Bug#674990: exim breaks (again?) with TLS packet with unexpected length

Andreas Metzler ametzler at downhill.at.eu.org
Wed May 30 17:37:09 UTC 2012

On 2012-05-30 Norbert Preining <preining at logic.at> wrote:
> On Di, 29 Mai 2012, Andreas Metzler wrote:
> > gnutls-cli --priority=NORMAL:%COMPAT:-VERS-TLS1.1:-VERS-TLS1.2 \
> >   smtp.jaist.ac.jp -p 465
> The only hickup was that at then end 
> > connect if the SSL/settings are modified (for 4.77
> > gnutls_require_protocols and gnutls_compat_mode, for 4.80 (in
> > experimental) simply set tls_require_ciphers to the abovementioned
> > priority string.)

> Now I tried to convince exim to do the same, but without success.
> According to your remarks I set the foillowing variables in
> 	/etc/exim4/conf.d/main/000_localmacros

> DCsmarthost=smtp.jaist.ac.jp::465
> gnutls_compat_mode=true
> gnutls_require_protocols=NORMAL:%COMPAT:-VERS-TLS1.1:-VERS-TLS1.2

Two things: 
* gnutls_require_protocols does not accept a GnuTLS string, it is a
  different syntax. "TLS1.0:SSL3
* The respective setting needs to be on the transport. (The
  corresponding main configuration settings apply when exim is
  accepting mail on the SMTP port.)


> -----------------------------
> One more thing: I want to complain to the tech staff here: can you
> tell me what else, besides the fact that TLS1.1 and TLS1.2 are not
> supported, I can tell them?

Nothing specific. I wozuld just hit them with the fact that

openssl s_client -connect smtp.jaist.ac.jp:465

fails. This should give more incentive than bringing in GnuTLS, which
is far less used. There are broken servers around (see e.g.

cu andreas

`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

More information about the Pkg-exim4-maintainers mailing list