I have set up my exim4 as a local MTA with smarthost delivery (Debian 10 VM) following this guide: Exim on DebianWiki
If my smarthost is expecting an SSL connection (SMTP over SSL) it does not work.
When a local web application sends an email to localhost:25, it remains stuck in the queue; if I try to force delivery, this happens:
root@testbug:~# date && exim -v -M 1nrqKZ-0003Ji-WE
Fri 20 May 2022 10:33:50 AM CEST
delivering 1nrqKZ-0003Ji-WE
R: smarthost for [email protected]
T: remote_smtp_smarthost for [email protected]
Transport port=25 replaced by host-specific port=465
Connecting to smtps.aruba.it [62.149.128.218]:465 ... connected
=========== stuck for a few seconds ===========
SMTP(close)>>
LOG: MAIN
H=smtps.aruba.it [62.149.128.218]: Remote host closed connection in response to initial connection
Transport port=25 replaced by host-specific port=465
Connecting to smtps.aruba.it [62.149.156.218]:465 ... connected
=========== stuck for a few seconds ===========
SMTP(close)>>
LOG: MAIN
H=smtps.aruba.it [62.149.156.218]: Remote host closed connection in response to initial connection
LOG: MAIN
== [email protected] R=smarthost T=remote_smtp_smarthost defer (-18) H=smtps.aruba.it [62.149.156.218]: Remote host closed connection in response to initial connection
This is the log for that:
root@testbug:~# tail -3 /var/log/exim4/mainlog
2022-05-20 10:35:31 1nrqKZ-0003Ji-WE H=smtps.aruba.it [62.149.128.218]: Remote host closed connection in response to initial connection
2022-05-20 10:37:11 1nrqKZ-0003Ji-WE H=smtps.aruba.it [62.149.156.218]: Remote host closed connection in response to initial connection
2022-05-20 10:37:11 1nrqKZ-0003Ji-WE == [email protected] R=smarthost T=remote_smtp_smarthost defer (-18) H=smtps.aruba.it [62.149.156.218]: Remote host closed connection in response to initial connection
Please note that the server accepts SSL connections:
root@testbug:~# openssl s_client -connect smtps.aruba.it:465
CONNECTED(00000003)
depth=2 C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA
[...]
No client certificate CA names sent
[...]
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
[...]
---
220 smtpdh08.ad.aruba.it Aruba Outgoing Smtp ESMTP server ready
If I switch to a different smarthost server, smtp.mydomain.it, run by the same provider (so I use the same credentials to authenticate against the smarthost) on port 25 with STARTTLS, things run smoothly; emails are delivered (with STARTTLS) as soon as I restart exim:
2022-05-20 10:42:48 exim 4.92 daemon started: pid=4015, -q30m, listening for SMTP on [127.0.0.1]:25 [::1]:25
2022-05-20 10:42:48 Start queue run: pid=4017
2022-05-20 10:42:51 1nrqKZ-0003Ji-WE => [email protected] R=smarthost T=remote_smtp_smarthost H=smtp.mydomain.it [62.149.128.203] X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no DN="C=IT,ST=Bergamo,L=Ponte San Pietro,O=Aruba S.p.A.,CN=*.aruba.it" A=plain C="250 2.0.0 ryDgn51y1TRWPryDinATBj mail accepted for delivery"
2022-05-20 10:42:51 1nrqKZ-0003Ji-WE Completed
2022-05-20 10:42:51 End queue run: pid=4017
You can see the email is correctly delivered with STARTTLS:
root@testbug:~# ngrep -qt -dany port 25
interface: any
filter: ( port 25 ) and (ip || ip6)
T 2022/05/20 10:42:48.900722 62.149.128.203:25 -> MY.SRV.IP.ADDR:47932 [AP] #4
220 smtpdh13.ad.aruba.it Aruba Outgoing Smtp ESMTP server ready..
T 2022/05/20 10:42:48.900903 MY.SRV.IP.ADDR:47932 -> 62.149.128.203:25 [AP] #5
EHLO testbug.mydomain.it..
T 2022/05/20 10:42:49.025487 62.149.128.203:25 -> MY.SRV.IP.ADDR:47932 [AP] #7
250-smtpdh13.ad.aruba.it hello [MY.SRV.IP.ADDR], pleased to meet you..250-HELP..250-AUTH LOGIN PLAIN..250-SIZE 524288000..250-ENHANCEDSTATUSCODES..250-8BITMIME..250-STARTTLS..250 OK..
T 2022/05/20 10:42:49.025702 MY.SRV.IP.ADDR:47932 -> 62.149.128.203:25 [AP] #8
STARTTLS..
T 2022/05/20 10:42:49.092110 62.149.128.203:25 -> MY.SRV.IP.ADDR:47932 [AP] #10
220 2.0.0 Ready to start TLS..
T 2022/05/20 10:42:49.111151 MY.SRV.IP.ADDR:47932 -> 62.149.128.203:25 [AP] #11
....L...H..d.@"^.`I.....OU..x.N|Z..."...._@..:.........,.......+.....0...../.......5.....[...]
Can anyone point me in the right direction to investigate?
Can this be a network/ports issue?
Or a certificate issue (I generate my self-signed certificate in a slightly different way, and actually I don't know why I need one, or whether this certificate is validated by the server at all)?
Thanks a lot.
EDIT: got a more verbose output for force delivering a message: https://pastebin.com/axRsQmwy
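A small diagnostic that tells the two server behaviours in this post apart from the Exim host: a cleartext 220 banner means STARTTLS-style service (the port 25 smarthost), a banner only after a TLS handshake means implicit TLS (the port 465 smarthost, which closes on a cleartext client exactly as in the log above). This is an added example, not part of the original post and not Exim's own code; `serve_once` is a constructed local stand-in used only to exercise the probe offline.

```python
import socket
import ssl
import sys
import threading

def read_banner(sock, timeout=5.0):
    """Return the first line the peer sends, or '' if it stays silent or closes."""
    sock.settimeout(timeout)
    try:
        data = sock.recv(512)
    except OSError:           # timeout, reset or EOF-related errors
        return ""
    return data.decode("ascii", "replace").strip()

def probe_smtp_port(host, port, timeout=5.0):
    """'starttls'     - greets with 220 in cleartext (the port 25 smarthost above)
       'implicit-tls' - greets only after a TLS handshake (the port 465 smarthost)
       'unknown'      - neither attempt produced a 220 banner
    A cleartext client on an implicit-TLS port sees 'remote host closed connection'."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        if read_banner(raw, timeout).startswith("220"):
            return "starttls"
    ctx = ssl.create_default_context()   # verifies the chain, as openssl s_client did
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
             ctx.wrap_socket(raw, server_hostname=host) as tls:
            if read_banner(tls, timeout).startswith("220"):
                return "implicit-tls"
    except OSError:                      # handshake refused, cert failure, reset, ...
        pass
    return "unknown"

def serve_once(banner, connections=1):
    """Constructed local stand-in for a smarthost (offline checks only): sends `banner`
    (b'' = close without greeting) to `connections` clients; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(connections)
    def run():
        for _ in range(connections):
            conn, _ = srv.accept()
            if banner:
                conn.sendall(banner)
            conn.close()
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    print(probe_smtp_port(sys.argv[1], int(sys.argv[2])))
```

Run it as `python3 probe.py smtps.aruba.it 465` and `python3 probe.py smtp.mydomain.it 25`; the transport Exim uses for a host must match the answer (plain connect plus STARTTLS for the first kind, TLS on connect for the second).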