On 15/09/2020 00:29, Marc MERLIN wrote:
> So, exim -d+all does not make it very clear that TLS is even failing and
(I don't see that, in your output below)
> that AUTH is being done without TLS,
Nope.
> which is why it fails.
And therefore, nope.
> Both use the exact same update-exim4.conf.conf
>
> The debian9 that works, does:
>> 108.177.111.109 in tls_verify_hosts? no (option unset)
>> 108.177.111.109 in tls_try_verify_hosts? yes (matched "*")
>> 108.177.111.109 in tls_verify_cert_hostnames? yes (matched "*")
>> TLS: server cert verification includes hostname: "smtp.gmail.com".
>> TLS: server certificate verification optional.
>> TLS: will request OCSP stapling
>> about to gnutls_handshake
>> gnutls_handshake was successful
>> TLS certificate verified: peerdn="C=US,ST=California,L=Mountain View,O=Google LLC,CN=smtp.gmail.com"
>> cipher: TLS1.2:ECDHE_ECDSA_CHACHA20_POLY1305:256
>> Have channel bindings cached for possible auth usage.
>> SMTP>> EHLO salt.c.domain.internal
>> cmd buf flush 36 bytes
>> tls_do_write(0x7fffe26a2470, 36)
>> gnutls_record_send(SSL, 0x7fffe26a2470, 36)
>> outbytes=36
>> Calling gnutls_record_recv(0x5651ba5ed450, 0x7fffe26a1470, 4096)
>> read response data: size=224
>> SMTP<< 250-smtp.gmail.com at your service, [104.155.163.105]
>> 250-SIZE 35882577
>> 250-8BITMIME
>> 250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
>> 250-ENHANCEDSTATUSCODES
>> 250-PIPELINING
>> 250-CHUNKING
>> 250 SMTPUTF8
>> 108.177.111.109 in hosts_avoid_pipelining? no (option unset)
>
> debian10 does:
>> 74.125.202.109 in hosts_avoid_esmtp? no (option unset)
>> SMTP>> EHLO salt2.c.domain.internal
>> cmd buf flush 37 bytes
>> read response data: size=168
>> SMTP<< 250-smtp.gmail.com at your service, [34.68.13.114]
>> 250-SIZE 35882577
>> 250-8BITMIME
>> 250-STARTTLS
>> 250-ENHANCEDSTATUSCODES
>> 250-PIPELINING
>> 250-CHUNKING
>> 250 SMTPUTF8
>> 74.125.202.109 in hosts_avoid_tls? no (option unset)
>> SMTP>> STARTTLS
>> cmd buf flush 10 bytes
>> read response data: size=30
>> SMTP<< 220 2.0.0 Ready to start TLS
>> 74.125.202.109 in hosts_require_ocsp? no (option unset)
>> 74.125.202.109 in hosts_request_ocsp? yes (matched "*")
>> initialising GnuTLS as a client on fd 6
>> GnuTLS global init required.
>> initialising GnuTLS client session
>> Expanding various TLS configuration options for session credentials.
>> TLS: no client certificate specified; okay
>> GnuTLS<3>: ASSERT: ../../../lib/x509/common.c[_gnutls_x509_get_raw_field2]:1575
>> GnuTLS<3>: ASSERT: ../../../lib/x509/x509.c[gnutls_x509_crt_get_subject_unique_id]:3902
>> GnuTLS<3>: ASSERT: ../../../lib/x509/x509.c[gnutls_x509_crt_get_issuer_unique_id]:3952
>> GnuTLS<3>: ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:990
>> GnuTLS<3>: ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:990
>> GnuTLS<3>: ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:990
>> GnuTLS<3>: ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:990
>> Added 126 certificate authorities.
>> GnuTLS using default session cipher/priority "NORMAL"
>> GnuTLS<2>: added 6 protocols, 29 ciphersuites, 18 sig algos and 9 groups into priority list
>> Setting D-H prime minimum acceptable bits to 1024
>> 74.125.202.109 in tls_verify_hosts? no (option unset)
>> 74.125.202.109 in tls_try_verify_hosts? yes (matched "*")
>> 74.125.202.109 in tls_verify_cert_hostnames? yes (matched "*")
>> TLS: server cert verification includes hostname: "smtp.gmail.com".
>> TLS: server certificate verification optional.
>> TLS: will request OCSP stapling
>> about to gnutls_handshake
>> GnuTLS<2>: Keeping ciphersuite 13.02 (GNUTLS_AES_256_GCM_SHA384)
>> GnuTLS<2>: Keeping ciphersuite 13.03 (GNUTLS_CHACHA20_POLY1305_SHA256)
>> GnuTLS<2>: Keeping ciphersuite 13.01 (GNUTLS_AES_128_GCM_SHA256)
>> GnuTLS<2>: Keeping ciphersuite 13.04 (GNUTLS_AES_128_CCM_SHA256)
>> GnuTLS<2>: Keeping ciphersuite c0.2c (GNUTLS_ECDHE_ECDSA_AES_256_GCM_SHA384)
>> GnuTLS<2>: Keeping ciphersuite cc.a9 (GNUTLS_ECDHE_ECDSA_CHACHA20_POLY1305)
>> GnuTLS<2>: Keeping ciphersuite c0.ad (GNUTLS_ECDHE_ECDSA_AES_256_CCM)
>> GnuTLS<2>: Keeping ciphersuite c0.0a (GNUTLS_ECDHE_ECDSA_AES_256_CBC_SHA1)
>> GnuTLS<2>: Keeping ciphersuite c0.2b (GNUTLS_ECDHE_ECDSA_AES_128_GCM_SHA256)
>> GnuTLS<2>: Keeping ciphersuite c0.ac (GNUTLS_ECDHE_ECDSA_AES_128_CCM)
>> GnuTLS<2>: Keeping ciphersuite c0.09 (GNUTLS_ECDHE_ECDSA_AES_128_CBC_SHA1)
>> GnuTLS<2>: Keeping ciphersuite c0.30 (GNUTLS_ECDHE_RSA_AES_256_GCM_SHA384)
>> GnuTLS<2>: Keeping ciphersuite cc.a8 (GNUTLS_ECDHE_RSA_CHACHA20_POLY1305)
>> GnuTLS<2>: Keeping ciphersuite c0.14 (GNUTLS_ECDHE_RSA_AES_256_CBC_SHA1)
>> GnuTLS<2>: Keeping ciphersuite c0.2f (GNUTLS_ECDHE_RSA_AES_128_GCM_SHA256)
>> GnuTLS<2>: Keeping ciphersuite c0.13 (GNUTLS_ECDHE_RSA_AES_128_CBC_SHA1)
>> GnuTLS<2>: Keeping ciphersuite 00.9d (GNUTLS_RSA_AES_256_GCM_SHA384)
>> GnuTLS<2>: Keeping ciphersuite c0.9d (GNUTLS_RSA_AES_256_CCM)
>> GnuTLS<2>: Keeping ciphersuite 00.35 (GNUTLS_RSA_AES_256_CBC_SHA1)
>> GnuTLS<2>: Keeping ciphersuite 00.9c (GNUTLS_RSA_AES_128_GCM_SHA256)
>> GnuTLS<2>: Keeping ciphersuite c0.9c (GNUTLS_RSA_AES_128_CCM)
>> GnuTLS<2>: Keeping ciphersuite 00.2f (GNUTLS_RSA_AES_128_CBC_SHA1)
>> GnuTLS<2>: Keeping ciphersuite 00.9f (GNUTLS_DHE_RSA_AES_256_GCM_SHA384)
>> GnuTLS<2>: Keeping ciphersuite cc.aa (GNUTLS_DHE_RSA_CHACHA20_POLY1305)
>> GnuTLS<2>: Keeping ciphersuite c0.9f (GNUTLS_DHE_RSA_AES_256_CCM)
>> GnuTLS<2>: Keeping ciphersuite 00.39 (GNUTLS_DHE_RSA_AES_256_CBC_SHA1)
>> GnuTLS<2>: Keeping ciphersuite 00.9e (GNUTLS_DHE_RSA_AES_128_GCM_SHA256)
>> GnuTLS<2>: Keeping ciphersuite c0.9e (GNUTLS_DHE_RSA_AES_128_CCM)
>> GnuTLS<2>: Keeping ciphersuite 00.33 (GNUTLS_DHE_RSA_AES_128_CBC_SHA1)
>> GnuTLS<2>: Advertizing version 3.4
>> GnuTLS<2>: Advertizing version 3.3
>> GnuTLS<2>: Advertizing version 3.2
>> GnuTLS<2>: Advertizing version 3.1
>> GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1171
>> GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1162
>> GnuTLS<3>: ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1413
>> GnuTLS<2>: EXT[0x55e83ae8e7b0]: client generated X25519 shared key
>> GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1171
>> GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1171
>> GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1162
>> GnuTLS<3>: ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1431
>> GnuTLS<3>: ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1413
>> GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1171
>> GnuTLS<3>: ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1431
>> GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1171
>> GnuTLS<3>: ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1431
>> GnuTLS<3>: ASSERT: ../../lib/constate.c[_gnutls_epoch_get]:923
>> gnutls_handshake was successful
>> TLS: checking peer certificate
>> GnuTLS<3>: ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_parse_dn]:283
>> GnuTLS<3>: ASSERT: ../../lib/ocsp-api.c[gnutls_ocsp_status_request_get2]:99
>> GnuTLS<3>: ASSERT: ../../lib/ocsp-api.c[gnutls_ocsp_status_request_get2]:99
>> GnuTLS<3>: ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:990
>> GnuTLS<3>: ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:990
>> GnuTLS<3>: ASSERT: ../../../lib/x509/name_constraints.c[gnutls_x509_crt_get_name_constraints]:470
>> GnuTLS<3>: ASSERT: ../../../lib/x509/name_constraints.c[gnutls_x509_crt_get_name_constraints]:470
>> TLS certificate verified: peerdn="C=US,ST=California,L=Mountain View,O=Google LLC,CN=smtp.gmail.com"
>> GnuTLS<3>: ASSERT: ../../lib/ocsp-api.c[gnutls_ocsp_status_request_get2]:99
>> cipher: TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256
>> Have channel bindings cached for possible auth usage.
>> SMTP>> EHLO salt2.c.domain.internal
>> cmd buf flush 37 bytes
>> tls_write(0x7fff61d2b230, 37)
>> gnutls_record_send(SSL, 0x7fff61d2b230, 37)
>> outbytes=37
>> Calling gnutls_record_recv(0x55e83ae8e7b0, 0x7fff61d2a230, 4096)
>> GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1171
>> GnuTLS<3>: ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1431
>> GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1171
>> GnuTLS<3>: ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1431
>> GnuTLS<3>: ASSERT: ../../lib/record.c[_gnutls_recv_in_buffers]:1577
>> GnuTLS<3>: ASSERT: ../../lib/record.c[_gnutls_recv_int]:1775
>> read response data: size=221
>> SMTP<< 250-smtp.gmail.com at your service, [34.68.13.114]
>> 250-SIZE 35882577
>> 250-8BITMIME
>> 250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
>> 250-ENHANCEDSTATUSCODES
>> 250-PIPELINING
>> 250-CHUNKING
>> 250 SMTPUTF8
>> 74.125.202.109 in hosts_avoid_pipelining? no (option unset)
>
> By then, STARTTLS hasn't happened, I'm not sure why and it's not obvious (to me) from those logs.
Uh, I can see it. Look again:
> debian10 does:
>> 74.125.202.109 in hosts_avoid_esmtp? no (option unset)
>> SMTP>> EHLO salt2.c.domain.internal
>> cmd buf flush 37 bytes
>> read response data: size=168
>> SMTP<< 250-smtp.gmail.com at your service, [34.68.13.114]
>> 250-SIZE 35882577
>> 250-8BITMIME
>> 250-STARTTLS
>> 250-ENHANCEDSTATUSCODES
>> 250-PIPELINING
>> 250-CHUNKING
>> 250 SMTPUTF8
>> 74.125.202.109 in hosts_avoid_tls? no (option unset)
>> SMTP>> STARTTLS
... there.
--
Cheers,
Jeremy