[Pkg-exim4-users] How to get around "Must issue a STARTTLS command first"

Norbert Preining preining at logic.at
Mon Aug 2 01:41:24 UTC 2010

Hi Marc,

On Sa, 31 Jul 2010, Marc Haber wrote:
> Please don't obfuscate. It is not security relevant which server

Sorry smtp.jaist.ac.jp::587

> Try 
> echo foo | exim -d mh+pkg-exim4-users at zugschlus.de
> and send the output to the list. Exim will asterisk out the password,
> so there is no private data in the debug output.

(First of all, good that I checked, it did *NOT*!!!! asterix out the
password. *I* did change the real passwd to ******* below:
file lookup required for smtp.jaist.ac.jp
  in /etc/exim4/passwd.client
smtp.jaist.ac.jp in "alpha.logic.tuwien.ac.at"? no (end of list)
smtp.jaist.ac.jp in "smtp.jaist.ac.jp"? yes (matched "smtp.jaist.ac.jp")
lookup yielded: preining:******** in hosts_try_auth? yes (matched "")

Thanks for the hint, the problem is here, I guess I don't have to
send the full log:
initialized certificate stuff
initialized GnuTLS session
  TLS error on connection to smtp.jaist.ac.jp [] (gnutls_handshake): A TLS packet with unexpected length was received.
ok=0 send_quit=0 send_rset=1 continue_more=0 yield=1 first_address is not NULL in hosts_require_tls? no (option unset)

Then it continues with un-protected delivery (I don't have it
in hosts_requrire_tls fo rnow, will add it later), and 
breaks down with the known problem.

Looking up the debian BTS I see a bug related to that, so
I tried swaks and that worked:
=== Trying smtp.jaist.ac.jp:587...
=== Connected to smtp.jaist.ac.jp.
<-  220 jaist.ac.jp ESMTP mail service ready
 -> EHLO mithrandir
<-  250-mailrelayi.jaist.ac.jp
<-  250-8BITMIME
<-  250-SIZE 104857600
<-  250-STARTTLS
<-  220 Go ahead
=== TLS started w/ cipher AES256-SHA
=== TLS peer subject DN="/C=JP/ST=Ishikawa/L=Nomi/OU=Center for Information Science/O=JAPAN ADVANCED INSTITUTE OF SCIENCE AND TECHNOLOGY/CN=smtp.jaist.ac.jp"
 ~> EHLO mithrandir
<~  250-mailrelayi.jaist.ac.jp
<~  250-8BITMIME
<~  250-SIZE 104857600
 ~> MAIL FROM:<root at mithrandir>
<~* 530 Authentication required
 ~> QUIT
<~  221 mailrelayi.jaist.ac.jp
=== Connection closed with remote host.

but it seems that swaks uses OPenSSL (at least you
wrote that in bug 467137).

Then I tried to connect with gnutls-cli but didn't manage:
$ gnutls-cli -s -p 587 smtp.jaist.ac.jp
Resolving 'smtp.jaist.ac.jp'...
Connecting to ''...

- Simple Client Mode:

220 jaist.ac.jp ESMTP mail service ready
EHLO mithrandir
- Peer has closed the GNUTLS connection

So now I don't know where to go from here ...

Best wishes

Norbert Preining            preining@{jaist.ac.jp, logic.at, debian.org}
JAIST, Japan                                 TeX Live & Debian Developer
DSA: 0x09C5B094   fp: 14DF 2E6C 0307 BE6D AD76  A9C0 D2BF 4AA3 09C5 B094
PAPPLE (vb.)
To do what babies do to soup with their spoons.
			--- Douglas Adams, The Meaning of Liff

More information about the Pkg-exim4-users mailing list