Re: [exim] TLS session is required, but an attempt to start…

Author: Patrick Porteous
Date:  
To: exim-users
Subject: Re: [exim] TLS session is required, but an attempt to start TLS failed
Thanks for the assistance with this issue.  As it turns out I had added
hosts_avoid_tls = *.example.com to the remote_smtp transport when
this domain would only accept clear text connections some time ago.  It
had been so long ago that I forgot that the entry had been added.  The
exim -bt user@??? command revealed the transport which helped me
track down the entry.  I commented out the hosts_avoid_tls config and
everything is back to normal.  Appreciate the assistance and as always
am glad to learn more about Exim.

-Patrick

On 10/18/2022 8:56 AM, Cyborg via Exim-users wrote:
> Am 18.10.22 um 14:58 schrieb Patrick Porteous via Exim-users:
>> I've recently started receiving the following message in my log files
>> when sending to one host:
>>
>> 2022-10-18 07:12:45 H=example.com [###.###.###.199]: a TLS session is
>> required, but an attempt to start TLS failed
>> 2022-10-18 07:12:45 H=example.com [###.###.###.196]: a TLS session is
>> required, but an attempt to start TLS failed
>> 2022-10-18 07:12:45 H=example.com [###.###.###.198]: a TLS session is
>> required, but an attempt to start TLS failed
>> 2022-10-18 07:12:46 H=example.com [###.###.###.197]: a TLS session is
>> required, but an attempt to start TLS failed
>> 2022-10-18 07:12:46 H=example.com [###.###.###.194]: a TLS session is
>> required, but an attempt to start TLS failed
>> 2022-10-18 07:12:46 someuser@??? R=dnslookup T=remote_smtp
>> defer (-38) H=example.com [###.###.###.194]: a TLS session is
>> required, but an attempt to start TLS failed
>>
>> The error is causing email addressed to this host to hang in my queue
>> and then fail to be delivered after the time out period. My
>> exim.config is set up with the following options enabled:
>>
> That's exactly what should happen: if you enforce TLS and the other
> side can't offer it, it fails.
>
> You used:
>
> hosts_require_tls = ....
> tls_tempfail_tryclear = false
>
> in your transport . Ergo, it fails, if it's not possible. And I go
> 10:1 whatever is used in:
>
> tls_require_ciphers = ...
>
> is not being offered in the external mail server's TLS offer, i.e. because
> it's a misconfigured Exchange server.
>
> To not block your queue, you can do this:
>
> begin retry
> # Address or Domain    Error       Retries
> # -----------------    -----       -------
>
> *                      refused
> *                      quota
> *                      tls_required
> *                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h
>
> which instantly sends a delivery-message to the sender, if TLS fails.
>
> best regards,
> Marius
>
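The triage the thread arrives at by hand (read the defers out of the mainlog, run exim -bt on the address to learn the transport, then look at that transport's TLS options for a stale hosts_avoid_tls sitting next to hosts_require_tls) as an added POSIX shell script. This is an example written for this page, not code from the thread or from the Exim project. It assumes a Debian-style mainlog path, exim in PATH, and the "router = ..., transport = ..." line shape of exim -bt and the "name = value" / "no_name" line shape of exim -bP transport; the log-parsing part runs offline on the constructed lines shown in the usage note.

```sh
#!/bin/sh
# Added example, not from the original thread or the Exim project.
# Triage for Exim's "a TLS session is required, but an attempt to start
# TLS failed" defers:
#   1) list the peers the defer was logged for,
#   2) find the transport Exim would use for the address (exim -bt),
#   3) dump that transport's TLS-related options (exim -bP transport),
#      so a forgotten hosts_avoid_tls next to hosts_require_tls shows up.
# Assumed: the mainlog path below, exim in PATH, and the output shapes of
# "exim -bt" and "exim -bP transport" that the sed/grep patterns expect.

EXIM_MAINLOG="${EXIM_MAINLOG:-/var/log/exim4/mainlog}"   # assumed Debian-style path

# Print "host ip", once per peer, for every TLS-required defer found in the
# log file given as $1 (stdin if omitted). Both the bare "H=host [ip]: ..."
# lines and the per-recipient "... defer (-38) H=host [ip]: ..." lines match.
tls_defer_hosts() {
    grep -F 'a TLS session is required, but an attempt to start TLS failed' "${1:--}" \
      | sed -n 's/.*H=\([^ ]*\) \[\([^]]*\)\].*/\1 \2/p' \
      | sort -u
}

# Name of the transport "exim -bt" reports for an address. Assumed line
# shape: "  router = dnslookup, transport = remote_smtp".
address_transport() {
    exim -bt "$1" | sed -n 's/.*transport = \([^ ,]*\).*/\1/p' | head -n 1
}

# Options of transport $1 that decide whether TLS is tried, required or
# avoided, and whether a cleartext retry happens after a TLS failure.
# Booleans are assumed to be printed as "name" or "no_name", hence the
# optional no_ prefix.
transport_tls_settings() {
    exim -bP transport "$1" \
      | grep -E '^(no_)?(hosts_require_tls|hosts_avoid_tls|hosts_try_tls|tls_tempfail_tryclear|tls_require_ciphers)'
}

# Usage: sh tls_defer_triage.sh someuser@example.com
if [ $# -gt 0 ]; then
    echo "Peers with TLS-required defers in $EXIM_MAINLOG:"
    tls_defer_hosts "$EXIM_MAINLOG"
    t=$(address_transport "$1")
    echo "Transport for $1: ${t:-unknown}"
    if [ -n "$t" ]; then
        echo "TLS-related options of transport $t:"
        transport_tls_settings "$t"
    fi
fi
```

Run it with the recipient address that is deferring. If the transport dump shows both a hosts_require_tls entry and a hosts_avoid_tls pattern that matches the peer, the second one wins the decision not to start TLS and the first one then refuses the cleartext session, which is exactly the combination the original poster found; the same dump also shows whether tls_tempfail_tryclear is off, i.e. whether a cleartext fallback is even allowed. Fed two constructed log lines for the same host on two IPs plus one unrelated delivery line, tls_defer_hosts prints the two "host ip" pairs and nothing else.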