Jürgen Herz wrote:

Sven Hartge wrote:


Exim advertises STARTTLS in the EHLO response, but upon sending the
STARTTLS command nothing happens; it looks like some client input is
expected. Neither when connected via a client nor by hand (telnet).

You should see a "220 TLS go ahead" if you use telnet to debug.

My guess: Your server is out of entropy (check /proc/sys/kernel/random/entropy_avail, it should be >2000) and exim is still calculating its dh_params and session key.


Yesterday before posting I had already read a hint on the web regarding
entropy_avail. When I checked this, it was 5, but I thought it was OK
since it's not zero.

Yesterday, long after I mailed my post, I finally noticed errors on the
TLS connections showing up in the logs (about 3 hours after telnetting
and killing telnet after waiting a few minutes for response).

Today I just tested STARTTLS again and instantly got the expected 220.
And indeed, today entropy_avail was 1184 when I started. But this value is
quite inconsistent and is mostly around 5.

Now I'm quite puzzled, but after some searches it looks like a common
problem. ldd says exim4 is linked against libgnutls.so.11 as well as
libssl.so.0.9.7. Does this mean I can choose at runtime which lib to use?

Thanks,
Jürgen


P.S. This is the second try since my first answer didn't show up on the
list for three hours. So please ignore any dupes if they finally show up.


With fewer than ten servers running Exim, I cannot say for *sure*, but with OpenSSL on FreeBSD this has never been an issue for us with Exim, Qmail, Courier-MTA, DBMail, several IMAP/POP daemons, or anything else that uses SSL/TLS or SSH.

AFAIK, one has a choice on either *BSD or Linux as to OpenSSL or GNUTLS - and each no doubt has other advantages/disadvantages.

But it may be more important to look to the selection either one uses to 'get entropy', i.e. /dev/random, /dev/urandom, or whatever - and if that can be / should be updated/altered on a given system.


YMMV,

Bill
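The two checks Sven suggests above (entropy_avail and the "220 TLS go ahead" reply to STARTTLS), as an added example script that is not from the thread; the function names and the 2000 threshold are assumptions, and the probe function needs bash (it uses /dev/tcp and read -t, so no telnet is required):

```shell
#!/bin/bash
# Added diagnostic for the symptom in the thread: Exim advertises STARTTLS but
# never answers the STARTTLS command. Checks the kernel entropy pool first,
# then times the STARTTLS reply. Assumed: function names, ENTROPY_MIN=2000.

ENTROPY_FILE=${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}
ENTROPY_MIN=2000   # Sven's rule of thumb from the thread

# entropy_status FILE: prints "ok (N)" or "low (N < MIN)"; exit status 1 when low.
entropy_status() {
    local avail
    avail=$(cat "$1" 2>/dev/null) || avail=0
    if [ "${avail:-0}" -ge "$ENTROPY_MIN" ]; then
        echo "ok ($avail)"; return 0
    fi
    echo "low (${avail:-0} < $ENTROPY_MIN)"; return 1
}

# classify_reply REPLY: go_ahead (220 ...), stalled (nothing arrived before the
# timeout, the symptom in the thread) or refused (any other code, e.g. 454).
classify_reply() {
    case "$1" in
        220*) echo go_ahead ;;
        "")   echo stalled ;;
        *)    echo refused ;;
    esac
}

# starttls_probe HOST [PORT] [TIMEOUT]: EHLO, confirm STARTTLS is advertised,
# send STARTTLS and wait at most TIMEOUT seconds for the reply.
starttls_probe() {
    local host=$1 port=${2:-25} timeout=${3:-10} line reply="" advertised=no
    exec 3<>"/dev/tcp/$host/$port" || return 2
    read -r -t "$timeout" line <&3                      # 220 banner
    printf 'EHLO probe.example\r\n' >&3
    while read -r -t "$timeout" line <&3; do            # 250-... capability lines
        case "$line" in *STARTTLS*) advertised=yes ;; esac
        case "$line" in 250\ *) break ;; esac           # "250 " ends the EHLO reply
    done
    if [ "$advertised" = no ]; then echo not_advertised; exec 3>&-; return 3; fi
    printf 'STARTTLS\r\n' >&3
    read -r -t "$timeout" reply <&3 || reply=""         # timeout => empty reply
    exec 3>&-
    classify_reply "$reply"
}

if [ $# -gt 0 ]; then                                   # usage: script HOST [PORT] [TIMEOUT]
    entropy_status "$ENTROPY_FILE"
    starttls_probe "$@"
fi
```

A "stalled" result together with a "low" entropy status is the combination Jürgen describes; "refused" points at a TLS configuration problem instead.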




--
## List details at http://www.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
