[Pkg-exim4-users] tracking - TLS error on connection from host [x.x.x.x] (gnutls_handshake): timed out

Marco Kammerer marco.kammerer at uibk.ac.at
Thu Aug 6 15:36:31 UTC 2009


Hello

simon at josefsson.org wrote
>> I am running Debian etch with the normal exim (I know lenny is out and
>> I should upgrade).
>>
>> The server acts as MX, for checking emails for spam and forwarding
>> them to different mailservers.
>>
>> For 1 week I have been reading the following in /var/log/exim4/maillog,
>> that the TLS handshake failed:
>>
>> http://de.pastebin.ca/1520372
>
> Hi.
>
> Are you sure these aren't just normal timeouts from hosts that don't
> want to complete the TLS handshake?  Could be hosts probing your
> machine.
>
No, because they were waiting and retrying for days and they are from
known hosters/providers.

The interesting thing is that the setup of this server has been running since
2007-11 without any change.

I will write more below.

>> gnutls-bin is installed on the machine.
>>
>> Yesterday I exchanged the certificate - I thought this could be a reason.
>>
>> I made some trackings:
>>
>> openssl s_client -connect localhost:666
>> http://de.pastebin.ca/1520365
>
> Looks fine to me?
>
OK, so the certs should be ok?


>> exim4 -bd -d+tls -oX 0.0.0.0.666 -tls-on-connect
>> http://de.pastebin.ca/1520369
>
> This looks like you are talking TLS-over-TCP against a server that sends an
> SMTP header, so the error is expected.
>
That output was received when connecting with
openssl s_client -connect localhost:666
to the client, not with a normal client ....

Do you want to get an output of a normal client too?

>> Here everything works out well.
>>
>> if i check via
>> swaks -a -tls -q AUTH -s mx4-au xxx
>> http://de.pastebin.ca/1520382
>
> Seems correct to me as well.
>
>> any hint is appreciated.
>>
>> I have now deactivated TLS via
>> MAIN_TLS_ADVERTISE_HOSTS=1.1.1.1
>> so that no advertising is done, but that is not the ideal way ....
>
> I think I need some more information on what you believe the error is to
> be able to debug further.
>
Mh, OK, I will guess.

This config was running since 2007-11, so I think something changed.

Possibilities:
a.) There was a change in certificates right now. Possibly some certs were
running out - not mine, for example one of the main certs.
b.) Some servers received an update of the mail software.

After I disabled TLS altogether, these servers
from here
http://de.pastebin.ca/1520372
delivered the mails ....

If you like I can give you a login, or you can test against the server.
I can enable TLS again on one of them for testing.

Like I wrote, I have not changed things since 2007; now I upgraded my
self-signed certificate to a normal wildcard certificate - because I thought
possibly this could be it. But no improvement.

Marco
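The thread turns on one question: are the hosts behind the "(gnutls_handshake): timed out" lines scanners that never meant to finish a handshake, or real MTAs retrying their queue for days? That is a per-host question over time, which a plain grep does not answer. The following is an added example, not code from the thread or from Exim; it assumes the Exim 4 mainlog line shape "<date> <time> TLS error on connection from <name> [<ip>] (<stage>): <message>" (an assumption, since the original log is only behind pastebin links), and the log lines it parses are constructed for illustration. A peer that fails repeatedly across a long window is flagged "persistent" and is the one worth examining (for example with the openssl s_client or swaks checks discussed above, run against that peer), while single failures are labelled "transient".

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Exim mainlog lines (not from the thread; IPs are from
# RFC 5737 documentation ranges). The line shape is an assumption about the
# Exim 4 mainlog format, not taken from the original pastebins.
SAMPLE_LOG = """\
2009-08-05 10:01:12 TLS error on connection from mail.example.net [192.0.2.10] (gnutls_handshake): timed out
2009-08-05 14:31:40 TLS error on connection from mail.example.net [192.0.2.10] (gnutls_handshake): timed out
2009-08-06 09:12:03 TLS error on connection from mail.example.net [192.0.2.10] (gnutls_handshake): timed out
2009-08-06 09:15:55 TLS error on connection from (unknown) [198.51.100.7] (gnutls_handshake): timed out
2009-08-06 09:20:01 1MZabc-000123-AB <= sender@example.org H=mail.example.com [203.0.113.5] P=esmtps S=2048
"""

# One TLS-error line: timestamp, peer name, [ip], (stage), free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) TLS error on connection from "
    r"(?P<name>\S+) \[(?P<ip>[^\]]+)\] \((?P<stage>[^)]+)\): (?P<msg>.*)$"
)


def parse_tls_errors(text):
    """Return (timestamp, ip, name, stage, message) tuples for TLS error lines.

    Lines that are not TLS errors (normal deliveries, etc.) are skipped.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["ip"], m["name"], m["stage"], m["msg"]))
    return events


def classify_hosts(text, min_failures=3, min_span=timedelta(hours=12)):
    """Group TLS handshake failures by peer IP and label each peer.

    A peer that fails at least `min_failures` times across at least `min_span`
    is 'persistent': a real MTA retrying its queue, which is the case worth
    investigating (and the one that delays mail). Anything else is
    'transient': a one-off connection that never completed the handshake.
    """
    per_ip = defaultdict(list)
    for ts, ip, name, stage, msg in parse_tls_errors(text):
        per_ip[ip].append((ts, name, msg))

    verdicts = {}
    for ip, events in per_ip.items():
        events.sort()
        span = events[-1][0] - events[0][0]
        persistent = len(events) >= min_failures and span >= min_span
        verdicts[ip] = {
            "verdict": "persistent" if persistent else "transient",
            "count": len(events),
            "span_hours": round(span.total_seconds() / 3600, 1),
            "name": events[-1][1],
            "last_error": events[-1][2],
        }
    return verdicts


if __name__ == "__main__":
    for ip, info in sorted(classify_hosts(SAMPLE_LOG).items()):
        print(f"{ip:15} {info['verdict']:10} failures={info['count']} "
              f"over {info['span_hours']}h ({info['name']}): {info['last_error']}")
```

On a real system the text would come from /var/log/exim4/mainlog (the thread names it maillog) rather than the embedded sample; the thresholds are deliberately conservative so that a single scanner hitting the port once is never mistaken for a peer whose mail is stuck.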
