Marco Kammerer
2009-Aug-06 15:36 UTC
[Pkg-exim4-users] tracking - TLS error on connection from host [x.x.x.x] (gnutls_handshake): timed out
Hello

simon at josefsson.org wrote:
>> I am running debian etch with the normal exim (i know lenny is out and
>> i should upgrade)
>>
>> The server acts as mx, for checking emails for spam and forwarding
>> them to different mailservers.
>>
>> Since 1 week i read the following in /var/log/exim4/maillog
>> that the TLS handshake failed
>>
>> http://de.pastebin.ca/1520372
>
> Hi.
>
> Are you sure these aren't just normal timeouts from hosts that don't
> want to complete the TLS handshake? Could be hosts probing your
> machine.
>
no, because they were waiting and retrying for days and they are from known hosters/providers.
the interesting thing is that the setup of this server was running since 2007-11 without any change. more i will write below.

>> gnutls-bin is installed on the machine
>>
>> i yesterday exchanged the certificate - i thought this could be a reason
>>
>> i made some trackings
>>
>> openssl s_client -connect localhost:666
>> http://de.pastebin.ca/1520365
>
> Looks fine to me?
>
OK, so the certs should be ok?

>> exim4 -bd -d+tls -oX 0.0.0.0.666 -tls-on-connect
>> http://de.pastebin.ca/1520369
>
> This looks like you are talking TLS-over-TCP against a server that sends a
> SMTP header, so the error is expected.
>
that output was received when connecting with openssl s_client -connect localhost:666 to the client, not with a normal client .... do you want to get an output of a normal client too?

>> here everything works out fine.
>>
>> if i check via
>> swaks -a -tls -q AUTH -s mx4-au xxx
>> http://de.pastebin.ca/1520382
>
> Seems correct to me as well.
>
>> any hint is appreciated.
>>
>> i have now deactivated tls via
>> MAIN_TLS_ADVERTISE_HOSTS=1.1.1.1
>> so that no advertise is done, but that is not the ideal way ....
>
> I think I need some more information on what you believe the error is to
> be able to debug further.
>
mh, ok i will guess.
this config was running since 2007-11, so i think something changed.
possibilities:
a.) there was a change in certificates right now. Possibly some certs were running out - not mine, for example one of the main certs.
b.) some servers received an update of the mail software.
after i have disabled tls at all, these servers from here http://de.pastebin.ca/1520372 delivered the mails ....
if you like i can give you a login, or you can test against the server. i can enable tls again on one of them for testing.
like i wrote i have not changed things since 2007, now i upgraded my self signed certificate against a normal wildcard certificate - because i thought possibly this could be it. but no improvement.

Marco
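The thread turns on one question: are the "TLS error on connection from host [x.x.x.x] (gnutls_handshake): timed out" lines coming from scanners that open a connection and never finish the handshake, or from real MTAs that keep retrying the same message for days? The script below is an added example, not something posted in this thread or shipped with exim4; it parses mainlog lines in the format quoted in the subject and flags remote IPs whose failures recur over a long window. The log lines in SAMPLE_LOG are constructed for the example, the 24-hour / 3-attempt thresholds are assumptions, and the optional host name before the bracketed IP is an assumption about how exim logs hosts without reverse DNS.

```python
import re
from collections import defaultdict
from datetime import datetime

# Exim mainlog entries for a failed GnuTLS handshake, in the form quoted in the
# subject line of this thread:
#   <timestamp> TLS error on connection from <host> [<ip>] (gnutls_handshake): timed out
# The host name is treated as optional (assumption: hosts without reverse DNS
# appear as just "[ip]").
TLS_ERROR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"TLS error on connection from (?:(?P<host>\S+) )?\[(?P<ip>[^\]]+)\] "
    r"\((?P<func>[^)]+)\): (?P<reason>.+)$"
)

# Constructed sample log: one sender retrying over three days, one single
# connection with no reverse DNS, and one unrelated delivery line.
SAMPLE_LOG = """\
2009-08-01 03:12:44 TLS error on connection from mx1.example.net [192.0.2.10] (gnutls_handshake): timed out
2009-08-01 07:40:02 TLS error on connection from mx1.example.net [192.0.2.10] (gnutls_handshake): timed out
2009-08-02 11:05:19 TLS error on connection from mx1.example.net [192.0.2.10] (gnutls_handshake): timed out
2009-08-03 09:58:33 TLS error on connection from mx1.example.net [192.0.2.10] (gnutls_handshake): timed out
2009-08-02 22:17:01 TLS error on connection from [198.51.100.77] (gnutls_handshake): timed out
2009-08-03 01:00:10 1MaBcD-0001Ab-Cd <= sender@example.org H=mx2.example.org [203.0.113.5] P=esmtps S=2345
""".splitlines()


def parse_tls_errors(lines):
    """Yield (timestamp, host_or_None, ip, reason) for every matching log line."""
    for line in lines:
        m = TLS_ERROR_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("host"), m.group("ip"), m.group("reason")


def summarize_by_ip(lines, persistent_hours=24, min_attempts=3):
    """
    Group handshake failures per remote IP and flag the ones that keep coming
    back: a legitimate MTA retries a queued message for hours or days, while a
    one-shot probe usually shows up once.  Thresholds are assumptions to tune.
    """
    seen = defaultdict(list)
    for ts, host, ip, reason in parse_tls_errors(lines):
        seen[ip].append((ts, host, reason))

    summary = {}
    for ip, events in seen.items():
        events.sort(key=lambda e: e[0])
        first, last = events[0][0], events[-1][0]
        span_hours = (last - first).total_seconds() / 3600
        summary[ip] = {
            "host": events[0][1] or ip,
            "attempts": len(events),
            "span_hours": round(span_hours, 1),
            "persistent": len(events) >= min_attempts and span_hours >= persistent_hours,
        }
    return summary


if __name__ == "__main__":
    for ip, info in sorted(summarize_by_ip(SAMPLE_LOG).items()):
        tag = "PERSISTENT (real sender, needs fixing)" if info["persistent"] else "one-off"
        print(f"{ip:16} {info['host']:20} attempts={info['attempts']} "
              f"span={info['span_hours']}h  {tag}")
```

Run it against the real file with `summarize_by_ip(open("/var/log/exim4/mainlog"))`; a persistent entry from a known provider is the case the thread describes, and is the one worth chasing on the server side, whereas a single "[ip]" entry with no reverse DNS fits the probing explanation Simon raised.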