Bug#822174: exim4: Please add hosts_require_tls = REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS

Samuel Thibault sthibault at debian.org
Fri Apr 22 11:31:33 UTC 2016


Marc Haber, on Fri 22 Apr 2016 12:53:59 +0200, wrote:
> On Thu, Apr 21, 2016 at 10:06:38PM +0200, Samuel Thibault wrote:
> > Due to network hiccups, some of my mails couldn't go through TLS to my
> > smarthost, and exim4 reverted to an unencrypted send:
> > 
> > 2016-04-16 10:39:58 1arJcE-00020M-Cx H=sonata.ens-lyon.org [140.77.166.138] TLS error on connection (gnutls_handshake): timed out
> > 2016-04-16 10:39:58 1arJcE-00020M-Cx TLS session failure: delivering unencrypted to sonata.ens-lyon.org [140.77.166.138] (not in hosts_require_tls)
> > 
> > But this got rejected by the smarthost:
> > 
> > 2016-04-16 10:40:06 1arJcE-00020M-Cx ** dave at mielke.cc R=smarthost T=remote_smtp_smarthost H=sonata.ens-lyon.org [140.77.166.138]: SMTP error from remote mail server after MAIL FROM:<samuel.thibault at ens-lyon.org> SIZE=1944: 530 5.7.0 Must issue a STARTTLS command first
> 
> Ouch. The smarthost shouldn't advertise AUTH capabilities before
> STARTTLS if it doesn't want to authenticate in clear text.

Well, no, it doesn't:

brl$ telnet smtp.ens-lyon.org 587
Trying 140.77.166.138...
Connected to sonata.ens-lyon.org.
Escape character is '^]'.
220 sonata.ens-lyon.org ESMTP Postfix (Debian/GNU)
ehlo brl.thefreecat.org
250-sonata.ens-lyon.org
250-PIPELINING
250-SIZE 51200000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
auth
530 5.7.0 Must issue a STARTTLS command first

Samuel

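The configuration change the bug title asks for, shown as an added example that is not part of this mail and not a copy of the exim4-config package's own files. The fallback recorded in the quoted log ("delivering unencrypted ... (not in hosts_require_tls)") happens because the smarthost transport has no `hosts_require_tls`; the hardened half below makes TLS mandatory through the `REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS` macro named in the bug title. The macro file path `/etc/exim4/exim4.conf.localmacros` is Debian's usual location and is an assumption here; the transport fragments are trimmed to the options relevant to this point, and the "before" and "after" transports are alternatives, not meant to coexist in one configuration.

```exim
# --- Before: the weak default this bug report hit (illustrative) ---
# Nothing on the transport forbids a clear-text retry, so when the TLS
# handshake times out exim reconnects and delivers unencrypted, which is
# what the "TLS session failure: delivering unencrypted" log line records.
remote_smtp_smarthost:
  driver = smtp
  # TLS is only attempted opportunistically here.

# --- After: make TLS mandatory for the smarthost ---
# Macro definition, placed in /etc/exim4/exim4.conf.localmacros (assumed
# path) so update-exim4.conf sees it before the conf.d/ fragments.
# "*" is sufficient because this transport only ever talks to the
# smarthost; a specific list such as smtp.ens-lyon.org also works.
REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = *

# Transport fragment guarded by the macro, in the style requested by the
# bug title. With the host on this list, a failed handshake defers the
# message for a later retry instead of falling back to clear text.
remote_smtp_smarthost:
  driver = smtp
.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
  hosts_require_tls = REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
.endif
```

After editing, regenerate the configuration with `update-exim4.conf` and reload exim4; `exim4 -bP transport remote_smtp_smarthost` prints the effective transport options, so the `hosts_require_tls` line can be confirmed there before relying on it. Once it is in place, a TLS outage against the smarthost shows up in the mainlog as a deferral rather than as the unencrypted delivery attempt quoted above.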