Jan Kesten
2006-Apr-13 07:19 UTC
[Pkg-exim4-users] Exim4 with Exchange and TLS doesn't work
Hi all :-)

I hope this list is more appropriate than the normal user lists (if not, give me a hint) for exim related problems.

I set up a server running Debian stable with latest updates as smarthost for a LAN and I use SMTP AUTH for relay control and TLS for encryption. Both work fine using another exim or for example Thunderbird as second peer (connecting and AUTH itself).

But I have one M$ Exchange which needs to talk to my exim server. Using plaintext logins everything works, but I don't really like this - and CRAM-MD5 isn't supported by Exchange AFAIK. So I enabled TLS, but this doesn't work and in mainlog lines like the following two appear:

2006-04-12 12:54:38 TLS recv error on connection from p54850177.dip0.t-ipconnect.de [84.133.1.119]: A TLS packet with unexpected length was received.

2006-04-12 12:54:38 TLS send error on connection from p54850177.dip0.t-ipconnect.de [84.133.1.119]: The specified session has been invalidated for some reason.

Software used:

exim4-daemon-heavy_4.50-8_i386.deb
M$ Exchange 2000 SP3 SBE

I searched google but only found some hints about GnuTLS, nothing specific. Does anyone know this problem and has any hints? One solution is to set up another MTA in the Exchange LAN as gateway or not to use TLS at all. Or use more Exchange servers...no!

Maybe compiling exim against OpenSSL for testing? I looked through the sources and found EDITME.exim4-light.diff:

# Uncomment these settings if you are using GnuTLS
-# USE_GNUTLS=yes
-# TLS_LIBS=-lgnutls -ltasn1 -lgcrypt
+USE_GNUTLS=yes
+TLS_LIBS=-lgnutls

But I think there is a good reason for using GnuTLS, isn't it? And is it possible to compile against OpenSSL by just changing these lines?

Thanks for any help and ideas,
Jan
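Review bot: reverting the two lines of this EDITME fragment is not by itself a switch to OpenSSL. The comment line above them says these settings apply only when building with GnuTLS, so the Debian change selects GnuTLS (USE_GNUTLS=yes) and trims TLS_LIBS from "-lgnutls -ltasn1 -lgcrypt" to "-lgnutls"; a build against OpenSSL needs USE_GNUTLS left unset and TLS_LIBS pointing at the OpenSSL libraries instead, which this fragment does not show.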
Marc Haber
2006-Apr-13 07:28 UTC
[Pkg-exim4-users] Exim4 with Exchange and TLS doesn't work
[You need to be subscribed to post. I manually approved this message.]

On Thu, Apr 13, 2006 at 08:46:44AM +0200, Jan Kesten wrote:
> I set up a server running Debian stable with latest updates as smarthost
> for a LAN and I use SMTP AUTH for relay control and TLS for encryption.
> Both work fine using another exim or for example Thunderbird as second
> peer (connecting and AUTH itself).
>
> But I have one M$ Exchange which needs to talk to my exim server.

So you want that Exchange box to authenticate as a client against your exim server?

> Using plaintext logins everything works, but I don't really like this
> - and CRAM-MD5 isn't supported by Exchange AFAIK. So I enabled TLS,
> but this doesn't work and in mainlog lines like the following two
> appear:
>
> 2006-04-12 12:54:38 TLS recv error on connection from
> p54850177.dip0.t-ipconnect.de [84.133.1.119]: A TLS packet with
> unexpected length was received.
>
> 2006-04-12 12:54:38 TLS send error on connection from
> p54850177.dip0.t-ipconnect.de [84.133.1.119]: The specified session has
> been invalidated for some reason.
>
> Software used:
>
> exim4-daemon-heavy_4.50-8_i386.deb
> M$ Exchange 2000 SP3 SBE

Kneejerk response: Do you have enough entropy on your exim system?

Does Microsoft have a TLS command line client which you could use to find out whether the system is able to do proper TLS? Or does Windows have something like strace where you could look at what exactly the Exchange is doing?

Can the Exchange box deliver successfully to your exim over TLS if you allow it to relay via IP address temporarily for testing?

> Does anyone know this problem and has any hints? One solution is to
> set up another MTA in the Exchange LAN as gateway or not to use TLS at
> all. Or use more Exchange servers...no!
>
> Maybe compiling exim against OpenSSL for testing? I looked through the
> sources and found EDITME.exim4-light.diff:
>
> # Uncomment these settings if you are using GnuTLS
> -# USE_GNUTLS=yes
> -# TLS_LIBS=-lgnutls -ltasn1 -lgcrypt
> +USE_GNUTLS=yes
> +TLS_LIBS=-lgnutls
>
> But I think there is a good reason for using GnuTLS, isn't it? And is
> it possible to compile against OpenSSL by just changing these lines?

If you compile it yourself, it might be worth trying the later packages from unstable, which both have a more current exim and have an option to easily switch to OpenSSL via a debian/rules setting.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in the header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt  | Fax: *49 621 72739835
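Two things the thread asks for but does not show are a way to confirm that the TLS failures are confined to one peer (Jan's two mainlog lines) and the "TLS command line client" Marc wishes the Exchange side had. The following is an added example, not code from the original posts or from the exim4 packages: it parses Exim's "TLS recv/send error on connection from" mainlog lines and groups them per peer IP, and it offers a small STARTTLS probe built on Python's smtplib that reports the negotiated protocol version and cipher. The sample log is constructed: it reuses the two lines quoted above and adds invented lines for other peers (192.0.2.x addresses and example.org names are placeholders). Only the log summary runs offline; the probe is invoked only when a host is given on the command line.

```python
"""Diagnostics for the Exim-vs-Exchange TLS problem discussed in the thread.

Added example code; not from the original posts or from the exim4 packages.
(1) summarises 'TLS recv/send error' mainlog lines per peer so you can see
whether handshake failures are confined to one client, (2) probes a server's
STARTTLS handshake as the command line client the thread asks for.
"""
import re
import smtplib
import ssl
import sys
from collections import defaultdict

# Constructed sample: the two lines quoted in the thread plus invented lines
# for other peers. 192.0.2.0/24 addresses and example.org names are placeholders.
SAMPLE_MAINLOG = """\
2006-04-12 12:54:38 TLS recv error on connection from p54850177.dip0.t-ipconnect.de [84.133.1.119]: A TLS packet with unexpected length was received.
2006-04-12 12:54:38 TLS send error on connection from p54850177.dip0.t-ipconnect.de [84.133.1.119]: The specified session has been invalidated for some reason.
2006-04-12 12:55:01 1FU0Ab-0001Xy-Zz <= alice@example.org H=mua.example.org [192.0.2.10] P=esmtpsa A=plain:alice S=1024
2006-04-12 12:57:12 TLS recv error on connection from p54850177.dip0.t-ipconnect.de [84.133.1.119]: A TLS packet with unexpected length was received.
2006-04-12 13:01:44 TLS recv error on connection from [192.0.2.77]: A TLS packet with unexpected length was received.
"""

# Exim logs handshake failures as 'TLS <recv|send> error on connection from
# <host> [<ip>]: <library message>'; the host part is absent without reverse DNS.
TLS_ERROR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"TLS (?P<direction>recv|send) error on connection from "
    r"(?:(?P<host>\S+) )?\[(?P<ip>[^\]]+)\]: (?P<reason>.*)$"
)


def parse_tls_errors(log_text):
    """Return one dict per TLS error line; all other mainlog lines are ignored."""
    return [m.groupdict() for m in map(TLS_ERROR_RE.match, log_text.splitlines()) if m]


def failures_by_peer(events):
    """Group TLS errors by peer IP: recv/send counts plus the distinct library messages."""
    summary = defaultdict(lambda: {"host": None, "recv": 0, "send": 0, "reasons": set()})
    for e in events:
        entry = summary[e["ip"]]
        entry["host"] = e["host"] or entry["host"]
        entry[e["direction"]] += 1
        entry["reasons"].add(e["reason"])
    return dict(summary)


def probe_starttls(host, port=25, timeout=10, context=None):
    """Issue EHLO + STARTTLS against an SMTP server and report the negotiated TLS parameters.

    Stand-in for the TLS command line client the thread asks for. Needs network
    access, so it is only called from __main__ when a host is given.
    """
    context = context or ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"starttls": False}
        smtp.starttls(context=context)
        # After starttls() smtp.sock is an SSLSocket exposing the handshake result.
        return {"starttls": True, "version": smtp.sock.version(), "cipher": smtp.sock.cipher()[0]}


if __name__ == "__main__":
    for ip, info in sorted(failures_by_peer(parse_tls_errors(SAMPLE_MAINLOG)).items()):
        print(f"{ip:15} {info['host'] or '-':40} recv={info['recv']} send={info['send']}")
        for reason in sorted(info["reasons"]):
            print(f"{'':15} {reason}")
    if len(sys.argv) > 1:
        print(probe_starttls(sys.argv[1]))
```

Run without arguments it prints the per-peer summary of the constructed log, which shows the failures clustering on the single Exchange address while the other TLS client delivered normally; run as `python3 tls_diag.py smarthost.example.org` (the filename is arbitrary) it additionally reports what the smarthost negotiates with a well-behaved client, which is the baseline to compare against a misbehaving peer.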
Jan Kesten
2006-Apr-13 07:59 UTC
[Pkg-exim4-users] Exim4 with Exchange and TLS doesn't work
Hi Marc!

> [You need to be subscribed to post. I manually approved this message.]

Am I not? I subscribed yesterday and confirmed already? I'll check this :-)

> So you want that Exchange box to authenticate as a client against your
> exim server?

Yes - the Exchange server sits inside the LAN and is using my external exim as smarthost. TLS is only needed to provide secure connections and not for authenticating (i.e. the Exchange box doesn't have a certificate of its own - authentication is done via SMTP-AUTH using exim's passwd file - this is working fine when using unencrypted connections).

> Kneejerk response: Do you have enough entropy on your exim system?

I think I have, since connections via TLS are possible with another exim or MUA supporting SMTP via TLS at the same time. Only connections from the Exchange box fail.

> Does Microsoft have a TLS command line client which you could use to
> find out whether the system is able to do proper TLS? Or does Windows
> have something like strace where you could look at what exactly the
> Exchange is doing?

Very good question - I simply don't know since I don't use M$ if I must not (I would be very happy if I'm allowed to replace Exchange).

> Can the Exchange box deliver successfully to your exim over TLS if you
> allow it to relay via IP address temporarily for testing?

This was one idea I had and I told the admin of the Exchange server to use the IP, but it seems that Exchange does not support IPs instead of hostnames (or he and I don't know how).

> If you compile it yourself, it might be worth trying the later
> packages from unstable, which both have a more current exim and have
> an option to easily switch to OpenSSL via a debian/rules setting.

Gnah, I should have known that earlier - now I created an EDITME file myself from the stable tree. Not just really simple, but not difficult at all. It's compiling now and I'll report if that worked.

Thanks for the quick response,
Jan
Jan Kesten
2006-Apr-13 08:33 UTC
[Pkg-exim4-users] Exim4 with Exchange and TLS doesn't work
Hi again :-)

> Gnah, I should have known that earlier - now I created an EDITME file
> myself from the stable tree. Not just really simple, but not difficult at
> all. It's compiling now and I'll report if that worked.

So, new exim package compiled, now with OpenSSL - and it worked directly without changing anything else.

Since I'm curious I looked and found how Exchange will support IP addresses and told the admin of that box (Exchange seems to be unable to recognize IP addresses, you must enclose them in []). Tried it out and it works with my new package. Uninstalled that and replaced it with the old one - worked also. Now I'm trying to reproduce the error.

Cheers,
Jan