Re: [exim] TLS with gmail started failing
Marc MERLIN via Exim-users writes:
> Mmmh, not what I expected quite, but upgrading exim4 seems to have fixed
> the issue. Relevant updates:
> Unpacking libnet-ssleay-perl (1.85-2+b1) over (1.77-1+b1) ...
> Unpacking libssl1.1:i386 (1.1.1b-2) over (1.1.0f-4) ...
> Unpacking libgnutls30:i386 (3.6.7-3) over (3.6.6-2) ...
> Unpacking libgnutls-dane0:i386 (3.6.7-3) ...
> Unpacking libsasl2-modules-db:i386 (2.1.27+dfsg-1) ...
> Unpacking libsasl2-2:i386 (2.1.27+dfsg-1) over (2.1.25.dfsg1-2) ...
> Unpacking exim4-daemon-heavy (4.92-7) over (4.87-3+b1) ...
>
> And now things work again.

Thanks for the hint! That helped a lot. I was so sure the problem was on
the other end, since I did upgrade that and hadn't touched the exim
installation.

I hit this after upgrading my sendmail smarthost to buster. I guess that
enabled TLSv1.3 support on the smarthost side. Upgrading exim to 4.92-8
(from current sid) fixed the issue.

I was also running the odd combo of a new libgnutls30 (from sid) with an
old exim4 package (from stretch). So I guess I did it to myself.. But at
least we are two :-)

Bjørn

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] TLS with gmail started failing
On 10/06/2019 11:12, Richard Jones via Exim-users wrote:
> I can't help with your problem, but could I ask specifically how you got
> such detailed logging and where it was logged?

  exim -d-all+tls

stderr

--
Cheers,
  Jeremy
Re: [exim] TLS with gmail started failing
On Jun 07, Exim Users wrote
> With more debug logs enabled, I see
> 14:32:02 5341 74.125.141.26 in hosts_avoid_tls? no (end of list)
> 14:32:02 5341 SMTP>> STARTTLS
> 14:32:02 5341 read response data: size=30
> 14:32:02 5341 SMTP<< 220 2.0.0 Ready to start TLS
> 14:32:02 5341 74.125.141.26 in hosts_require_ocsp? no (option unset)
> 14:32:02 5341 74.125.141.26 in hosts_request_ocsp? yes (matched "*")
> 14:32:02 5341 initialising GnuTLS as a client on fd 9
> 14:32:02 5341 GnuTLS global init required.
> 14:32:02 5341 initialising GnuTLS client session
> 14:32:02 5341 Expanding various TLS configuration options for session
> credentials.

Hi,

I can't help with your problem, but could I ask specifically how you got
such detailed logging and where it was logged?

Thanks,
Richard

--
junix.systems/privacy
Re: [exim] TLS with gmail started failing
On Sat, Jun 08, 2019 at 06:58:32AM +0200, Andreas Metzler via Exim-users wrote:
> Marc MERLIN via Exim-users wrote:
> >> On 07/06/2019 17:16, Marc MERLIN via Exim-users wrote:
> >> > Is my cipher list unsuitable? cipher:
> >> > TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256
> > [...]
> > Sorry, I totally failed to give a required bit of info, which exim I have.
> > debian exim4 4.87-3+b1
> >
> > I don't upgrade unless I have to, as a general policy :)
>
> Hello,
>
> Combining 3 years old exim with quite recent (>= 3.6.4) GnuTLS
> seems to be an adventurous choice to me. There is at least one known
> issue.
>
> https://bugs.exim.org/show_bug.cgi?id=2359

Thank you for that bug, looks a lot like what I hit.
So, you're thinking that something else upgraded my gnutls, that in turn
the new package missed a non-compat flag with older exim4, so the old
exim4 stayed, and things broke.
If so, that sounds very plausible.

Thanks for that
Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | PGP 7F55D5F27AAF9D08
Re: [exim] TLS with gmail started failing
Marc MERLIN via Exim-users wrote:
>> On 07/06/2019 17:16, Marc MERLIN via Exim-users wrote:
>> > Is my cipher list unsuitable? cipher:
>> > TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256
[...]
> Sorry, I totally failed to give a required bit of info, which exim I have.
> debian exim4 4.87-3+b1
>
> I don't upgrade unless I have to, as a general policy :)

Hello,

Combining 3 years old exim with quite recent (>= 3.6.4) GnuTLS
seems to be an adventurous choice to me. There is at least one known
issue.

https://bugs.exim.org/show_bug.cgi?id=2359

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
Re: [exim] TLS with gmail started failing
Viktor Dukhovni via Exim-users wrote:
>> On Jun 7, 2019, at 1:37 PM, Viktor Dukhovni via Exim-users
>> wrote:
>> Actually, that did not work, I must have botched the command-line
>> arguments. The "STARTTLS" never happened, as can be seen from the
>> fact that the EHLO response still contains 'STARTTLS', which would
>> not be the case once starttls is established. Sorry, I am Postfix
>> and OpenSSL developer, not Exim or GnuTLS. Perhaps someone else
>> will post the correct options, or you can double-check the manpage.
> See http://www.moeding.net/2010/01/testing-smtp-auth-after-starttls/
> Apparently, with those command-line options, you need to type the
> STARTTLS yourself, wait for the server 2XX ACK, and then type "Ctrl-D"
> (TTY EOF sequence), telling gnutls-cli to take over and perform the
> handshake. There are likely better ways of doing this...

--starttls-proto=smtp ;-)

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
Re: [exim] TLS with gmail started failing
On 07/06/2019 18:09, Marc MERLIN wrote:
> tls_require_ciphers = NORMAL:%COMPAT
>
> tls_require_ciphers = NORMAL:%LATEST_RECORD_VERSION:-VERS-SSL3.0
>
> tls_require_ciphers = SECURE128

I see you're already fixed, but something along the lines of

  NORMAL:!VERS-TLS1.3

See https://gnutls.org/manual/html_node/Priority-Strings.html for the
full horror.

--
Cheers,
  Jeremy
Re: [exim] TLS with gmail started failing
On Fri, Jun 07, 2019 at 10:26:50AM -0700, Marc MERLIN via Exim-users wrote:
> On Fri, Jun 07, 2019 at 10:09:40AM -0700, Marc MERLIN via Exim-users wrote:
> > Sorry, I totally failed to give a required bit of info, which exim I have.
> > debian exim4 4.87-3+b1
>
> And yes, I did also read that I should upgrade for security reasons.
> Working on that ATM.

Mmmh, not what I expected quite, but upgrading exim4 seems to have fixed
the issue. Relevant updates:
Unpacking libnet-ssleay-perl (1.85-2+b1) over (1.77-1+b1) ...
Unpacking libssl1.1:i386 (1.1.1b-2) over (1.1.0f-4) ...
Unpacking libgnutls30:i386 (3.6.7-3) over (3.6.6-2) ...
Unpacking libgnutls-dane0:i386 (3.6.7-3) ...
Unpacking libsasl2-modules-db:i386 (2.1.27+dfsg-1) ...
Unpacking libsasl2-2:i386 (2.1.27+dfsg-1) over (2.1.25.dfsg1-2) ...
Unpacking exim4-daemon-heavy (4.92-7) over (4.87-3+b1) ...

And now things work again.

It's as if gmail detected that I had a vulnerable version of exim and just
started rejecting Email from it (good) but without a useful message as to
why (bad).
That said, I could be totally off base, and it could be a totally different
issue that unexplainably started a few days ago and got fixed by an exim
upgrade.

Connecting to gmail-smtp-in.l.google.com [74.125.199.27]:25 ... connected
  SMTP<< 220 mx.google.com ESMTP 25si2556555pgw.171 - gsmtp
  SMTP>> EHLO mail1.merlins.org
  SMTP<< 250-mx.google.com at your service, [209.81.13.136]
         250-SIZE 157286400
         250-8BITMIME
         250-STARTTLS
         250-ENHANCEDSTATUSCODES
         250-PIPELINING
         250-CHUNKING
         250 SMTPUTF8
  SMTP>> STARTTLS
  SMTP<< 220 2.0.0 Ready to start TLS
  SMTP>> EHLO mail1.merlins.org
  SMTP<< 250-mx.google.com at your service, [209.81.13.136]
         250-SIZE 157286400
         250-8BITMIME
         250-ENHANCEDSTATUSCODES
         250-PIPELINING
         250-CHUNKING
         250 SMTPUTF8
  SMTP>> MAIL FROM: SIZE=1552
  SMTP>> RCPT TO:
  will write message using CHUNKING
  SMTP>> BDAT 437 LAST
  SMTP<< 250 2.1.0 OK 25si2556555pgw.171 - gsmtp
  SMTP<< 250 2.1.5 OK 25si2556555pgw.171 - gsmtp
  SMTP<< 250 2.0.0 OK 25si2556555pgw.171 - gsmtp
  SMTP>> QUIT
  SMTP(close)>>
LOG: MAIN
  => mer...@gmail.com F= R=dnslookup T=remote_smtp S=437 H=gmail-smtp-in.l.google.com [74.125.199.27] I=[209.81.13.136] X=TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no DN="C=US,ST=California,L=Mountain View,O=Google LLC,CN=mx.google.com" K C="250 2.0.0 OK 25si2556555pgw.171 - gsmtp"

Thanks for the help and answers.
Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/
Re: [exim] TLS with gmail started failing
> On Jun 7, 2019, at 1:37 PM, Viktor Dukhovni via Exim-users
> wrote:
>
> Actually, that did not work, I must have botched the command-line
> arguments. The "STARTTLS" never happened, as can be seen from the
> fact that the EHLO response still contains 'STARTTLS', which would
> not be the case once starttls is established. Sorry, I am Postfix
> and OpenSSL developer, not Exim or GnuTLS. Perhaps someone else
> will post the correct options, or you can double-check the manpage.

See http://www.moeding.net/2010/01/testing-smtp-auth-after-starttls/

Apparently, with those command-line options, you need to type the
STARTTLS yourself, wait for the server 2XX ACK, and then type "Ctrl-D"
(TTY EOF sequence), telling gnutls-cli to take over and perform the
handshake. There are likely better ways of doing this...

--
Viktor.
Re: [exim] TLS with gmail started failing
On Fri, Jun 07, 2019 at 10:30:52AM -0700, Marc MERLIN wrote:
> > And also with gnutls-cli:
> >
> > $ gnutls-cli --crlf --starttls --port 25 smtp.example.net
> > alt4.gmail-smtp-in.l.google.com
>
> Thanks for that suggestion.
> That seems to work
>
> magic:~# gnutls-cli --crlf --starttls --port 25
> alt4.gmail-smtp-in.l.google.com
> Processed 99 CA certificate(s).
> Resolving 'alt4.gmail-smtp-in.l.google.com'...
> Connecting to '173.194.217.26:25'...
>
> - Simple Client Mode:
>
> 220 mx.google.com ESMTP 43si392782uam.102 - gsmtp
> EHLO foo.bar
> 250-mx.google.com at your service, [209.81.13.136]
> 250-SIZE 157286400
> 250-8BITMIME
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-CHUNKING
> 250 SMTPUTF8
> quit
> 221 2.0.0 closing connection 43si392782uam.102 - gsmtp

Actually, that did not work, I must have botched the command-line
arguments. The "STARTTLS" never happened, as can be seen from the
fact that the EHLO response still contains 'STARTTLS', which would
not be the case once starttls is established. Sorry, I am Postfix
and OpenSSL developer, not Exim or GnuTLS. Perhaps someone else
will post the correct options, or you can double-check the manpage.

With "posttls-finger", we see the pre and post-handshake EHLO responses,
with the latter not containing "STARTTLS" as expected.

$ posttls-finger -Lsummary "[alt4.gmail-smtp-in.l.google.com]"
posttls-finger: Connected to alt4.gmail-smtp-in.l.google.com[172.217.218.26]:25
posttls-finger: < 220 mx.google.com ESMTP m18si1519581ejq.1 - gsmtp
posttls-finger: > EHLO straasha.imrryr.org
posttls-finger: < 250-mx.google.com at your service, [100.2.39.101]
posttls-finger: < 250-SIZE 157286400
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-CHUNKING
posttls-finger: < 250 SMTPUTF8
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: certificate verification failed for alt4.gmail-smtp-in.l.google.com[172.217.218.26]:25: untrusted issuer /OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
posttls-finger: Untrusted TLS connection established to alt4.gmail-smtp-in.l.google.com[172.217.218.26]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
posttls-finger: > EHLO straasha.imrryr.org
posttls-finger: < 250-mx.google.com at your service, [100.2.39.101]
posttls-finger: < 250-SIZE 157286400
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-CHUNKING
posttls-finger: < 250 SMTPUTF8
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 closing connection m18si1519581ejq.1 - gsmtp

--
Viktor.
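The pre- and post-STARTTLS EHLO comparison Viktor describes above, plus a parser for the X= and CV= fields of the Exim delivery log line Marc posted, as an added example that is not part of the original thread or of Exim's code. parse_ehlo, starttls_took_effect, tls_fields and probe_starttls are hypothetical names, and the sample EHLO replies and log line are constructed, modelled on the ones quoted in the thread.

```python
"""Added example for this thread (not Exim's or any poster's code): checks that STARTTLS
really took effect and what Exim logged about the TLS session. All names are hypothetical."""
import re
import smtplib
import ssl

# Constructed EHLO replies, modelled on the gmail responses quoted in the thread:
# STARTTLS is advertised before the handshake and must be gone afterwards.
EHLO_BEFORE = """250-mx.google.com at your service, [192.0.2.10]
250-SIZE 157286400
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8"""
EHLO_AFTER = "\n".join(line for line in EHLO_BEFORE.splitlines() if line != "250-STARTTLS")

# Constructed Exim delivery log line in the shape shown in the thread (X= and CV= fields).
EXIM_LOG = ("=> user@example.org R=dnslookup T=remote_smtp S=437 "
            "H=gmail-smtp-in.l.google.com [192.0.2.20] "
            "X=TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no "
            'DN="C=US,ST=California,L=Mountain View,O=Google LLC,CN=mx.google.com"')


def parse_ehlo(reply: str) -> set:
    """EHLO keywords from an RFC 5321 multi-line 250 reply. The first line is the
    server greeting, not a capability; '250-' continues, '250 ' ends the reply."""
    caps = set()
    for line in reply.splitlines()[1:]:
        m = re.match(r"250[- ](\S+)", line)
        if m:
            caps.add(m.group(1).upper())
    return caps


def starttls_took_effect(before: str, after: str) -> bool:
    """True when STARTTLS was offered in the first EHLO and is absent from the
    second, i.e. the second EHLO really ran inside the TLS session."""
    return "STARTTLS" in parse_ehlo(before) and "STARTTLS" not in parse_ehlo(after)


def tls_fields(logline: str) -> dict:
    """Pull Exim's X=proto:cipher:bits and CV= fields out of a delivery log line.
    CV=no (as in the thread) means the session was encrypted but the peer certificate
    was not verified, e.g. because the host matched tls_try_verify_hosts."""
    x = re.search(r"\bX=([^:\s]+):([^:\s]+):(\d+)", logline)
    if not x:
        return {"tls": False}
    cv = re.search(r"\bCV=(\w+)", logline)
    return {"tls": True, "version": x.group(1), "cipher": x.group(2),
            "bits": int(x.group(3)), "verified": bool(cv) and cv.group(1) == "yes"}


def probe_starttls(host: str, port: int = 25, helo: str = "probe.example.invalid") -> bool:
    """Live form of the check (needs network): EHLO, STARTTLS, EHLO again, as
    posttls-finger does. Verifies the server certificate against the system CA store."""
    with smtplib.SMTP(host, port, timeout=20) as s:
        s.ehlo(helo)
        if not s.has_extn("starttls"):
            return False
        s.starttls(context=ssl.create_default_context())
        s.ehlo(helo)  # smtplib clears the feature list after STARTTLS, so ask again
        return not s.has_extn("starttls")


if __name__ == "__main__":
    print("STARTTLS took effect:", starttls_took_effect(EHLO_BEFORE, EHLO_AFTER))
    print("TLS fields:", tls_fields(EXIM_LOG))
```

Running starttls_took_effect over Marc's gnutls-cli transcript above (where the only EHLO reply still lists STARTTLS) returns False, which is exactly the symptom Viktor points out.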
Re: [exim] TLS with gmail started failing
On Fri, Jun 07, 2019 at 10:09:40AM -0700, Marc MERLIN via Exim-users wrote:
> Sorry, I totally failed to give a required bit of info, which exim I have.
> debian exim4 4.87-3+b1

And yes, I did also read that I should upgrade for security reasons.
Working on that ATM.

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | PGP 7F55D5F27AAF9D08
Re: [exim] TLS with gmail started failing
On Fri, Jun 07, 2019 at 01:08:09PM -0400, Viktor Dukhovni via Exim-users wrote:
> The handshake succeeds, but reading the EHLO response fails with
> EAGAIN. This suggests that the socket is non-blocking, but in that
> case one would expect the read to be retried. Someone more familiar
> with the code will have to explore that hypothesis further.

While I'm not sure how my older exim4 would be at fault if it worked for
so long and suddenly started failing 2 days ago, given the security issue
with it, I'm working on the upgrade now to see if somehow that also fixes
this issue at the same time.

> In the meantime, have you tried "swaks" to see whether STARTTLS to
> Google works outside of Exim? You can also try OpenSSL's s_client
> as follows:
>
> $ openssl s_client -state -quiet -no_ign_eof -starttls smtp -connect
> alt4.gmail-smtp-in.l.google.com:25
>
> O: 250 ...
> O: SSL_connect:SSL negotiation finished successfully
> O: SSL_connect:SSL negotiation finished successfully
> O: SSL_connect:SSLv3/TLS read server session ticket
> I: QUIT
> O: 221 2.0.0 Bye
> O: SSL3 alert read:warning:close notify
> O: SSL3 alert write:warning:close notify
>
> And also with gnutls-cli:
>
> $ gnutls-cli --crlf --starttls --port 25 smtp.example.net
> alt4.gmail-smtp-in.l.google.com

Thanks for that suggestion.
That seems to work

magic:~# gnutls-cli --crlf --starttls --port 25 alt4.gmail-smtp-in.l.google.com
Processed 99 CA certificate(s).
Resolving 'alt4.gmail-smtp-in.l.google.com'...
Connecting to '173.194.217.26:25'...

- Simple Client Mode:

220 mx.google.com ESMTP 43si392782uam.102 - gsmtp
EHLO foo.bar
250-mx.google.com at your service, [209.81.13.136]
250-SIZE 157286400
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8
quit
221 2.0.0 closing connection 43si392782uam.102 - gsmtp
- Peer has closed the GnuTLS connection

Thanks,
Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | PGP 7F55D5F27AAF9D08
Re: [exim] TLS with gmail started failing
Hi Jeremy, thanks for your answer.

On Fri, Jun 07, 2019 at 05:39:24PM +0100, Jeremy Harris via Exim-users wrote:
> On 07/06/2019 17:16, Marc MERLIN via Exim-users wrote:
> > Is my cipher list unsuitable? cipher:
> > TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256
>
> That's not a cipher list, it is the cipher that you negotiated.

Oops, correct.

> With TLS1.3 certain TLS startup error types only become visible on the
> first read after the handshake call. I think you've hit one. The
> handling of these has been made a bit better post-4.92
> (see eg. c15523829b). Is there any chance of you compiling a
> bleeding-edge version?

Sorry, I totally failed to give a required bit of info, which exim I have.
debian exim4 4.87-3+b1

I don't upgrade unless I have to, as a general policy :)

> Alternatively, disable TLS1.3 - the tls_require_ciphers options
> for the smtp transport is expanded, so you could make this
> google-specific.

So, I'm not much of an expert on TLS and crypto protocols in general.
I had a look at
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html#SECTreqciphgnu
and I tried these 3 options directly pasted in /var/lib/exim4/config.autogenerated

tls_require_ciphers = NORMAL:%COMPAT

tls_require_ciphers = NORMAL:%LATEST_RECORD_VERSION:-VERS-SSL3.0

tls_require_ciphers = SECURE128

In all 3 cases I got the same:
10:04:33 4558 cipher: TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256
10:05:27 4916 cipher: TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256
10:05:56 4954 cipher: TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256

and the mail delivery failed all 3 times.

Any idea what I should try?

Thanks,
Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/
Re: [exim] TLS with gmail started failing
On Fri, Jun 07, 2019 at 09:16:04AM -0700, Marc MERLIN via Exim-users wrote:
> 14:32:03 5341 gnutls_handshake was successful
> 14:32:03 5341 TLS certificate verification failed (certificate invalid):
> peerdn="C=US,ST=California,L=Mountain View,O=Google LLC,CN=mx.google.com"
> 14:32:03 5341 TLS verify failure overridden (host in tls_try_verify_hosts)
> 14:32:03 5341 cipher: TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256
> 14:32:03 5341 Have channel bindings cached for possible auth usage.
> 14:32:03 5341 SMTP>> EHLO mail1.merlins.org
> 14:32:03 5341 tls_do_write(0xbfd5f57c, 24)
> 14:32:03 5341 gnutls_record_send(SSL, 0xbfd5f57c, 24)
> 14:32:03 5341 outbytes=24
> 14:32:03 5341 Calling gnutls_record_recv(0xb830fa40, 0xbfd5e57c, 4096)
> 14:32:03 5341 LOG: MAIN
> 14:32:03 5341 H=alt4.gmail-smtp-in.l.google.com [74.125.141.26] TLS error
> on connection (recv): Resource temporarily unavailable, try again.

The handshake succeeds, but reading the EHLO response fails with
EAGAIN. This suggests that the socket is non-blocking, but in that
case one would expect the read to be retried. Someone more familiar
with the code will have to explore that hypothesis further.

In the meantime, have you tried "swaks" to see whether STARTTLS to
Google works outside of Exim? You can also try OpenSSL's s_client
as follows:

$ openssl s_client -state -quiet -no_ign_eof -starttls smtp -connect alt4.gmail-smtp-in.l.google.com:25

O: 250 ...
O: SSL_connect:SSL negotiation finished successfully
O: SSL_connect:SSL negotiation finished successfully
O: SSL_connect:SSLv3/TLS read server session ticket
I: QUIT
O: 221 2.0.0 Bye
O: SSL3 alert read:warning:close notify
O: SSL3 alert write:warning:close notify

And also with gnutls-cli:

$ gnutls-cli --crlf --starttls --port 25 smtp.example.net alt4.gmail-smtp-in.l.google.com

--
Viktor.
Re: [exim] TLS with gmail started failing
On 07/06/2019 17:16, Marc MERLIN via Exim-users wrote:
> Is my cipher list unsuitable? cipher: TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256

That's not a cipher list, it is the cipher that you negotiated.

> 14:32:03 5341 gnutls_handshake was successful
> 14:32:03 5341 TLS certificate verification failed (certificate invalid):
> peerdn="C=US,ST=California,L=Mountain View,O=Google LLC,CN=mx.google.com"
> 14:32:03 5341 TLS verify failure overridden (host in tls_try_verify_hosts)
> 14:32:03 5341 cipher: TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256
> 14:32:03 5341 Have channel bindings cached for possible auth usage.
> 14:32:03 5341 SMTP>> EHLO mail1.merlins.org
> 14:32:03 5341 tls_do_write(0xbfd5f57c, 24)
> 14:32:03 5341 gnutls_record_send(SSL, 0xbfd5f57c, 24)
> 14:32:03 5341 outbytes=24
> 14:32:03 5341 Calling gnutls_record_recv(0xb830fa40, 0xbfd5e57c, 4096)
> 14:32:03 5341 LOG: MAIN
> 14:32:03 5341 H=alt4.gmail-smtp-in.l.google.com [74.125.141.26] TLS error
> on connection (recv): Resource temporarily unavailable, try again.

With TLS1.3 certain TLS startup error types only become visible on the
first read after the handshake call. I think you've hit one. The
handling of these has been made a bit better post-4.92
(see eg. c15523829b). Is there any chance of you compiling a
bleeding-edge version?

Alternatively, disable TLS1.3 - the tls_require_ciphers options
for the smtp transport is expanded, so you could make this
google-specific.

--
Cheers,
  Jeremy