Re: [exim] SSL_renegotiate:wrong ssl version
On Sat, Sep 10, 2022 at 01:59:50PM +0200, Cyborg via Exim-users wrote:

> 250 HELP
> HELO smtp.example.com
> 250 smtp.target.de Hello smtp.example.com [83.246.32.110]
> MAIL FROM:
> 250 OK
> RCPT TO:
> RENEGOTIATING
> 140149325708800:error:1420410A:SSL routines:SSL_renegotiate:wrong ssl
> version:ssl/ssl_lib.c:2143:

Your mistake is to expect a default invocation of s_client(1) to provide a "transparent" channel. This is not the case, instead s_client(1) interprets certain input lines specially (from 1.1.1 manpage):

    CONNECTED COMMANDS

    If a connection is established with an SSL server then any data
    received from the server is displayed and any key presses will be
    sent to the server. If end of file is reached then the connection
    will be closed down. When used interactively (which means neither
    -quiet nor -ign_eof have been given), then certain commands are also
    recognized which perform special operations. These commands are a
    letter which must appear at the start of a line. They are listed
    below.

    Q   End the current SSL connection and exit.

    R   Renegotiate the SSL session (TLSv1.2 and below only).

    B   Send a heartbeat message to the server (DTLS only)

    k   Send a key update message to the server (TLSv1.3 only)

    K   Send a key update message to the server and request one back
        (TLSv1.3 only)

Speaking of "case", one simple way to work around these is to issue all SMTP commands in lower case.

    rcpt to: ...
    quit

rather than:

    RCPT TO: ...
    QUIT

Or use the "ign_eof" and/or the "-quiet" option.

--
    Viktor.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
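Added example, not part of the message above: a small shell model of the connected-commands rule quoted from the 1.1.1 manpage, run over the SMTP commands from this thread (QUIT is added as constructed input). The function names are hypothetical, and the model assumes that a line s_client intercepts is consumed rather than forwarded to the server.

```shell
#!/bin/sh
# Added example: models the CONNECTED COMMANDS rules from the manpage excerpt.
# Assumption: an intercepted line is consumed by s_client, not sent as SMTP.

# s_client_action MODE PROTO LINE   (hypothetical helper)
#   MODE:  interactive, or quiet / ign_eof when -quiet or -ign_eof was given
#   PROTO: negotiated protocol as s_client reports it (TLSv1.2, TLSv1.3, ...)
s_client_action() {
    mode=$1; proto=$2; line=$3
    # Command letters are recognised only in interactive mode.
    [ "$mode" = interactive ] || { echo "sent"; return 0; }
    case $line in
        Q*) echo "Q: end connection and exit" ;;
        R*) case $proto in
                TLSv1.3) echo "R: renegotiate, fails (TLSv1.2 and below only)" ;;
                *)       echo "R: renegotiate" ;;
            esac ;;
        B*) echo "B: heartbeat (DTLS only)" ;;
        k*|K*) echo "k/K: key update (TLSv1.3 only)" ;;
        *)  echo "sent" ;;
    esac
}

# screen_session MODE PROTO < script   (hypothetical helper)
# Prints one "LINENO<TAB>LINE<TAB>ACTION" row per intercepted input line.
screen_session() {
    n=0
    while IFS= read -r l || [ -n "$l" ]; do
        n=$((n + 1))
        a=$(s_client_action "$1" "$2" "$l")
        [ "$a" = sent ] || printf '%s\t%s\t%s\n' "$n" "$l" "$a"
    done
}

# Constructed input: the commands typed in this thread, plus a closing QUIT.
SESSION='HELO smtp.example.com
MAIL FROM:
RCPT TO:
QUIT'

# As typed in the thread: RCPT and QUIT are intercepted.
printf '%s\n' "$SESSION" | screen_session interactive TLSv1.3
# Lower-case workaround: nothing is intercepted.
printf '%s\n' "$SESSION" | tr 'A-Z' 'a-z' | screen_session interactive TLSv1.3
# With -quiet (or -ign_eof): nothing is intercepted.
printf '%s\n' "$SESSION" | screen_session quiet TLSv1.3
```

Lower-casing does not help for a line that starts with `k`, which is itself a command letter; running with -quiet or -ign_eof covers every case.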
Re: [exim] SSL_renegotiate:wrong ssl version
On 10/09/2022 12:59, Cyborg via Exim-users wrote:

> Verify return code: 21 (unable to verify the first certificate)

> b) fails

^^ These words return plenty of hits from my usual search engine.

Exactly what trust-anchors and intermediates do both your exim and your s_client know about?

--
Cheers,
  Jeremy
[exim] SSL_renegotiate:wrong ssl version
Hi,

I discovered a renegotiation problem between openssl s_client and exim (same openssl).

This is what Exim 4.96 Release 2 Fedora 35 logged:

2022-09-10 13:47:18 unexpected disconnection while reading SMTP command from (d111.x-mailer.de) [83.246.32.110] D=13s
2022-09-10 13:48:14 unexpected disconnection while reading SMTP command from (d111.x-mailer.de) [83.246.32.110] D=16s
2022-09-10 13:51:25 unexpected disconnection while reading SMTP command from (d111.x-mailer.de) [83.246.32.110] D=12s

And this happened on the client side:

# openssl s_client -connect me.target.de:25 -starttls smtp
CONNECTED(0003)
...lots of SSL INFOS
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2858 bytes and written 438 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
250 HELP
HELO smtp.example.com
250 smtp.target.de Hello smtp.example.com [83.246.32.110]
MAIL FROM:
250 OK
RCPT TO:
RENEGOTIATING
140149325708800:error:1420410A:SSL routines:SSL_renegotiate:wrong ssl version:ssl/ssl_lib.c:2143:

I tried it 3 times, every time with the same result, an exact renegotiation after RCPT TO.

The certificate is fine, openssl does not seem to be able to verify because it doesn't know which domain name it should have, as no hint was given to openssl s_client.

Any ideas why this renegotiation is:

a) started at all
b) fails

and

c) on how to counter this?

best regards,
Marius
Re: [exim] malfunctioning email delivery after upgrade to Exim 4.96
On 04/09/2022 22:09, Ján Lalinský via Exim-users wrote:

> ==r...@xyz.com R=xxx (-36): host lookup for did not complete (DNS timeout?)
>
> There is no problem with DNS resolution of the relevant domains on those MX servers whatsoever, judging by using dig and host command in shell.

But judging by the error from Exim, there is. Assuming that this name-resolution should have used DNS, of course.

> no immediate delivery: more than 10 messages received in one connection

That's not an error, only informative. See the main config option smtp_accept_queue_per_connection.

> We tried settings
>
> smtp_accept_max_per_connection = 100
> smtp_accept_queue_per_connection = 100
>
> in exim.conf, but to no avail.

Then your daemon is not running that configuration. Did you restart it, after that edit?

--
Cheers,
  Jeremy