Re: [exim] TLS session is required, but an attempt to start…

Author: Cyborg
Date:  
To: exim-users
Subject: Re: [exim] TLS session is required, but an attempt to start TLS failed
On 18.10.22 at 14:58, Patrick Porteous via Exim-users wrote:
> I've recently started receiving the following message in my log files
> when sending to one host:
>
> 2022-10-18 07:12:45 H=example.com [###.###.###.199]: a TLS session is
> required, but an attempt to start TLS failed
> 2022-10-18 07:12:45 H=example.com [###.###.###.196]: a TLS session is
> required, but an attempt to start TLS failed
> 2022-10-18 07:12:45 H=example.com [###.###.###.198]: a TLS session is
> required, but an attempt to start TLS failed
> 2022-10-18 07:12:46 H=example.com [###.###.###.197]: a TLS session is
> required, but an attempt to start TLS failed
> 2022-10-18 07:12:46 H=example.com [###.###.###.194]: a TLS session is
> required, but an attempt to start TLS failed
> 2022-10-18 07:12:46 someuser@??? R=dnslookup T=remote_smtp
> defer (-38) H=example.com [###.###.###.194]: a TLS session is
> required, but an attempt to start TLS failed
>
> The error is causing email addressed to this host to hang in my queue
> and then fail to be delivered after the timeout period.  My
> exim.config is set up with the following options enabled:
>

That's exactly what should happen: if you enforce TLS and the other side
can't offer it, it fails.

You used:

hosts_require_tls = ....
tls_tempfail_tryclear = false

in your transport. Ergo, it fails if it's not possible. And I bet 10:1
that whatever is used in:

tls_require_ciphers = ...

is not being offered in the external mailserver's TLS offer, i.e. because
it's a misconfigured Exchange server.

To not block your queue, you can do this:

begin retry
# Address or Domain    Error       Retries
# -----------------    -----       -------

*                      refused
*                      quota
*                      tls_required
*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h

which instantly sends a delivery message to the sender if TLS fails.

best regards,
Marius
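To see what that retry section actually does, here is an added Python model (my own illustration, not Exim's code) that parses the quoted rules, decides whether a given error is retried or failed at once, and computes a simplified retry schedule; the domain `example.com` and the error name `timeout` used for comparison are assumed examples.

```python
import re

# Constructed copy of the retry section quoted in the reply above.
RETRY_CONFIG = """
begin retry
# Address or Domain    Error       Retries
*                      refused
*                      quota
*                      tls_required
*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_time(tok):
    """Exim time spec such as '15m' or '1h30m' -> seconds."""
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([smhdw])", tok))

def parse_retry(text):
    """Return (pattern, error, rule_text) triples; rule_text is '' when absent."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line == "begin retry":
            continue
        parts = line.split(None, 2)
        rules.append((parts[0], parts[1], parts[2] if len(parts) > 2 else ""))
    return rules

def find_rule(rules, domain, error):
    """First rule whose pattern and error match; only '*' and exact names are modelled."""
    for pattern, err, rule_text in rules:
        if pattern in ("*", domain) and err in ("*", error):
            return rule_text
    return None  # no matching rule at all

def will_retry(rules, domain, error):
    """A matching rule with no retry times means Exim fails the address at once."""
    return bool(find_rule(rules, domain, error))

def retry_schedule(rule_text):
    """Simplified model: retry offsets (seconds after first failure) for a rule list.
    F,<cutoff>,<interval> retries at a fixed interval until the cutoff;
    G,<cutoff>,<interval>,<factor> multiplies the interval after each attempt."""
    times, now = [], 0
    for item in rule_text.split(";"):
        f = [x.strip() for x in item.split(",")]
        cutoff, interval = parse_time(f[1]), parse_time(f[2])
        factor = float(f[3]) if f[0] == "G" else 1.0
        while now + interval <= cutoff:
            now += interval
            times.append(now)
            interval = int(interval * factor)
    return times

if __name__ == "__main__":
    rules = parse_retry(RETRY_CONFIG)
    for err in ("tls_required", "timeout"):
        print(err, "retried" if will_retry(rules, "example.com", err) else "failed at once")
```

Running it shows `tls_required` failing at once while a plain `timeout` keeps the message in the queue for up to four days, which is the queue behaviour the original poster described before adding the `tls_required` line.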