Re: [exim] exim.org still incorrectly configured

Top Page
Delete this message
Reply to this message
Author: Heiko Schlittermann
Date:  
To: exim-users
Subject: Re: [exim] exim.org still incorrectly configured
Adam D. Barratt via Exim-users <exim-users@???> (Sa 16 Okt 2021 17:43:57 CEST):
> >
> > This hh.schlittermann.de runs the latest Exim, and probaby sends you
> > an SNI your server for some reason doesn't accept?
>
> FWIW, I've also seen two of these, at 23:53:41UTC yesterday and
> 11:08:41UTC today. The server in question is running Debian's 4.92-
> 8+deb10u6 exim4-daemon-heavy package and has "tls_sni" set in the log
> selector.
>
> The log entries for the second failed connection are:
>
> 2021-10-16 11:08:40 SMTP connection from [213.128.132.49] (TCP/IP connection count = 1)
> 2021-10-16 11:08:41 TLS error on connection from hh.schlittermann.de [213.128.132.49] (gnutls_handshake): A disallowed SNI server name has been received.
> 2021-10-16 11:08:41 SMTP connection from hh.schlittermann.de [213.128.132.49] closed by EOF
> 2021-10-16 11:08:41 no MAIL in SMTP connection from hh.schlittermann.de [213.128.132.49] D=0s C=EHLO,STARTTLS
>
> The same server has received 21 successful connections from
> hh.schlittermann.de in the past couple of days.


Interesting. Can you tell *what* SNI the server hh sent?
That's what the hh server uses as the transport:

    remote_smtp:
      driver = smtp
      tls_sni = $host
      dnssec_request_domains = *
      hosts_try_dane = *
      hosts_require_dane = +require_dane
      hosts_try_fastopen =


So, it sends you *your* hostname as an SNI.

--
Heiko