Bug#348046: exim4-daemon-heavy: TLS delivery attempts fail with: (gnutls_handshake): A TLS packet with unexpected length was received.

Andrew McGlashan andrew.mcglashan at affinityvision.com.au
Sun Oct 28 15:05:18 UTC 2007


Hi Marc,

Marc Haber wrote:
>> I prefer to stick with standard packages as supplied by apt package
>> management.... I am not interested in doing any re-compiles and
>> moving too far away from the standards that are currently in place.
>
> Then you're out of luck.

Okay.... well I'll persevere if I can with some more information.

>> I want to be able to support the use of Incredimail against my mail
>> server without departing from my strict policy of using SMTP Auth
>> over port 465 with SSL security.
>
> Port 465 is an RFC violation anyway, it was never assigned for SMTP
> over SSL in the first place. Microsoft is the only instance who
> insists on using this non-standard.

I have just re-configured my server to accept 25 / 265 and 587 for SSL/TLS 
connections.

03_exim4-config_tlsoptions:
  tls_on_connect_ports=465:587

AND in /etc/default/exim4
 SMTPLISTENEROPTIONS='-oX 587:465:25 -oP /var/run/exim4/exim.pid'

Now.... I can send using port 25 or 465 both with SSL with OE, but 587 with 
OE times out and eventually gives the same error on the server as does 
IncrediMail -- although IM does it almost immediately.

Leaving the port at 25 is not acceptable because any old wireless hotspot 
will interfere with my direct SMTP Auth connections by hijacking the port 25 
traffic and using their own sending mail servers.

I don't know why port 587 with SSL isn't working with OE though.

By default if you select SSL for outgoing mail server with OE, then it uses 
port 25 -- this has to be changed to 465 in my case to work as I prefer.

GMAIL also breaks the RFC then as they only use port 465....

> The widely accepted standardized way to do secure SMTP is STARTTLS,
> which is kind of SMTP-over-SSL-over-SMTP and can be run on the
> standardized ports 25 (SMTP) and 587 (mail submission).
>
> But you are likely to fall into the same trap with your incredimail
> that way.

IM will not work on port 25, 465 or 587.

On my server, I can see the following:

# netstat -an|grep -e 25 -e 465 -e 587|grep tcp
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 192.168.2.2:25          80.161.186.2:63657      TIME_WAIT


And when OE is 'waiting' on port 587 tests:

# netstat -an|grep -e 25 -e 465 -e 587|grep tcp
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 192.168.2.2:587         192.168.0.158:2854      ESTABLISHED

When I give up on the waiting, the following is sent to 
/var/log/exim4/mainlog:

2007-10-29 02:06:07 TLS error on connection from [192.168.0.158] (gnutls_handshake): A TLS packet with unexpected length was received


Kind Regards
AndrewM
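
Added example, not part of the original message or of the Exim packaging: a small check, run over the two settings quoted above, of which handshake each listening port expects and what a client using the other mode would see. It assumes `-oX` carries a plain colon-separated port list as in the message; the function names and the client modes passed in are hypothetical.

```python
import re

def parse_ports(value):
    """Split a colon-separated port list such as '465:587' into a set of ints."""
    return {int(p) for p in value.split(":") if p.strip().isdigit()}

def listener_ports(listener_opts):
    """Extract the port list passed to -oX in SMTPLISTENEROPTIONS."""
    m = re.search(r"-oX\s+(\S+)", listener_opts)
    return parse_ports(m.group(1)) if m else set()

def server_modes(tls_on_connect_ports, listener_opts):
    """Map each listening port to the handshake the server expects on it."""
    on_connect = parse_ports(tls_on_connect_ports)
    return {p: ("tls-on-connect" if p in on_connect else "starttls")
            for p in sorted(listener_ports(listener_opts))}

def predict(modes, port, client_mode):
    """Predict the outcome when a client uses client_mode against this port."""
    server = modes.get(port)
    if server is None:
        return "refused: nothing listens on this port"
    if server == client_mode:
        return "ok"
    if server == "tls-on-connect":
        # Client speaks SMTP first and waits for the greeting; the server
        # sends nothing until it has received a TLS ClientHello.
        return "stall: client waits for the 220 banner, server waits for a ClientHello"
    # Client starts TLS at once; the server has already sent a plaintext greeting.
    return "error: client sends a ClientHello, server answers with a plaintext 220 banner"

# Settings as quoted in the message.
MODES = server_modes("465:587", "-oX 587:465:25 -oP /var/run/exim4/exim.pid")

if __name__ == "__main__":
    # Client modes below are assumptions chosen for illustration.
    for port, client in [(25, "starttls"), (465, "tls-on-connect"), (587, "starttls")]:
        print(port, MODES[port], "<-", client, ":", predict(MODES, port, client))
```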
