[Pkg-exim4-users] tracking - TLS error on connection from host [x.x.x.x] (gnutls_handshake): timed out

Marco Kammerer marco.kammerer at uibk.ac.at
Thu Aug 6 15:36:31 UTC 2009


simon at josefsson.org wrote
>> I am running debian etch with the normal exim (I know lenny is out and
>> I should upgrade).
>> The server acts as MX, for checking emails for spam and forwarding
>> them to different mailservers.
>> For 1 week I have been reading the following in /var/log/exim4/maillog,
>> that the TLS handshake failed:
>> http://de.pastebin.ca/1520372
> Hi.
> Are you sure these aren't just normal timeouts from hosts that don't
> want to complete the TLS handshake?  Could be hosts probing your
> machine.
No, because they were waiting and retrying for days and they are from
known hosters/providers.

The interesting thing is that the setup of this server had been running since
2007-11 without any change.

I will write more below.

>> gnutls-bin is installed on the machine.
>> Yesterday I exchanged the certificate - I thought this could be a reason.
>> I made some trackings:
>> openssl s_client -connect localhost:666
>> http://de.pastebin.ca/1520365
> Looks fine to me?
OK, so the certs should be OK?

>> exim4 -bd -d+tls -oX -tls-on-connect
>> http://de.pastebin.ca/1520369
> This looks like you are talking TLS-over-TCP against a server that sends an
> SMTP header, so the error is expected.
That output was received when connecting with
openssl s_client -connect localhost:666
to the client, not with a normal client ....

Do you want to get an output of a normal client too?

>> Here everything works out well.
>> If I check via
>> swaks -a -tls -q AUTH -s mx4-au xxx
>> http://de.pastebin.ca/1520382
> Seems correct to me as well.
>> Any hint is appreciated.
>> I have now deactivated TLS via
>> so that no advertising is done, but that is not the ideal way ....
> I think I need some more information on what you believe the error is to
> be able to debug further.
Mh, OK, I will guess.

This config had been running since 2007-11, so I think something changed:

a.) There was a change in certificates right now. Possibly some certs were
expiring - not mine, for example one of the main certs.
b.) Some servers received an update of the mail software.

After I disabled TLS altogether, these servers
from here
delivered the mails ....

If you like I can give you a login, or you can test against the server.
I can enable TLS again on one of them for testing.

Like I wrote, I have not changed things since 2007; now I upgraded my
self-signed certificate to a normal wildcard certificate - because I thought
possibly this could be it. But no improvement.
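The thread turns on telling apart one-off probes from real MTAs that keep retrying the same queued message for days. As an added example (not code from the thread or from the exim4 package), the script below parses constructed Exim mainlog lines of the kind quoted in the subject, groups gnutls_handshake timeouts by peer address, and flags peers whose retries span more than a day; the sample addresses and hostnames are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the default Exim mainlog format ("YYYY-MM-DD HH:MM:SS msg").
# Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2009-08-01 10:02:11 TLS error on connection from mail.example.net [192.0.2.10] (gnutls_handshake): timed out
2009-08-01 10:32:40 TLS error on connection from mail.example.net [192.0.2.10] (gnutls_handshake): timed out
2009-08-03 09:15:02 TLS error on connection from mail.example.net [192.0.2.10] (gnutls_handshake): timed out
2009-08-02 03:00:00 TLS error on connection from [198.51.100.7] (gnutls_handshake): timed out
2009-08-02 03:00:05 1MYqHb-0003Wm-Qz <= bob@example.org H=relay.example.org [203.0.113.5] P=esmtps
"""

# Peer may be logged as "name [ip]" or just "[ip]"; only the handshake-timeout line is matched.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) TLS error on connection from "
    r"(?:(?P<name>\S+) )?\[(?P<ip>[^\]]+)\] \(gnutls_handshake\): timed out$"
)


def parse_tls_timeouts(log_text):
    """Return {peer_ip: [timestamp, ...]} for every gnutls_handshake timeout line."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            hits[m.group("ip")].append(ts)
    return hits


def persistent_peers(hits, min_attempts=3, min_span_hours=24):
    """Peers that keep retrying over a long window look like a real MTA with a
    queued message, not a scanner; returns {ip: (attempts, span_hours)}."""
    out = {}
    for ip, stamps in hits.items():
        stamps = sorted(stamps)
        span = (stamps[-1] - stamps[0]).total_seconds() / 3600
        if len(stamps) >= min_attempts and span >= min_span_hours:
            out[ip] = (len(stamps), round(span, 1))
    return out


if __name__ == "__main__":
    for ip, (n, hours) in persistent_peers(parse_tls_timeouts(SAMPLE_LOG)).items():
        print(f"{ip}: {n} handshake timeouts over {hours} h - likely a real MTA retrying")
```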

