Bug#515999: Workaround for outlook error 0x800CCC1A

Stefan Hornburg racke at linuxia.de
Tue Mar 3 07:45:45 UTC 2009


Sam Morris wrote:
>> For maximum interoperability a safer default should be chosen, such as
>> not using any certificates or using a separate store in /etc/exim (like
>> the default certificate files).
> 
> For those who, after upgrading to lenny, are receiving the following
> error with Outlook:
> 
>         Task '[account] - Sending' reported error (0x800CCC1A): 'Your
>         server does not support the connection encryption type you have
>         specified. Try changing the encryption method. Contact your mail
>         server administrator or Internet service provider (ISP) for
>         additional assistance'.
> 
> Accompanied by the following Exim log messages:
> 
>         TLS error on connection from [host] (gnutls_handshake): A record
>         packet with illegal version was received.
> 
> Don't worry, the error message is totally wrong in every way. You don't
> need to screw around with your account settings. You do, however, need
> to disable the verification of client certificates.
> 
> To do this, place the following in /etc/exim4/conf.d/00_localmacros and
> reload exim:
> 
>         MAIN_TLS_TRY_VERIFY_HOSTS = 
> 
> That is, set the macro to the empty string.
> 
> Perhaps tls_try_verify_hosts should not be set to '*' by default, given
> that:
> 
>      1. It does not increase security
>      2. It results in about 35 KiB of overhead for each TLS-using
>         connection
>      3. It causes one of the most popular mail clients to barf
> 

I agree with that; most servers don't need to verify client certificates.
Of course the error message from the Windows mailers is stupid, but it
is also hard to track down.

Regards
	Racke

-- 
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team
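
The shell functions below are an added example, not part of the original message or of the Debian package: one counts the clients that hit the handshake error quoted above in an Exim main log, the other reports whether a macro file applies the workaround. The function names are hypothetical and the log lines are constructed.

```shell
#!/bin/sh
# Added example; function names and the sample log lines are constructed.

# Read Exim main log lines on stdin and print "<count> <ip>" for each client
# that hit the GnuTLS handshake error quoted in this thread, busiest first.
tls_version_errors() {
    grep -F '(gnutls_handshake): A record packet with illegal version' |
        sed -n 's/.*TLS error on connection from .*\[\([0-9A-Fa-f.:]*\)\].*/\1/p' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Report how MAIN_TLS_TRY_VERIFY_HOSTS is defined in the macro file "$1":
#   empty - the workaround is in place (no client certificate is requested)
#   set   - a host list is defined
#   unset - no definition in this file, so the packaged default applies
verify_hosts_macro_state() {
    line=$(grep -E '^[[:space:]]*MAIN_TLS_TRY_VERIFY_HOSTS[[:space:]]*=' "$1" 2>/dev/null | tail -n 1)
    [ -n "$line" ] || { echo unset; return; }
    value=$(printf '%s\n' "$line" | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
    if [ -z "$value" ]; then echo empty; else echo set; fi
}

# Constructed log lines: three matching errors, one unrelated TLS error,
# and one ordinary log entry.
sample_log() {
    cat <<'EOF'
2009-03-02 18:04:11 TLS error on connection from pc1.example.test [192.0.2.10] (gnutls_handshake): A record packet with illegal version was received.
2009-03-02 18:04:40 TLS error on connection from pc1.example.test [192.0.2.10] (gnutls_handshake): A record packet with illegal version was received.
2009-03-02 18:09:02 TLS error on connection from [198.51.100.7] (gnutls_handshake): A record packet with illegal version was received.
2009-03-02 18:12:30 TLS error on connection from [203.0.113.5] (gnutls_handshake): A TLS packet with unexpected length was received.
2009-03-02 18:15:00 Start queue run: pid=4242
EOF
}

sample_log | tls_version_errors
verify_hosts_macro_state "${1:-/etc/exim4/conf.d/00_localmacros}"
```

On a live system, feed the first function the real main log instead of the sample, and pass the second the macro file you actually edited.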