
>>  TLS certificate verified: peerdn="C=US,ST=California,L=Mountain View,O=Google LLC,CN=smtp.gmail.com"
>>  GnuTLS<3>: ASSERT: ../../lib/ocsp-api.c[gnutls_ocsp_status_request_get2]:99
>>  cipher: TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256
>>  Have channel bindings cached for possible auth usage.
>>    SMTP>> EHLO salt2.c.domain.internal
>>  cmd buf flush 37 bytes
>>  tls_write(0x7fff61d2b230, 37)
>>  gnutls_record_send(SSL, 0x7fff61d2b230, 37)
>>  outbytes=37
>>  Calling gnutls_record_recv(0x55e83ae8e7b0, 0x7fff61d2a230, 4096)
>>  GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1171
>>  GnuTLS<3>: ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1431
>>  GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1171
>>  GnuTLS<3>: ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1431
>>  GnuTLS<3>: ASSERT: ../../lib/record.c[_gnutls_recv_in_buffers]:1577
>>  GnuTLS<3>: ASSERT: ../../lib/record.c[_gnutls_recv_int]:1775
>>  read response data: size=221
>>    SMTP<< 250-smtp.gmail.com at your service, [34.68.13.114]
>>           250-SIZE 35882577
>>           250-8BITMIME
>>           250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
>>           250-ENHANCEDSTATUSCODES
>>           250-PIPELINING
>>           250-CHUNKING
>>           250 SMTPUTF8
>>  74.125.202.109 in hosts_avoid_pipelining? no (option unset)

>
> By then, STARTTLS hasn't happened, I'm not sure why and it's not obvious (to me) from those logs.


Uh, I can see it. Look again:


> debian10 does:
>>  74.125.202.109 in hosts_avoid_esmtp? no (option unset)
>>    SMTP>> EHLO salt2.c.domain.internal
>>  cmd buf flush 37 bytes
>>  read response data: size=168
>>    SMTP<< 250-smtp.gmail.com at your service, [34.68.13.114]
>>           250-SIZE 35882577
>>           250-8BITMIME
>>           250-STARTTLS
>>           250-ENHANCEDSTATUSCODES
>>           250-PIPELINING
>>           250-CHUNKING
>>           250 SMTPUTF8
>>  74.125.202.109 in hosts_avoid_tls? no (option unset)
>>    SMTP>> STARTTLS


... there.


--
Cheers,
Jeremy
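
An added example, not part of the original message and not Exim code: a small Python reader for an `exim -d` client trace that reports, for each EHLO, whether the TLS handshake had already completed and which AUTH mechanisms the server listed. It assumes the GnuTLS debug strings shown in the quoted logs (`gnutls_handshake was successful`, `cipher: ...`); the function names and the shortened sample trace are constructed for illustration.

```python
import re

# Constructed sample: a shortened trace in the shape of the Debian 10 excerpt above.
SAMPLE = """\
  SMTP>> EHLO salt2.c.domain.internal
  SMTP<< 250-smtp.gmail.com at your service, [34.68.13.114]
         250-SIZE 35882577
         250-STARTTLS
         250 SMTPUTF8
  SMTP>> STARTTLS
  SMTP<< 220 2.0.0 Ready to start TLS
about to gnutls_handshake
gnutls_handshake was successful
cipher: TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256
  SMTP>> EHLO salt2.c.domain.internal
  SMTP<< 250-smtp.gmail.com at your service, [34.68.13.114]
         250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
         250 SMTPUTF8
"""

EHLO_REPLY = re.compile(r"(?:SMTP<< )?250[- ](\S+)\s*(.*)")

def tls_timeline(trace):
    """One dict per EHLO sent: TLS state at that point and what the server offered."""
    tls_up, cipher, ehlos = False, None, []
    for raw in trace.splitlines():
        line = raw.lstrip("> ").rstrip()      # tolerate mail-quoted ">>" prefixes
        if line.startswith("SMTP>> EHLO"):
            ehlos.append({"tls": tls_up, "cipher": cipher, "starttls": False, "auth": []})
        elif line == "gnutls_handshake was successful":
            tls_up = True
        elif line.startswith("cipher: "):
            cipher = line[len("cipher: "):]
        elif ehlos and (m := EHLO_REPLY.match(line)):
            keyword, args = m.group(1).upper(), m.group(2)
            if keyword == "STARTTLS":
                ehlos[-1]["starttls"] = True
            elif keyword == "AUTH":
                ehlos[-1]["auth"] = args.split()
    return ehlos

def auth_offered_in_clear(trace):
    """True if any EHLO response listing AUTH arrived before the TLS handshake."""
    return any(e["auth"] and not e["tls"] for e in tls_timeline(trace))

if __name__ == "__main__":
    for n, e in enumerate(tls_timeline(SAMPLE), 1):
        print(n, "TLS" if e["tls"] else "cleartext", e["cipher"], e["auth"])
```

On a trace shaped like the Debian 10 one, the first EHLO is in cleartext with STARTTLS offered and no AUTH, and the second is inside TLS with AUTH listed.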