Re: [exim] TLS session is required, but an attempt to start TLS failed

2022-10-18 Thread Patrick Porteous via Exim-users
Thanks for the assistance with this issue.  As it turns out I had added
hosts_avoid_tls = *.example.com to the remote_smtp transport when
this domain would only accept clear text connections some time ago.  It
had been so long ago that I forgot that the entry had been added.  The
exim -bt u...@example.com command revealed the transport which helped me
track down the entry.  I commented out the hosts_avoid_tls config and
everything is back to normal.  Appreciate the assistance and as always
am glad to learn more about Exim.


-Patrick


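Patrick's resolution above (a hosts_avoid_tls entry matching the destination while the transport also required TLS) is the kind of overlap that can be linted for; the following Python checker is an added example, not Exim's own code, and models only the host-list forms used in this thread (`*`, `*.domain`, exact names, `!` negation) for the three transport options the replies name. The hosts_require_tls value is elided in the thread, so `*` is assumed for it here.

```python
def host_matches(pattern, host):
    """One Exim host-list item, name patterns only (no IP patterns, lookups or '@' items):
    '*' matches every host, '*.example.com' matches names ending in '.example.com',
    anything else must equal the host name (case-insensitively)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    return host == pattern

def host_list_matches(host_list, host):
    """Colon-separated host list with '!' negation: the first matching item decides,
    and a list in which nothing matches is False (so an unset option never matches)."""
    for item in host_list.split(":"):
        item = item.strip()
        if not item:
            continue
        negate = item.startswith("!")
        if host_matches(item.lstrip("!").strip(), host):
            return not negate
    return False

def parse_transport(text):
    """Collect the 'option = value' lines of one transport block into a dict."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key.strip()] = value.strip()
    return opts

def tls_policy(transport, host):
    """Classify what the transport does for one destination host name."""
    require = host_list_matches(transport.get("hosts_require_tls", ""), host)
    avoid = host_list_matches(transport.get("hosts_avoid_tls", ""), host)
    tryclear = transport.get("tls_tempfail_tryclear", "true").lower() not in ("false", "no")
    if require and avoid:
        return "conflict"        # TLS demanded but STARTTLS never attempted: every delivery defers
    if require:
        return "require"         # TLS or defer; tls_tempfail_tryclear does not apply here
    if avoid:
        return "cleartext"       # STARTTLS is never attempted for this host
    return "tls-or-cleartext" if tryclear else "tls-or-defer"

# Constructed transport mirroring the thread; hosts_require_tls = * is an assumption.
BROKEN = """
remote_smtp:
  driver = smtp
  hosts_require_tls = *
  hosts_avoid_tls = *.example.com
  tls_tempfail_tryclear = false
"""
FIXED = BROKEN.replace("  hosts_avoid_tls", "# hosts_avoid_tls")  # the fix applied in the thread
```

Paste the transport that exim -bt names for the problem address into BROKEN and tls_policy() reports which branch applies to that host.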
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] raw mime_filename

2022-10-18 Thread Mikhail Golub via Exim-users

Exim version 4.95 #5 (FreeBSD 12.3) built 18-Oct-2022 13:42:33
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 
- 2020

Probably Berkeley DB version 1.8x (native mode)
Support for: crypteq iconv() use_setclassresources Expand_dlfunc OpenSSL 
TLS_resume Content_Scanning DKIM DMARC PIPE_CONNECT 
Experimental_Queue_Ramp SPF SRS TCP_Fast_Open Experimental_ARC
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm 
dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql passwd

Authenticators: plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/mbx autoreply pipe smtp


In exim config:
  warn condition = ${if def:mime_filename}
       logwrite  = TEST: $mime_filename


With this MIME part (UTF-8) everything is OK:

--hJ1w4fdd7nJgV1TgS95Plkir
Content-Type: text/plain; charset=UTF-8;
 name="=?UTF-8?B?0L/QtdGA0LXQstGW0YDQutCw0ZfSkS50eHQ=?="
Content-Disposition: attachment;
 filename*0*=UTF-8''%D0%BF%D0%B5%D1%80%D0%B5%D0%B2%D1%96%D1%80%D0%BA%D0%B0;
 filename*1*=%D1%97%D2%91%2E%74%78%74
Content-Transfer-Encoding: base64

ZGdkZmdkZg==

--hJ1w4fdd7nJgV1TgS95Plkir--


Exim running with debug:
pBj0VVcSTH1a84AUmONrMFYf
13:45:06 71378 MIME: found content-type: header, value is 'text/plain'
13:45:06 71378 MIME:   considering paramlist 
'charset=UTF-8;name="=?UTF-8?B?0L/QtdGA0LXQstGW0YDQutCw0ZfSkS50eHQ=?=";'
13:45:06 71378 MIME:  found charset= parameter in content-type: header, 
value 'UTF-8'
13:45:06 71378 MIME:   considering paramlist 
'name="=?UTF-8?B?0L/QtdGA0LXQstGW0YDQutCw0ZfSkS50eHQ=?=";'
13:45:06 71378 MIME:  found name= parameter in content-type: header, 
value 'перевіркаїґ.txt'
13:45:06 71378 MIME: found content-disposition: header, value is 
'attachment'
13:45:06 71378 MIME:   considering paramlist 
'filename*0*=UTF-8''%D0%BF%D0%B5%D1%80%D0%B5%D0%B2%D1%96%D1%80%D0%BA%D0%B0;filename*1*=%D1%97%D2%91%2E%74%78%74;'
13:45:06 71378 MIME:   considering paramlist 
'filename*1*=%D1%97%D2%91%2E%74%78%74;'
13:45:06 71378 MIME:  found filename parameter in content-disposition: 
header, value is 'перевіркаїґ.txt'
13:45:06 71378 MIME: found content-transfer-encoding: header, value is 
'base64'

13:45:06 71378 using ACL "acl_check_mime"
13:45:06 71378 processing "warn" (/usr/local/etc/exim/configure 358)
13:45:06 71378 check decode = default
13:45:06 71378 warn: condition test succeeded in ACL "acl_check_mime"
13:45:06 71378 processing "warn" (/usr/local/etc/exim/configure 362)
13:45:06 71378  ╭considering: ${if def:mime_filename}
13:45:06 71378  ├──condition: def:mime_filename
13:45:06 71378  ├─result: true
13:45:06 71378  ├──expanding: ${if def:mime_filename}
13:45:06 71378  ╰─result: true
13:45:06 71378 check condition = ${if def:mime_filename}
13:45:06 71378 = true
13:45:06 71378  ╭considering: TEST: $mime_filename
13:45:06 71378  ├──expanding: TEST: $mime_filename
13:45:06 71378  ╰─result: TEST: перевіркаїґ.txt
13:45:06 71378 ╰──(tainted)
13:45:06 71378 check logwrite = TEST: $mime_filename
13:45:06 71378= TEST: перевіркаїґ.txt
13:45:06 71378 LOG: MAIN
13:45:06 71378   TEST: перевіркаїґ.txt



I have a problem with this MIME part (windows-1251):
--0D414212928A8F055
Content-Type: text/plain; charset=windows-1251
Content-Transfer-Encoding: quoted-printable

=EF=E5=F0=E5=E2=B3=F0=EA=E0
--0D414212928A8F055
Content-Type: TEXT/PLAIN;
 name="=?windows-1251?Q?=EF=E5=F0=E5=E2=B3=F0=EA=E0=BF=B4=2Etxt?="
Content-transfer-encoding: base64
Content-Disposition: attachment;
 filename="=?windows-1251?Q?=EF=E5=F0=E5=E2=B3=F0=EA=E0=BF=B4=2Etxt?="

ZGdkZmdkZg==
--0D414212928A8F055--

Debug:
17:34:38 71940 MIME: Next part with boundary --0D414212928A8F055
17:34:38 71940 MIME: found content-type: header, value is 'text/plain'
17:34:38 71940 MIME:   considering paramlist 
'name="=?windows-1251?Q?=EF=E5=F0=E5=E2=B3=F0=EA=E0=BF=B4=2Etxt?=";'
17:34:38 71940 MIME:  found name= parameter in content-type: header, 
value '▒▒▒࿴.txt'
17:34:38 71940 MIME: found content-transfer-encoding: header, value is 
'base64'
17:34:38 71940 MIME: found content-disposition: header, value is 
'attachment'
17:34:38 71940 MIME:   considering paramlist 
'filename="=?windows-1251?Q?=EF=E5=F0=E5=E2=B3=F0=EA=E0=BF=B4=2Etxt?=";'
17:34:38 71940 MIME:  found filename= parameter in content-disposition: 
header, value '▒▒▒࿴.txt'
17:34:38 71940 MIME:  found filename parameter in content-disposition: 
header, value is '▒▒▒࿴.txt'

17:34:38 71940 using ACL "acl_check_mime"
17:34:38 71940 processing "warn" (/usr/local/etc/exim/configure 362)
17:34:38 71940  ╭considering: ${if def:mime_filename}
17:34:38 71940  ├──condition: def:mime_filename
17:34:38 71940  ├─result: true
17:34:38 71940  ├──expanding: ${if def:mime_filename}
17:34:38 71940  ╰─result: true
17:34:38 71940 check condition = ${if def:mime_filename}

Re: [exim] TLS session is required, but an attempt to start TLS failed

2022-10-18 Thread Cyborg via Exim-users

On 18.10.22 at 14:58, Patrick Porteous via Exim-users wrote:
I've recently started receiving the following message in my log files 
when sending to one host:


2022-10-18 07:12:45 H=example.com [###.###.###.199]: a TLS session is 
required, but an attempt to start TLS failed
2022-10-18 07:12:45 H=example.com [###.###.###.196]: a TLS session is 
required, but an attempt to start TLS failed
2022-10-18 07:12:45 H=example.com [###.###.###.198]: a TLS session is 
required, but an attempt to start TLS failed
2022-10-18 07:12:46 H=example.com [###.###.###.197]: a TLS session is 
required, but an attempt to start TLS failed
2022-10-18 07:12:46 H=example.com [###.###.###.194]: a TLS session is 
required, but an attempt to start TLS failed
2022-10-18 07:12:46 someu...@example.com R=dnslookup T=remote_smtp 
defer (-38) H=example.com [###.###.###.194]: a TLS session is 
required, but an attempt to start TLS failed


The error is causing email addressed to this host to hang in my queue 
and then fail to be delivered after the time out period.  My 
exim.config is set up with the following options enabled:


That's exactly what should happen: if you enforce TLS and the other side 
can't offer it, it fails.


You used:

hosts_require_tls = 
tls_tempfail_tryclear = false

in your transport. Ergo, it fails if it's not possible. And I bet 10:1 
that whatever is used in:


tls_require_ciphers = ...

is not being offered in the external mail server's TLS offer, i.e. because 
it's a misconfigured Exchange server.


To not block your queue, you can do this:

begin retry
# Address or Domain    Error          Retries
# -----------------    -----          -------

*                      refused
*                      quota
*                      tls_required
*                      *              F,2h,15m; G,16h,1h,1.5; F,4d,6h

which instantly sends a delivery failure message to the sender if TLS fails.

best regards,
Marius




Re: [exim] TLS session is required, but an attempt to start TLS failed

2022-10-18 Thread Heiko Schlittermann via Exim-users
Patrick Porteous via Exim-users (Tue 18 Oct 2022 14:58:49 CEST):
> I've recently started receiving the following message in my log files when
> sending to one host:
> 
> 2022-10-18 07:12:45 H=example.com [###.###.###.199]: a TLS session is
> required, but an attempt to start TLS failed
…
> 
> The error is causing email addressed to this host to hang in my queue and
> then fail to be delivered after the time out period.  My exim.config is
> set up with the following options enabled:
> 
> tls_advertise_hosts = *
> tls_certificate = /usr/local/ssl/apache-selfsigned.crt
> tls_privatekey = /usr/local/ssl/apache-selfsigned.key

This is for your Exim acting as a server, but I understand that you're
sending *to another* host, so it is irrelevant here.

> verify error:num=18:self signed certificate
… this can be an issue, depending on the TLS settings of your remote
transport.

Find the transport

  exim -bt 

and review the transport configuration (or share it with us).
Normally Exim should fall back to clear text communication if TLS isn't
possible, so I suspect you have some TLS-related transport settings.

-- 
Heiko




Re: [exim] raw mime_filename

2022-10-18 Thread Mikhail Golub via Exim-users

Developers, can you help me?

On 14.10.2022 18:03, Andrew C Aitchison wrote:

On Fri, 14 Oct 2022, Mikhail Golub via Exim-users wrote:


One more example.

In letter:
Content-Description: =?windows-1251?B?wvXu5F/C+/Xu5C54bHN4?=

In $mime_content_description:
=?windows-1251?b?wvxu5f/c+/xu5c54bhn4?=

Compare it:
=?windows-1251?B?wvXu5F/C+/Xu5C54bHN4?=
=?windows-1251?b?wvxu5f/c+/xu5c54bhn4?=


I have a script https://www.aitchison.me.uk/clearsubject.pl
piping the above through it gives:
--
In letter:
Content-Description: Вход_Выход.xlsx

In $mime_content_description:
ВьnеяЬыьnеОxnш

Compare it:
Вход_Выход.xlsx
ВьnеяЬыьnеОxnш
--

So $mime_content_description has not preserved the case of the encoded 
text, which means that the decoded version is wrong!




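For the two attachment parts quoted in the earlier message and the case-folding comparison above, here is an added Python check (not Exim's code) that decodes the file name the way a conforming reader should, so the value Exim puts in $mime_filename or $mime_content_description can be compared against a known-good decode. The MIME parts are constructed copies of those quoted in the thread, with bodies trimmed.

```python
import email
from email.header import decode_header

def decode_rfc2047(value):
    """Decode RFC 2047 encoded-words such as =?windows-1251?Q?...?= into text.
    Chunks that carry no encoded-word come back from decode_header as str and are kept."""
    out = []
    for chunk, charset in decode_header(value):
        if isinstance(chunk, bytes):
            out.append(chunk.decode(charset or "ascii", errors="replace"))
        else:
            out.append(chunk)
    return "".join(out)

def mime_filename(part_source):
    """Return the decoded attachment file name of one MIME part, or None.
    get_filename() reassembles and decodes RFC 2231 continuations (filename*0*=UTF-8''...)
    and falls back to the Content-Type name= parameter; an RFC 2047 encoded-word inside a
    plain filename="..." is left alone by it, so decode_rfc2047() handles that afterwards."""
    msg = email.message_from_string(part_source)
    raw = msg.get_filename()
    return None if raw is None else decode_rfc2047(raw)

# Constructed copy of the UTF-8 part (RFC 2231 parameter continuations).
PART_UTF8_RFC2231 = """\
Content-Type: text/plain; charset=UTF-8;
 name="=?UTF-8?B?0L/QtdGA0LXQstGW0YDQutCw0ZfSkS50eHQ=?="
Content-Disposition: attachment;
 filename*0*=UTF-8''%D0%BF%D0%B5%D1%80%D0%B5%D0%B2%D1%96%D1%80%D0%BA%D0%B0;
 filename*1*=%D1%97%D2%91%2E%74%78%74
Content-Transfer-Encoding: base64

ZGdkZmdkZg==
"""

# Constructed copy of the windows-1251 part (RFC 2047 encoded-word in filename=).
PART_CP1251_RFC2047 = """\
Content-Type: TEXT/PLAIN;
 name="=?windows-1251?Q?=EF=E5=F0=E5=E2=B3=F0=EA=E0=BF=B4=2Etxt?="
Content-transfer-encoding: base64
Content-Disposition: attachment;
 filename="=?windows-1251?Q?=EF=E5=F0=E5=E2=B3=F0=EA=E0=BF=B4=2Etxt?="

ZGdkZmdkZg==
"""

# The Content-Description encoded-word from the follow-up, and the case-folded copy
# that was observed in $mime_content_description.
ENCODED_WORD = "=?windows-1251?B?wvXu5F/C+/Xu5C54bHN4?="
LOWERCASED = ENCODED_WORD.lower()

if __name__ == "__main__":
    print(mime_filename(PART_UTF8_RFC2231), mime_filename(PART_CP1251_RFC2047))
    print(decode_rfc2047(ENCODED_WORD), repr(decode_rfc2047(LOWERCASED)))
```

Both parts decode to the same name; lower-casing a B-encoded word changes the base64 alphabet and so corrupts the decoded bytes, which is the effect shown in the comparison above.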


Re: [exim] TLS session is required, but an attempt to start TLS failed

2022-10-18 Thread Jeremy Harris via Exim-users

On 18/10/2022 13:58, Patrick Porteous via Exim-users wrote:

I've recently started receiving the following message in my log files when 
sending to one host:

2022-10-18 07:12:45 H=example.com [###.###.###.199]: a TLS session is required, 
but an attempt to start TLS failed
2022-10-18 07:12:45 H=example.com [###.###.###.196]: a TLS session is required, 
but an attempt to start TLS failed
2022-10-18 07:12:45 H=example.com [###.###.###.198]: a TLS session is required, 
but an attempt to start TLS failed
2022-10-18 07:12:46 H=example.com [###.###.###.197]: a TLS session is required, 
but an attempt to start TLS failed
2022-10-18 07:12:46 H=example.com [###.###.###.194]: a TLS session is required, 
but an attempt to start TLS failed
2022-10-18 07:12:46 someu...@example.com R=dnslookup T=remote_smtp defer (-38) 
H=example.com [###.###.###.194]: a TLS session is required, but an attempt to 
start TLS failed


This is your Exim trying to send to some other host?


  My exim.config is set up with the following options enabled:

tls_advertise_hosts = *
tls_certificate = /usr/local/ssl/apache-selfsigned.crt
tls_privatekey = /usr/local/ssl/apache-selfsigned.key


Those are for connections inbound to your host, hence not relevant.

Look at your transport configuration.
--
Cheers,
  Jeremy




[exim] TLS session is required, but an attempt to start TLS failed

2022-10-18 Thread Patrick Porteous via Exim-users
I've recently started receiving the following message in my log files 
when sending to one host:


2022-10-18 07:12:45 H=example.com [###.###.###.199]: a TLS session is 
required, but an attempt to start TLS failed
2022-10-18 07:12:45 H=example.com [###.###.###.196]: a TLS session is 
required, but an attempt to start TLS failed
2022-10-18 07:12:45 H=example.com [###.###.###.198]: a TLS session is 
required, but an attempt to start TLS failed
2022-10-18 07:12:46 H=example.com [###.###.###.197]: a TLS session is 
required, but an attempt to start TLS failed
2022-10-18 07:12:46 H=example.com [###.###.###.194]: a TLS session is 
required, but an attempt to start TLS failed
2022-10-18 07:12:46 someu...@example.com R=dnslookup T=remote_smtp defer 
(-38) H=example.com [###.###.###.194]: a TLS session is required, but an 
attempt to start TLS failed


The error is causing email addressed to this host to hang in my queue 
and then fail to be delivered after the time out period.  My exim.config 
is set up with the following options enabled:


tls_advertise_hosts = *
tls_certificate = /usr/local/ssl/apache-selfsigned.crt
tls_privatekey = /usr/local/ssl/apache-selfsigned.key

The output from openssl s_client -connect example.com:25 -starttls smtp is:

CONNECTED(0003)
depth=0 C = US, ST = State, L = My City, O = "My ORG", OU = IT, CN = 
mail.example.com, emailAddress = myaddr...@example.com

verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = State, L = My City, O = "My ORG", OU = IT, CN = 
mail.example.com, emailAddress = myaddr...@example.com

verify return:1
---
Certificate chain
 0 s:/C=US/ST=State/L=My City/O=My 
ORG/OU=IT/CN=mail.example.com/emailAddress=myaddr...@example.com
   i:/C=US/ST=State/L=My City/O=My 
ORG/OU=IT/CN=mail.example.com/emailAddress=myaddr...@example.com

---
Server certificate
-BEGIN CERTIFICATE-
MY CERT DATA
-END CERTIFICATE-
subject=/C=US/ST=State/L=My City/O=My 
ORG/OU=IT/CN=mail.example.com/emailAddress=myaddr...@example.com
issuer=/C=US/ST=State/L=My City/O=My 
ORG/OU=IT/CN=mail.example.com/emailAddress=myaddr...@example.com

---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1783 bytes and written 450 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 
63CF1FE61EED74FBDBA1A3D8672533D0B9FB72737A05D24D59A5D22ECEFF71CD

    Session-ID-ctx:
    Master-Key: KEY###
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1666097362
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
250 HELP

I can send mail to all other hosts except this host without receiving 
the error and can receive from this host and all others without issue.  
My question is if there is a way to reconfigure the TLS on my Exim 
server to get around this type of error on the receiving server?


Thanks for the help,

Patrick


