https://bugs.exim.org/show_bug.cgi?id=2018
--- Comment #2 from Nenad Opsenica <[email protected]> ---

> What's the evidence for "proxy settings are not even checked"?

Excerpt from HAproxy log:

Jan 16 17:45:13 localhost haproxy[29817]: 10.9.27.240:57140 [16/Jan/2017:17:45:13.557] smtp bk_mail-starttls/mail2 6/0/12 0 SD 0/0/0/0/0 0/0

And debug information from exim when connection is being made to port 465 with SSL/TLS:

17:45:14 11748 Connection request from 10.9.4.12 port 60468
17:45:14 11748 interface address=10.9.4.25 port=465
17:45:14 11748 search_tidyup called
17:45:14 11748 1 SMTP accept process running
17:45:14 11748 Listening...
17:45:14 11750 sender_fullhost = [10.9.4.12]
17:45:14 11750 sender_rcvhost = [10.9.4.12]
17:45:14 11750 Process 11750 is handling incoming connection from [10.9.4.12]
17:45:14 11750 host in host_lookup? yes (matched "*")
17:45:14 11750 looking up host name for 10.9.4.12
17:45:14 11750 DNS lookup of 12.4.9.10.in-addr.arpa (PTR) gave HOST_NOT_FOUND
17:45:14 11750 returning DNS_NOMATCH
17:45:14 11750 IP address lookup using gethostbyaddr()
17:45:14 11750 IP address lookup failed: h_errno=1
17:45:14 11750 LOG: host_lookup_failed MAIN
17:45:14 11750 no host name found for IP address 10.9.4.12
17:45:14 11750 sender_fullhost = [10.9.4.12]
17:45:14 11750 sender_rcvhost = [10.9.4.12]
17:45:14 11750 set_process_info: 11750 handling incoming connection from [10.9.4.12]
17:45:14 11750 openssl option, adding from 1100000: 1000000 (no_sslv2 +no_sslv3)
17:45:14 11750 openssl option, adding from 1100000: 2000000 (no_sslv3)
17:45:14 11750 setting SSL CTX options: 0x3100000
17:45:14 11750 Diffie-Hellman initialized from default with 2048-bit prime
17:45:14 11750 ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding "auto" with "prime256v1"
17:45:14 11750 ECDH: curve 'prime256v1'
17:45:14 11750 ECDH: enabled 'prime256v1' curve
17:45:14 11750 tls_certificate file /etc/pki/tls/certs/...DELETED_HERE.....
17:45:14 11750 tls_privatekey file /etc/pki/tls/certs/...DELETED_HERE.....
17:45:14 11750 Initialized TLS
17:45:14 11750 required ciphers: ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!MD5:!SRP:!PSK:!aDSS:!kECDH:!kDH:!SEED:!IDEA:!RC2:!RC4:!RC5:!CAMELLIA
17:45:14 11750 host in tls_verify_hosts? no (option unset)
17:45:14 11750 host in tls_try_verify_hosts? no (option unset)
17:45:14 11750 Calling SSL_accept
17:45:14 11750 SSL info: before/accept initialization
17:45:14 11750 SSL info: before/accept initialization
17:45:14 11750 SSL info: SSLv2/v3 read client hello A
17:45:14 11750 LOG: MAIN
17:45:14 11750 TLS error on connection from [10.9.4.12] (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
17:45:14 11750 LOG: MAIN
17:45:14 11750 TLS client disconnected cleanly (rejected our certificate?)
17:45:14 11750 search_tidyup called
17:45:14 11748 child 11750 ended: status=0x0
17:45:14 11748 normal exit, 0
17:45:14 11748 0 SMTP accept processes now running
17:45:14 11748 Listening...

The same setup works perfectly with StartTLS.

Function smtp_start_session() in smtp_in.c calls tls_server_start() before checking with check_proxy_protocol_host() if proxy protocol is used.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
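The ordering problem the comment describes can be reproduced without Exim or OpenSSL. The following added example (not Exim code and not from the bug report) models the two possible orders in a TLS-on-connect listener: handing the socket bytes to the TLS layer first, or consuming the PROXY protocol v1 header first and then passing the remainder to TLS. The PROXY line and the TLS record header are constructed sample bytes (addresses and ports copied from the HAproxy log line above); `tls_accept` is a stand-in for SSL_accept that only checks for a TLS handshake record, and `hosts_proxy_match` stands in for the result of check_proxy_protocol_host(), both assumptions made for the example.

```python
import re

# Constructed sample of what arrives on the listening socket when HAproxy is
# configured with send-proxy: a PROXY protocol v1 line, then the client's TLS
# ClientHello record. The TLS bytes are a minimal constructed record header
# (type 0x16 = handshake, legacy version 3.1), not a real capture.
PROXY_V1_LINE = b"PROXY TCP4 10.9.27.240 10.9.4.25 57140 465\r\n"
TLS_RECORD_HEADER = bytes.fromhex("16030100")
CLIENT_HELLO_STREAM = PROXY_V1_LINE + TLS_RECORD_HEADER + b"\x05\x01\x00\x00\x01\x00"

# PROXY v1 header grammar: "PROXY " proto [src dst sport dport] CRLF, at most 107 bytes.
PROXY_V1_RE = re.compile(
    rb"^PROXY (TCP4|TCP6|UNKNOWN)(?: (\S+) (\S+) (\d{1,5}) (\d{1,5}))?\r\n")
PROXY_V1_MAX_LEN = 107


def strip_proxy_v1(stream: bytes):
    """Consume a PROXY v1 header if present. Returns (info_or_None, remaining_bytes).

    info carries proto plus src/dst address and port for TCP4/TCP6, or only proto
    for UNKNOWN. The header must terminate within the first 107 bytes; anything
    that does not parse is left untouched so the caller can treat it as raw data."""
    m = PROXY_V1_RE.match(stream[:PROXY_V1_MAX_LEN])
    if not m:
        return None, stream
    proto, src, dst, sport, dport = m.groups()
    info = {"proto": proto.decode()}
    if proto != b"UNKNOWN":
        if src is None:
            return None, stream  # TCP4/TCP6 without addresses is malformed
        info.update(src_addr=src.decode(), dst_addr=dst.decode(),
                    src_port=int(sport), dst_port=int(dport))
    return info, stream[m.end():]


def tls_accept(stream: bytes) -> str:
    """Stand-in for SSL_accept (assumption for this example): succeeds only when the
    first bytes form a TLS handshake record. Anything else, such as the ASCII
    'PROXY ' line, is reported the way OpenSSL does: 'unknown protocol'."""
    if len(stream) >= 2 and stream[0] == 0x16 and stream[1] == 0x03:
        return "handshake ok"
    return "unknown protocol"


def session_tls_then_proxy(stream: bytes):
    """Order described for smtp_start_session(): TLS is started on the raw socket
    before the proxy check runs, so the PROXY line is fed to the TLS parser and
    the proxy header is never consumed."""
    return tls_accept(stream), None


def session_proxy_then_tls(stream: bytes, hosts_proxy_match: bool):
    """Corrected order: if the peer is in hosts_proxy, consume the PROXY header
    first and record the real client endpoint, then hand the rest to TLS."""
    info = None
    if hosts_proxy_match:
        info, stream = strip_proxy_v1(stream)
    return tls_accept(stream), info


if __name__ == "__main__":
    print("TLS first :", session_tls_then_proxy(CLIENT_HELLO_STREAM))
    print("PROXY first:", session_proxy_then_tls(CLIENT_HELLO_STREAM, True))
```

With the proxy header consumed first, the TLS stand-in sees the handshake record and the logged peer becomes 10.9.27.240:57140 rather than the load balancer's address; with TLS first, the result is the same "unknown protocol" failure that appears in the Exim debug output, and the proxy check is never reached.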
