In the course of troubleshooting why one of my users couldn't get his client configured the way we like it, I came across a mystery w/r/t TLS in Exim.

My Exim is 4.71 as installed by Ubuntu Lucid Lynx (10.04) server (the "heavy" exim). I do not use any of the Debian/Ubuntu exim configuration stuff; I have my own from-scratch exim4.conf.

My server is configured to advertise authentication only to localhost and TLS connections. (I can show those configs if it comes to that, but I don't think it's necessarily relevant.) After configuring his client for STARTTLS and an appropriate port, he was getting errors from Thunderbird that told me TB was a bit confused.

I walked him through doing a telnet session to my SMTP port and doing "ehlo foo" to see what was advertised. Much to my surprise, he got this response:

250-my.server.name Hello his.dynamic.address.bellsouth.net [111.222.333.444]
250-SIZE 52428800
250-PIPELINING
250-AUTH PLAIN LOGIN
250-HELP
250 STARTTLS

If I connect to the same port (remotely, also on a dynamically assigned ISP IP address), I get something different. I don't see the AUTH advertisement, and the other capabilities are reordered a bit. (BTW, he sent me a screen shot of his DOS box telnet session, so I don't have to trust him to have done the right things.) In other words, I see what I expect, but he sees something that I don't want to happen.

I know what you are thinking ... something screwy with my auth_advertise_hosts macro or my server_advertise_condition. I spent a bunch of time staring at those before I happened to notice this in my log files: "SMTP command timeout on TLS connection from...." Every time he connected from his DOS telnet or from his Thunderbird and let the connection time out, the Exim log line indicates that the connection was using TLS. I have plenty of other command timeouts that are not TLS (my own tests, plus the usual door-knockers).

So, my question is ... what could make Exim believe that a certain connection was using TLS when (as far as I can tell) it really was not?



--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
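
An added example, not part of the original post: a small checker for EHLO listings like the one quoted above, reporting plaintext AUTH mechanisms that are offered while STARTTLS is still advertised (RFC 3207 forbids advertising STARTTLS once TLS is active, so its presence marks a cleartext session). The function names are hypothetical and the second listing is constructed to stand in for the view the poster expected.

```python
import re

# Mechanisms that pass reusable credentials unprotected when there is no TLS.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
_REPLY = re.compile(r"^(\d{3})([ -])(.*)$")

# Listing quoted in the post (addresses as anonymised there).
USER_VIEW = """\
250-my.server.name Hello his.dynamic.address.bellsouth.net [111.222.333.444]
250-SIZE 52428800
250-PIPELINING
250-AUTH PLAIN LOGIN
250-HELP
250 STARTTLS
"""

# Constructed sample: same server, no AUTH offered before TLS.
EXPECTED_VIEW = """\
250-my.server.name Hello other.host.example [192.0.2.10]
250-SIZE 52428800
250-PIPELINING
250-STARTTLS
250 HELP
"""

def parse_ehlo(response):
    """Parse a multi-line EHLO reply into {KEYWORD: [PARAMS]}."""
    lines = [l.strip() for l in response.splitlines() if l.strip()]
    caps = {}
    for i, line in enumerate(lines):
        m = _REPLY.match(line)
        if not m or m.group(1) != "250":
            raise ValueError(f"not a 250 reply line: {line!r}")
        is_last = i == len(lines) - 1
        if (m.group(2) == " ") != is_last:  # '-' continues, ' ' ends
            raise ValueError(f"bad continuation marker: {line!r}")
        if i == 0:
            continue  # first line is the greeting, not a capability
        # Split on '=' too, to accept the legacy "AUTH=LOGIN" form.
        words = [w.upper() for w in re.split(r"[ =]+", m.group(3)) if w]
        if words:
            caps.setdefault(words[0], []).extend(words[1:])
    return caps

def exposed_auth(response):
    """Plaintext AUTH mechanisms advertised on a not-yet-encrypted session."""
    caps = parse_ehlo(response)
    if "STARTTLS" not in caps:  # TLS already active, or never offered
        return []
    return sorted(PLAINTEXT_MECHS & set(caps.get("AUTH", [])))

if __name__ == "__main__":
    for name, text in (("user", USER_VIEW), ("expected", EXPECTED_VIEW)):
        print(name, exposed_auth(text) or "no plaintext AUTH before TLS")
```
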
