On 20.02.2017 18:12, l...@lena.kiev.ua wrote:
simplify it to the extreme - break off TLS


To start with, tls_require_ciphers

I removed it entirely (both client and server).
Now the grade dropped from "A" to "B-" on https://www.htbridge.com/ssl/
But if the failures stop, this parameter can be tuned afterwards.

Breaking off TLS is not even being considered ... :)

On one of the messages that had been frozen, I started delivery with debugging (exim -d -M msg_id).
Exim has no complaints about SSL:
...
  SMTP>> STARTTLS
cmd buf flush 10 bytes
read response data: size=29
  SMTP<< 220 2.0.0 SMTP server ready
openssl option, adding from 1100000: 800 (dont_insert_empty_fragments +no_sslv2 +no_sslv3)
openssl option, adding from 1100800: 1000000 (no_sslv2 +no_sslv3)
openssl option, adding from 1100800: 2000000 (no_sslv3)
setting SSL CTX options: 0x3100800
Diffie-Hellman initialized from default with 2048-bit prime
tls_certificate file /usr/local/etc/exim/cert/host.cer
tls_privatekey file /usr/local/etc/exim/cert/host.key
Initialized TLS
required ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
10.0.1.1 in tls_verify_hosts? no (option unset)
10.0.1.1 in tls_try_verify_hosts? no (end of list)
Calling SSL_connect
SSL info: before/connect initialization
SSL info: before/connect initialization
SSL info: SSLv2/v3 write client hello A
SSL info: SSLv3 read server hello A
SSL info: SSLv3 read server certificate A
SSL info: SSLv3 read server key exchange A
SSL info: SSLv3 read server certificate request A
SSL info: SSLv3 read server done A
SSL info: SSLv3 write client certificate A
SSL info: SSLv3 write client key exchange A
SSL info: SSLv3 write certificate verify A
SSL info: SSLv3 write change cipher spec A
SSL info: SSLv3 write finished A
SSL info: SSLv3 flush data
SSL info: SSLv3 read finished A
SSL info: SSL negotiation finished successfully
SSL info: SSL negotiation finished successfully
SSL_connect succeeded
Cipher: TLSv1.2:ECDHE-RSA-AES256-SHA384:256
...
Then the greeting, mail from, rcpt to, data ... - all OK.
...
  SMTP>> QUIT
cmd buf flush 6 bytes
tls_do_write(0x7fffffffa270, 6)
SSL_write(SSL, 0x7fffffffa270, 6)
outbytes=6 error=0
tls_close(): shutting down SSL
SSL info: SSL negotiation finished successfully
  SMTP(close)>>
...
Here it is unclear why it went back to processing the message:
...
Leaving exchange_transport transport
set_process_info: 15161 delivering 1cfpCE-0003uE-Qp (just run exchange_transport for user@domain, ... in subprocess)
search_tidyup called
header write id:S,subid:0,size:4,final:S000004
header write id:X,subid:1,size:105,final:X100105
reading pipe for subprocess 15161 (not ended)
... a bunch of complaints like:
DSN read: addr->dsn_aware = 1
header read id:A,subid:0,size:00214,required:221,remaining:4881,unfinished:0
header read id:X,subid:1,size:00105,required:112,remaining:4660,unfinished:0
header read id:X,subid:2,size:04389,required:4396,remaining:4548,unfinished:0
header read id:X,subid:3,size:02067,required:2074,remaining:152,unfinished:0
remote delivery process 15161 ended
set_process_info: 15154 delivering 1cfpCE-0003uE-Qp
post-process user@domain (1)
LOG: MAIN
== user@domain <user@domain> R=exchange_router_user T=exchange_transport defer (0) H=10.0.1.1 [10.0.1.1]: failed to read pipe from transport process 15161 for transport smtp: required size=2074 > remaining size=152 and unfinished=false
...

I see that nobody has run into this.
But if a solution is found, it may be useful to someone later.


--
Mikhail Golub

_______________________________________________
Exim-users mailing list
Exim-users@mailground.net
http://mailground.net/mailman/listinfo/exim-users
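An added example (not from this thread or from Exim itself) that parses the run-together "header read" records from the debug output above and checks the transport pipe byte accounting, which is how one can tell a short read from a corrupted header. It assumes the 7-byte item header inferred from the log itself (required is always size + 7, matching the 7-character "final:S000004" field in the header write lines).

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the four "header read" records from the post, run together on one line as shown there.
SAMPLE_DEBUG = (
    "header read id:A,subid:0,size:00214,required:221,remaining:4881,unfinished:0 "
    "header read id:X,subid:1,size:00105,required:112,remaining:4660,unfinished:0 "
    "header read id:X,subid:2,size:04389,required:4396,remaining:4548,unfinished:0 "
    "header read id:X,subid:3,size:02067,required:2074,remaining:152,unfinished:0\n"
)

# Assumed pipe item layout, inferred from the log: 7-byte header (id, subid, 5-digit size; cf. "final:S000004") + `size` payload bytes.
HEADER_LEN = 7

READ_RE = re.compile(
    r"header read id:(?P<id>\w),subid:(?P<subid>\d+),size:(?P<size>\d+),"
    r"required:(?P<required>\d+),remaining:(?P<remaining>\d+),unfinished:(?P<unfinished>\d)"
)

@dataclass
class HeaderRead:
    id: str
    subid: int
    size: int
    required: int
    remaining: int
    unfinished: bool

def parse_header_reads(text: str) -> List[HeaderRead]:
    """Extract every 'header read' record, whether on its own line or run together."""
    return [HeaderRead(m["id"], int(m["subid"]), int(m["size"]), int(m["required"]),
                       int(m["remaining"]), m["unfinished"] == "1")
            for m in READ_RE.finditer(text)]

def check_pipe_accounting(records: List[HeaderRead]) -> List[str]:
    """Return findings; an empty list means the pipe stream was read consistently."""
    findings = []
    for i, r in enumerate(records):
        if r.required != r.size + HEADER_LEN:   # header length assumption broken
            findings.append(f"record {i}: required {r.required} != size {r.size} + {HEADER_LEN}")
        if i > 0:                               # remaining must shrink by the previous item
            expected = records[i - 1].remaining - records[i - 1].required
            if r.remaining != expected:
                findings.append(f"record {i}: remaining {r.remaining}, expected {expected}")
        if r.required > r.remaining and not r.unfinished:  # the defer condition from the log
            findings.append(f"record {i} (id:{r.id},subid:{r.subid}): required size={r.required}"
                            f" > remaining size={r.remaining} and unfinished=false")
    return findings
```

On the post's numbers every remaining value chains correctly and only the last item (2074 bytes required, 152 remaining) is flagged, so the transport process ended while the parent was still owed 1922 bytes of that item.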
