[exim] TLS session is required, but an attempt to start TLS …

Author: Patrick Porteous
To: Exim-users
Subject: [exim] TLS session is required, but an attempt to start TLS failed
I've recently started receiving the following message in my log files
when sending to one host:

2022-10-18 07:12:45 H=example.com [###.###.###.199]: a TLS session is
required, but an attempt to start TLS failed
2022-10-18 07:12:45 H=example.com [###.###.###.196]: a TLS session is
required, but an attempt to start TLS failed
2022-10-18 07:12:45 H=example.com [###.###.###.198]: a TLS session is
required, but an attempt to start TLS failed
2022-10-18 07:12:46 H=example.com [###.###.###.197]: a TLS session is
required, but an attempt to start TLS failed
2022-10-18 07:12:46 H=example.com [###.###.###.194]: a TLS session is
required, but an attempt to start TLS failed
2022-10-18 07:12:46 someuser@??? R=dnslookup T=remote_smtp defer
(-38) H=example.com [###.###.###.194]: a TLS session is required, but an
attempt to start TLS failed

The error is causing email addressed to this host to hang in my queue
and then fail to be delivered after the timeout period. My exim.config
is set up with the following options enabled:

tls_advertise_hosts = *
tls_certificate = /usr/local/ssl/apache-selfsigned.crt
tls_privatekey = /usr/local/ssl/apache-selfsigned.key

The output from openssl s_client -connect example.com:25 -starttls smtp is:

CONNECTED(00000003)
depth=0 C = US, ST = State, L = My City, O = "My ORG", OU = IT, CN =
mail.example.com, emailAddress = myaddress@???
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = State, L = My City, O = "My ORG", OU = IT, CN =
mail.example.com, emailAddress = myaddress@???
verify return:1
---
Certificate chain
 0 s:/C=US/ST=State/L=My City/O=My
ORG/OU=IT/CN=mail.example.com/emailAddress=myaddress@???
   i:/C=US/ST=State/L=My City/O=My
ORG/OU=IT/CN=mail.example.com/emailAddress=myaddress@???
---
Server certificate
-----BEGIN CERTIFICATE-----
MY CERT DATA
-----END CERTIFICATE-----
subject=/C=US/ST=State/L=My City/O=My
ORG/OU=IT/CN=mail.example.com/emailAddress=myaddress@???
issuer=/C=US/ST=State/L=My City/O=My
ORG/OU=IT/CN=mail.example.com/emailAddress=myaddress@???
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1783 bytes and written 450 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
63CF1FE61EED74FBDBA1A3D8672533D0B9FB72737A05D24D59A5D22ECEFF71CD
    Session-ID-ctx:
    Master-Key: KEY#######
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1666097362
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
250 HELP

I can send mail to all other hosts except this host without receiving
the error and can receive from this host and all others without issue.
My question is whether there is a way to reconfigure the TLS on my Exim
server to get around this type of error on the receiving server?

Thanks for the help,

Patrick
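Added example (not part of the post, and not Exim project code): a small Python triage helper that counts the "TLS session is required" failures from Exim main log lines per destination host and MX address, collects the deferred recipients with their defer codes, and pulls the negotiated protocol, cipher and verify return code out of openssl s_client output so both sides of the problem can be compared in one place. The sample log and s_client excerpts are constructed from the post with addresses and IPs replaced by documentation values.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the Exim mainlog excerpt in the post
# (recipient addresses and IPs replaced with documentation values).
SAMPLE_LOG = """\
2022-10-18 07:12:45 H=example.com [192.0.2.199]: a TLS session is required, but an attempt to start TLS failed
2022-10-18 07:12:45 H=example.com [192.0.2.196]: a TLS session is required, but an attempt to start TLS failed
2022-10-18 07:12:46 H=example.com [192.0.2.194]: a TLS session is required, but an attempt to start TLS failed
2022-10-18 07:12:46 someuser@example.net R=dnslookup T=remote_smtp defer (-38) H=example.com [192.0.2.194]: a TLS session is required, but an attempt to start TLS failed
2022-10-18 07:13:00 1odABC-000123-AA => bob@other.example R=dnslookup T=remote_smtp H=mx.other.example [198.51.100.7] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256
"""

# Constructed excerpt of the openssl s_client output shown in the post.
SAMPLE_SCLIENT = """\
verify error:num=18:self signed certificate
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 18 (self signed certificate)
"""

TLS_FAIL = re.compile(
    r"^(?P<ts>\S+ \S+) (?:\w{6}-\w{6}-\w{2} )?"          # timestamp, optional message id
    r"(?:(?P<addr>\S+) R=\S+ T=\S+ defer \((?P<code>-?\d+)\) )?"  # present on the defer line
    r"H=(?P<host>\S+) \[(?P<ip>[^\]]+)\]: a TLS session is required, "
    r"but an attempt to start TLS failed$"
)

def summarize_tls_failures(log_text):
    """Count the failures per destination host and per MX address, and list the
    recipients whose delivery was deferred together with the Exim defer code."""
    summary = defaultdict(lambda: {"ips": defaultdict(int), "deferred": []})
    for line in log_text.splitlines():
        m = TLS_FAIL.match(line)
        if not m:
            continue  # successful deliveries (X=TLS...) and unrelated lines are skipped
        entry = summary[m["host"]]
        entry["ips"][m["ip"]] += 1
        if m["addr"]:
            entry["deferred"].append((m["addr"], int(m["code"])))
    return dict(summary)

def parse_sclient(output):
    """Extract protocol, cipher and verify return code from s_client output."""
    fields = {}
    for key, pat in (("protocol", r"Protocol\s*:\s*(\S+)"),
                     ("cipher", r"Cipher\s*:\s*(\S+)"),
                     ("verify_code", r"Verify return code:\s*(\d+)")):
        m = re.search(pat, output)
        fields[key] = m.group(1) if m else None
    if fields["verify_code"] is not None:
        fields["verify_code"] = int(fields["verify_code"])
    # OpenSSL codes 18/19 mean the peer's certificate (or its chain) is self-signed
    fields["self_signed"] = fields["verify_code"] in (18, 19)
    return fields
```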