Bug#674990: exim breaks (again?) with TLS packet with unexpected length
Norbert Preining
preining at logic.at
Tue May 29 23:19:57 UTC 2012
Hi Andreas,
thanks for your help.
On Di, 29 Mai 2012, Andreas Metzler wrote:
> 587 uses starttls, you'll need to talk to 465 to give abovementioned
> openssl test a chance to succeed.
Ok, after adding the necessary GlobalSign to the accepted CA certificates
I can talk to the server via openssl and gnutls-cli on port 465.
I could even send an actual email by typing in all the commands,
including authentication etc., using gnutls-cli:
> gnutls-cli --priority=NORMAL:%COMPAT:-VERS-TLS1.1:-VERS-TLS1.2 \
> smtp.jaist.ac.jp -p 465
Here is a transcript:
$ gnutls-cli --priority=NORMAL:%COMPAT:-VERS-TLS1.1:-VERS-TLS1.2 smtp.jaist.ac.jp -p 465
Processed 7 CA certificate(s).
Resolving 'smtp.jaist.ac.jp'...
Connecting to '150.65.19.12:465'...
- Peer's certificate is trusted
- The hostname in the certificate matches 'smtp.jaist.ac.jp'.
....
220 mailrelayi.jaist.ac.jp ESMTP
EHLO mithrandir
250-mailrelayi.jaist.ac.jp
250-8BITMIME
250-SIZE 104857600
250-AUTH PLAIN LOGIN
250 AUTH=PLAIN LOGIN
AUTH LOGIN
334 VXNlcm5hbWU6
.....some....string
334 UGFzc3dvcmQ6
.....some...string
235 #2.0.0 OK Authenticated
MAIL FROM:<preining at logic.at>
250 sender <preining at logic.at> ok
RCPT TO:<preining at debian.org>
250 recipient <preining at debian.org> ok
DATA
354 go ahead
From: "Norbert Preining" <preining at logic.at>
To: "Norbert Preining" <preining at debian.org>
Subject: Hello WOrld
See you soon
.
250 ok: Message 117646959 accepted
QUIT
221 mailrelayi.jaist.ac.jp
*** Fatal error: The TLS connection was non-properly terminated.
*** Server has terminated the connection abnormally.
$
But interestingly the mail was properly delivered, so no problem on
this side.
The only hiccup was that at the end
> connect if the SSL/settings are modified (for 4.77
> gnutls_require_protocols and gnutls_compat_mode, for 4.80 (in
> experimental) simply set tls_require_ciphers to the abovementioned
> priority string.)
Now I tried to convince exim to do the same, but without success.
According to your remarks I set the following variables in
/etc/exim4/conf.d/main/000_localmacros
DCsmarthost=smtp.jaist.ac.jp::465
gnutls_compat_mode=true
gnutls_require_protocols=NORMAL:%COMPAT:-VERS-TLS1.1:-VERS-TLS1.2
called update-exim4.conf and restarted exim. Unfortunately it did
not work out, I got:
2012-05-30 08:08:15 [11828] 1SZVOZ-0007rj-8Q SMTP timeout while connected to smtp.jaist.ac.jp [150.65.19.12] after initial connection: Connection timed out
2012-05-30 08:08:15 [11825] 1SZVOZ-0007rj-8Q == preining at logic.at R=smarthost T=remote_smtp_smarthost defer (110): Connection timed out: SMTP timeout while connected to smtp.jaist.ac.jp [150.65.19.12] after initial connection
which is at least a step forward ...
Any further ideas?
-----------------------------
One more thing: I want to complain to the tech staff here: can you
tell me what else, besides the fact that TLS1.1 and TLS1.2 are not
supported, I can tell them?
Thanks a lot and all the best
Norbert
------------------------------------------------------------------------
Norbert Preining preining@{jaist.ac.jp, logic.at, debian.org}
JAIST, Japan TeX Live & Debian Developer
DSA: 0x09C5B094 fp: 14DF 2E6C 0307 BE6D AD76 A9C0 D2BF 4AA3 09C5 B094
------------------------------------------------------------------------
VOBSTER (n.)
A strain of perfectly healthy rodent which develops cancer the moment
it enters a laboratory.
--- Douglas Adams, The Meaning of Liff