Bug#467137: Error message about TLS packet with unexpected length due to usage of DNS alias name of mail server.

Raoul Bönisch jkl345 at alice-dsl.net
Tue May 12 15:53:20 UTC 2009


This email contains a simple workaround to this problem.

Subject: exim4: Error message about TLS packet with unexpected length due to usage of DNS alias name of mail server.
Package: exim4
Version: 4.69-11
Severity: normal

This problem is similar to #467137, #482404, #467137, #478470. Note that I am using exim4-daemon-light though.

I am using the DSL product Alice by HanseNet in Germany. They advise using smtp.alice-dsl.net as an SMTP server. See https://www.alice-dsl.de/alicehelp/index.jsp?showContentNodeId=1291&type=6#1291 (German help page).

With this setup I get this error:

TLS recv error on connection to out.alice-dsl.net [88.44.60.16]: A TLS packet with unexpected length was received.
TLS send error on connection to out.alice-dsl.net [88.44.60.16]: The specified session has been invalidated for some reason.
R=smarthost_auto T=remote_smtp_smarthost defer (-45): SMTP error from remote mail server after MAIL FROM:<jkl345 at alice-dsl.net> SIZE=1517: host out.alice-dsl.net [88.44.60.16]: 454 5.7.3 Client does not have permission to submit mail to this server.

I investigated the SMTP server address:

# host smtp.alice-dsl.net
smtp.alice-dsl.net  	CNAME	out.alice-dsl.net
out.alice-dsl.net   	A	88.44.60.16

# nslookup smtp.alice-dsl.net
Server:		127.0.0.1
Address:	127.0.0.1#53

Non-authoritative answer:
smtp.alice-dsl.net	canonical name = out.alice-dsl.net.
Name:	out.alice-dsl.net
Address: 88.44.60.16

Obviously smtp.alice-dsl.net is an alias DNS name while out.alice-dsl.net is its canonical name.

I put the canonical SMTP server name in the exim4 configuration and the problem was solved. The mail gets through without the error message.

The problem does not seem to be entropy related. It is never there with mail server out.alice-dsl.net and it is there every time with smtp.alice-dsl.net. Plus, there is enough entropy available:

cat /proc/sys/kernel/random/entropy_avail
1305

I have tried removing ca-certificates which didn't solve the problem.

My guess is that exim4 looks up the canonical name and tries to check it against the configuration file /etc/exim4/passwd.client to find login and password. When using the alias DNS name in this file, exim4 doesn't find any login and password.

I assume this is not the desired behaviour of exim4. Exim4 should look up the canonical name as well as alias names, in case ISPs publish alias names of their DNS servers.

At least there should be a hint to this problem in the documentation and the advice to check DNS names of mail servers and try them to get things working.

Greetings,

Raoul


-- Package-specific info:
Exim version 4.69 #1 built 10-May-2009 09:42:17
Copyright (c) University of Cambridge 2006
Berkeley DB: Berkeley DB 4.6.21: (September 27, 2007)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated
# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#;// Modified by Raoul Bönisch <jkl345 at gmx.net> :: `date` Mon Dec  1 16:28:26 UTC 2008
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to generate
# exim configuration macros for the configuration file.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file

dc_eximconfig_configtype='smarthost'
dc_other_hostnames='res'
dc_local_interfaces='127.0.0.1'
dc_readhost='res'
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost='mail.gmx.net;smtp.alice-dsl.net;smtp.cvmx.de'
CFILEMODE='644'
dc_use_split_config='true'
dc_hide_mailname='true'
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'
mailname:res.br.priv

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.29-2-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages exim4 depends on:
ii  debconf [debconf-2.0]         1.5.26     Debian configuration management sy
ii  exim4-base                    4.69-11    support files for all Exim MTA (v4
ii  exim4-daemon-light            4.69-11    lightweight Exim MTA (v4) daemon

exim4 recommends no packages.

exim4 suggests no packages.

-- debconf information:
  exim4/drec:
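
Added example (not part of the original report and not exim4 code): a small offline check for the mismatch described above, which follows the CNAME chain for each dc_smarthost entry and reports whether passwd.client holds credentials under the canonical name or only under the alias. It assumes, as the report guesses, that credentials are looked up under the canonical name, and that keys are exact names or leading-asterisk suffix patterns; the function names and the passwd.client content are constructed for illustration.

```python
# Resolver output as quoted in the report (alias -> canonical name -> address).
HOST_OUTPUT = """\
smtp.alice-dsl.net  CNAME  out.alice-dsl.net
out.alice-dsl.net   A      88.44.60.16
"""

# Constructed passwd.client content; login and password are placeholders.
PASSWD_CLIENT = """\
# target.mail.server.example:login:password
smtp.alice-dsl.net:EXAMPLE_LOGIN:EXAMPLE_PASSWORD
"""


def cname_map(host_output):
    """Return {alias: target} for every CNAME line in `host`-style output."""
    rows = (ln.split() for ln in host_output.splitlines())
    return {r[0].lower(): r[2].lower().rstrip(".")
            for r in rows if len(r) == 3 and r[1] == "CNAME"}


def canonical(name, cnames):
    """Follow the CNAME chain from name, stopping if it loops."""
    seen, name = set(), name.lower().rstrip(".")
    while name in cnames and name not in seen:
        seen.add(name)
        name = cnames[name]
    return name


def passwd_keys(text):
    """Host field of each non-comment passwd.client line."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln.split(":", 1)[0].lower() for ln in lines if ln and not ln.startswith("#")]


def key_matches(key, host):
    # Assumption: a key is an exact name or a leading-asterisk suffix pattern.
    return host.endswith(key[1:]) if key.startswith("*") else host == key


def audit(dc_smarthost, host_output, passwd_text):
    """Map each smarthost to (canonical name, status of its credentials)."""
    cnames, keys, report = cname_map(host_output), passwd_keys(passwd_text), {}
    for name in filter(None, (s.strip().lower() for s in dc_smarthost.split(";"))):
        canon = canonical(name, cnames)
        if any(key_matches(k, canon) for k in keys):
            status = "ok"
        elif any(key_matches(k, name) for k in keys):
            status = "alias-only"  # entry exists, but not under the canonical name
        else:
            status = "missing"
        report[name] = (canon, status)
    return report
```

Keying the entry by the canonical name (out.alice-dsl.net here) turns the "alias-only" result into "ok", which matches the workaround in the report.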
