On Mon, Sep 18, 2006 at 12:20:27PM -0700, Ross Boylan wrote:
> I just activated TLS on one of my machines by running the exim-gencert
> script and defining the appropriate macro. Bizarrely, this was
> working for a while, but now I'm getting
> another (corn), also running Debian exim4, inside my network I get
> 2006-09-18 11:07:13 TLS error on connection from corn.betterworld.us [192.168.40.2] (gnutls_handshake): timed out
> 2006-09-18 11:07:14 TLS error on connection from corn.betterworld.us [192.168.40.2] (gnutls_handshake): timed out
>
> That message refers to a connection inside my network, for which I
> think I've enabled all packets. However, I'm also getting this error
> from an outside server that did manage to send TLS messages when I
> first set things up yesterday.
>
> The only thing that's changed is that I did a dist-upgrade after I had
> things set up, and that did include libgnutls13.
>
> Any suggestions for diagnosis/cures?
>
> I'm restarting exim to see if that helps.

The restart seems to have cured the problem. The logs also show the problem began just after the dist-upgrade. They also show that some remote connections were getting TLS at the same time my local machine (corn) was getting TLS errors. Odd.

The connect from corn also got this error on wheat (wheat = system with TLS):
2006-09-18 11:12:13 SMTP command timeout on connection from corn.betterworld.us [192.168.40.2]
2006-09-18 11:12:14 SMTP command timeout on connection from corn.betterworld.us [192.168.40.2]

By the way, should invoke-rc.d exim4 reload have been sufficient to activate TLS? That seemed not to work in my initial tests; restart did work.

I just activated TLS on one of my machines by running the exim-gencert script and defining the appropriate macro. Bizarrely, this was working for a while, but now I'm getting
another (corn), also running Debian exim4, inside my network I get
2006-09-18 11:07:13 TLS error on connection from corn.betterworld.us [192.168.40.2] (gnutls_handshake): timed out
2006-09-18 11:07:14 TLS error on connection from corn.betterworld.us [192.168.40.2] (gnutls_handshake): timed out

That message refers to a connection inside my network, for which I think I've enabled all packets. However, I'm also getting this error from an outside server that did manage to send TLS messages when I first set things up yesterday.

The only thing that's changed is that I did a dist-upgrade after I had things set up, and that did include libgnutls13.

Any suggestions for diagnosis/cures?

I'm restarting exim to see if that helps.

Thanks.
Ross Boylan

On Mon, Sep 18, 2006 at 12:20:27PM -0700, Ross Boylan wrote:
> I just activated TLS on one of my machines by running the exim-gencert
> script and defining the appropriate macro. Bizarrely, this was
> working for a while, but now I'm getting
> another (corn), also running Debian exim4, inside my network I get
> 2006-09-18 11:07:13 TLS error on connection from corn.betterworld.us [192.168.40.2] (gnutls_handshake): timed out
> 2006-09-18 11:07:14 TLS error on connection from corn.betterworld.us [192.168.40.2] (gnutls_handshake): timed out

How much entropy do both boxes have? Is gnutls-bin installed?

Greetings
Marc
-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt  | Fax: *49 621 72739835

On Mon, Sep 18, 2006 at 10:01:20PM +0200, Marc Haber wrote:
> On Mon, Sep 18, 2006 at 12:20:27PM -0700, Ross Boylan wrote:
> > I just activated TLS on one of my machines by running the exim-gencert
> > script and defining the appropriate macro. Bizarrely, this was
> > working for a while, but now I'm getting
> > another (corn), also running Debian exim4, inside my network I get
> > 2006-09-18 11:07:13 TLS error on connection from corn.betterworld.us [192.168.40.2] (gnutls_handshake): timed out
> > 2006-09-18 11:07:14 TLS error on connection from corn.betterworld.us [192.168.40.2] (gnutls_handshake): timed out
>
> How much entropy do both boxes have?

Is there a way to measure that? They aren't doing much, so don't have many events that could be used for entropy.

> Is gnutls-bin installed?

No, on either box.

On Mon, Sep 18, 2006 at 01:24:56PM -0700, Ross Boylan wrote:
> > How much entropy do both boxes have?
> Is there a way to measure that?

cat /proc/sys/kernel/random/entropy_avail

> They aren't doing much, so don't have many events that could be used
> for entropy.
> > Is gnutls-bin installed?
> No, on either box.

Please try installing gnutls-bin on the box that is the one acting as SMTP server.

Greetings
Marc

On Mon, Sep 18, 2006 at 10:27:06PM +0200, Marc Haber wrote:
> On Mon, Sep 18, 2006 at 01:24:56PM -0700, Ross Boylan wrote:
> > > How much entropy do both boxes have?
> > Is there a way to measure that?
>
> cat /proc/sys/kernel/random/entropy_avail

4096

> > They aren't doing much, so don't have many events that could be used
> > for entropy.
> > > Is gnutls-bin installed?
> > No, on either box.
>
> Please try installing gnutls-bin on the box that is the one acting as
> SMTP server.

Done. Is that something exim uses if available? It just sounds like some utilities from the package description:

    This package contains a commandline interface to the GNU TLS library,
    which can be used to set up secure ? connections from e.g. shell
    scripts.

Do I need to restart exim?

Since my last restart, I'm getting a few errors:
2006-09-18 13:20:43 TLS error on connection from xxx (gnutls_handshake): Decryption has failed.

I changed the remote host to xxx above. However, the other hosts that were having problems seem to be doing OK now.

Ross

On Mon, Sep 18, 2006 at 01:35:14PM -0700, Ross Boylan wrote:
> On Mon, Sep 18, 2006 at 10:27:06PM +0200, Marc Haber wrote:
> > On Mon, Sep 18, 2006 at 01:24:56PM -0700, Ross Boylan wrote:
> > > > How much entropy do both boxes have?
> > > Is there a way to measure that?
> >
> > cat /proc/sys/kernel/random/entropy_avail
> 4096
> >
> > > They aren't doing much, so don't have many events that could be used
> > > for entropy.
> > > > Is gnutls-bin installed?
> > > No, on either box.
> >
> > Please try installing gnutls-bin on the box that is the one acting as
> > SMTP server.
> Done. Is that something exim uses if available? It just sounds like
> some utilities from the package description:
>
> This package contains a commandline interface to the GNU TLS library,
> which can be used to set up secure ? connections from e.g. shell
> scripts.
>

Since installing the package (but without restarting exim) the logs show only a single TLS error. That is a repeat of the "Decryption has failed" error below. These errors all involve the same sending machine, and are for legitimate mail, not spam. The message eventually arrived via unencrypted transport.

>
> Do I need to restart exim?
>
> Since my last restart, I'm getting a few errors:
> 2006-09-18 13:20:43 TLS error on connection from xxx
> (gnutls_handshake): Decryption has failed.
>
> I changed the remote host to xxx above. However, the other hosts that
> were having problems seem to be doing OK now.
>
> Ross

On Mon, Sep 18, 2006 at 01:35:14PM -0700, Ross Boylan wrote:
> On Mon, Sep 18, 2006 at 10:27:06PM +0200, Marc Haber wrote:
> > Please try installing gnutls-bin on the box that is the one acting as
> > SMTP server.
> Done. Is that something exim uses if available?

Yes. If available, the daily cron job uses it to generate new dh_parameters while exim still uses the old set. If gnutls-bin is not available, the daily cron job will just remove the old dh_parameters and rely on exim itself re-generating them, which will cause connection delays in case of entropy starvation.

> Do I need to restart exim?

No, it's a matter of the daily cron job. This needs a reasonably recent post-sarge exim4.

Greetings
Marc
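The three checks the thread arrives at (entropy pool level, presence of gnutls-bin, and which gnutls_handshake errors the exim log is showing) collected into one diagnostic script. This is an added example, not code from the Debian exim4 package or its cron job; file paths are passed as arguments so each check can be pointed at a test file, the 256-bit minimum is an assumed threshold, and /var/log/exim4/mainlog is the Debian default log path assumed for the stand-alone run.

```shell
#!/bin/sh
# Added diagnostic for the symptoms discussed in this thread; not part of
# the Debian exim4 package. Paths are arguments so the checks are testable;
# the 256-bit minimum below is an assumed threshold, not from the thread.

# Read the kernel entropy counter from file $1 (normally
# /proc/sys/kernel/random/entropy_avail) and print "ok:<n>" or "low:<n>"
# relative to minimum $2. Returns 1 when the pool is below the minimum.
entropy_status() {
    avail=$(cat "$1" 2>/dev/null) || { echo "unreadable"; return 2; }
    if [ "$avail" -lt "$2" ]; then
        echo "low:$avail"
        return 1
    fi
    echo "ok:$avail"
}

# certtool ships in gnutls-bin. Without it the daily cron job cannot
# pre-generate DH parameters, so exim regenerates them itself and incoming
# handshakes stall (and time out) while entropy is scarce.
certtool_present() {
    if command -v certtool >/dev/null 2>&1; then
        echo "certtool: found"
        return 0
    fi
    echo "certtool: missing (install gnutls-bin)"
    return 1
}

# Count the two gnutls_handshake failures seen in the thread in exim
# mainlog $1 and print "timeouts=<n> decrypt_failed=<n>". Timeouts are the
# entropy-starvation symptom; "Decryption has failed" came from one peer
# only and is tracked separately so the two are not conflated.
tls_error_summary() {
    t=$(grep -c 'gnutls_handshake): timed out' "$1" || true)
    d=$(grep -c 'gnutls_handshake): Decryption has failed' "$1" || true)
    echo "timeouts=${t:-0} decrypt_failed=${d:-0}"
}

# Run the checks against the live system.
entropy_status /proc/sys/kernel/random/entropy_avail 256
certtool_present
tls_error_summary /var/log/exim4/mainlog
```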