Bug#517394: exim4-daemon-heavy: Incoming connection fails with "(gnutls_handshake): A TLS fatal alert has been received."

Rasmus Bøg Hansen rasmus at msconsult.dk
Fri Feb 27 13:13:33 UTC 2009


Package: exim4-daemon-heavy
Version: 4.69-9
Severity: normal


In Lenny, incoming connection from one server (only) fails with the following error message:

2009-02-27 09:36:56 TLS error on connection from mail.example.com (example.com) [1.1.1.1] (gnutls_handshake): A TLS fatal alert has been received.

With etch connections worked fine:

2009-02-09 16:46:30 1LWYL8-0001xb-Cl <= pieter at example.com H=mail.example.com (example.com) [1.1.1.1] P=esmtps X=SSL 3.0:RSA_3DES_EDE_CBC_SHA1:24 DN="" S=3725 id=auto-000002527029 at example.com

Sending *to* the same server (it is apparently both the outgoing and incoming server) with TLS works just fine:

2009-02-27 10:45:05 1LczGy-0002Bj-Ml => ralf at example.com <ralf at example.com> R=dnslookup T=remote_smtp H=mail.example.com [1.1.1.1]

According to the 200 welcome message, the remote server runs CommuniGate Pro 5.2.7:

220 gerstel.com ESMTP CommuniGate Pro 5.2.7

I consider this a bug in exim4 as TLS communication with this particular server worked fine with etch but broke in lenny - though I of course know that CommuniGate might be to blame.

Disabling TLS for this particular host (see below) apparently fixes the problem but I see it as a workaround and not a real solution.

I am unsure how to proceed now (I have no control of the remote server whatsoever), but I will gladly debug, help and provide information on this.

I have the following TLS-related configuration (also see my update-exim4.conf.conf later):

root at gere:/etc/exim4# cat /etc/exim4/conf.d/main/00_local
MAIN_TLS_ENABLE='true'
daemon_smtp_ports = smtp : submission : ssmtp
tls_on_connect_ports = 465
MESSAGE_SIZE_LIMIT=512M
CHECK_RCPT_SPF='true'
CHECK_RCPT_IP_DNSBLS = sbl-xbl.spamhaus.org : dnsbl.sorbs.net : bl.spamcop.net
CHECK_RCPT_DOMAIN_DNSBLS = rhsbl.sorbs.net : rhsbl.ahbl.org
REMOTE_SMTP_HOSTS_AVOID_TLS = 1.1.1.1
MAIN_TLS_ADVERTISE_HOSTS = !1.1.1.1 : !mail.example.com

Regards
/Rasmus Bøg Hansen

-- Package-specific info:
Exim version 4.69 #1 built 30-Sep-2008 18:26:44
Copyright (c) University of Cambridge 2006
Berkeley DB: Berkeley DB 4.6.21: (September 27, 2007)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS move_frozen_messages Content_Scanning Old_Demime
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated
# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to replace
# the DEBCONFsomethingDEBCONF strings in the configuration template files.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file

dc_eximconfig_configtype='internet'
dc_other_hostnames='a.b.c.d:[a.b.c.d]:gere:gere.example.dk:/etc/exim4/domains'
dc_local_interfaces=''
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets='10.0.0.0/24 ; 127.0.0.1 ; ::1'
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='true'
dc_hide_mailname='false'
dc_mailname_in_oh='true'
dc_localdelivery='maildir_home'
mailname:example.dk

-- System Information:
Debian Release: 5.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.28.7 (SMP w/2 CPU cores)
Locale: LANG=da_DK.UTF-8, LC_CTYPE=da_DK.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to da_DK.UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages exim4-daemon-heavy depends on:
ii  debconf [debconf-2.0]    1.5.24          Debian configuration management sy
ii  exim4-base               4.69-9          support files for all Exim MTA (v4
ii  libc6                    2.7-18          GNU C Library: Shared libraries
ii  libdb4.6                 4.6.21-11       Berkeley v4.6 Database Libraries [
ii  libgnutls26              2.4.2-6         the GNU TLS library - runtime libr
ii  libldap-2.4-2            2.4.11-1        OpenLDAP libraries
ii  libmysqlclient15off      5.0.51a-24      MySQL database client library
ii  libpam0g                 1.0.1-5         Pluggable Authentication Modules l
ii  libpcre3                 7.6-2.1         Perl 5 Compatible Regular Expressi
ii  libperl5.10              5.10.0-19       Shared Perl library
ii  libpq5                   8.3.6-1         PostgreSQL C client library
ii  libsasl2-2               2.1.22.dfsg1-23 Cyrus SASL - authentication abstra
ii  libsqlite3-0             3.5.9-6         SQLite 3 shared library

exim4-daemon-heavy recommends no packages.

exim4-daemon-heavy suggests no packages.

-- debconf information:
  exim4-daemon-heavy/drec:
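
The comparison the report makes by hand (a peer that negotiated TLS before the upgrade and now fails the GnuTLS handshake) can be run over a whole mainlog. This is an added example, not part of the original report or of Exim; the sample lines are constructed in the format quoted above, and the names `triage`, `ACCEPT` and `TLS_ERR` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the mainlog format quoted in the report
# (hosts, addresses and message ids are placeholders).
SAMPLE_LOG = """\
2009-02-09 16:46:30 1LWYL8-0001xb-Cl <= pieter@example.com H=mail.example.com (example.com) [1.1.1.1] P=esmtps X=SSL 3.0:RSA_3DES_EDE_CBC_SHA1:24 DN="" S=3725
2009-02-20 08:02:11 1LaQx1-0000aa-01 <= bob@example.net H=mx.example.net [192.0.2.7] P=esmtps X=TLS1.0:RSA_AES_256_CBC_SHA1:32 S=1820
2009-02-27 09:36:56 TLS error on connection from mail.example.com (example.com) [1.1.1.1] (gnutls_handshake): A TLS fatal alert has been received.
2009-02-27 09:41:02 TLS error on connection from mail.example.com (example.com) [1.1.1.1] (gnutls_handshake): A TLS fatal alert has been received.
2009-02-27 11:15:40 TLS error on connection from scanner.example.org [198.51.100.9] (gnutls_handshake): A TLS fatal alert has been received.
"""

TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
# Inbound message accepted over TLS; X= is protocol:cipher:bits and the
# protocol part may contain a space ("SSL 3.0"), so it cannot be split on \s.
ACCEPT = re.compile("^" + TS + r" \S+ <= .*?\[(?P<ip>[^\]]+)\].*? X=(?P<x>.+?:\S+?:\d+)(?=\s|$)")
# Inbound TLS failure, with the failing library call in parentheses.
TLS_ERR = re.compile("^" + TS + r" TLS error on connection from .*?\[(?P<ip>[^\]]+)\] \((?P<func>\w+)\): (?P<msg>.*)$")

def triage(log_text):
    """Per peer IP: TLS failures logged after its last successful TLS session."""
    peers = defaultdict(lambda: {"last_ok": None, "errors": []})
    for line in log_text.splitlines():
        m = ACCEPT.match(line)
        if m:
            peers[m["ip"]]["last_ok"] = (m["ts"], m["x"])
            continue
        m = TLS_ERR.match(line)
        if m:
            peers[m["ip"]]["errors"].append((m["ts"], m["func"], m["msg"]))
    report = {}
    for ip, p in peers.items():
        ok = p["last_ok"]
        # Timestamps in this format sort lexicographically in time order.
        later = [e for e in p["errors"] if ok is None or e[0] > ok[0]]
        if later:
            report[ip] = {
                # "regressed": the peer used to negotiate TLS and now cannot.
                "status": "regressed" if ok else "never_negotiated",
                "last_protocol": ok[1].split(":")[0] if ok else None,
                "failures": len(later),
            }
    return report

if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(ip, info)
```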




