[Pkg-exim4-users] configuring exim4 smtp to use SSL

Gary Dale garydale at torfree.net
Wed Mar 18 15:18:28 UTC 2015


On 18/03/15 02:01 AM, Alex King wrote:
> On 18/03/15 16:59, Gary Dale wrote:
>> On 17/03/15 08:00 PM, Alex King wrote:
>>> On 17/03/15 17:28, Gary Dale wrote:
>>>> On 16/03/15 02:36 PM, Alex King wrote:
>>>>>
>>>>>
>>>>> On 17/03/15 05:17, Gary Dale wrote:
>>>>>> On 16/03/15 11:56 AM, Marc Haber wrote:
>>>>>>> On Mon, Mar 16, 2015 at 10:54:41AM -0400, Gary Dale wrote:
>>>>>>>> On 16/03/15 04:10 AM, Marc Haber wrote:
>>>>>>>>> On Sun, Mar 15, 2015 at 11:20:38PM -0400, Gary Dale wrote:
>>>>>>>>>> The log for an unsuccessful mail says:
>>>>>>>>>> 2015-03-14 00:47:44 1YWdzE-0000l6-CR <= <sending e-mail address>
>>>>>>>>>> U=garydale P=local S=1665
>>>>>>>>>> 2015-03-14 00:47:44 1YWdzE-0000l6-CR ** -r at localhost: 
>>>>>>>>>> Unrouteable address
>>>>>>>>>> 2015-03-14 00:47:44 1YWdzE-0000l6-CR ** gary at extremeground.com
>>>>>>>>>> R=smarthost T=remote_smtp_smarthost: retry time not reached 
>>>>>>>>>> for any
>>>>>>>>>> host after a long failure period
>>>>> This line, "retry time not reached for any host after a long 
>>>>> failure period" is telling you exim has given up and won't even 
>>>>> try to send, even for new emails arriving to be delivered for this 
>>>>> address.
>>>>>
>>>>> This information is kept in the hints db.  Marc correctly pointed 
>>>>> you to the documentation which explains what is happening and how 
>>>>> to progress the issue.  See spec chapter 32 
>>>>> (http://www.exim.org/exim-html-current/doc/html/spec_html/ch-retry_configuration.html), 
>>>>> particularly 32.10, Long-term failures.
>>>>>
>>>>> To manage your hints db (which should not be necessary in normal 
>>>>> use), check out exim_dumpdb and exim_tidydb. (Executables on your 
>>>>> system with man pages).
>>>>>
>>>>> HTH,
>>>>> Alex
>>>>
>>>> Would that be on a port basis? Mail sends fine to the same server 
>>>> using port 26.
>>>>
>>>> The retry rule that I get for that host: is Retry rule: *  * 
>>>> F,2h,15m; G,16h,1h,1.5; F,4d,6h;
>>>>
>>>> Looking in the db files, I get basically less information than I 
>>>> get with mailq and the exim4 log. Tidydb just removes records, 
>>>> which I can also do by changing the port to 26 and running exim -M 
>>>> <message>, which then sends the message.
>>>>
>>> I didn't see a failed attempt to connect to a remote system in the 
>>> original log you posted.   The tidy_db command (or removing the 
>>> hints (/var/spool/exim4/db/*, see Spec 32.1 Changing retry rules) 
>>> would allow you to test sending again with the failing configuration 
>>> (ie, not port 26), so you can see what the actual failure is.
>>>
>>> Also, viewing the hints with
>>> exim_dumpdb /var/spool/exim4/ retry
>>>
>>> will show the failure reason (which will be in the logs as well, but 
>>> not for every delivery attempt if the address has been failing for 
>>> so long that the cutoff time for the last retry algorithm has been 
>>> reached).
>>
>> mainlog shows only (after I cleared the queue and retry db) then sent 
>> fresh e-mail:
>> 2015-03-17 11:49:08 1YXsvN-0004wQ-2C Remote host 
>> sunspot.dnchosting.com [199.7.109.2] closed connection in response to 
>> initial connection
>> along with multiple start and end queue runs and retry time not 
>> reached for any host messages.
>>
>> while exim_dumpdb shows
>>   T:sunspot.dnchosting.com:199.7.109.2:465 -18 65 Remote host 
>> sunspot.dnchosting.com [199.7.109.2] closed connection in response to 
>> initial connection
>> 17-Mar-2015 10:49:11  17-Mar-2015 22:49:08  18-Mar-2015 03:52:53
>>
>> Again, I am able to send to this host and port using Thunderbird. It 
>> does take encrypted connections.
> OK, so sunspot.dnchosting.com is closing the connection.  It could be 
> a fault/configuration at the remote site.  Is thunderbird on the same 
> IP address as your exim?  Maybe they've blacklisted your exim box.  
> Either way, try connecting using openssl s_client, or swaks. You can 
> use these to debug the ssl connection and confirm you can get a raw 
> connection to the remote server.

Did that already. I can connect, send a HELO or EHLO and MAIL FROM: but 
RCPT-TO: gives an error:

RENEGOTIATING
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST 
Network, CN = USERTrust RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:0

Thunderbird clients use local IP addresses but would go out on the same 
routeable IP address. There is only one router in the office. Moreover, 
I can access the same remote server using port 26 (their unencrypted 
smtp port) using the same exim box - only the port changes.
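The thread turns on how Exim's retry rules and the retry hints database produce the "retry time not reached for any host after a long failure period" outcome. The following is an added example, not code from the thread or from Exim itself: it parses a retry rule in the form Gary quoted (`F,2h,15m; G,16h,1h,1.5; F,4d,6h`), simulates the retry schedule that rule implies, and parses an `exim_dumpdb ... retry` record like the one shown above to classify where an address stands. The schedule is a simplified model of the semantics described in spec chapter 32 (each item applies until its cutoff measured from the first failure; geometric intervals grow by the factor on each try); it is not a transcription of Exim's own retry.c, and real retry times also depend on when queue runs happen. The sample record is constructed from the values posted in the thread.

```python
"""Added example: a model of Exim retry rules and exim_dumpdb retry records.
Not Exim's code; the schedule is a simplified simulation of spec chapter 32."""
import re
from datetime import datetime

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
DUMPDB_TS = r"\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}"

# Constructed from the record quoted in the thread (one key line, one timestamp
# line: first failed, last tried, next try). Mail-client line wrapping of the
# key line is tolerated by parse_dumpdb_retry().
SAMPLE_RECORD = """\
T:sunspot.dnchosting.com:199.7.109.2:465 -18 65 Remote host sunspot.dnchosting.com [199.7.109.2] closed connection in response to initial connection
17-Mar-2015 10:49:11  17-Mar-2015 22:49:08  18-Mar-2015 03:52:53
"""


def parse_exim_time(tok):
    """Exim time spec such as '15m', '2h', '4d' or '1h30m' -> seconds."""
    parts = re.findall(r"(\d+)([smhdw])", tok)
    if not parts or "".join(n + u for n, u in parts) != tok.strip():
        raise ValueError("bad time spec: %r" % tok)
    return sum(int(n) * UNITS[u] for n, u in parts)


def parse_retry_rule(rule):
    """Parse the rule-list part of a retry line, e.g. 'F,2h,15m; G,16h,1h,1.5; F,4d,6h'.
    F,<cutoff>,<interval>         fixed interval until <cutoff> after first failure
    G,<cutoff>,<initial>,<factor> geometric: interval multiplied by <factor> per try
    """
    items = []
    for part in rule.split(";"):
        fields = [f.strip() for f in part.split(",") if f.strip()]
        if not fields:
            continue
        kind = fields[0].upper()
        if kind == "F" and len(fields) == 3:
            items.append({"kind": "F", "cutoff": parse_exim_time(fields[1]),
                          "interval": parse_exim_time(fields[2])})
        elif kind == "G" and len(fields) == 4:
            items.append({"kind": "G", "cutoff": parse_exim_time(fields[1]),
                          "interval": parse_exim_time(fields[2]),
                          "factor": float(fields[3])})
        else:
            raise ValueError("unsupported rule item: %r" % part)
    return items


def final_cutoff(items):
    """Seconds after the first failure at which the last rule item ends.
    Beyond this point Exim treats the failure as long-term (spec 32.10)."""
    return items[-1]["cutoff"]


def retry_schedule(items):
    """Simulated retry offsets in seconds since first failure, assuming every
    retry happens exactly when it is due; each item is used until its cutoff."""
    offsets, t = [], 0
    for item in items:
        interval = item["interval"]
        while t + interval <= item["cutoff"]:
            t += interval
            offsets.append(t)
            if item["kind"] == "G":
                interval *= item["factor"]
    return offsets


def parse_dumpdb_retry(text):
    """Parse one retry record as printed by 'exim_dumpdb <spool> retry'."""
    whole = " ".join(l.strip() for l in text.splitlines() if l.strip())
    stamps = re.findall(DUMPDB_TS, whole)
    if len(stamps) != 3:
        raise ValueError("expected first-failed, last-tried, next-try timestamps")
    head = re.split(DUMPDB_TS, whole)[0].strip()
    m = re.match(r"(\S+)\s+(-?\d+)\s+(\d+)\s+(.*)", head)
    if not m:
        raise ValueError("unrecognised key line: %r" % head)
    first, last, nxt = (datetime.strptime(s, "%d-%b-%Y %H:%M:%S") for s in stamps)
    return {"key": m.group(1), "errno": int(m.group(2)),
            "more_errno": int(m.group(3)), "message": m.group(4).strip(),
            "first_failed": first, "last_tried": last, "next_try": nxt}


def retry_status(record, cutoff_seconds, now):
    """Classify a record at time 'now' (the wording mirrors Exim's log lines)."""
    age = (now - record["first_failed"]).total_seconds()
    if now < record["next_try"]:
        if age > cutoff_seconds:
            return "retry time not reached after long failure period"
        return "retry time not reached"
    return "retry due"


if __name__ == "__main__":
    rule = parse_retry_rule("F,2h,15m; G,16h,1h,1.5; F,4d,6h")
    print("final cutoff: %dh" % (final_cutoff(rule) // 3600))
    print("simulated retries (hours): %s" % [round(o / 3600, 2) for o in retry_schedule(rule)])
    rec = parse_dumpdb_retry(SAMPLE_RECORD)
    print(rec["key"], rec["message"])
    print("gap last->next: %ds" % (rec["next_try"] - rec["last_tried"]).total_seconds())
    print(retry_status(rec, final_cutoff(rule), datetime(2015, 3, 18, 0, 0, 0)))
```

Note that the gap between "last tried" and "next try" in the posted record is exactly 18225 seconds, the fifth geometric step of `G,16h,1h,1.5` (1h × 1.5⁴), which is consistent with the rule Gary quoted; the final cutoff of that rule is four days, after which a new message for the address is failed without a delivery attempt if its retry time has not yet been reached.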


