Thanks for the assistance with this issue. As it turns out, I had added hosts_avoid_tls = *.example.com to the remote_smtp transport some time ago, when this domain would only accept clear-text connections. It had been so long ago that I forgot that the entry had been added. The exim -bt u...@example.com command revealed the transport, which helped me track down the entry. I commented out the hosts_avoid_tls config and everything is back to normal. Appreciate the assistance, and as always I am glad to learn more about Exim.

-Patrick

On 10/18/2022 8:56 AM, Cyborg via Exim-users wrote:
On 18.10.22 at 14:58, Patrick Porteous via Exim-users wrote:
I've recently started receiving the following message in my log files when sending to one host:

2022-10-18 07:12:45 H=example.com [###.###.###.199]: a TLS session is required, but an attempt to start TLS failed
2022-10-18 07:12:45 H=example.com [###.###.###.196]: a TLS session is required, but an attempt to start TLS failed
2022-10-18 07:12:45 H=example.com [###.###.###.198]: a TLS session is required, but an attempt to start TLS failed
2022-10-18 07:12:46 H=example.com [###.###.###.197]: a TLS session is required, but an attempt to start TLS failed
2022-10-18 07:12:46 H=example.com [###.###.###.194]: a TLS session is required, but an attempt to start TLS failed
2022-10-18 07:12:46 someu...@example.com R=dnslookup T=remote_smtp defer (-38) H=example.com [###.###.###.194]: a TLS session is required, but an attempt to start TLS failed

The error is causing email addressed to this host to hang in my queue and then fail to be delivered after the timeout period. My exim.config is set up with the following options enabled:

That's exactly what should happen: if you enforce TLS and the other side can't offer it, it fails.

You used:

hosts_require_tls = ....
tls_tempfail_tryclear = false

in your transport. Ergo, it fails if it's not possible. And I'd bet 10:1 that whatever is used in:

tls_require_ciphers = ...

is not being offered in the external mail server's TLS offer, i.e. because it's a misconfigured Exchange server.

To not block your queue, you can do this:

begin retry
# Address or Domain    Error       Retries
# -----------------    -----       -------

*                      refused
*                      quota
*                      tls_required
*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h

which instantly sends a delivery failure message to the sender if TLS fails.

best regards,
Marius

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
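The two things discussed in this thread, put side by side as an added illustration (this is not configuration from either poster or from the Exim project): a transport where a stale hosts_avoid_tls entry collides with hosts_require_tls for the same domain, the same transport with the entry removed, and Marius's retry rule that turns the TLS failure into an immediate bounce instead of a four-day queue wait. The transport names, the *.example.com host pattern and the retry timings are placeholders chosen for the example.

```exim
# Added illustration, not from the mailing-list thread.  Names, host
# patterns and timings are placeholders.

begin transports

# BEFORE: the situation Patrick describes.  hosts_avoid_tls matches the
# same hosts that hosts_require_tls covers, so Exim never issues STARTTLS
# to them; the require-TLS check then sees no TLS session and the
# delivery defers with
#   "a TLS session is required, but an attempt to start TLS failed".
# tls_tempfail_tryclear = false removes the only fallback to clear text.
remote_smtp_stale:
  driver = smtp
  hosts_require_tls = *.example.com
  hosts_avoid_tls = *.example.com       # stale entry from the clear-text-only days
  tls_tempfail_tryclear = false

# AFTER: the avoid-list entry is gone, so STARTTLS is attempted and,
# because the host is still in hosts_require_tls, TLS remains mandatory.
remote_smtp:
  driver = smtp
  hosts_require_tls = *.example.com
  # hosts_avoid_tls = *.example.com     # removed: the domain accepts TLS now
  tls_tempfail_tryclear = false

begin retry
# Address or Domain    Error       Retries
# -----------------    -----       -------
# Exim uses the first matching rule.  A rule with an empty Retries field
# means "do not retry": the address fails at once and the sender gets a
# bounce instead of the message sitting in the queue until the last retry
# window (4 days below) runs out.  Keep it above the catch-all rule.
*                      tls_required
*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h
```

To see which transport a recipient actually ends up in, `exim -bt user@example.com` prints the router and transport chosen for that address, as Patrick used; `exim -bP transport remote_smtp` then dumps that transport's effective option values, which is the quickest way to spot a forgotten hosts_avoid_tls or a tls_require_ciphers setting the remote side cannot satisfy.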
