Bug#674990: exim breaks (again?) with TLS packet with unexpected length

Marc Haber mh+debian-packages at zugschlus.de
Tue May 29 09:58:12 UTC 2012

On Tue, May 29, 2012 at 06:45:52PM +0900, Norbert Preining wrote:
> On Di, 29 Mai 2012, Marc Haber wrote:
> > > I have found various suggestions, like adding the Debian-exim user
> > > to the group shadow,
> > 
> > Where is this dangerous suggestion written?
> http://vk6hgr.echidna.id.au/blog/?p=184

The author of this blog entry has not read the documentation. Adding
Debian-exim to the shadow group is the most insecure way to get
authentication (as a server) to work. It has nothing to do with TLS at
all. You might want to revert that change on your system as you are
exposing all your password hashes to an attacker.

> * openssl
> $ openssl s_client -connect smtp.jaist.ac.jp:587CONNECTED(00000003)

That will not work. You need to use STARTTLS, -starttls smtp

> $ gnutls-cli -s -p 587 smtp.jaist.ac.jp
> Processed 0 CA certificate(s).
> Resolving 'smtp.jaist.ac.jp'...
> Connecting to ''...
> - Simple Client Mode:
> 220 jaist.ac.jp ESMTP mail service ready
> EHLO mithrandir
>      (nothing ... pressing Ctrl-D)

The server stalls at this point before even switching to TLS. This is
a problem of the remote side that I can see from here as well. You
should report this to the operators of the server, it is broken.


Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 31958061
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 31958062

More information about the Pkg-exim4-maintainers mailing list