Re: exim4 - tls errors [SOLVED]
Kamil Jońca wrote:

> deloptes writes:
>
>> Kamil Jońca wrote:
>>
>>> kjo...@poczta.onet.pl (Kamil Jońca) writes:
>>>
>>> some background
>>> 1. with exim 4.87 tls_advertise_hosts defaults to *.
>>> 2. also MAIN_TLS_ADVERTISE_HOSTS (main/03_exim4-config_tlsoptions)
>>> 3. to get rid of this message (except to create certificate)
>>> tls_advertise_hosts should be _empty_.
>>>
>>> so set
>>> --8<---cut here---start->8---
>>> MAIN_TLS_ADVERTISE_HOSTS= ""
>>> --8<---cut here---end--->8---
>>> works.
>>>
>>> Yes, I should read exim documentation earlier. :)
>>>
>>> KJ
>>>
>>
>> This is not exactly correct. As stated before setting
>> MAIN_TLS_ENABLE=false should skip the whole block of settings related to
>> SSL/TLS. No idea why you should touch the supplementary config files.
>
> Because I do not want to disable tls completely - I want to use tls when
> exim acts as client. But I do not want tls when my clients connect to
> exim. (It's a home machine configured to use smarthosts)
>
> KJ
>

OK, but in this case you keep MAIN_TLS_ENABLE=true and look in that below in
/etc/exim4/exim4.conf.template

it means that if you add the variable MAIN_TLS_ADVERTISE_HOSTS in the
beginning of your conf.template with

MAIN_TLS_ADVERTISE_HOSTS = ""

it would handle it as not set and set to *.

# Defines what hosts to 'advertise' STARTTLS functionality to. The
# default, *, will advertise to all hosts that connect with EHLO.
.ifndef MAIN_TLS_ADVERTISE_HOSTS
MAIN_TLS_ADVERTISE_HOSTS = *
.endif
tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS

if this is your case it might be worth talking to the exim4 folks and
perhaps raise a CR based on your case

regards
Re: exim4 - tls errors [SOLVED]
deloptes writes:

> Kamil Jońca wrote:
>
>> kjo...@poczta.onet.pl (Kamil Jońca) writes:
>>
>> some background
>> 1. with exim 4.87 tls_advertise_hosts defaults to *.
>> 2. also MAIN_TLS_ADVERTISE_HOSTS (main/03_exim4-config_tlsoptions)
>> 3. to get rid of this message (except to create certificate)
>> tls_advertise_hosts should be _empty_.
>>
>> so set
>> --8<---cut here---start->8---
>> MAIN_TLS_ADVERTISE_HOSTS= ""
>> --8<---cut here---end--->8---
>> works.
>>
>> Yes, I should read exim documentation earlier. :)
>>
>> KJ
>>
>
> This is not exactly correct. As stated before setting MAIN_TLS_ENABLE=false
> should skip the whole block of settings related to SSL/TLS.
> No idea why you should touch the supplementary config files.

Because I do not want to disable tls completely - I want to use tls when
exim acts as client. But I do not want tls when my clients connect to
exim. (It's a home machine configured to use smarthosts)

KJ

--
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
We are so fond of each other because our ailments are the same.
-- Jonathan Swift
Re: exim4 - tls errors [SOLVED]
Kamil Jońca wrote:

> kjo...@poczta.onet.pl (Kamil Jońca) writes:
>
> some background
> 1. with exim 4.87 tls_advertise_hosts defaults to *.
> 2. also MAIN_TLS_ADVERTISE_HOSTS (main/03_exim4-config_tlsoptions)
> 3. to get rid of this message (except to create certificate)
> tls_advertise_hosts should be _empty_.
>
> so set
> --8<---cut here---start->8---
> MAIN_TLS_ADVERTISE_HOSTS= ""
> --8<---cut here---end--->8---
> works.
>
> Yes, I should read exim documentation earlier. :)
>
> KJ
>

This is not exactly correct. As stated before setting MAIN_TLS_ENABLE=false
should skip the whole block of settings related to SSL/TLS.
No idea why you should touch the supplementary config files.

regards
Re: exim4 - tls errors [SOLVED]
kjo...@poczta.onet.pl (Kamil Jońca) writes:

some background
1. with exim 4.87 tls_advertise_hosts defaults to *.
2. also MAIN_TLS_ADVERTISE_HOSTS (main/03_exim4-config_tlsoptions)
3. to get rid of this message (except to create certificate)
tls_advertise_hosts should be _empty_.

so set
--8<---cut here---start->8---
MAIN_TLS_ADVERTISE_HOSTS= ""
--8<---cut here---end--->8---
works.

Yes, I should read exim documentation earlier. :)

KJ

--
http://wolnelektury.pl/wesprzyj/teraz/
Answer a fool according to his folly, lest he be wise in his own conceit.
-- Proverbs, 26:5
Re: exim4 - tls errors [partially solved]
Kamil Jońca wrote:

> Am I missing something?

it's not clear if you tried to set to false, but I assume yes. I also assume
you restarted after setting the option to false/true

in main/03_exim4-config_tlsoptions you have this

# TLS/SSL configuration for exim as an SMTP server.
# See /usr/share/doc/exim4-base/README.Debian.gz for explanations.

.ifdef MAIN_TLS_ENABLE
# Defines what hosts to 'advertise' STARTTLS functionality to. The
# default, *, will advertise to all hosts that connect with EHLO.
.ifndef MAIN_TLS_ADVERTISE_HOSTS
MAIN_TLS_ADVERTISE_HOSTS = *
.endif
...
...
...

So either I have some older exim version or something is wrong there, but
invisible because most of us use TLS.
Setting MAIN_TLS_ENABLE=false should skip the whole block of settings.

regards
Re: exim4 - tls errors [partially solved]
deloptes writes:

>
> Try to disable TLS
>
> MAIN_TLS_ENABLE = false
>
> in /etc/exim4/exim4.conf.template

Wrong. It was not defined, and this caused all tls_* options were unset
(tls_advertise_hosts in particular)
never mind.

1. I used /usr/share/doc/exim4-base/examples/exim-gencert to generate
certs. and set MAIN_TLS_ENABLE=true
and seems to work.

2. I tried also set
MAIN_TLS_ENABLE=true
and
tls_advertise_hosts = !*
but still were warnings.

Am I missing something?

KJ

--
http://wolnelektury.pl/wesprzyj/teraz/
When a fellow says, "It ain't the money but the principle of the thing,"
it's the money.
-- Kim Hubbard
Re: exim4 - tls errors
Hi KJ,

depending on which configuration scheme is used for exim4 (split
config or not) the file to be changed is different. So either edit both
locations (/etc/exim4/exim4.conf.template and a file in
/etc/exim4/conf.d) or make sure which scheme is used. To find out, run the
command

grep -A2 'exim4/use_split_config' /var/cache/debconf/config.dat

and see what the line beginning with "Value:" says.

After configuration changes don't forget to execute "update-exim4.conf"
as root.

The default configuration has

tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS

and

MAIN_TLS_ADVERTISE_HOSTS = *

See /etc/exim4/exim4.conf.template and
/etc/exim4/conf.d/main/03_exim4-config_tlsoptions.

Maybe there are local modifications in your configuration files. Then the
update should've stored new config files with ".dpkg-dist" or something
added to their normal names.

Regards,
jvp.
Re: exim4 - tls errors
* Kamil Jońca [2016-04-11 06:43 +0200]:

> tls_advertise_host = !*

I've

tls_advertise_hosts = *

and it works.

Elimar

--
On the keyboard of life you have always
to keep a finger at the escape key;-)
Re: exim4 - tls errors
Hi,

Kamil Jońca wrote:

>
> I recently upgraded my box and now I got
>
> --8<---cut here---start->8---
> Warning: No server certificate defined; TLS connections will fail.
> Suggested action: either install a certificate or change
> tls_advertise_hosts option
> --8<---cut here---end--->8---
> with every mail I sent (but mails are delivered)

Sure it's delivered because it's just a warning

> I tried to set
>
> --8<---cut here---start->8---
> tls_advertise_host = !*
> --8<---cut here---end--->8---
> or remove it completely but with no success.
> How can I get rid of this message? (Assuming I'm too lazy to create self
> signed cert for this?)
>
> KJ

Try to disable TLS

MAIN_TLS_ENABLE = false

in /etc/exim4/exim4.conf.template

regards
exim4 - tls errors
I recently upgraded my box and now I got

--8<---cut here---start->8---
Warning: No server certificate defined; TLS connections will fail.
Suggested action: either install a certificate or change
tls_advertise_hosts option
--8<---cut here---end--->8---
with every mail I sent (but mails are delivered)

I tried to set

--8<---cut here---start->8---
tls_advertise_host = !*
--8<---cut here---end--->8---
or remove it completely but with no success.
How can I get rid of this message? (Assuming I'm too lazy to create self
signed cert for this?)

KJ

--
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
Flame on!
-- Johnny Storm
Re: exim4 TLS errors
Camaleón writes:

> On Wed, 07 Mar 2012 09:29:15 -0700, Joe Pfeiffer wrote:
>
>> Monday my exim4 server began reporting errors trying to deliver email to
>> a number of sites, as follows:
>
> (...)
>
>> 2012-03-07 09:04:44 1S5JM2-0001iQ-Rz ** m...@creepinglunacy.com R=dnslookup
>> T=remote_smtp: SMTP error from remote mail server after MAIL FROM:
>> SIZE=1432: host creepinglunacy.com
>> [199.85.212.11]: 550 Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
>
> (...)
>
> Just a quick note on the above error. The remote host expected a valid
> domain name at the "helo" command stage and closed the communication with
> your server. I would check how this variable is set in your Exim.

Thank you! I'd been discounting that message, since the only place I
ever saw it was following the unexpected TLS packet length so I was
assuming it was a cascade error. When I saw your message I went to
verify my assumption before responding -- and guess what

My exim4 configuration was sending the local hostname of my server
(babs), rather than the name by which external DNS knows my domain
(pfeifferfamily.net). That seems to have been the problem.

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1b62eg54qs@pfeifferfamily.net
Re: exim4 TLS errors
On Wed, 07 Mar 2012 09:29:15 -0700, Joe Pfeiffer wrote:

> Monday my exim4 server began reporting errors trying to deliver email to
> a number of sites, as follows:

(...)

> 2012-03-07 09:04:44 1S5JM2-0001iQ-Rz ** m...@creepinglunacy.com R=dnslookup
> T=remote_smtp: SMTP error from remote mail server after MAIL FROM:
> SIZE=1432: host creepinglunacy.com
> [199.85.212.11]: 550 Access denied - Invalid HELO name (See RFC2821 4.1.1.1)

(...)

Just a quick note on the above error. The remote host expected a valid
domain name at the "helo" command stage and closed the communication with
your server. I would check how this variable is set in your Exim.

Greetings,

--
Camaleón
exim4 TLS errors
Monday my exim4 server began reporting errors trying to deliver email to
a number of sites, as follows:

2012-03-07 09:04:42 1S5JM2-0001iQ-Rz <= jos...@pfeifferfamily.net U=pfeiffer P=local S=398
2012-03-07 09:04:44 1S5JM2-0001iQ-Rz TLS error on connection to creepinglunacy.com [199.85.212.11] (recv): A TLS packet with unexpected length was received.
2012-03-07 09:04:44 1S5JM2-0001iQ-Rz TLS error on connection to creepinglunacy.com [199.85.212.11] (send): The specified session has been invalidated for some reason.
2012-03-07 09:04:44 1S5JM2-0001iQ-Rz ** m...@creepinglunacy.com R=dnslookup T=remote_smtp: SMTP error from remote mail server after MAIL FROM: SIZE=1432: host creepinglunacy.com [199.85.212.11]: 550 Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2012-03-07 09:04:45 1S5JM5-0001iV-0U <= <> R=1S5JM2-0001iQ-Rz U=Debian-exim P=local S=1392
2012-03-07 09:04:45 1S5JM2-0001iQ-Rz Completed
2012-03-07 09:05:37 1S5JM5-0001iV-0U => pfeiffer R=procmail T=procmail_pipe
2012-03-07 09:05:37 1S5JM5-0001iV-0U Completed

I don't believe this is happening with every TLS-enabled server I try to
send email to, since I also have entries like:

2012-03-07 08:00:04 1S5ILU-Xu-3Q <= board-boun...@lcctnm.org H=localhost (babs.wb.pfeifferfamily.net) [127.0.0.1] P=esmtp S=1355 id=mailman.0.1331132402.2099.bo...@lcctnm.org
2012-03-07 08:00:06 1S5ILU-Xu-3Q => board-ow...@lcctnm.org R=dnslookup T=remote_smtp H=mx.lcctnm.org [66.96.142.50] X=TLS1.0:RSA_AES_256_CBC_SHA1:32 DN="C=US,O=RTFM\, Inc.,OU=Widgets Division,CN=localhost"
2012-03-07 08:00:06 1S5ILU-Xu-3Q Completed

(I'm assuming the X=TLS etc in the second line of this example means TLS
is being used on this connection)

Other people are successfully sending email to several of the sites
giving me trouble.
I've tried:

Updating the various exim4 and libgnutils related packages to the newest
versions in the testing repository (of course)

Backing off to the oldest exim4 and libgnutils versions I could find

Backing off my ca-certificates package to the oldest one in the
repositories (which seems to date to 2009), since I found a couple of
old bugs related to too many entries in ca-certificates.

Installing rng-utils using /dev/urandom as an entropy source, since I
came across one thread suggesting insufficient entropy could be the
cause (when it didn't make any difference, I took it out again).

Switching from exim4-daemon-light (which I'd been using before) to
exim4-daemon-heavy.

None of this seems to have made the slightest difference. Does anybody
have any other suggestions for something to try?
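
The mainlog excerpt in the post above, triaged per message id so that the remote server's SMTP reply is reported ahead of the TLS errors logged beside it. This is an added example, not part of any post in the thread; the log lines are constructed from the quoted ones with example.* and 192.0.2.* placeholders, and `triage` and `root_cause` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the mainlog lines quoted in the post;
# addresses, hosts and IPs are example.* / 192.0.2.* placeholders.
SAMPLE_LOG = """\
2012-03-07 09:04:42 1S5JM2-0001iQ-Rz <= sender@example.net U=pfeiffer P=local S=398
2012-03-07 09:04:44 1S5JM2-0001iQ-Rz TLS error on connection to mx.example.com [192.0.2.11] (recv): A TLS packet with unexpected length was received.
2012-03-07 09:04:44 1S5JM2-0001iQ-Rz ** rcpt@example.com R=dnslookup T=remote_smtp: SMTP error from remote mail server after MAIL FROM:<sender@example.net> SIZE=1432: host mx.example.com [192.0.2.11]: 550 Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2012-03-07 09:04:45 1S5JM2-0001iQ-Rz Completed
2012-03-07 08:00:06 1S5ILU-0000Xu-3Q => list@example.org R=dnslookup T=remote_smtp H=mx.example.org [192.0.2.50] X=TLS1.0:RSA_AES_256_CBC_SHA1:32
"""

LINE = re.compile(r"^\S+ \S+ (\w+-\w+-\w+) (.*)$")   # date time msg-id rest
SMTP_REPLY = re.compile(r"\]: (\d{3}) (.*)$")         # "...[ip]: 550 text"
TLS_CIPHER = re.compile(r"\bX=(\S+)")                 # X=TLS... on "=>" lines

def triage(log_text):
    """Group mainlog lines by message id and summarise each delivery."""
    msgs = defaultdict(lambda: {"status": "pending", "tls": None,
                                "tls_errors": [], "smtp_code": None,
                                "smtp_text": None})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg_id, rest = m.groups()
        rec = msgs[msg_id]
        if rest.startswith("TLS error on connection to"):
            rec["tls_errors"].append(rest.split("): ", 1)[-1])
        elif rest.startswith("** "):          # permanent delivery failure
            rec["status"] = "failed"
            reply = SMTP_REPLY.search(rest)
            if reply:
                rec["smtp_code"] = int(reply.group(1))
                rec["smtp_text"] = reply.group(2)
        elif rest.startswith("=> "):          # successful delivery
            rec["status"] = "delivered"
            x = TLS_CIPHER.search(rest)
            rec["tls"] = x.group(1) if x else None
    return dict(msgs)

def root_cause(rec):
    """Report the remote SMTP reply ahead of TLS errors logged beside it."""
    if rec["status"] != "failed":
        return None
    if rec["smtp_code"] is not None:
        return f"remote rejected: {rec['smtp_code']} {rec['smtp_text']}"
    return "; ".join(rec["tls_errors"]) or "unknown"
```
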