Author: Patrick Porteous Date: To: exim-users Subject: Re: [exim] TLS session is required,
but an attempt to start TLS failed
Thanks for the assistance with this issue. As it turns out I had added
hosts_avoid_tls = *.example.com to the remote_smtp transport when
this domain would only accept clear-text connections some time ago. It
had been so long ago that I forgot that the entry had been added. The
exim -bt user@??? command revealed the transport, which helped me
track down the entry. I commented out the hosts_avoid_tls config and
everything is back to normal. Appreciate the assistance and, as always,
am glad to learn more about Exim.
-Patrick
On 10/18/2022 8:56 AM, Cyborg via Exim-users wrote:
> On 18.10.22 at 14:58, Patrick Porteous via Exim-users wrote:
>> I've recently started receiving the following message in my log files
>> when sending to one host:
>>
>> 2022-10-18 07:12:45 H=example.com [###.###.###.199]: a TLS session is
>> required, but an attempt to start TLS failed
>> 2022-10-18 07:12:45 H=example.com [###.###.###.196]: a TLS session is
>> required, but an attempt to start TLS failed
>> 2022-10-18 07:12:45 H=example.com [###.###.###.198]: a TLS session is
>> required, but an attempt to start TLS failed
>> 2022-10-18 07:12:46 H=example.com [###.###.###.197]: a TLS session is
>> required, but an attempt to start TLS failed
>> 2022-10-18 07:12:46 H=example.com [###.###.###.194]: a TLS session is
>> required, but an attempt to start TLS failed
>> 2022-10-18 07:12:46 someuser@??? R=dnslookup T=remote_smtp
>> defer (-38) H=example.com [###.###.###.194]: a TLS session is
>> required, but an attempt to start TLS failed
>>
>> The error is causing email addressed to this host to hang in my queue
>> and then fail to be delivered after the timeout period. My
>> exim.config is set up with the following options enabled:
>>
> That's exactly what should happen: if you enforce TLS and the other
> side can't offer it, it fails.
>
> You used:
>
> hosts_require_tls = ....
> tls_tempfail_tryclear = false
>
> in your transport. Ergo, it fails if it's not possible. And I go
> 10:1 that whatever is used in:
>
> tls_require_ciphers = ...
>
> is not being offered in the external mailserver's TLS offer, i.e. because
> it's a misconfigured Exchange server.
>
> To not block your queue, you can do this:
>
> begin retry
> # Address or Domain Error Retries
> # ----------------- ----- -------
>
> * refused
> * quota
> * tls_required
> * * F,2h,15m; G,16h,1h,1.5; F,4d,6h
>
> which instantly sends a delivery message to the sender if TLS fails.
>
> best regards,
> Marius
>
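The diagnosis in this thread came down to two smtp-transport host lists, hosts_require_tls and hosts_avoid_tls, both matching the same host. The script below is an added example, not code from the thread or from the Exim project: it matches the "a TLS session is required, but an attempt to start TLS failed" log lines quoted above, and for each deferred host reports which of the two lists applies, flagging the case where both do. Its host-list matcher is an assumed, simplified subset of Exim's syntax (plain host names, `*` and `*.domain` wildcards, `!` negation, `:` separator; no lookups, IP patterns or macros), and the log lines, IPs and transport settings are constructed.

```python
"""Added example (not from the thread or from Exim): match the quoted Exim log
lines and check which smtp-transport host lists apply to each deferred host.

Assumption: host_matches/host_in_list implement only a subset of Exim's host
list syntax (plain names, '*' and '*.domain' wildcards, '!' negation, ':'
separator). All sample data below is constructed."""
import re
from typing import Dict, List

# Log lines of the shape quoted in the thread; the optional leading part covers
# the per-recipient "defer" line that also names router and transport.
TLS_REQUIRED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?:(?P<addr>\S+) R=(?P<router>\S+) T=(?P<transport>\S+) defer \((?P<code>-?\d+)\) )?"
    r"H=(?P<host>\S+) \[(?P<ip>[^\]]+)\]: a TLS session is required, "
    r"but an attempt to start TLS failed$"
)


def host_matches(item: str, host: str) -> bool:
    """One host-list item against one host name (simplified semantics)."""
    item, host = item.lower(), host.lower()
    if item == "*":
        return True
    if item.startswith("*"):
        # '*.example.com' matches 'mx1.example.com' but not 'example.com' itself
        return host.endswith(item[1:])
    return host == item


def host_in_list(hostlist: str, host: str) -> bool:
    """Evaluate a colon-separated host list: the first matching item decides,
    a matching '!' item means 'not in list', and when nothing matches the result
    is the opposite of the last item's sign (as Exim documents for its lists)."""
    last_negated = False
    for raw in hostlist.split(":"):
        item = raw.strip()
        if not item:
            continue
        negated = item.startswith("!")
        if negated:
            item = item[1:].strip()
        last_negated = negated
        if host_matches(item, host):
            return not negated
    return last_negated


def analyse(log_lines: List[str], hosts_require_tls: str, hosts_avoid_tls: str) -> List[Dict]:
    """One finding per 'TLS session is required' line. A host matching both
    hosts_require_tls and hosts_avoid_tls is flagged as a conflict: that is the
    combination the thread traced this defer back to."""
    findings = []
    for line in log_lines:
        m = TLS_REQUIRED_RE.match(line)
        if not m:
            continue
        host = m.group("host")
        required = host_in_list(hosts_require_tls, host)
        avoided = host_in_list(hosts_avoid_tls, host)
        findings.append({
            "ts": m.group("ts"),
            "host": host,
            "ip": m.group("ip"),
            "transport": m.group("transport"),          # None on the per-host lines
            "defer_code": int(m.group("code")) if m.group("code") else None,
            "required": required,
            "avoided": avoided,
            "conflict": required and avoided,
        })
    return findings


# Constructed sample log, modelled on the thread's lines (documentation IPs).
SAMPLE_LOG = [
    "2022-10-18 07:12:45 H=mx1.example.com [192.0.2.199]: a TLS session is required, "
    "but an attempt to start TLS failed",
    "2022-10-18 07:12:46 someuser@example.net R=dnslookup T=remote_smtp defer (-38) "
    "H=mx1.example.com [192.0.2.194]: a TLS session is required, but an attempt to start TLS failed",
    "2022-10-18 07:13:00 H=mail.example.org [198.51.100.7]: a TLS session is required, "
    "but an attempt to start TLS failed",
    "2022-10-18 07:13:02 constructed-id => bob@example.org R=dnslookup T=remote_smtp "
    "H=mail.example.org [198.51.100.7] C=\"250 OK\"",
]
# Constructed transport settings: TLS required everywhere, one domain exempted
# (the forgotten hosts_avoid_tls entry from the top of the thread).
HOSTS_REQUIRE_TLS = "*"
HOSTS_AVOID_TLS = "*.example.com"

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG, HOSTS_REQUIRE_TLS, HOSTS_AVOID_TLS):
        state = "CONFLICT" if f["conflict"] else ("require_tls" if f["required"] else "unexpected")
        print(f"{f['ts']} {f['host']} [{f['ip']}] T={f['transport']} -> {state}")
```

Run against a real mainlog, the conflict flag points at the same thing `exim -bt` eventually revealed in the thread: a host that the transport is told both to require TLS for and never to start TLS with. The successful delivery line in the sample is deliberately included to show that only the defer lines are reported.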