[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections

2017-01-31 Thread admin
https://bugs.exim.org/show_bug.cgi?id=2018

Git Commit  changed:

What       | Removed  | Added
Status     | REOPENED | RESOLVED
Resolution | ---      | FIXED

--- Comment #16 from Git Commit  ---
Git commit:
https://git.exim.org/exim.git/commitdiff/da88acaeb7d76e5312c8ea799951470eaa5eca0f

commit da88acaeb7d76e5312c8ea799951470eaa5eca0f
Author: Phil Pennock 
AuthorDate: Tue Jan 31 22:15:55 2017 -0500
Commit: Phil Pennock 
CommitDate: Tue Jan 31 22:15:55 2017 -0500

handle proxy protocol v2 safely as well.

we had test suite failures (test suite success!) because proxy protocol
v2 (ppv2) wasn't being detected; by only reading 12 octets, the >= 16
check was failing.  but in fact i had previously only fixed reading
"only enough" for ppv1.

handling both ppv1 and ppv2 is complicated because the minimum valid
length for ppv1 is 15 octets but for ppv2 the size to read is in the
15th and 16th octets.

so refactored a little and we now use a total of 3 reads for the ppv2
case (assuming no fragmentation, etc; we'll actually keep reading now
instead of aborting) to get the entire ppv2 header of exactly the right
size, so that tls handshake immediately following the pp header is not
also swallowed.

fixes: 2018
tested: manually, tls and non-tls, ppv1 and ppv2, all ways.
release: should be cherry-picked into 4.89rc series

 doc/doc-txt/ChangeLog |   2 +
 src/src/smtp_in.c | 128 +++---
 2 files changed, 103 insertions(+), 27 deletions(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##
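
The read strategy described in the commit message above, as an added C example (not Exim's code and not part of the original thread): read 12 octets, then either the v2 length field and exactly that many more octets, or the rest of the v1 line, so the TLS handshake stays queued in the socket. The names read_exact, read_proxy_header, leftover_after_header and the SAMPLE_* data are hypothetical and constructed; reading the v1 line one octet at a time is an assumption of this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define PP_V1_MAX 107   /* longest v1 line the spec allows, CRLF included */
static const uint8_t PP2_SIG[12] = {13,10,13,10,0,13,10,'Q','U','I','T',10};

/* Constructed samples: a PROXY header, then the first octets of a TLS record. */
static const uint8_t SAMPLE_V2[] = {
  13,10,13,10,0,13,10,'Q','U','I','T',10,      /* v2 signature */
  0x21, 0x11, 0x00, 0x0C,                      /* v2 PROXY, TCP/IPv4, 12 more octets */
  192,0,2,1, 192,0,2,2, 0xDC,0x04, 0x01,0xD1,  /* addresses, ports 56324 and 465 */
  0x16, 0x03, 0x01 };                          /* TLS handshake record begins here */
static const char SAMPLE_V1[] = "PROXY TCP4 192.0.2.1 192.0.2.2 56324 465\r\n\x16\x03\x01";

/* Read exactly n octets, looping over short reads; 0 on success, -1 otherwise. */
static int read_exact(int fd, uint8_t *buf, size_t n) {
  while (n > 0) {
    ssize_t r = recv(fd, buf, n, 0);
    if (r <= 0) return -1;
    buf += r; n -= (size_t)r;
  }
  return 0;
}

/* Consume one PROXY header from fd and not one octet more.
   Returns the header length, or -1 if malformed or longer than cap. */
static int read_proxy_header(int fd, uint8_t *buf, size_t cap) {
  size_t len = 12;   /* v2 signature size, and shorter than any valid v1 line */
  if (cap < 16 || read_exact(fd, buf, len) < 0) return -1;
  if (memcmp(buf, PP2_SIG, 12) == 0) {
    if (read_exact(fd, buf + 12, 4) < 0) return -1;
    if ((buf[12] & 0xF0) != 0x20) return -1;         /* version nibble must be 2 */
    size_t body = ((size_t)buf[14] << 8) | buf[15];  /* 15th and 16th octets */
    if (16 + body > cap || read_exact(fd, buf + 16, body) < 0) return -1;
    return (int)(16 + body);
  }
  if (memcmp(buf, "PROXY ", 6) != 0) return -1;
  while (buf[len - 2] != '\r' || buf[len - 1] != '\n') {  /* v1: up to CRLF */
    if (len >= PP_V1_MAX || len >= cap) return -1;
    if (read_exact(fd, buf + len, 1) < 0) return -1;
    len++;
  }
  return (int)len;
}

/* Send wire bytes through a socketpair, parse the header, then count what is
   still queued for the TLS library. Returns that count, or -1 on failure. */
static int leftover_after_header(const void *wire, size_t n, int *hdr_len, uint8_t *next) {
  int sv[2]; uint8_t hdr[256], rest[256];
  if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
  ssize_t sent = write(sv[0], wire, n);
  close(sv[0]);
  *hdr_len = sent == (ssize_t)n ? read_proxy_header(sv[1], hdr, sizeof hdr) : -1;
  ssize_t left = *hdr_len < 0 ? -1 : recv(sv[1], rest, sizeof rest, 0);
  close(sv[1]);
  *next = left > 0 ? rest[0] : 0;
  return (int)left;
}

int main(void) {
  int h1, h2; uint8_t nx;
  int l2 = leftover_after_header(SAMPLE_V2, sizeof SAMPLE_V2, &h2, &nx);
  int l1 = leftover_after_header(SAMPLE_V1, sizeof SAMPLE_V1 - 1, &h1, &nx);
  printf("v2 header=%d left=%d; v1 header=%d left=%d\n", h2, l2, h1, l1);
  return 0;
}
```

In both samples the octets following the header remain unread, beginning with 0x16, which is where a TLS library expects the handshake to start.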


[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections

2017-01-31 Thread admin
https://bugs.exim.org/show_bug.cgi?id=2018

--- Comment #15 from Phil Pennock  ---
Okay, problem is easy to see:

if (ret >= 16 && memcmp(, v2sig, 12) == 0)

We now only read 16 characters in the first pass, so that's never true.  Deoh.



[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections

2017-01-31 Thread admin
https://bugs.exim.org/show_bug.cgi?id=2018

Phil Pennock  changed:

What       | Removed  | Added
Status     | RESOLVED | REOPENED
Resolution | FIXED    | ---

--- Comment #14 from Phil Pennock  ---
Jeremy saw test suite failures, I have dug into how to configure haproxy to try
proxy protocol v2 and indeed, I see failure.  I broke v2.



[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections

2017-01-30 Thread admin
https://bugs.exim.org/show_bug.cgi?id=2018

--- Comment #13 from Git Commit  ---
Git commit:
https://git.exim.org/exim.git/commitdiff/f700ea4d43b74a85ff4f606828fee4e9a2131f9c

commit f700ea4d43b74a85ff4f606828fee4e9a2131f9c
Author: Phil Pennock 
AuthorDate: Mon Jan 30 19:54:47 2017 -0500
Commit: Phil Pennock 
CommitDate: Mon Jan 30 19:54:47 2017 -0500

Document that fixed 2018

Fixes: 2018
---
 doc/doc-txt/ChangeLog | 4 
 1 file changed, 4 insertions(+)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index bc9b19f..69c7789 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -73,6 +73,10 @@ JH/15 Angle-bracket nesting (an error inserted by broken
sendmails) levels are
   now limited to an arbitrary five deep, while parsing addresses with the
   strip_excess_angle_brackets option enabled.

+PP/03 Bug 2018: For Proxy Protocol and TLS-on-connect, do not over-read and
+  instead leave the unprompted TLS handshake in socket buffer for the
+  TLS library to consume.
+

 Exim version 4.88
 -
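
Review bot: The PP/03 text says "do not over-read" but does not say which Proxy Protocol versions the bounded read covers. The v1 and v2 headers have different lengths, so the entry should name both explicitly (or say v1 only) so that a ChangeLog reader can tell what was fixed. It would also help to state that this applies when the proxy sends its header in clear ahead of the client's TLS handshake on a TLS-on-connect port, since that ordering is what makes the over-read harmful.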



[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections

2017-01-30 Thread admin
https://bugs.exim.org/show_bug.cgi?id=2018

Phil Pennock  changed:

What       | Removed  | Added
Status     | ASSIGNED | RESOLVED
Resolution | ---      | FIXED



[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections

2017-01-30 Thread admin
https://bugs.exim.org/show_bug.cgi?id=2018

--- Comment #12 from Phil Pennock  ---
Have pushed a fix for this.  I'm marking it closed; Nenad, please try Exim
4.89RC1 which I'll be cutting tonight and re-open the ticket if you still
experience problems.

Thank you for your patience!



[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections

2017-01-30 Thread admin
https://bugs.exim.org/show_bug.cgi?id=2018

Phil Pennock  changed:

What     | Removed               | Added
Assignee | jgh146...@wizmail.org | p...@exim.org



[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections

2017-01-30 Thread admin
https://bugs.exim.org/show_bug.cgi?id=2018

--- Comment #11 from Phil Pennock  ---
Isolated the problem, confirmed with a debug statement.

We're doing a fixed read for proxy handling, assuming that the read will come
up short for PROXYv1.  For SMTP where server-speaks-first, that's true for
compliant clients.

For TLS, where client-speaks-first and the proxy waits for client data before
opening the backend connection, it's not true.  With a little bit of debugging
added:

90478 Bytes read not within PROXY header: 178

For plaintext, that "178" is the desired "0".

Am pondering solutions right now.  I consider this blocking of 4.89RC1.



[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections

2017-01-30 Thread admin
https://bugs.exim.org/show_bug.cgi?id=2018

Phil Pennock  changed:

What | Removed | Added
CC   |         | p...@exim.org

--- Comment #10 from Phil Pennock  ---
I can reproduce and am investigating further.  I have exim on my laptop and
haproxy on my laptop, set up such that:

daemon_smtp_ports = 25 : 465 : 466 : 587 : 588
tls_on_connect_ports = 465 : 466
hosts_proxy = <; ${if forany{466:588}{=={$received_port}{$item}} {127.0.0.1 ; ::1}{}}

and for proxy testing, I start Exim with `-oX 127.0.0.1` and run:

  sudo haproxy -f haproxy.conf -db -d

with an haproxy configuration of:

frontend ft_smtp_submission
  bind 0.0.0.0:587
  mode tcp
  no option http-server-close
  timeout client 1m
  log global
  option tcplog
  default_backend bk_exim_submission

backend bk_exim_submission
  mode tcp
  no option http-server-close
  log global
  option tcplog
  timeout server 1m
  timeout connect 5s
  server exim 127.0.0.1:588 send-proxy

frontend ft_smtp_tlsonconnect
  bind 0.0.0.0:465
  mode tcp
  no option http-server-close
  timeout client 1m
  log global
  option tcplog
  default_backend bk_exim_tlsonconnect

backend bk_exim_tlsonconnect
  mode tcp
  no option http-server-close
  log global
  option tcplog
  timeout server 1m
  timeout connect 5s
  server exim 127.0.0.1:466 send-proxy



[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections

2017-01-30 Thread admin
https://bugs.exim.org/show_bug.cgi?id=2018

--- Comment #9 from Jeremy Harris  ---
Grab a packet capture and look at the first few TLS packets (or attach it
here).



[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections

2017-01-30 Thread admin
https://bugs.exim.org/show_bug.cgi?id=2018

--- Comment #8 from Nenad Opsenica  ---
> That looks like a TLS config problem.

Well, literally the same exim configuration works just fine if I connect
directly from Thunderbird to exim server (therefore, without hosts_proxy
settings). 

Only if connection goes over HAproxy, error occurs.



[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections

2017-01-30 Thread admin
https://bugs.exim.org/show_bug.cgi?id=2018

--- Comment #7 from Jeremy Harris  ---
That looks like a TLS config problem.



[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections

2017-01-30 Thread admin
https://bugs.exim.org/show_bug.cgi?id=2018

--- Comment #6 from Nenad Opsenica  ---
Unfortunately, provided patch does not work (I have applied it to 4.88 patched
with v2 proxy patch; patching went cleanly).

Proxied session was detected, but TLS was not established.


Client (Thunderbird) after a while pops up information dialog with "The message
could not be sent because the connection to Outgoing server was lost in the
middle of the transaction"

Exim debug session (10.9.27.240 is Thunderbird's address, it connects to
HAproxy):

15:31:21 16939 Initialized TLS
15:31:21 16939 required ciphers:
ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!MD5:!SRP:!PSK:!aDSS:!kECDH:!kDH:!SEED:!IDEA:!RC2:!RC4:!RC5:!CAMELLIA
15:31:21 16939 host in tls_verify_hosts? no (option unset)
15:31:21 16939 host in tls_try_verify_hosts? no (option unset)
15:31:21 16939 Calling SSL_accept
15:31:21 16939 SSL info: before/accept initialization
15:31:21 16939 SSL info: before/accept initialization
15:31:51 16939 LOG: MAIN
15:31:51 16939   TLS error on connection from [10.9.27.240] (SSL_accept):
error::lib(0):func(0):reason(0)
15:31:51 16939 LOG: MAIN
15:31:51 16939   TLS client disconnected cleanly (rejected our certificate?)
15:31:51 16939 search_tidyup called
15:31:51 16924 child 16939 ended: status=0x0
15:31:51 16924   normal exit, 0
15:31:51 16924 0 SMTP accept processes now running
15:31:51 16924 Listening...



[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections

2017-01-29 Thread admin
https://bugs.exim.org/show_bug.cgi?id=2018

Git Commit  changed:

What | Removed | Added
CC   |         | g...@exim.org

--- Comment #5 from Git Commit  ---
Git commit:
https://git.exim.org/exim.git/commitdiff/1811cb4cb491183bd4b32bca3e80f77b4c8d391d

commit 1811cb4cb491183bd4b32bca3e80f77b4c8d391d
Author: Jeremy Harris 
AuthorDate: Tue Jan 17 00:39:41 2017 +
Commit: Jeremy Harris 
CommitDate: Sun Jan 29 15:09:48 2017 +

shuffle proxy-protocol to wrap tls-on-connect startup.  bug 2018

 src/src/smtp_in.c | 111 +++---
 1 file changed, 55 insertions(+), 56 deletions(-)



Re: [exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections

2017-01-19 Thread Phil Pennock
On 2017-01-18 at 16:06 +, Jeremy Harris wrote:
> To expand: Exim's implementation of Proxy Protocol
> is currently hooked in after the TLS start done for
> tls-on-connect.
> 
> It turns out that the protocol spec document is ambiguous
> and the other way about (proxy-protocol handling done
> in-clear, then TLS) is the preferred way for HAproxy.
> 
> Is anyone using and relying on the current Exim implementation
> ordering?   Or shall I just swap them round?

I think that Jeremy knows my opinion here, but so that others know what
is likely to happen if nobody speaks up:

I strongly favour swapping them around, putting a note in
README.UPDATING and avoiding adding yet another knob.

So if you are relying upon something which speaks Proxy Protocol
initiating its _own_ TLS connection to an Exim TLS-on-connect backend,
_then_ speaking PP within that, _before_ passing off to hand-off from
the origin client, then you need to speak up with some details so that
we can understand and weigh the cost of the added complexity, and make
sure that we can then handle it without ending up with TLS tunnelled
inside TLS.

-Phil



Re: [exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections

2017-01-18 Thread Jeremy Harris
On 18/01/17 14:05, ad...@bugs.exim.org wrote:
> https://bugs.exim.org/show_bug.cgi?id=2018
> 
> Jeremy Harris  changed:
> 
> What   | Removed | Added
> Status | NEW     | ASSIGNED

To expand: Exim's implementation of Proxy Protocol
is currently hooked in after the TLS start done for
tls-on-connect.

It turns out that the protocol spec document is ambiguous
and the other way about (proxy-protocol handling done
in-clear, then TLS) is the preferred way for HAproxy.

Is anyone using and relying on the current Exim implementation
ordering?   Or shall I just swap them round?
-- 
Cheers,
  Jeremy



[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections

2017-01-18 Thread admin
https://bugs.exim.org/show_bug.cgi?id=2018

Jeremy Harris  changed:

What             | Removed   | Added
Target Milestone | Exim 4.88 | Exim 4.89



[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections

2017-01-18 Thread admin
https://bugs.exim.org/show_bug.cgi?id=2018

Jeremy Harris  changed:

What   | Removed | Added
Status | NEW     | ASSIGNED



[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections

2017-01-18 Thread admin
https://bugs.exim.org/show_bug.cgi?id=2018

--- Comment #4 from Nenad Opsenica  ---
Just to describe my setup:
 * haproxy to do "ssl passthrough" (i.e. running in TCP mode without SSL/TLS
offloading) from clients to imap and smtp/submission servers
 * dovecot configuration, that uses this kind of setup works perfectly with
both StartTLS IMAP (port 143) and IMAPS (port 993). 

Relevant configuration parts for TLS-on-connect case (port 993/imaps)

HAproxy:

listen imap
bind :993
mode tcp 
option tcplog

stick-table type ip size 200k expire 30m
stick on src

server mail2 mail2.local.net:10993 check-send-proxy send-proxy-v2

Dovecot:

  inet_listener imaps_haproxy {
port = 10993
ssl = yes
haproxy = yes
  }


Similar setup with HAproxy and Exim for TLS-on-connect case (port 465) does not
work:

HAproxy:
listen smtp
bind :465
mode tcp 
option tcplog

stick-table type ip size 200k expire 30m
stick on src

server mail2 mail2.local.net:465 check-send-proxy send-proxy-v2


Exim configuration:

hosts_proxy = IP_address_of_HAproxy_server

Exim is patched with fix for proxy-v2 from
https://bugs.exim.org/show_bug.cgi?id=2003


When I changed function smtp_start_session() in smtp_in.c, to call
check_proxy_protocol_host() first, and then tls_server_start(), proxied session
was successfully detected (debug information showed IP address of end client),
but unfortunately TLS session was not started; obviously this can't be fixed
that 'easy' way. 
But, it shows that HAproxy, when used with "TLS/SSL passthrough" mode prepends
unencrypted proxy header.



Re: [exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections

2017-01-17 Thread Viktor Dukhovni
On Mon, Jan 16, 2017 at 05:17:49PM +, ad...@bugs.exim.org wrote:

> https://bugs.exim.org/show_bug.cgi?id=2018

FWIW, Postfix performs the HAPROXY handshake at the start of the
TCP session (thus prior to any TLS setup) on all ports (25, 587
and 465), i.e. whether doing STARTTLS or doing SMTP inside TLS (TLS
"wrapper mode").

-- 
Viktor.



[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections

2017-01-17 Thread admin
https://bugs.exim.org/show_bug.cgi?id=2018

--- Comment #3 from Jeremy Harris  ---
So your incoming connection did not talk TLS-on-connect.  You're assuming the
model of "proxying of a remote tls-on-connect", I think - whereas Exim is
assuming, if it supports it at all, a local tls-on-connect between the proxy
and the MTA.

The standard for Proxy Protocol mentions a client type PP2_CLIENT_SSL
"indicates that the client connected over SSL/TLS" which I think at least
allows for the possibility of the remote TCP connection terminating a TLS.
It isn't quite clear whether that is the only model it supports.  The v1
portion of the spec says "sent immediately and at once upon the connection
establishment" but fails to say whether it is talking about the TCP connection
or the TLS connection, for a TLS case.



[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections

2017-01-16 Thread admin
https://bugs.exim.org/show_bug.cgi?id=2018

--- Comment #2 from Nenad Opsenica  ---
> What's the evidence for "proxy settings are not even checked"?

Excerpt from HAproxy log:

Jan 16 17:45:13 localhost haproxy[29817]: 10.9.27.240:57140
[16/Jan/2017:17:45:13.557] smtp bk_mail-starttls/mail2 6/0/12 0 SD 0/0/0/0/0
0/0


And debug information from exim when connection is being made to port 465 with
SSL/TLS:

17:45:14 11748 Connection request from 10.9.4.12 port 60468
17:45:14 11748 interface address=10.9.4.25 port=465
17:45:14 11748 search_tidyup called
17:45:14 11748 1 SMTP accept process running
17:45:14 11748 Listening...
17:45:14 11750 sender_fullhost = [10.9.4.12]
17:45:14 11750 sender_rcvhost = [10.9.4.12]
17:45:14 11750 Process 11750 is handling incoming connection from [10.9.4.12]
17:45:14 11750 host in host_lookup? yes (matched "*")
17:45:14 11750 looking up host name for 10.9.4.12
17:45:14 11750 DNS lookup of 12.4.9.10.in-addr.arpa (PTR) gave HOST_NOT_FOUND
17:45:14 11750 returning DNS_NOMATCH
17:45:14 11750 IP address lookup using gethostbyaddr()
17:45:14 11750 IP address lookup failed: h_errno=1
17:45:14 11750 LOG: host_lookup_failed MAIN
17:45:14 11750   no host name found for IP address 10.9.4.12
17:45:14 11750 sender_fullhost = [10.9.4.12]
17:45:14 11750 sender_rcvhost = [10.9.4.12]
17:45:14 11750 set_process_info: 11750 handling incoming connection from
[10.9.4.12]
17:45:14 11750 openssl option, adding from 110: 100 (no_sslv2
+no_sslv3)
17:45:14 11750 openssl option, adding from 110: 200 (no_sslv3)
17:45:14 11750 setting SSL CTX options: 0x310
17:45:14 11750 Diffie-Hellman initialized from default with 2048-bit prime
17:45:14 11750 ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding
"auto" with "prime256v1"
17:45:14 11750 ECDH: curve 'prime256v1'
17:45:14 11750 ECDH: enabled 'prime256v1' curve
17:45:14 11750 tls_certificate file /etc/pki/tls/certs/...DELETED_HERE.
17:45:14 11750 tls_privatekey file /etc/pki/tls/certs/...DELETED_HERE.
17:45:14 11750 Initialized TLS
17:45:14 11750 required ciphers:
ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!MD5:!SRP:!PSK:!aDSS:!kECDH:!kDH:!SEED:!IDEA:!RC2:!RC4:!RC5:!CAMELLIA
17:45:14 11750 host in tls_verify_hosts? no (option unset)
17:45:14 11750 host in tls_try_verify_hosts? no (option unset)
17:45:14 11750 Calling SSL_accept
17:45:14 11750 SSL info: before/accept initialization
17:45:14 11750 SSL info: before/accept initialization
17:45:14 11750 SSL info: SSLv2/v3 read client hello A
17:45:14 11750 LOG: MAIN
17:45:14 11750   TLS error on connection from [10.9.4.12] (SSL_accept):
error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
17:45:14 11750 LOG: MAIN
17:45:14 11750   TLS client disconnected cleanly (rejected our certificate?)
17:45:14 11750 search_tidyup called
17:45:14 11748 child 11750 ended: status=0x0
17:45:14 11748   normal exit, 0
17:45:14 11748 0 SMTP accept processes now running
17:45:14 11748 Listening...

The same setup works perfectly with StartTLS.

Function smtp_start_session() in smtp_in.c, calls tls_server_start() before
checking with check_proxy_protocol_host() if proxy protocol is used.



[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections

2017-01-16 Thread admin
https://bugs.exim.org/show_bug.cgi?id=2018

--- Comment #1 from Jeremy Harris  ---
TLS being started immediately on the TCP connection sounds normal.  What's
the evidence for "proxy settings are not even checked"?
