Thanks for the assistance with this issue. As it turns out I had added
hosts_avoid_tls = *.example.com to the remote_smtp transport when
this domain would only accept clear text connections some time ago. It
had been so long ago that I forgot that the entry had been added. The
exim -bt u...@example.com command revealed the transport which helped me
track down the entry. I commented out the hosts_avoid_tls config and
everything is back to normal. Appreciate the assistance and as always
am glad to learn more about Exim.
-Patrick
On 10/18/2022 8:56 AM, Cyborg via Exim-users wrote:
On 18.10.22 at 14:58, Patrick Porteous via Exim-users wrote:
I've recently started receiving the following message in my log files
when sending to one host:
2022-10-18 07:12:45 H=example.com [###.###.###.199]: a TLS session is
required, but an attempt to start TLS failed
2022-10-18 07:12:45 H=example.com [###.###.###.196]: a TLS session is
required, but an attempt to start TLS failed
2022-10-18 07:12:45 H=example.com [###.###.###.198]: a TLS session is
required, but an attempt to start TLS failed
2022-10-18 07:12:46 H=example.com [###.###.###.197]: a TLS session is
required, but an attempt to start TLS failed
2022-10-18 07:12:46 H=example.com [###.###.###.194]: a TLS session is
required, but an attempt to start TLS failed
2022-10-18 07:12:46 someu...@example.com R=dnslookup T=remote_smtp
defer (-38) H=example.com [###.###.###.194]: a TLS session is
required, but an attempt to start TLS failed
The error is causing email addressed to this host to hang in my queue
and then fail to be delivered after the timeout period. My
exim.config is set up with the following options enabled:
That's exactly what should happen: if you enforce TLS and the other
side can't offer it, it fails.
You used:
hosts_require_tls = ....
tls_tempfail_tryclear = false
in your transport. Ergo, it fails if it's not possible. And I go
10:1 that whatever is used in:
tls_require_ciphers = ...
is not being offered in the external mail server's TLS offer, i.e. because
it's a misconfigured Exchange server.
To not block your queue, you can do this:
begin retry
# Address or Domain    Error          Retries
# -----------------    -----          -------
*                      refused
*                      quota
*                      tls_required
*                      *              F,2h,15m; G,16h,1h,1.5; F,4d,6h
which instantly sends a delivery message to the sender if TLS fails.
best regards,
Marius
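As an added example (mine, not from the thread or from Exim's own source) of how the retry section suggested above behaves: a small Python model of Exim's first-match rule selection, simplified (assumption) to plain wildcard domain patterns with no lookups or local-part syntax. It shows that a matched rule with no retry times fails the address at once, and that a catch-all "* *" line placed first would hide the tls_required line.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the retry section suggested in the reply above.
RETRY_SECTION = """\
# Address or Domain    Error          Retries
# -----------------    -----          -------
*                      refused
*                      quota
*                      tls_required
*                      *              F,2h,15m; G,16h,1h,1.5; F,4d,6h
"""

@dataclass
class RetryRule:
    pattern: str         # domain pattern; "*" matches every domain
    errors: List[str]    # error names; ["*"] matches every error
    schedule: List[str]  # retry rules; empty means fail the address at once

def parse_retry_section(text: str) -> List[RetryRule]:
    """Parse one rule per line: <pattern> <errors> [<schedule>].
    Simplified model (assumption): no lookups, no '@' local-part syntax."""
    rules: List[RetryRule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 2)
        pattern, errors = parts[0], parts[1].split(",")
        schedule: List[str] = []
        if len(parts) == 3:
            schedule = [s.strip() for s in parts[2].split(";") if s.strip()]
        rules.append(RetryRule(pattern, errors, schedule))
    return rules

def retry_action(rules: List[RetryRule], domain: str, error: str) -> Optional[List[str]]:
    """First matching rule wins, as in Exim. Returns its schedule
    ([] = bounce immediately) or None when no rule matched."""
    for rule in rules:
        if fnmatch.fnmatchcase(domain, rule.pattern) and ("*" in rule.errors or error in rule.errors):
            return rule.schedule
    return None

def unreachable_rules(rules: List[RetryRule]) -> List[int]:
    """Indexes of rules hidden by an earlier rule with the same pattern and
    '*' errors; a '* *' line placed first would silence the tls_required line."""
    hidden: List[int] = []
    for i, rule in enumerate(rules):
        if any(e.pattern == rule.pattern and "*" in e.errors for e in rules[:i]):
            hidden.append(i)
    return hidden
```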
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/