Score:1

Exim Smarthost setup works in starttls but not in smtps

cn flag

I have set up my exim4 as a local MTA with smarthost delivery (Debian 10 VM) following this guide: Exim on DebianWiki

If my smarthost is expecting an SSL connection (SMTP over SSL), it does not work.

When a local web application sends an email to localhost:25, it remains stuck in the queue; if I try to force delivery, this happens:

root@testbug:~# date && exim -v -M 1nrqKZ-0003Ji-WE
Fri 20 May 2022 10:33:50 AM CEST
delivering 1nrqKZ-0003Ji-WE
R: smarthost for [email protected]
T: remote_smtp_smarthost for [email protected]
Transport port=25 replaced by host-specific port=465
Connecting to smtps.aruba.it [62.149.128.218]:465 ... connected

=========== stuck for a few seconds ===========

  SMTP(close)>>
LOG: MAIN
  H=smtps.aruba.it [62.149.128.218]: Remote host closed connection in response to initial connection
Transport port=25 replaced by host-specific port=465
Connecting to smtps.aruba.it [62.149.156.218]:465 ... connected

=========== stuck for a few seconds ===========

  SMTP(close)>>
LOG: MAIN
  H=smtps.aruba.it [62.149.156.218]: Remote host closed connection in response to initial connection
LOG: MAIN
  == [email protected] R=smarthost T=remote_smtp_smarthost defer (-18) H=smtps.aruba.it [62.149.156.218]: Remote host closed connection in response to initial connection

This is the log for that:

root@testbug:~# tail -3 /var/log/exim4/mainlog
2022-05-20 10:35:31 1nrqKZ-0003Ji-WE H=smtps.aruba.it [62.149.128.218]: Remote host closed connection in response to initial connection
2022-05-20 10:37:11 1nrqKZ-0003Ji-WE H=smtps.aruba.it [62.149.156.218]: Remote host closed connection in response to initial connection
2022-05-20 10:37:11 1nrqKZ-0003Ji-WE == [email protected] R=smarthost T=remote_smtp_smarthost defer (-18) H=smtps.aruba.it [62.149.156.218]: Remote host closed connection in response to initial connection

Please note that the server accepts SSL connections:

root@testbug:~# openssl s_client -connect smtps.aruba.it:465
CONNECTED(00000003)
depth=2 C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA
[...]
No client certificate CA names sent
[...]
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
[...]
---
220 smtpdh08.ad.aruba.it Aruba Outgoing Smtp  ESMTP server ready

If I switch to a different smarthost server, smtp.mydomain.it, run by the same provider (so I use the same credentials to authenticate against the smarthost) on port 25 with STARTTLS, things run smoothly and emails are delivered (in STARTTLS) as I restart exim:

2022-05-20 10:42:48 exim 4.92 daemon started: pid=4015, -q30m, listening for SMTP on [127.0.0.1]:25 [::1]:25
2022-05-20 10:42:48 Start queue run: pid=4017
2022-05-20 10:42:51 1nrqKZ-0003Ji-WE => [email protected] R=smarthost T=remote_smtp_smarthost H=smtp.mydomain.it [62.149.128.203] X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no DN="C=IT,ST=Bergamo,L=Ponte San Pietro,O=Aruba S.p.A.,CN=*.aruba.it" A=plain C="250 2.0.0 ryDgn51y1TRWPryDinATBj mail accepted for delivery"
2022-05-20 10:42:51 1nrqKZ-0003Ji-WE Completed
2022-05-20 10:42:51 End queue run: pid=4017

You can see the email is correctly delivered in starttls:

root@testbug:~# ngrep -qt -dany port 25
interface: any
filter: ( port 25 ) and (ip || ip6)

T 2022/05/20 10:42:48.900722 62.149.128.203:25 -> MY.SRV.IP.ADDR:47932 [AP] #4
  220 smtpdh13.ad.aruba.it Aruba Outgoing Smtp  ESMTP server ready..

T 2022/05/20 10:42:48.900903 MY.SRV.IP.ADDR:47932 -> 62.149.128.203:25 [AP] #5
  EHLO testbug.mydomain.it..

T 2022/05/20 10:42:49.025487 62.149.128.203:25 -> MY.SRV.IP.ADDR:47932 [AP] #7
  250-smtpdh13.ad.aruba.it hello [MY.SRV.IP.ADDR], pleased to meet you..250-HELP..250-AUTH LOGIN PLAIN..250-SIZE 524288000..250-ENHANCEDSTATUSCODES..250-8BITMIME..250-STARTTLS..250 OK..

T 2022/05/20 10:42:49.025702 MY.SRV.IP.ADDR:47932 -> 62.149.128.203:25 [AP] #8
  STARTTLS..

T 2022/05/20 10:42:49.092110 62.149.128.203:25 -> MY.SRV.IP.ADDR:47932 [AP] #10
  220 2.0.0 Ready to start TLS..

T 2022/05/20 10:42:49.111151 MY.SRV.IP.ADDR:47932 -> 62.149.128.203:25 [AP] #11
  ....L...H..d.@"^.`I.....OU..x.N|Z..."...._@..:.........,.......+.....0...../.......5.....[...]

Can anyone point me in the right direction to investigate?

Can this be a network/ports issue? Or a certificate issue (I generate my self-signed certificate in a slightly different way, and actually I don't know why I need one or whether this certificate is validated by the server at all)?

Thanks a lot.

EDIT: got more verbose output for force delivering a message: https://pastebin.com/axRsQmwy
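The two traces in the question differ in who speaks first: on port 25 the server sends a `220` banner in plaintext and STARTTLS is negotiated afterwards, while on port 465 the server says nothing until it sees a TLS ClientHello, so a client that waits for a banner (or sends plaintext) is eventually cut off with "Remote host closed connection in response to initial connection". The following probe, added here as an example and not part of the question or of Exim, classifies a port by exactly that behaviour: it first waits for a plaintext banner, and if none arrives it retries with a TLS handshake the way `openssl s_client -connect` does. The `start_fake_server` helper and the `demo()` function run the probe only against constructed local listeners, so the script works offline; the host names and the return labels are the example's own.

```python
"""Classify an SMTP port as plaintext-banner (STARTTLS-style), implicit TLS
(TLS on connect), or closed-without-banner.

Added example; not code from the question or from the Exim project.
"""
import socket
import ssl
import threading


def _read_plaintext_greeting(host, port, timeout):
    """Connect and wait up to `timeout` for the server to speak first.

    A STARTTLS-style port (25/587) sends '220 ...' immediately; an implicit
    TLS port (465) stays silent and eventually closes, which shows up here as
    a timeout or an empty read.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            return sock.recv(512)
        except (socket.timeout, ConnectionError):
            return b""


def _try_tls_on_connect(host, port, timeout):
    """Open a fresh connection and start TLS immediately (like s_client).

    Returns 'tls' when the handshake and the 220 greeting over TLS succeed,
    'tls-cert-error' when the handshake got as far as certificate checking
    but the chain/hostname was not trusted, and 'closed' otherwise.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.settimeout(timeout)
                greeting = tls.recv(512)
                return "tls" if greeting.startswith(b"220") else "closed"
    except ssl.SSLCertVerificationError:
        return "tls-cert-error"
    except (ssl.SSLError, OSError):
        return "closed"


def probe_smtp_port(host, port, timeout=3.0):
    """Return 'banner', 'tls', 'tls-cert-error', 'closed' or 'unexpected'."""
    first = _read_plaintext_greeting(host, port, timeout)
    if first.startswith(b"220"):
        return "banner"          # plaintext SMTP; STARTTLS would come later
    if first:
        return "unexpected"      # something spoke first, but not SMTP
    return _try_tls_on_connect(host, port, timeout)


def start_fake_server(handler, accepts=2):
    """Constructed local listener for the demo: accepts `accepts` connections
    on an ephemeral 127.0.0.1 port, runs `handler(conn)` on each, then closes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def run():
        for _ in range(accepts):
            conn, _ = srv.accept()
            try:
                handler(conn)
            finally:
                conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def demo():
    """Probe two constructed servers: one that greets in plaintext (port-25
    behaviour) and one that accepts and closes without a word (what an
    implicit-TLS port looks like to a client that never starts TLS)."""
    banner_port = start_fake_server(
        lambda c: c.sendall(b"220 fake.example ESMTP ready\r\n"))
    closed_port = start_fake_server(lambda c: None)
    return {
        "banner": probe_smtp_port("127.0.0.1", banner_port, timeout=2.0),
        "closed": probe_smtp_port("127.0.0.1", closed_port, timeout=2.0),
    }


if __name__ == "__main__":
    print(demo())
```

Against a real implicit-TLS relay the second probe returns `tls`, which is the same evidence the `openssl s_client` run in the question gives; the `tls-cert-error` case is kept separate so that an untrusted chain is not mistaken for a port that does not speak TLS at all.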

fr flag
anx
The fact that the `tls_on_connect_ports` [configuration is only accessed](https://github.com/Exim/exim/search?q=on_connect_ports) through `tls_in.on_connect_ports` with no way of setting `tls_out.on_connect_ports` makes me suspect that it is only supported for incoming connections and disregarded for outbound SMTP. Exim might simply never have supported this, as it was not standard & recommended at the time the daemon-side feature was implemented.
cn flag
@anx `hosts_require_tls` parameter that is set as macro REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS ( = * ) ... that is evaluated [here](https://github.com/Exim/exim/blob/9f6b3bf5187562bac4c96e3ed6a17740d01489fa/src/src/transports/smtp.c#L2879)?
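For context on the two comments above: `tls_on_connect_ports` is a main-section option that tells the listening daemon which of its own ports use TLS on connect, while outbound behaviour is set per transport. The Exim specification's smtp transport has a separate `protocol` option whose `smtps` value makes the transport start TLS immediately after connecting (and changes the default port to the smtps service), which is the behaviour a port-465 smarthost expects. The fragment below is an added example, not the question's configuration: it shows what the smarthost transport would look like with that option. Assumptions: the transport name `remote_smtp_smarthost` is the one in the question's logs, and in Debian's split configuration its definition is assumed to live under `/etc/exim4/conf.d/transport/`; any other options already present in that file (helo data, header rewriting) must be kept, only the `protocol` and `port` lines are new.

```exim
# Added example of a smarthost transport using TLS on connect.
# Not from the question or from the Debian exim4 package; the file path
# /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost is assumed.
remote_smtp_smarthost:
  driver = smtp
  # Exim smtp transport option: 'smtps' = start TLS immediately after
  # connecting instead of sending EHLO and waiting for STARTTLS.
  protocol = smtps
  port = 465
  # Keep the requirements the question's macros already express:
  # never fall back to plaintext, and always authenticate to this host.
  hosts_require_tls = *
  hosts_require_auth = *
```

After the change, `update-exim4.conf` (Debian) or a restart of the daemon is needed, and a forced delivery with `exim -v -M <message-id>` should show the TLS handshake before the first `220` line instead of "Remote host closed connection in response to initial connection". If the relay's certificate must be verified, `tls_verify_certificates` on the same transport is the option to set; the question's log shows `CV=no`, i.e. the current STARTTLS delivery does not verify it.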