On Friday 22 February 2013 15:29:56 Warren Baker wrote:
> Hi All,
>
> Has anyone noticed a problem with exim-4.80.01+OpenSSL 1.0.1e
> (installed from FreeBSD ports) and it delivering to remote hosts using
> TLS?
> Some remote hosts do work. Debugging shows that SSL negotiation
> finished successfully but straight after that it is logged that the
> remote closed the connection in response to MAIL FROM:<>
> Disabling TLS fixes the problem or reverting to OpenSSL 0.9.8q (part
> of base in FreeBSD 8.2) fixes the problem.
>
> Anyone have suggestions on the best way to debug this to determine if
> it's an OpenSSL or an Exim problem?
>
> Below is an example of one remote host with a non-working and a working
> version:
>
> 14:28:57 95534 Connecting to maile.printspots.com [216.16.225.134]:25 ... connected
> 14:28:58 95534 expanding: $primary_hostname
> 14:28:58 95534 result: mx1.percol8.co.za
> 14:28:58 95534 waiting for data on socket
> 14:28:58 95534 read response data: size=121
> 14:28:58 95534 SMTP<< 220 at-5000.VFPRINT.NET Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at Fri, 22 Feb 2013 07:28:58 -0500
> 14:28:58 95534 216.16.225.134 in hosts_avoid_esmtp? no (option unset)
> 14:28:58 95534 SMTP>> EHLO mx1.percol8.co.za
> 14:28:58 95534 waiting for data on socket
> 14:28:58 95534 read response data: size=334
> 14:28:58 95534 SMTP<< 250-at-5000.VFPRINT.NET Hello [41.79.180.20]
> 14:28:58 95534 250-TURN
> 14:28:58 95534 250-SIZE
> 14:28:58 95534 250-ETRN
> 14:28:58 95534 250-PIPELINING
> 14:28:58 95534 250-DSN
> 14:28:58 95534 250-ENHANCEDSTATUSCODES
> 14:28:58 95534 250-8bitmime
> 14:28:58 95534 250-BINARYMIME
> 14:28:58 95534 250-CHUNKING
> 14:28:58 95534 250-VRFY
> 14:28:58 95534 250-TLS
> 14:28:58 95534 250-STARTTLS
> 14:28:58 95534 250-X-EXPS GSSAPI NTLM LOGIN
> 14:28:58 95534 250-X-EXPS=LOGIN
> 14:28:58 95534 250-AUTH GSSAPI NTLM LOGIN
> 14:28:58 95534 250-AUTH=LOGIN
> 14:28:58 95534 250-X-LINK2STATE
> 14:28:58 95534 250-XEXCH50
> 14:28:58 95534 250 OK
> 14:28:58 95534 216.16.225.134 in hosts_avoid_tls? no (option unset)
> 14:28:58 95534 SMTP>> STARTTLS
> 14:28:58 95534 waiting for data on socket
> 14:28:59 95534 read response data: size=29
> 14:28:59 95534 SMTP<< 220 2.0.0 SMTP server ready
> 14:28:59 95534 setting SSL CTX options: 0x1000000
> 14:28:59 95534 Diffie-Hellman initialized from default with 2048-bit prime
> 14:28:59 95534 Initialized TLS
> 14:28:59 95534 Calling SSL_connect
> 14:28:59 95534 SSL info: before/connect initialization
> 14:28:59 95534 SSL info: before/connect initialization
> 14:28:59 95534 SSL info: SSLv2/v3 write client hello A
> 14:28:59 95534 SSL info: SSLv3 read server hello A
> 14:28:59 95534 SSL info: SSLv3 read server certificate A
> 14:28:59 95534 SSL info: SSLv3 read server done A
> 14:28:59 95534 SSL info: SSLv3 write client key exchange A
> 14:28:59 95534 SSL info: SSLv3 write change cipher spec A
> 14:28:59 95534 SSL info: SSLv3 write finished A
> 14:28:59 95534 SSL info: SSLv3 flush data
> 14:28:59 95534 SSL info: SSLv3 read finished A
> 14:28:59 95534 SSL info: SSL negotiation finished successfully
> 14:28:59 95534 SSL info: SSL negotiation finished successfully
> 14:28:59 95534 SSL_connect succeeded
> 14:28:59 95534 Cipher: TLSv1:DES-CBC3-SHA:168
> 14:28:59 95534 SMTP>> EHLO mx1.percol8.co.za
> 14:28:59 95534 tls_do_write(0x7fffffffca80, 24)
> 14:28:59 95534 SSL_write(SSL, 0x7fffffffca80, 24)
> 14:28:59 95534 outbytes=24 error=0
> 14:28:59 95534 waiting for data on socket
> 14:28:59 95534 Calling SSL_read(0x801c0e800, 0x7fffffffaa80, 4096)
> 14:28:59 95534 read response data: size=311
> 14:28:59 95534 SMTP<< 250-at-5000.VFPRINT.NET Hello [41.79.180.20]
> 14:28:59 95534 250-TURN
> 14:28:59 95534 250-SIZE
> 14:28:59 95534 250-ETRN
> 14:28:59 95534 250-PIPELINING
> 14:28:59 95534 250-DSN
> 14:28:59 95534 250-ENHANCEDSTATUSCODES
> 14:28:59 95534 250-8bitmime
> 14:28:59 95534 250-BINARYMIME
> 14:28:59 95534 250-CHUNKING
> 14:28:59 95534 250-VRFY
> 14:28:59 95534 250-X-EXPS GSSAPI NTLM LOGIN
> 14:28:59 95534 250-X-EXPS=LOGIN
> 14:28:59 95534 250-AUTH GSSAPI NTLM LOGIN
> 14:28:59 95534 250-AUTH=LOGIN
> 14:28:59 95534 250-X-LINK2STATE
> 14:28:59 95534 250-XEXCH50
> 14:28:59 95534 250 OK
> 14:28:59 95534 216.16.225.134 in hosts_avoid_pipelining? yes (matched "*")
> 14:28:59 95534 not using PIPELINING
> 14:28:59 95534 216.16.225.134 in hosts_require_auth? no (option unset)
> 14:28:59 95534 216.16.225.134 in hosts_try_auth? no (option unset)
> 14:28:59 95534 SMTP>> MAIL FROM:<[email protected]> SIZE=16250
> 14:28:59 95534 tls_do_write(0x7fffffffca80, 59)
> 14:28:59 95534 SSL_write(SSL, 0x7fffffffca80, 59)
> 14:28:59 95534 outbytes=59 error=0
> 14:28:59 95534 waiting for data on socket
> 14:28:59 95534 Calling SSL_read(0x801c0e800, 0x7fffffffaa80, 4096)
> 14:29:00 95534 SSL info: SSL negotiation finished successfully
> 14:29:00 95534 ok=0 send_quit=0 send_rset=1 continue_more=0 yield=1 first_address is not NULL
> 14:29:00 95534 tls_close(): shutting down SSL
> 14:29:00 95534 SSL info: SSL negotiation finished successfully
> 14:29:00 95534 LOG: MAIN
> 14:29:00 95534 Remote host maile.printspots.com [216.16.225.134] closed connection in response to MAIL FROM:<[email protected]> SIZE=16250
>
> as opposed to the working version to the same remote host:
>
> Connecting to maile.printspots.com [216.16.225.134]:25 ... connected
> waiting for data on socket
> read response data: size=121
> SMTP<< 220 at-5000.VFPRINT.NET Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at Fri, 22 Feb 2013 08:01:14 -0500
> 216.16.225.134 in hosts_avoid_esmtp? no (option unset)
> SMTP>> EHLO mx1.percol8.co.za
> waiting for data on socket
> read response data: size=334
> SMTP<< 250-at-5000.VFPRINT.NET Hello [41.79.180.20]
> 250-TURN
> 250-SIZE
> 250-ETRN
> 250-PIPELINING
> 250-DSN
> 250-ENHANCEDSTATUSCODES
> 250-8bitmime
> 250-BINARYMIME
> 250-CHUNKING
> 250-VRFY
> 250-TLS
> 250-STARTTLS
> 250-X-EXPS GSSAPI NTLM LOGIN
> 250-X-EXPS=LOGIN
> 250-AUTH GSSAPI NTLM LOGIN
> 250-AUTH=LOGIN
> 250-X-LINK2STATE
> 250-XEXCH50
> 250 OK
> 216.16.225.134 in hosts_avoid_tls? no (option unset)
> SMTP>> STARTTLS
> waiting for data on socket
> read response data: size=29
> SMTP<< 220 2.0.0 SMTP server ready
> setting SSL CTX options: 0x1000000
> Diffie-Hellman initialized from default with 2048-bit prime
> Initialized TLS
> Calling SSL_connect
> SSL info: before/connect initialization
> SSL info: before/connect initialization
> SSL info: SSLv2/v3 write client hello A
> SSL info: SSLv3 read server hello A
> SSL info: SSLv3 read server certificate A
> SSL info: SSLv3 read server done A
> SSL info: SSLv3 write client key exchange A
> SSL info: SSLv3 write change cipher spec A
> SSL info: SSLv3 write finished A
> SSL info: SSLv3 flush data
> SSL info: SSLv3 read finished A
> SSL info: SSL negotiation finished successfully
> SSL info: SSL negotiation finished successfully
> SSL_connect succeeded
> Cipher: TLSv1:RC4-MD5:128
> SMTP>> EHLO mx1.percol8.co.za
> tls_do_write(0x7fffffffc8c0, 24)
> SSL_write(SSL, 0x7fffffffc8c0, 24)
> outbytes=24 error=0
> waiting for data on socket
> Calling SSL_read(0x801c84000, 0x7fffffffa8c0, 4096)
> read response data: size=311
> SMTP<< 250-at-5000.VFPRINT.NET Hello [41.79.180.20]
> 250-TURN
> 250-SIZE
> 250-ETRN
> 250-PIPELINING
> 250-DSN
> 250-ENHANCEDSTATUSCODES
> 250-8bitmime
> 250-BINARYMIME
> 250-CHUNKING
> 250-VRFY
> 250-X-EXPS GSSAPI NTLM LOGIN
> 250-X-EXPS=LOGIN
> 250-AUTH GSSAPI NTLM LOGIN
> 250-AUTH=LOGIN
> 250-X-LINK2STATE
> 250-XEXCH50
> 250 OK
> 216.16.225.134 in hosts_avoid_pipelining? yes (matched "*")
> not using PIPELINING
> 216.16.225.134 in hosts_require_auth? no (option unset)
> 216.16.225.134 in hosts_try_auth? no (option unset)
> SMTP>> MAIL FROM:<[email protected]> SIZE=16250
> tls_do_write(0x7fffffffc8c0, 59)
> SSL_write(SSL, 0x7fffffffc8c0, 59)
> outbytes=59 error=0
> waiting for data on socket
> Calling SSL_read(0x801c84000, 0x7fffffffa8c0, 4096)
> read response data: size=59
> SMTP<< 250 2.1.0 [email protected] OK
>
> thanks
This may be a cipher issue as they are different in your two examples.

Non Working
14:28:59 95534 Cipher: TLSv1:DES-CBC3-SHA:168

Working
Cipher: TLSv1:RC4-MD5:128

You could try the tls_require_ciphers option as per chapter 41 of the excellent exim manual.
http://exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html

A list of supported ciphers can be found with 'openssl ciphers'.

Alan

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
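The comparison Alan makes by eye (which cipher each session negotiated, and what happened to the first command after STARTTLS) is easy to automate when you have many such transcripts to sort through. The script below is an added example for this thread, not Exim's code and not from either poster. It parses only the line shapes visible in the quoted debug output, and its two sample transcripts are trimmed copies of the two sessions in the original post with the redacted sender address replaced by a placeholder; the list of "legacy" cipher name tags is a constructed heuristic, not an OpenSSL policy.

```python
"""Triage Exim outbound-delivery debug transcripts for STARTTLS problems.

Added example for this thread; not Exim's code and not from the original
posters. It understands only the line shapes seen in the quoted output:
an optional "HH:MM:SS pid" prefix, "SMTP>>"/"SMTP<<" lines, the
"Cipher: proto:name:bits" line, and the "Remote host ... closed
connection in response to ..." log line.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

PREFIX = re.compile(r"^(?:\d{2}:\d{2}:\d{2} \d+ )?")     # timestamp and pid, if present
CIPHER = re.compile(r"^Cipher: ([^:]+):([^:]+):(\d+)$")  # e.g. Cipher: TLSv1:DES-CBC3-SHA:168
SENT = re.compile(r"^SMTP>> (.*)$")
RECV = re.compile(r"^SMTP<< (\d{3})[ -]")                 # first line of a reply only
CLOSED = re.compile(r"^Remote host .* closed connection in response to (MAIL FROM|RCPT TO|[A-Z]+)")
VERB = re.compile(r"(MAIL FROM|RCPT TO|[A-Z]+)")

# Constructed heuristic: name tags of suites a current policy retires.
# Both DES-CBC3-SHA (3DES) and RC4-MD5 from the thread match.
LEGACY = ("RC4", "DES", "MD5", "NULL", "EXP")


@dataclass
class Session:
    protocol: Optional[str] = None
    cipher: Optional[str] = None
    bits: int = 0
    commands: list = field(default_factory=list)  # [verb, reply code or None], in order sent
    outcome: str = "incomplete"                   # "accepted" | "remote_closed" | "incomplete"
    failed_on: Optional[str] = None               # verb the remote dropped the connection on


def legacy_cipher(name: str) -> bool:
    return any(tag in name.upper() for tag in LEGACY)


def parse_session(text: str) -> Session:
    s = Session()
    pending = None  # verb of the last command still waiting for a reply
    for raw in text.splitlines():
        line = PREFIX.sub("", raw.strip())
        if m := CIPHER.match(line):
            s.protocol, s.cipher, s.bits = m.group(1), m.group(2), int(m.group(3))
        elif m := SENT.match(line):
            vm = VERB.match(m.group(1))
            pending = vm.group(1) if vm else m.group(1).split()[0]
            s.commands.append([pending, None])
        elif (m := RECV.match(line)) and pending is not None:
            code = int(m.group(1))
            s.commands[-1][1] = code
            if pending == "MAIL FROM" and 200 <= code < 300:
                s.outcome = "accepted"
            pending = None
        elif m := CLOSED.match(line):
            s.outcome = "remote_closed"
            s.failed_on = m.group(1)
    return s


def triage(label: str, s: Session) -> str:
    tls = f"{s.protocol} {s.cipher} ({s.bits} bits)" if s.cipher else "no TLS negotiated"
    flag = " [legacy cipher]" if s.cipher and legacy_cipher(s.cipher) else ""
    if s.outcome == "remote_closed":
        return f"{label}: {tls}{flag}; remote closed the connection after {s.failed_on}"
    if s.outcome == "accepted":
        return f"{label}: {tls}{flag}; MAIL FROM accepted"
    return f"{label}: {tls}{flag}; session incomplete"


# Trimmed from the non-working session in the post; sender address is a placeholder.
FAILING = """\
14:28:58 95534 SMTP>> EHLO mx1.percol8.co.za
14:28:58 95534 SMTP<< 250-at-5000.VFPRINT.NET Hello [41.79.180.20]
14:28:58 95534 250-STARTTLS
14:28:58 95534 250 OK
14:28:58 95534 SMTP>> STARTTLS
14:28:59 95534 SMTP<< 220 2.0.0 SMTP server ready
14:28:59 95534 SSL_connect succeeded
14:28:59 95534 Cipher: TLSv1:DES-CBC3-SHA:168
14:28:59 95534 SMTP>> EHLO mx1.percol8.co.za
14:28:59 95534 SMTP<< 250-at-5000.VFPRINT.NET Hello [41.79.180.20]
14:28:59 95534 250 OK
14:28:59 95534 SMTP>> MAIL FROM:<sender@example.invalid> SIZE=16250
14:29:00 95534 tls_close(): shutting down SSL
14:29:00 95534 LOG: MAIN
14:29:00 95534 Remote host maile.printspots.com [216.16.225.134] closed connection in response to MAIL FROM:<sender@example.invalid> SIZE=16250
"""

# Trimmed from the working session in the post (no timestamp/pid prefix there).
WORKING = """\
SMTP>> EHLO mx1.percol8.co.za
SMTP<< 250-at-5000.VFPRINT.NET Hello [41.79.180.20]
250 OK
SMTP>> STARTTLS
SMTP<< 220 2.0.0 SMTP server ready
SSL_connect succeeded
Cipher: TLSv1:RC4-MD5:128
SMTP>> EHLO mx1.percol8.co.za
SMTP<< 250-at-5000.VFPRINT.NET Hello [41.79.180.20]
250 OK
SMTP>> MAIL FROM:<sender@example.invalid> SIZE=16250
SMTP<< 250 2.1.0 sender@example.invalid OK
"""

if __name__ == "__main__":
    for label, text in (("non-working", FAILING), ("working", WORKING)):
        print(triage(label, parse_session(text)))
```

Run against the two transcripts it reports the 3DES session as dropped after MAIL FROM and the RC4 session as accepted, and flags both suites as legacy. That second point is the caveat a defender wants alongside Alan's suggestion: pinning tls_require_ciphers so that a host like this one negotiates RC4-MD5 again is an interoperability workaround for one peer, not a security improvement, so keep any such setting scoped to that host rather than applied to every delivery.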
