Bug#674990: exim breaks (again?) with TLS packet with unexpected length
Norbert Preining
preining at logic.at
Thu May 31 01:34:14 UTC 2012
Hi Andreas,
thanks for your support, very helpful, unfortunately ... it still
does not work out, no reason why...
On Mi, 30 Mai 2012, Andreas Metzler wrote:
> On 2012-05-30 Norbert Preining <preining at logic.at> wrote:
> > On Di, 29 Mai 2012, Andreas Metzler wrote:
> [...]
> > > gnutls-cli --priority=NORMAL:%COMPAT:-VERS-TLS1.1:-VERS-TLS1.2 \
> > > smtp.jaist.ac.jp -p 465
> [...]
> > The only hiccup was that at the end
> > > connect if the SSL/settings are modified (for 4.77
> > > gnutls_require_protocols and gnutls_compat_mode, for 4.80 (in
> > > experimental) simply set tls_require_ciphers to the abovementioned
> > > priority string.)
>
> > Now I tried to convince exim to do the same, but without success.
> > According to your remarks I set the following variables in
> > /etc/exim4/conf.d/main/000_localmacros
>
> > DCsmarthost=smtp.jaist.ac.jp::465
> > gnutls_compat_mode=true
> > gnutls_require_protocols=NORMAL:%COMPAT:-VERS-TLS1.1:-VERS-TLS1.2
>
> Two things:
> * gnutls_require_protocols does not accept a GnuTLS string, it is a
> different syntax. "TLS1.0:SSL3
> * The respective setting needs to be on the transport. (The
> corresponding main configuration settings apply when exim is
> accepting mail on the SMTP port.)
Ok, I have now
gnutls_require_protocols="TLS1.0:SSL3"
and also tried
gnutls_require_protocols=TLS1.0:SSL3
added to the
conf.d/transport/30_exim4-config_remote_smtp_smarthost
as in:
remote_smtp_smarthost:
  debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
  driver = smtp
  hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
        {\
        ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\
        }\
        {} \
      }
  gnutls_require_protocols=TLS1.0:SSL3
.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
  hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
.endif
...
Furthermore, in the main section I have added the
gnutls_compat_mode=true
(conf.d/main/000_localmacros)
update-exim4.conf (no warning)
exim restart (no warning)
delivering the message ends with:
2012-05-31 10:26:53 [5012] 1SZVOZ-0007rj-8Q SMTP timeout while connected to smtp.jaist.ac.jp [150.65.19.12] after initial connection: Connection timed out
2012-05-31 10:26:53 [5009] 1SZVOZ-0007rj-8Q == preining at logic.at R=smarthost T=remote_smtp_smarthost defer (110): Connection timed out: SMTP timeout while connected to smtp.jaist.ac.jp [150.65.19.12] after initial connection
> Nothing specific. I would just hit them with the fact that
>
> openssl s_client -connect smtp.jaist.ac.jp:465
Ok, thanks.
> is far less used. There are broken servers around (see e.g.
> <http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/5993>).
Thanks for the link.
Best wishes
Norbert
------------------------------------------------------------------------
Norbert Preining preining@{jaist.ac.jp, logic.at, debian.org}
JAIST, Japan TeX Live & Debian Developer
DSA: 0x09C5B094 fp: 14DF 2E6C 0307 BE6D AD76 A9C0 D2BF 4AA3 09C5 B094
------------------------------------------------------------------------
ELY (n.)
The first, tiniest inkling you get that something, somewhere, has gone
terribly wrong.
--- Douglas Adams, The Meaning of Liff
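
Added example (not part of the original message, and not Exim or Debian code): a small Python check for the two points Andreas raises above, that gnutls_require_protocols does not take a GnuTLS priority string and that a setting in the main section applies only when Exim is accepting mail. The sample configuration is constructed from the settings quoted in the thread, and the keyword list used to recognise priority strings is an assumption.

```python
import re

# Constructed sample, modelled on the settings quoted in the thread.
SAMPLE = """\
# main section (used when Exim accepts mail)
gnutls_compat_mode = true
gnutls_require_protocols = NORMAL:%COMPAT:-VERS-TLS1.1:-VERS-TLS1.2

begin transports

remote_smtp_smarthost:
  driver = smtp
  gnutls_require_protocols = TLS1.0:SSL3
"""

# Assumption: tokens typical of a GnuTLS priority string (level keywords
# and %, +, -, ! modifiers); none of these is a plain protocol name.
PRIORITY_TOKEN = re.compile(
    r"^(?:[%+!-].*|NONE|NORMAL|PERFORMANCE|EXPORT|SECURE\d*|SUITEB\d+)$")

def lint(text):
    """Return (line, location, issue, tokens) for gnutls_require_protocols."""
    section, instance, findings = "main", None, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"begin\s+(\w+)$", line)
        if m:                                   # new configuration section
            section, instance = m.group(1), None
            continue
        m = re.match(r"(\w+):$", line)
        if m and section != "main":             # start of a driver instance
            instance = m.group(1)
            continue
        m = re.match(r"gnutls_require_protocols\s*=\s*(.*)$", line)
        if not m:
            continue
        where = section if instance is None else f"{section}/{instance}"
        tokens = [t for t in m.group(1).strip().strip('"').split(":") if t]
        bad = [t for t in tokens if PRIORITY_TOKEN.match(t)]
        if bad:                                 # priority string in the wrong option
            findings.append((n, where, "priority-string-syntax", bad))
        if section == "main":                   # does not affect outgoing delivery
            findings.append((n, where, "inbound-only", tokens))
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```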