[Pkg-exim4-users] configuring exim4 smtp to use SSL [SOLVED]

Gary Dale garydale at torfree.net
Tue Mar 24 03:48:06 UTC 2015


On 18/03/15 11:18 AM, Gary Dale wrote:
> On 18/03/15 02:01 AM, Alex King wrote:
>> On 18/03/15 16:59, Gary Dale wrote:
>>> On 17/03/15 08:00 PM, Alex King wrote:
>>>> On 17/03/15 17:28, Gary Dale wrote:
>>>>> On 16/03/15 02:36 PM, Alex King wrote:
>>>>>>
>>>>>>
>>>>>> On 17/03/15 05:17, Gary Dale wrote:
>>>>>>> On 16/03/15 11:56 AM, Marc Haber wrote:
>>>>>>>> On Mon, Mar 16, 2015 at 10:54:41AM -0400, Gary Dale wrote:
>>>>>>>>> On 16/03/15 04:10 AM, Marc Haber wrote:
>>>>>>>>>> On Sun, Mar 15, 2015 at 11:20:38PM -0400, Gary Dale wrote:
>>>>>>>>>>> The log for an unsuccessful mail says:
>>>>>>>>>>> 2015-03-14 00:47:44 1YWdzE-0000l6-CR <= <sending e-mail 
>>>>>>>>>>> address>
>>>>>>>>>>> U=garydale P=local S=1665
>>>>>>>>>>> 2015-03-14 00:47:44 1YWdzE-0000l6-CR ** -r at localhost: 
>>>>>>>>>>> Unrouteable address
>>>>>>>>>>> 2015-03-14 00:47:44 1YWdzE-0000l6-CR ** gary at extremeground.com
>>>>>>>>>>> R=smarthost T=remote_smtp_smarthost: retry time not reached 
>>>>>>>>>>> for any
>>>>>>>>>>> host after a long failure period
>>>>>> This line, "retry time not reached for any host after a long 
>>>>>> failure period" is telling you exim has given up and won't even 
>>>>>> try to send, even for new emails arriving to be delivered for 
>>>>>> this address.
>>>>>>
>>>>>> This information is kept in the hints db.  Marc correctly pointed 
>>>>>> you to the documentation which explains what is happening and how 
>>>>>> to progress the issue.  See spec chapter 32 
>>>>>> (http://www.exim.org/exim-html-current/doc/html/spec_html/ch-retry_configuration.html), 
>>>>>> particularly 32.10, Long-term failures.
>>>>>>
>>>>>> To manage your hints db (which should not be necessary in normal 
>>>>>> use), check out exim_dumpdb and exim_tidydb. (Executables on 
>>>>>> your system with man pages).
>>>>>>
>>>>>> HTH,
>>>>>> Alex
>>>>>
>>>>> Would that be on a port basis? Mail sends fine to the same server 
>>>>> using port 26.
>>>>>
>>>>> The retry rule that I get for that host is: Retry rule: * * 
>>>>> F,2h,15m; G,16h,1h,1.5; F,4d,6h
>>>>>
>>>>> Looking in the db files, I get basically less information than I 
>>>>> get with mailq and the exim4 log. Tidydb just removes records, 
>>>>> which I can also do by changing the port to 26 and running exim -M 
>>>>> <message>, which then sends the message.
>>>>>
>>>> I didn't see a failed attempt to connect to a remote system in the 
>>>> original log you posted.   The tidy_db command (or removing the 
>>>> hints (/var/spool/exim4/db/*, see Spec 32.1 Changing retry rules) 
>>>> would allow you to test sending again with the failing 
>>>> configuration (ie, not port 26), so you can see what the actual 
>>>> failure is.
>>>>
>>>> Also, viewing the hints with
>>>> exim_dumpdb /var/spool/exim4 retry
>>>>
>>>> will show the failure reason (which will be in the logs as well, 
>>>> but not for every delivery attempt if the address has been failing 
>>>> for so long that the cutoff time for the last retry algorithm has 
>>>> been reached).
>>>
>>> mainlog shows only (after I cleared the queue and retry db) then 
>>> sent fresh e-mail:
>>> 2015-03-17 11:49:08 1YXsvN-0004wQ-2C Remote host 
>>> sunspot.dnchosting.com [199.7.109.2] closed connection in response 
>>> to initial connection
>>> along with multiple start and end queue runs and retry time not 
>>> reached for any host messages.
>>>
>>> while exim_dumpdb shows
>>>   T:sunspot.dnchosting.com:199.7.109.2:465 -18 65 Remote host 
>>> sunspot.dnchosting.com [199.7.109.2] closed connection in response 
>>> to initial connection
>>> 17-Mar-2015 10:49:11  17-Mar-2015 22:49:08  18-Mar-2015 03:52:53
>>>
>>> Again, I am able to send to this host and port using Thunderbird. It 
>>> does take encrypted connections.
>> OK, so sunspot.dnchosting.com is closing the connection.  It could be 
>> a fault/configuration at the remote site.  Is thunderbird on the same 
>> IP address as your exim?  Maybe they've blacklisted your exim box.  
>> Either way, try connecting using openssl s_client, or swaks. You can 
>> use these to debug the ssl connection and confirm you can get a raw 
>> connection to the remote server.
>
> Did that already. I can connect, send a HELO or EHLO and MAIL FROM: 
> but RCPT-TO: gives an error:
>
> RENEGOTIATING
> depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST 
> Network, CN = USERTrust RSA Certification Authority
> verify error:num=20:unable to get local issuer certificate
> verify return:0
>
> Thunderbird clients use local IP addresses but would go out on the 
> same routeable IP address. There is only one router in the office. 
> Moreover, I can access the same remote server using port 26 (their 
> unencrypted smtp port) using the same exim box - only the port changes.
>

The problem seems to have been the location of the protocol = smtps 
line. I had it originally in 
/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost. 
Moving it to /etc/exim4/exim4.conf.template seems to have done the trick.
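The retry rule quoted in the thread, * * F,2h,15m; G,16h,1h,1.5; F,4d,6h, together with the first_failed / last_try / next_try timestamps in the exim_dumpdb output, is enough to work through why exim had stopped trying port 465. What follows is an added example written for this page, not code from the thread, from the Debian exim4 package or from Exim itself: a small Python model of how the rule in force is chosen (by how long the host has been failing, not by the age of any one message), how F and G rules compute the next retry time (modelled on retry_update() in Exim's retry.c as I read it: the G case takes the smaller of the gap predicted last time and the gap that actually elapsed, multiplies it by the factor and floors it at the starting interval), and when the host times out so that new mail is bounced instead of queued. The 30-minute queue run interval (Debian's default -q30m) is an assumption; the first-failure time is the one from the dumpdb line above.

```python
"""Model of an Exim retry rule applied to a smarthost that keeps failing.

Added example, not code from the thread, the Debian exim4 package or Exim.
It follows retry_update() in Exim's retry.c as I read it:
  * the rule in force is chosen by now - first_failed (how long the host
    has been failing), not by the age of any single message;
  * F,<cutoff>,<interval>       -> next_try = now + interval
  * G,<cutoff>,<start>,<factor> -> next_try = now + max(start, factor * gap),
    gap = min(next_try - last_try as predicted last time, now - last_try);
  * once now - first_failed exceeds the last cutoff the host has timed out:
    Exim stops retrying and bounces, the "retry time not reached for any
    host after a long failure period" case in the log.
Attempts only happen when a queue runner fires, so a queue run interval is
modelled too (30 minutes, Debian's default -q30m, is an assumption).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Rule and first-failure time quoted in the thread (the dumpdb record also
# showed last_try 22:49:08 and next_try 03:52:53 the following day).
RETRY_RULE = "F,2h,15m; G,16h,1h,1.5; F,4d,6h"
FIRST_FAILED = datetime(2015, 3, 17, 10, 49, 11)


def parse_time(text: str) -> int:
    """Parse an Exim time literal ('15m', '2h', '4d', '1h30m') into seconds."""
    pos, total = 0, 0
    for m in re.finditer(r"(\d+)([smhdw])", text):
        if m.start() != pos:
            raise ValueError(f"bad time literal {text!r}")
        total += int(m.group(1)) * UNITS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"bad time literal {text!r}")
    return total


@dataclass(frozen=True)
class Rule:
    kind: str        # "F" fixed interval or "G" geometric
    cutoff: int      # in force while now - first_failed <= cutoff (seconds)
    p1: int          # interval (F) or starting interval (G), seconds
    p2: float = 0.0  # multiplier (G only)


def parse_rules(spec: str) -> List[Rule]:
    """Parse the rule part of a retry line, e.g. 'F,2h,15m; G,16h,1h,1.5'."""
    rules = []
    for part in spec.split(";"):
        f = [x.strip() for x in part.split(",")]
        if f[0].upper() == "F" and len(f) == 3:
            rules.append(Rule("F", parse_time(f[1]), parse_time(f[2])))
        elif f[0].upper() == "G" and len(f) == 4:
            rules.append(Rule("G", parse_time(f[1]), parse_time(f[2]), float(f[3])))
        else:
            raise ValueError(f"unsupported retry rule {part.strip()!r}")
    if any(a.cutoff >= b.cutoff for a, b in zip(rules, rules[1:])):
        raise ValueError("cutoff times must increase from rule to rule")
    return rules


def next_try(rules: List[Rule], first_failed: datetime, last_try: datetime,
             prev_next_try: datetime, now: datetime) -> Optional[datetime]:
    """Next retry time after a failure at `now`; None once the host timed out."""
    since_first = (now - first_failed).total_seconds()
    rule = next((r for r in rules if since_first <= r.cutoff), None)
    if rule is None:
        return None
    if rule.kind == "F":
        return now + timedelta(seconds=rule.p1)
    predicted = (prev_next_try - last_try).total_seconds()
    actual = (now - last_try).total_seconds()
    gap = min(predicted, actual) * rule.p2
    return now + timedelta(seconds=max(rule.p1, gap))


def simulate(spec: str, first_failed: datetime,
             queue_run: timedelta = timedelta(minutes=30)
             ) -> Tuple[List[Tuple[datetime, datetime]], datetime]:
    """Replay a host that never recovers: each queue run whose time has reached
    next_try makes an attempt, which fails and updates the hints record.
    Returns [(attempt_time, next_try), ...] and the time the host timed out."""
    rules = parse_rules(spec)
    now = last_try = first_failed
    nxt = next_try(rules, first_failed, last_try, last_try, now)
    history = [(now, nxt)]
    while True:
        now += queue_run
        if now < nxt:
            continue                      # retry time not reached: host skipped
        new = next_try(rules, first_failed, last_try, nxt, now)
        if new is None:
            return history, now           # past the final cutoff: bounce
        history.append((now, new))
        last_try, nxt = now, new


if __name__ == "__main__":
    history, timed_out = simulate(RETRY_RULE, FIRST_FAILED)
    for attempt, nxt in history:
        print(f"{attempt:%d-%b %H:%M:%S}  failed, next try in {nxt - attempt}")
    print(f"timed out at {timed_out:%d-%b-%Y %H:%M:%S}: new mail is bounced")
```

With the thread's rule and a 30-minute queue run, the attempt made eleven hours after the first failure gets a next retry 5h 3m 45s later (1h x 1.5^4), which is exactly the gap between the last_try and next_try timestamps in the dumpdb line quoted above (22:49:08 to 03:52:53); a little over four days after the first failure next_try() returns None, and that is the point at which exim bounces rather than queues. Two practical consequences follow. The record is keyed on transport, host, IP and port (the T:sunspot.dnchosting.com:199.7.109.2:465 key above), so sending on port 26 uses a different record and is unaffected, and clearing the hints with exim_tidydb or by removing the files under /var/spool/exim4/db is what makes exim attempt the failing port again. On the configuration point in the final message: Debian's update-exim4.conf builds the running configuration from either /etc/exim4/exim4.conf.template or the /etc/exim4/conf.d/ tree, depending on dc_use_split_files in /etc/exim4/update-exim4.conf.conf, so a protocol = smtps line added to the tree that is not in use is silently ignored and exim keeps opening a plaintext session on port 465, which is consistent with the remote side closing the connection at once.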


