Phil,

Thank you very kindly for your help.

I will look into the ciphers and gnutls_compat_mode per your direction.

Additionally, I found a workaround. I had originally (in 8.04 LTS) assigned tls_try_verify_hosts to *, thereby enabling it. However, I had never been able to get it to do what I had been trying to do at that time, which had been to require that only Outlook clients that had an approved certificate installed be able to send email via the exim server. I found that I may have misunderstood the purpose of tls_try_verify_hosts at that time anyway. However, although that had not worked, leaving tls_try_verify_hosts enabled had not seemed to do anything and therefore I had just left it enabled.

When trying to find the cause in this recent 9.10 install, I disabled tls_try_verify_hosts and found that after doing so I am able to receive the certificate from the server and can send encrypted email again.

After finding that worked, I searched on gnutls and tls_try_verify_hosts and found that some other folks have also been having trouble with this. In fact, I see that you contributed to that thread.

http://www.mail-archive.com/[email protected]/msg33756.html

It appears to me that something was done with tls_try_verify_hosts between the exim4 version in 8.04 LTS and 9.10. Thus for now I have it disabled.

Thank you again

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Phil Pennock
Sent: Sunday, May 02, 2010 2:32 PM
To: [email protected]
Cc: [email protected]
Subject: Re: [exim] Outlook failing gnutls_handshake after resetting up on ubuntu 9.10

On 2010-05-01 at 11:10 +0900, [email protected] wrote:
> Outlook 2007 produces the following error (not exact wording):
>
> Sending of test email message: does not support the encryption type supplied
> by the server. Please change the encryption method. Contact your
> administrator...

The encryption type is not connected directly to the certificate.
There's:
 * versions of SSL/TLS enabled
 * ciphersuites supported for the session

With OpenSSL, I'd say { openssl ciphers }. I don't know with GnuTLS that this command matches what Exim would see, but { gnutls-serv -l }. For instance, if on 8.04 that would include SSL2.0, but on 9.10 it reports:
  Protocols: SSL3.0, TLS1.0, TLS1.1, TLS1.2
then this might be your problem.

Separately, Exim 4.70 onwards has the option "gnutls_compat_mode", which makes the gnutls_session_enable_compatibility_mode() call into GnuTLS. I don't recall which clients that call exists for, but it might be worth turning on to experiment with. It weakens the security somewhat and I'm not in a position to state what the impact of the changes is.

I don't know what Outlook does and does not support, but hopefully this provides some help.

-Phil

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
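The comparison suggested in the quoted reply (what `gnutls-serv -l` reports on the old install versus the new one), as an added example that is not part of the original thread. The two capture files, their contents and the `Ciphers:` line are constructed for illustration; only the `Protocols: a, b, c` line shape comes from the message.

```shell
#!/bin/sh
# Compare two saved outputs of `gnutls-serv -l` and report what the newer
# build no longer offers. Assumes "Name: item, item, ..." lines.
LC_ALL=C; export LC_ALL

# list_items FILE CATEGORY: print the items of one category, one per line.
list_items() {
    awk -v want="$2" '
        index($0, want ":") == 1 {
            sub(/^[^:]*:[ \t]*/, "")      # drop the "Name:" label
            sub(/[ \t\r]+$/, "")          # drop trailing blanks / CR
            n = split($0, item, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) if (item[i] != "") print item[i]
        }' "$1" | sort -u
}

# dropped OLD NEW CATEGORY: items present in OLD but missing from NEW.
dropped() {
    tmp_old=$(mktemp) && tmp_new=$(mktemp) || return 1
    list_items "$1" "$3" > "$tmp_old"
    list_items "$2" "$3" > "$tmp_new"
    comm -23 "$tmp_old" "$tmp_new"
    rm -f "$tmp_old" "$tmp_new"
}

# Constructed sample captures (not real output from either release).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/old.txt" <<'EOF'
Protocols: SSL2.0, SSL3.0, TLS1.0, TLS1.1
Ciphers: AES-256-CBC, AES-128-CBC, 3DES-CBC, ARCFOUR-128, ARCFOUR-40
EOF
cat > "$SAMPLE_DIR/new.txt" <<'EOF'
Protocols: SSL3.0, TLS1.0, TLS1.1, TLS1.2
Ciphers: AES-256-CBC, AES-128-CBC, 3DES-CBC, ARCFOUR-128
EOF

for category in Protocols Ciphers; do
    echo "$category dropped by the newer build:"
    dropped "$SAMPLE_DIR/old.txt" "$SAMPLE_DIR/new.txt" "$category" | sed 's/^/  /'
done
```

To use it on real systems, save `gnutls-serv -l` from each host to a file and pass those two files to `dropped` in place of the samples.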
