On Thursday 27 August 2015 19:00:52 Evgeniy Berdnikov wrote:
> On Thu, Aug 27, 2015 at 05:21:25PM +0000, Viktor Dukhovni wrote:
> > So the OP appears to have a system that does not tolerate large
> > client HELLO messages. There may be some "middle-box" (firewall
> > or similar) that is doing protocol inspection and choking on large
> > client HELLOs.
>
> Well, it can be verified with tcpdump or some other network sniffer.
> If this guess is true, then running sniffers both on client and
> server side we observe tcp retransmissions of ClientHello packet
> on client host and nothing on the server host.
>
> As you mentioned, Path MTU might also be checked. I tried to run
> traceroute to tcp port 25 of mail.ringways.co.uk (88.211.105.31)
> with packets of different size. There is no difference for forward
> reachability of this host, so Path MTU seems to be ruled out.
> --
> Eugene Berdnikov
Thank you both very much for the effort you've put in so far.

I can confirm that when I did openssl s_client -connect mail.ringways.co.uk:25 -tls1_1 -starttls smtp on the mail server it was instantaneous, whereas when I did openssl s_client -connect mail.ringways.co.uk:25 -tls1_2 -starttls smtp there was a *very* slight delay.

The server does sit behind a Fortinet firewall which does do SMTP interception. It has its own built-in anti-SPAM and anti-firewall facility.

As the problems I have been experiencing have been from external mail servers I have not been able to do any testing. However, if I use the above openssl commands from one of my hosted servers, would that re-create the problem?

I did have an issue when I tried it locally as the RCPT command did not work. Is this normal, and how would I get round it to test the server further?

[root@ollie2 ~]# openssl s_client -connect mail.ringways.co.uk:25 -tls1_1 -starttls smtp
CONNECTED(00000003)
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = ollie2.ringways.co.uk, emailAddress = [email protected]
verify error:num=18:self signed certificate
verify return:1
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = ollie2.ringways.co.uk, emailAddress = [email protected]
verify return:1
---
Certificate chain
 0 s:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ollie2.ringways.co.uk/[email protected]
   i:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ollie2.ringways.co.uk/[email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
[snip]
-----END CERTIFICATE-----
subject=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ollie2.ringways.co.uk/[email protected]
issuer=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=ollie2.ringways.co.uk/[email protected]
---
No client certificate CA names sent
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 2709 bytes and written 532 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 42FC77EC44BB502D2BB40E0DE5065406BA2DFDE673C304FD7F6D23910A86ABE0
    Session-ID-ctx:
    Master-Key: B1BC1687CAB8F5317EC26BB271413622CEDF0E285EDF6A19E6095A440FD5A8B85F834B5A67253C9255896B4324FC850D
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 200 (seconds)
    TLS session ticket:
    0000 - 07 21 c8 c3 25 cb 30 b4-f5 41 72 d9 bb 19 b6 f8   .!..%.0..Ar.....
    0010 - 8e 2c 93 45 00 6d 18 a9-8f 12 0e 2f 8b 19 be 1c   .,.E.m...../....
    0020 - e8 ce 65 63 3a 40 ef dd-60 b9 f1 7b f8 d7 f9 ca   ..ec:@..`..{....
    0030 - 55 e8 91 09 46 95 48 2c-86 31 13 86 22 9a 65 89   U...F.H,.1..".e.
    0040 - b0 1b 5a 00 8d 5b 60 e4-09 f8 bc 37 26 37 ef 9a   ..Z..[`....7&7..
    0050 - 69 db c2 d3 0a 14 08 b7-ef 18 4a 50 6a b2 a2 3d   i.........JPj..=
    0060 - 34 40 c7 76 c6 30 50 61-dd dd 9c 41 ef d0 77 e7   4@.v.0Pa...A..w.
    0070 - 96 3a fb b6 dc bc 53 d0-3e 53 c4 1d fd 63 cf 8c   .:....S.>S...c..
    0080 - a1 ae 78 f7 a1 fc fd c7-0d f9 04 ee 48 fa 18 32   ..x.........H..2
    0090 - f0 c4 53 7b 35 ed 59 51-1d e8 b1 fe f6 7d 25 31   ..S{5.YQ.....}%1

    Start Time: 1440774548
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
250 HELP
ehlo test.ringways.co.uk
250-mail.ringways.co.uk Hello ollie.ringways.co.uk [10.5.1.3]
250-SIZE 104857600
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP
MAIL from: [email protected]
250 OK
RCPT to: [email protected]
RENEGOTIATING
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = ollie2.ringways.co.uk, emailAddress = [email protected]
verify error:num=18:self signed certificate
verify return:1
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = ollie2.ringways.co.uk, emailAddress = [email protected]
verify return:1
data
503 valid RCPT command must precede DATA
quit
221 mail.ringways.co.uk closing connection
closed
[root@ollie2 ~]#

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
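To check the thread's working hypothesis (an inspecting middlebox choking on the larger TLS 1.2 ClientHello) from any vantage point, and without openssl s_client's habit of treating an input line that starts with a capital R as a renegotiation request (which is what turned the RCPT above into RENEGOTIATING; typing rcpt in lower case avoids it), here is an added Python probe that is not from the thread or from Exim. It speaks SMTP itself, pins the STARTTLS handshake to a single TLS version and times it; mail.example.invalid, the EHLO name and the sample reply are constructed placeholders, and the @SECLEVEL=0 cipher string is an assumption needed only so that current OpenSSL builds will still offer TLS 1.1.

```python
import socket, ssl, time

# Constructed sample EHLO reply (not from the post), as a server sends it before STARTTLS.
SAMPLE_EHLO = b"250-mail.example.invalid Hello probe [192.0.2.10]\r\n250-SIZE 104857600\r\n250-STARTTLS\r\n250 HELP\r\n"

def parse_reply(data):
    """Split an SMTP reply into (code, [text after the code on each line])."""
    lines = data.decode("ascii", "replace").splitlines()
    return int(lines[0][:3]), [ln[4:] for ln in lines]

def extensions(reply_lines):
    """EHLO keywords the server advertises (line 0 is the greeting, not a keyword)."""
    return {ln.split()[0].upper() for ln in reply_lines[1:] if ln.strip()}

def read_reply(sock):
    """Read one complete SMTP reply; its last line has a space after the code."""
    buf = b""
    while not (buf.endswith(b"\r\n") and buf.split(b"\r\n")[-2][3:4] == b" "):
        chunk = sock.recv(4096)
        if not chunk: raise ConnectionError("peer closed the connection")
        buf += chunk
    return parse_reply(buf)

def tls_context(version):
    # Pinned to one TLS version; no cert checks, since the post's server has a self-signed cert.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # assumption: so OpenSSL 3 will still offer TLS 1.1
    ctx.minimum_version = ctx.maximum_version = version
    return ctx

def probe(host, version, port=25, timeout=10.0):  # -> ('ok', secs) | ('timeout', secs) | ('error', why)
    with socket.create_connection((host, port), timeout=timeout) as s:
        read_reply(s)  # 220 greeting
        s.sendall(b"EHLO probe.example.invalid\r\n")
        code, lines = read_reply(s)
        if code != 250 or "STARTTLS" not in extensions(lines):
            return ("error", "STARTTLS not offered")
        s.sendall(b"STARTTLS\r\n")
        if read_reply(s)[0] != 220:
            return ("error", "STARTTLS refused")
        t0 = time.monotonic()
        try:  # a middlebox that swallows the larger ClientHello shows up here as a timeout
            with tls_context(version).wrap_socket(s, server_hostname=host):
                return ("ok", round(time.monotonic() - t0, 3))
        except socket.timeout:
            return ("timeout", timeout)
        except (ssl.SSLError, OSError) as e:
            return ("error", str(e))
# usage: for v in (ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2): print(v.name, probe("mail.example.invalid", v))
```

A timeout for TLS 1.2 next to an ok for TLS 1.1 from the same vantage point supports the middlebox explanation; running it both from a hosted server outside and from a host inside the firewall lets the two paths be compared, alongside the tcpdump check suggested above.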
