Re: [exim] TLS session is required, but an attempt to start TLS failed
Thanks for the assistance with this issue. As it turns out I had added hosts_avoid_tls = *.example.com to the remote_smtp transport when this domain would only accept clear-text connections some time ago. It had been so long ago that I forgot that the entry had been added. The exim -bt u...@example.com command revealed the transport, which helped me track down the entry. I commented out the hosts_avoid_tls config and everything is back to normal. Appreciate the assistance and, as always, am glad to learn more about Exim.

-Patrick

On 10/18/2022 8:56 AM, Cyborg via Exim-users wrote:
> On 18.10.22 at 14:58, Patrick Porteous via Exim-users wrote:
>> I've recently started receiving the following message in my log files when sending to one host:
>>
>>     2022-10-18 07:12:45 H=example.com [###.###.###.199]: a TLS session is required, but an attempt to start TLS failed
>>     2022-10-18 07:12:45 H=example.com [###.###.###.196]: a TLS session is required, but an attempt to start TLS failed
>>     2022-10-18 07:12:45 H=example.com [###.###.###.198]: a TLS session is required, but an attempt to start TLS failed
>>     2022-10-18 07:12:46 H=example.com [###.###.###.197]: a TLS session is required, but an attempt to start TLS failed
>>     2022-10-18 07:12:46 H=example.com [###.###.###.194]: a TLS session is required, but an attempt to start TLS failed
>>     2022-10-18 07:12:46 someu...@example.com R=dnslookup T=remote_smtp defer (-38) H=example.com [###.###.###.194]: a TLS session is required, but an attempt to start TLS failed
>>
>> The error is causing email addressed to this host to hang in my queue and then fail to be delivered after the time out period. My exim.config is set up with the following options enabled:
>
> That's exactly what should happen: if you enforce TLS and the other side can't offer it, it fails. You used:
>
>     hosts_require_tls =
>     tls_tempfail_tryclear = false
>
> in your transport. Ergo, it fails if it's not possible. And I go 10:1 whatever is used in:
>
>     tls_require_ciphers = ...
>
> is not offered in the external mailserver's TLS offer, i.e. because it's a misconfigured Exchange server. To not block your queue, you can do this:
>
>     begin retry
>     # Address or Domain    Error          Retries
>     # -----------------    -----          -------
>     *                      refused
>     *                      quota
>     *                      tls_required
>     *                      *              F,2h,15m; G,16h,1h,1.5; F,4d,6h
>
> which instantly sends a delivery message to the sender if TLS fails.
>
> best regards,
> Marius

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
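The thread's diagnosis boils down to two steps: read the main log to see which host and which transport is deferring, then inspect that transport's TLS options for a policy that forbids clear text while also forbidding TLS. The following Python script is an added example and not code from the thread or from the Exim project; it does both steps offline against a constructed log sample modelled on the lines quoted above. The host-list matcher is a deliberate simplification (colon-separated shell-style name patterns only; real Exim host lists also accept IPs, lookups and negation), the `hosts_require_tls = *` value in the sample transport is constructed because the quoted reply lost the real value, and the findings encode the behaviour the thread reports: with hosts_require_tls matching, a failed or skipped STARTTLS defers rather than falling back, and tls_tempfail_tryclear only governs hosts that are not required to use TLS.

```python
import re
from collections import Counter
from fnmatch import fnmatch

# Constructed sample of Exim main-log lines, modelled on the lines quoted in the
# thread. RFC 5737 documentation addresses stand in for the masked IPs, and the
# last line is a constructed successful delivery to an unrelated host.
SAMPLE_LOG = """\
2022-10-18 07:12:45 H=example.com [192.0.2.199]: a TLS session is required, but an attempt to start TLS failed
2022-10-18 07:12:45 H=example.com [192.0.2.196]: a TLS session is required, but an attempt to start TLS failed
2022-10-18 07:12:46 H=example.com [192.0.2.194]: a TLS session is required, but an attempt to start TLS failed
2022-10-18 07:12:46 someuser@example.com R=dnslookup T=remote_smtp defer (-38) H=example.com [192.0.2.194]: a TLS session is required, but an attempt to start TLS failed
2022-10-18 07:13:02 1olx2a-0001Vn-2c => bob@other.example R=dnslookup T=remote_smtp H=mx.other.example [198.51.100.7] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 C="250 OK"
"""

TLS_REQUIRED_MSG = "a TLS session is required, but an attempt to start TLS failed"
HOST_RE = re.compile(r"H=(?P<host>\S+) \[(?P<ip>[^\]]+)\]")
DEFER_RE = re.compile(r"R=(?P<router>\S+) T=(?P<transport>\S+) defer \((?P<code>-?\d+)\)")


def tls_required_failures(log_text):
    """Summarise 'TLS session is required' failures in Exim main-log text.

    Returns (per_host, transports): per_host counts failures per (host, ip);
    transports maps each transport named in a defer line to its router, which
    tells you whose TLS options to inspect (exim -bP transport <name>).
    """
    per_host = Counter()
    transports = {}
    for line in log_text.splitlines():
        if TLS_REQUIRED_MSG not in line:
            continue
        m = HOST_RE.search(line)
        if m:
            per_host[(m.group("host"), m.group("ip"))] += 1
        d = DEFER_RE.search(line)
        if d:
            transports[d.group("transport")] = d.group("router")
    return per_host, transports


def _host_list_matches(host, value):
    """Simplified Exim host-list match: colon-separated shell-style patterns.

    Assumption: only name globbing such as '*.example.com' is modelled here;
    real Exim host lists also accept IP addresses, lookups and negation.
    """
    patterns = [p.strip() for p in value.split(":") if p.strip()]
    return any(fnmatch(host, p) for p in patterns)


def tls_policy_findings(transport_options, host):
    """Explain why delivery to `host` can end in the 'TLS session is required'
    error, given a dict of smtp-transport options (names as in exim -bP output).
    """
    require = _host_list_matches(host, transport_options.get("hosts_require_tls", ""))
    avoid = _host_list_matches(host, transport_options.get("hosts_avoid_tls", ""))
    tryclear = transport_options.get("tls_tempfail_tryclear", "true").lower() != "false"
    findings = []
    if require and avoid:
        findings.append("hosts_avoid_tls and hosts_require_tls both match %s: TLS is "
                        "mandatory but Exim is told never to attempt it" % host)
    if require:
        findings.append("hosts_require_tls matches %s: a failed STARTTLS defers the "
                        "message; tls_tempfail_tryclear does not apply" % host)
    elif not tryclear:
        findings.append("tls_tempfail_tryclear=false: a failed STARTTLS to %s defers "
                        "instead of retrying in clear" % host)
    return findings


if __name__ == "__main__":
    per_host, transports = tls_required_failures(SAMPLE_LOG)
    for (host, ip), n in sorted(per_host.items()):
        print("%-15s %-15s %d" % (host, ip, n))
    print("transports named in defers:", transports)
    # Constructed transport settings reproducing the thread's misconfiguration
    # (the require value is assumed; the quoted reply did not preserve it).
    broken = {"hosts_require_tls": "*", "hosts_avoid_tls": "*.example.com",
              "tls_tempfail_tryclear": "false"}
    for f in tls_policy_findings(broken, "mail.example.com"):
        print("finding:", f)
```

Run it as a script to see the per-host tally and the two findings for the constructed transport; in practice you would feed it `/var/spool/exim/log/mainlog` (or wherever your build puts the main log) and the option values from `exim -bP transport remote_smtp`.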
Re: [exim] TLS session is required, but an attempt to start TLS failed
On 18.10.22 at 14:58, Patrick Porteous via Exim-users wrote:
> I've recently started receiving the following message in my log files when sending to one host:
>
>     2022-10-18 07:12:45 H=example.com [###.###.###.199]: a TLS session is required, but an attempt to start TLS failed
>     2022-10-18 07:12:45 H=example.com [###.###.###.196]: a TLS session is required, but an attempt to start TLS failed
>     2022-10-18 07:12:45 H=example.com [###.###.###.198]: a TLS session is required, but an attempt to start TLS failed
>     2022-10-18 07:12:46 H=example.com [###.###.###.197]: a TLS session is required, but an attempt to start TLS failed
>     2022-10-18 07:12:46 H=example.com [###.###.###.194]: a TLS session is required, but an attempt to start TLS failed
>     2022-10-18 07:12:46 someu...@example.com R=dnslookup T=remote_smtp defer (-38) H=example.com [###.###.###.194]: a TLS session is required, but an attempt to start TLS failed
>
> The error is causing email addressed to this host to hang in my queue and then fail to be delivered after the time out period. My exim.config is set up with the following options enabled:

That's exactly what should happen: if you enforce TLS and the other side can't offer it, it fails. You used:

    hosts_require_tls =
    tls_tempfail_tryclear = false

in your transport. Ergo, it fails if it's not possible. And I go 10:1 whatever is used in:

    tls_require_ciphers = ...

is not offered in the external mailserver's TLS offer, i.e. because it's a misconfigured Exchange server. To not block your queue, you can do this:

    begin retry
    # Address or Domain    Error          Retries
    # -----------------    -----          -------
    *                      refused
    *                      quota
    *                      tls_required
    *                      *              F,2h,15m; G,16h,1h,1.5; F,4d,6h

which instantly sends a delivery message to the sender if TLS fails.

best regards,
Marius
Re: [exim] TLS session is required, but an attempt to start TLS failed
Patrick Porteous via Exim-users (Tue 18 Oct 2022 14:58:49 CEST):
> I've recently started receiving the following message in my log files when
> sending to one host:
>
> 2022-10-18 07:12:45 H=example.com [###.###.###.199]: a TLS session is
> required, but an attempt to start TLS failed
…
> The error is causing email addressed to this host to hang in my queue and
> then fail to be delivered after the time out period. My exim.config is
> set up with the following options enabled:
>
> tls_advertise_hosts = *
> tls_certificate = /usr/local/ssl/apache-selfsigned.crt
> tls_privatekey = /usr/local/ssl/apache-selfsigned.key

This is for your Exim acting as a server, but I understand that you're sending *to another* host, so it is irrelevant here.

> verify error:num=18:self signed certificate

… this can be an issue, depending on the TLS settings of your remote transport. Find the transport (exim -bt) and review the transport configuration (or share it with us). Normally Exim should fall back to clear-text communication if TLS isn't possible, so I suspect you have some TLS-related transport settings.

--
Heiko
Re: [exim] TLS session is required, but an attempt to start TLS failed
On 18/10/2022 13:58, Patrick Porteous via Exim-users wrote:
> I've recently started receiving the following message in my log files when sending to one host:
>
>     2022-10-18 07:12:45 H=example.com [###.###.###.199]: a TLS session is required, but an attempt to start TLS failed
>     2022-10-18 07:12:45 H=example.com [###.###.###.196]: a TLS session is required, but an attempt to start TLS failed
>     2022-10-18 07:12:45 H=example.com [###.###.###.198]: a TLS session is required, but an attempt to start TLS failed
>     2022-10-18 07:12:46 H=example.com [###.###.###.197]: a TLS session is required, but an attempt to start TLS failed
>     2022-10-18 07:12:46 H=example.com [###.###.###.194]: a TLS session is required, but an attempt to start TLS failed
>     2022-10-18 07:12:46 someu...@example.com R=dnslookup T=remote_smtp defer (-38) H=example.com [###.###.###.194]: a TLS session is required, but an attempt to start TLS failed

This is your Exim trying to send to some other host?

> My exim.config is setup with the following options enabled:
>
>     tls_advertise_hosts = *
>     tls_certificate = /usr/local/ssl/apache-selfsigned.crt
>     tls_privatekey = /usr/local/ssl/apache-selfsigned.key

Those are for connections inbound to your host, hence not relevant. Look at your transport configuration.

--
Cheers,
Jeremy
[exim] TLS session is required, but an attempt to start TLS failed
I've recently started receiving the following message in my log files when sending to one host:

    2022-10-18 07:12:45 H=example.com [###.###.###.199]: a TLS session is required, but an attempt to start TLS failed
    2022-10-18 07:12:45 H=example.com [###.###.###.196]: a TLS session is required, but an attempt to start TLS failed
    2022-10-18 07:12:45 H=example.com [###.###.###.198]: a TLS session is required, but an attempt to start TLS failed
    2022-10-18 07:12:46 H=example.com [###.###.###.197]: a TLS session is required, but an attempt to start TLS failed
    2022-10-18 07:12:46 H=example.com [###.###.###.194]: a TLS session is required, but an attempt to start TLS failed
    2022-10-18 07:12:46 someu...@example.com R=dnslookup T=remote_smtp defer (-38) H=example.com [###.###.###.194]: a TLS session is required, but an attempt to start TLS failed

The error is causing email addressed to this host to hang in my queue and then fail to be delivered after the time out period. My exim.config is set up with the following options enabled:

    tls_advertise_hosts = *
    tls_certificate = /usr/local/ssl/apache-selfsigned.crt
    tls_privatekey = /usr/local/ssl/apache-selfsigned.key

The output from openssl s_client -connect example.com:25 -starttls smtp is:

    CONNECTED(0003)
    depth=0 C = US, ST = State, L = My City, O = "My ORG", OU = IT, CN = mail.example.com, emailAddress = myaddr...@example.com
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 C = US, ST = State, L = My City, O = "My ORG", OU = IT, CN = mail.example.com, emailAddress = myaddr...@example.com
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=State/L=My City/O=My ORG/OU=IT/CN=mail.example.com/emailAddress=myaddr...@example.com
       i:/C=US/ST=State/L=My City/O=My ORG/OU=IT/CN=mail.example.com/emailAddress=myaddr...@example.com
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MY CERT DATA
    -----END CERTIFICATE-----
    subject=/C=US/ST=State/L=My City/O=My ORG/OU=IT/CN=mail.example.com/emailAddress=myaddr...@example.com
    issuer=/C=US/ST=State/L=My City/O=My ORG/OU=IT/CN=mail.example.com/emailAddress=myaddr...@example.com
    ---
    No client certificate CA names sent
    Peer signing digest: SHA512
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 1783 bytes and written 450 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: 63CF1FE61EED74FBDBA1A3D8672533D0B9FB72737A05D24D59A5D22ECEFF71CD
        Session-ID-ctx:
        Master-Key: KEY###
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        Start Time: 1666097362
        Timeout   : 300 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    250 HELP

I can send mail to all other hosts except this host without receiving the error, and can receive from this host and all others without issue. My question is whether there is a way to reconfigure the TLS on my Exim server to get around this type of error on the receiving server?

Thanks for the help,
Patrick