Norbert Preining
2010-Jul-30 09:04 UTC
[Pkg-exim4-users] How to get around "Must issue a STARTTLS command first"
Hi everyone,
(please cc)
I am running Debian/sid with exim4 and when trying to deliver
emails to the local smtp server I get
Must issue a STARTTLS command first
Now on some Debian/Exim pages I found the cryptic comment
(from http://pkg-exim4.alioth.debian.org/README/README.Debian.etch.html#TLS)
TLS on connect is not natively supported.
Are these two things related?
Is there a way to fix that?
The documentation on this is sooo sparse and googling didn't bring
up anything useful for now.
Thanks a lot
Norbert
------------------------------------------------------------------------
Norbert Preining preining@{jaist.ac.jp, logic.at, debian.org}
JAIST, Japan TeX Live & Debian Developer
DSA: 0x09C5B094 fp: 14DF 2E6C 0307 BE6D AD76 A9C0 D2BF 4AA3 09C5 B094
------------------------------------------------------------------------
SKEGNESS (n.)
Nose excreta of a malleable consistency.
--- Douglas Adams, The Meaning of Liff
Marc Haber
2010-Jul-30 12:44 UTC
[Pkg-exim4-users] How to get around "Must issue a STARTTLS command first"
On Fri, Jul 30, 2010 at 06:04:29PM +0900, Norbert Preining wrote:
> I am running Debian/sid with exim4 and when trying to deliver
> emails to the local smtp server I get
> Must issue a STARTTLS command first
> Now on some Debian/Exim pages I found the cryptic comment
> (from http://pkg-exim4.alioth.debian.org/README/README.Debian.etch.html#TLS)
> TLS on connect is not natively supported.
> Are these two things related?
> Is there a way to fix that?

What exactly are you trying to do?

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190
Norbert Preining
2010-Jul-31 13:12 UTC
[Pkg-exim4-users] How to get around "Must issue a STARTTLS command first"
Hi Marc,

On Fri, 30 Jul 2010, Marc Haber wrote:
> On Fri, Jul 30, 2010 at 06:04:29PM +0900, Norbert Preining wrote:
> > I am running Debian/sid with exim4 and when trying to deliver
> > emails to the local smtp server I get
> > Must issue a STARTTLS command first
> > Now on some Debian/Exim pages I found the cryptic comment
> > (from http://pkg-exim4.alioth.debian.org/README/README.Debian.etch.html#TLS)
> > TLS on connect is not natively supported.
> > Are these two things related?
> > Is there a way to fix that?
>
> What exactly are you trying to do?

As I said, I am trying to deliver emails to the smtp server of my
university as it is my ISP.

I have set in
    /etc/exim4/conf.d/main/000_localmacros

    DCsmarthost=smtp.host.foo.bar::587

(actually I have a lookup into /etc/smarthost with
    ${lookup{*}lsearch{/etc/smarthost}{$value:}{}}
plus a fall back)

but any time exim tries to send an email out via that smtp I get an
error message telling me

    ...
    590885 at bugs.debian.org
    SMTP error from remote mail server after MAIL FROM:<preining at logic.at> SIZE=2963:
    host XXXXXXXXXX [NN.NN.NN.NN]: 530 Must issue a STARTTLS command first

Is that clearer, or do you need more information? Other than that I
haven't changed anything (as far as I remember) from default exim4
split config setup (receiving email, sending out via smarthost).

Best wishes
Norbert
Eduardo M KALINOWSKI
2010-Jul-31 13:20 UTC
[Pkg-exim4-users] How to get around "Must issue a STARTTLS command first"
On 07/31/2010 10:12 AM, Norbert Preining wrote:
> As I said, I am trying to deliver emails to the smtp server of my
> university as it is my ISP.
>
> I have set in
> /etc/exim4/conf.d/main/000_localmacros
>
> DCsmarthost=smtp.host.foo.bar::587
>
> but any time exim tries to send an email out via that smtp I get an
> error message telling me
>
> ...
> 590885 at bugs.debian.org
> SMTP error from remote mail server after MAIL FROM:<preining at logic.at>
> SIZE=2963:
> host XXXXXXXXXX [NN.NN.NN.NN]: 530 Must issue a STARTTLS command
> first

You must configure exim to authenticate with the smart host. See
http://pkg-exim4.alioth.debian.org/README/README.Debian.html#smtp-auth

--
We must believe in free will. We have no choice. -Isaac B. Singer

Eduardo M KALINOWSKI
eduardo at kalinowski.com.br
Marc Haber
2010-Jul-31 15:49 UTC
[Pkg-exim4-users] How to get around "Must issue a STARTTLS command first"
On Sat, Jul 31, 2010 at 10:12:28PM +0900, Norbert Preining wrote:
> On Fri, 30 Jul 2010, Marc Haber wrote:
> > On Fri, Jul 30, 2010 at 06:04:29PM +0900, Norbert Preining wrote:
> > > I am running Debian/sid with exim4 and when trying to deliver
> > > emails to the local smtp server I get
> > > Must issue a STARTTLS command first
> > > Now on some Debian/Exim pages I found the cryptic comment
> > > (from http://pkg-exim4.alioth.debian.org/README/README.Debian.etch.html#TLS)
> > > TLS on connect is not natively supported.
> > > Are these two things related?
> > > Is there a way to fix that?
> >
> > What exactly are you trying to do?
>
> As I said, I am trying to deliver emails to the smtp server of my
> university as it is my ISP.
>
> I have set in
> /etc/exim4/conf.d/main/000_localmacros
>
> DCsmarthost=smtp.host.foo.bar::587
>
> (actually I have a lookup into /etc/smarthost with
> ${lookup{*}lsearch{/etc/smarthost}{$value:}{}}
> plus a fall back)
>
> but any time exim tries to send an email out via that smtp I get an
> error message telling me
>
> ...
> 590885 at bugs.debian.org
> SMTP error from remote mail server after MAIL FROM:<preining at logic.at>
> SIZE=2963:
> host XXXXXXXXXX [NN.NN.NN.NN]: 530 Must issue a STARTTLS command
> first

Please don't obfuscate. It is not security relevant which server
you're trying to authenticate to. Even worse, by obfuscating, you have
deprived me of the possibility of trying whether the server correctly
advertises its capabilities, making it harder for me to help you and
delaying your result.

> Is that clearer, or do you need more information? Other than that I
> haven't changed anything (as far as I remember) from default exim4
> split config setup (receiving email, sending out via smarthost).

Try
    echo foo | exim -d mh+pkg-exim4-users at zugschlus.de
and send the output to the list. Exim will asterisk out the password,
so there is no private data in the debug output.

Greetings
Marc
Andreas Metzler
2010-Jul-31 16:17 UTC
[Pkg-exim4-users] How to get around "Must issue a STARTTLS command first"
Norbert Preining <preining at logic.at> wrote:
[...]
> As I said, I am trying to deliver emails to the smtp server of my
> university as it is my ISP.

> I have set in
> /etc/exim4/conf.d/main/000_localmacros

> DCsmarthost=smtp.host.foo.bar::587

> (actually I have a lookup into /etc/smarthost with
> ${lookup{*}lsearch{/etc/smarthost}{$value:}{}}
> plus a fall back)

> but any time exim tries to send an email out via that smtp I get an
> error message telling me

> ...
> 590885 at bugs.debian.org
> SMTP error from remote mail server after MAIL FROM:<preining at logic.at>
> SIZE=2963:
> host XXXXXXXXXX [NN.NN.NN.NN]: 530 Must issue a STARTTLS command
> first
[...]

Hello,
Since exim will automatically use STARTTLS if available (unless
disabled with hosts_avoid_tls or hosts_avoid_esmtp) I suspect there is
some "smart" router/firewall in between you and the server exim is
trying to deliver to. Said router is filtering/rewriting the SMTP
dialogue, disabling SMTP. Cisco routers with the "smtp fixup" setting
enabled are notorious for this behavior.

cu andreas
Norbert Preining
2010-Aug-02 01:41 UTC
[Pkg-exim4-users] How to get around "Must issue a STARTTLS command first"
Hi Marc,

On Sat, 31 Jul 2010, Marc Haber wrote:
> Please don't obfuscate. It is not security relevant which server

Sorry
    smtp.jaist.ac.jp::587

> Try
> echo foo | exim -d mh+pkg-exim4-users at zugschlus.de
> and send the output to the list. Exim will asterisk out the password,
> so there is no private data in the debug output.

(First of all, good that I checked, it did *NOT*!!!! asterisk out the
password. *I* did change the real passwd to ******* below:
    file lookup required for smtp.jaist.ac.jp
      in /etc/exim4/passwd.client
    smtp.jaist.ac.jp in "alpha.logic.tuwien.ac.at"? no (end of list)
    smtp.jaist.ac.jp in "smtp.jaist.ac.jp"? yes (matched "smtp.jaist.ac.jp")
    lookup yielded: preining:********
    150.65.19.12 in hosts_try_auth? yes (matched "150.65.19.12")
)

Thanks for the hint, the problem is here, I guess I don't have to
send the full log:
    initialized certificate stuff
    initialized GnuTLS session
    LOG: MAIN
      TLS error on connection to smtp.jaist.ac.jp [150.65.19.12] (gnutls_handshake): A TLS packet with unexpected length was received.
    ok=0 send_quit=0 send_rset=1 continue_more=0 yield=1 first_address is not NULL
    150.65.19.12 in hosts_require_tls? no (option unset)
    LOG: MAIN

Then it continues with un-protected delivery (I don't have it
in hosts_require_tls for now, will add it later), and
breaks down with the known problem.

Looking up the debian BTS I see a bug related to that, so I tried
swaks and that worked:
    === Trying smtp.jaist.ac.jp:587...
    === Connected to smtp.jaist.ac.jp.
    <-  220 jaist.ac.jp ESMTP mail service ready
     -> EHLO mithrandir
    <-  250-mailrelayi.jaist.ac.jp
    <-  250-8BITMIME
    <-  250-SIZE 104857600
    <-  250-AUTH PLAIN LOGIN
    <-  250-STARTTLS
    <-  250 AUTH=PLAIN LOGIN
     -> STARTTLS
    <-  220 Go ahead
    === TLS started w/ cipher AES256-SHA
    === TLS peer subject DN="/C=JP/ST=Ishikawa/L=Nomi/OU=Center for Information Science/O=JAPAN ADVANCED INSTITUTE OF SCIENCE AND TECHNOLOGY/CN=smtp.jaist.ac.jp"
     ~> EHLO mithrandir
    <~  250-mailrelayi.jaist.ac.jp
    <~  250-8BITMIME
    <~  250-SIZE 104857600
    <~  250-AUTH PLAIN LOGIN
    <~  250 AUTH=PLAIN LOGIN
     ~> MAIL FROM:<root at mithrandir>
    <~* 530 Authentication required
     ~> QUIT
    <~  221 mailrelayi.jaist.ac.jp
    === Connection closed with remote host.

but it seems that swaks uses OpenSSL (at least you wrote that in
bug 467137).

Then I tried to connect with gnutls-cli but didn't manage:
    $ gnutls-cli -s -p 587 smtp.jaist.ac.jp
    Resolving 'smtp.jaist.ac.jp'...
    Connecting to '150.65.19.12:587'...

    - Simple Client Mode:

    220 jaist.ac.jp ESMTP mail service ready
    EHLO mithrandir
    - Peer has closed the GNUTLS connection
    $

So now I don't know where to go from here ...

Best wishes
Norbert
Marc Haber
2010-Aug-02 12:29 UTC
[Pkg-exim4-users] How to get around "Must issue a STARTTLS command first"
Hi,

On Mon, Aug 02, 2010 at 10:41:24AM +0900, Norbert Preining wrote:
> On Sat, 31 Jul 2010, Marc Haber wrote:
> > Try
> > echo foo | exim -d mh+pkg-exim4-users at zugschlus.de
> > and send the output to the list. Exim will asterisk out the password,
> > so there is no private data in the debug output.
>
> (First of all, good that I checked, it did *NOT*!!!! asterisk out the
> password. *I* did change the real passwd to ******* below:

*argh* Sorry, I only looked into the smtp dialog and was wrongly
satisfied that I only saw asterisks there. I apologize. Good that you
checked, indeed.

> Thanks for the hint, the problem is here, I guess I don't have to
> send the full log:
> initialized certificate stuff
> initialized GnuTLS session
> LOG: MAIN
> TLS error on connection to smtp.jaist.ac.jp [150.65.19.12] (gnutls_handshake): A TLS packet with unexpected length was received.
> ok=0 send_quit=0 send_rset=1 continue_more=0 yield=1 first_address is not NULL
> 150.65.19.12 in hosts_require_tls? no (option unset)
> LOG: MAIN
>
> Then it continues with un-protected delivery (I don't have it
> in hosts_require_tls for now, will add it later), and
> breaks down with the known problem.

Indeed.

> So now I don't know where to go from here ...

Try reducing the number of accepted root certificates in the
ca-certificates package (dpkg-reconfigure).

Greetings
Marc
Norbert Preining
2010-Aug-04 06:46 UTC
[Pkg-exim4-users] How to get around "Must issue a STARTTLS command first"
Hi Marc,

On Mon, 02 Aug 2010, Marc Haber wrote:
> Try reducing the number of accepted root certificates in the
> ca-certificates package (dpkg-reconfigure).

I did that, actually found some serious bugs in ca-certificates
(disabling all breaks completely, disabling all but one cert still
makes all of them end up in the .crt file).

So I have removed all but one entry in
    /etc/ssl/certs/ca-certificates.crt
but still I get:
    (gnutls_handshake): A TLS packet with unexpected length was received.

Anything else I could try?

Best wishes
Norbert
Marc Haber
2010-Aug-04 06:53 UTC
[Pkg-exim4-users] How to get around "Must issue a STARTTLS command first"
On Wed, Aug 04, 2010 at 03:46:32PM +0900, Norbert Preining wrote:
> So I have removed all but one entry in
> /etc/ssl/certs/ca-certificates.crt
> but still I get:
> (gnutls_handshake): A TLS packet with unexpected length was received.
>
> Anything else I could try?

You could try reproducing the issue with gnutls-cli-debug and see
whether this gives any insight. I'm beginning to run out of clues;
Andreas is much more familiar with GnuTLS than I am.

Greetings
Marc
Norbert Preining
2010-Aug-04 08:33 UTC
[Pkg-exim4-users] How to get around "Must issue a STARTTLS command first"
Hi Marc,

(once more, this time with log file included as list server rejected)

On Wed, 04 Aug 2010, Marc Haber wrote:
> You could try reproducing the issue with gnutls-cli-debug and see
> whether this gives any insight. I'm beginning to run out of clues;

Insight not much to me:
    |<4>| REC[0xd24f10]: Expected Packet[0] Handshake(22) with length: 1
    |<4>| REC[0xd24f10]: Received Packet[0] Unknown Packet(50) with length: 8298

Full log follows at the end

Best wishes
Norbert
Server does not support any of SSL 3.0, TLS 1.0 and TLS 1.1
Resolving 'smtp.jaist.ac.jp'...
Connecting to '150.65.19.12:587'...
Checking for TLS 1.1 support... no
Checking fallback from TLS 1.1 to... failed
Checking for TLS 1.0 support... no
Checking for SSL 3.0 support... no
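Added example, not part of the thread: the "Unknown Packet(50) with length: 8298" line quoted in the message above is what a TLS record parser produces when the first bytes it reads are the plaintext greeting "220 jaist.ac.jp ESMTP mail service ready" from the earlier swaks transcript, which is what a client sees when it starts a TLS handshake on port 587 without issuing STARTTLS first. The function names and the constructed TLS header bytes are illustrative assumptions.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1).
TLS_CONTENT_TYPES = {
    20: "ChangeCipherSpec",
    21: "Alert",
    22: "Handshake",
    23: "ApplicationData",
}
MAX_RECORD_LEN = 2**14 + 2048  # largest ciphertext fragment TLS allows

# Greeting as it appears in the swaks transcript earlier in the thread.
SMTP_BANNER = b"220 jaist.ac.jp ESMTP mail service ready\r\n"
# Constructed sample: header of a TLS 1.0 handshake record with a 49-byte body.
TLS_HEADER = bytes([0x16, 0x03, 0x01, 0x00, 0x31])


def parse_record_header(data):
    """Read the first 5 bytes the way a TLS record layer does."""
    if len(data) < 5:
        raise ValueError("a TLS record header is 5 bytes")
    # 1 byte content type, 2 bytes protocol version, 2 bytes big-endian length
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {
        "type": ctype,
        "type_name": TLS_CONTENT_TYPES.get(ctype, "Unknown"),
        "version": (major, minor),
        "length": length,
    }


def is_plausible_tls_record(data):
    """Known content type, major version 3, length within the protocol limit."""
    if len(data) < 5:
        return False
    hdr = parse_record_header(data)
    return (hdr["type"] in TLS_CONTENT_TYPES
            and hdr["version"][0] == 3
            and hdr["length"] <= MAX_RECORD_LEN)


def is_smtp_reply(data):
    """SMTP replies start with three ASCII digits followed by ' ' or '-'."""
    return len(data) >= 4 and data[:3].isdigit() and data[3:4] in (b" ", b"-")


def diagnose(first_bytes):
    """Classify the first bytes a server sent in response to a ClientHello."""
    if is_plausible_tls_record(first_bytes):
        return "tls-record"
    if is_smtp_reply(first_bytes):
        return "plaintext-smtp"
    return "unknown"


if __name__ == "__main__":
    for label, sample in (("banner", SMTP_BANNER), ("tls", TLS_HEADER)):
        print(label, parse_record_header(sample), diagnose(sample))
```

A `plaintext-smtp` result means the probe has to negotiate STARTTLS first, or target an implicit-TLS port, before its verdict says anything about the server's TLS support.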
Andreas Metzler
2010-Aug-04 18:20 UTC
[Pkg-exim4-users] How to get around "Must issue a STARTTLS command first"
On 2010-08-04 Marc Haber <mh+pkg-exim4-users at zugschlus.de> wrote:
> On Wed, Aug 04, 2010 at 03:46:32PM +0900, Norbert Preining wrote:
> > So I have removed all but one entry in
> > /etc/ssl/certs/ca-certificates.crt
> > but still I get:
> > (gnutls_handshake): A TLS packet with unexpected length was received.

> > Anything else I could try?

> You could try reproducing the issue with gnutls-cli-debug and see
> whether this gives any insight. I'm beginning to run out of clues;
> Andreas is much more familiar with GnuTLS than I am.

Hello,
the server also supports ssl-smtp on 465 which eases debugging. Since
    gnutls-cli --priority NORMAL:%COMPAT -p 465 smtp.jaist.ac.jp
succeeds where
    gnutls-cli -p 465 smtp.jaist.ac.jp
fails I think that setting exim's main configuration setting
gnutls_compat_mode (available since 4.70) should help you.

cu andreas
Norbert Preining
2010-Aug-06 06:40 UTC
[Pkg-exim4-users] How to get around "Must issue a STARTTLS command first"
On Wed, 04 Aug 2010, Andreas Metzler wrote:
> gnutls-cli -p 465 smtp.jaist.ac.jp
> fails I think that setting exim's main configuration setting
> gnutls_compat_mode (available since 4.70) should help you.

Thanks, that worked. Don't know why the other didn't.

If in any case you need someone to test anything let me know.

Best wishes
Norbert