Exim4: (gnutls_handshake): timed out

I'm using Exim4 on the Debian server.

Debian:

Distributor ID: Debian
Description:    Debian GNU/Linux 11 (bullseye)
Release:        11
Codename:       bullseye

Debian kernel:

uname -a
Linux mail.index3.ru 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64 GNU/Linux

Exim:

Exim version 4.94.2 #2 built 13-Jul-2021 16:04:57
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2018
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS move_frozen_messages Content_Scanning DANE DKIM DNSSEC Event I18N OCSP PIPE_CONNECT PRDR PROXY SOCKS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa tls
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Malware: f-protd f-prot6d drweb fsecure sophie clamd avast sock cmdline
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Compiler: GCC [10.2.1 20210110]
Library version: Glibc: Compile: 2.31
                        Runtime: 2.31
Library version: BDB: Compile: Berkeley DB 5.3.28: (September  9, 2013)
                      Runtime: Berkeley DB 5.3.28: (September  9, 2013)
Library version: GnuTLS: Compile: 3.7.1
                         Runtime: 3.7.1
Library version: IDN2: Compile: 2.3.0
                       Runtime: 2.3.0
Library version: Stringprep: Compile: 1.33
                             Runtime: 1.33
Library version: Cyrus SASL: Compile: 2.1.27
                             Runtime: 2.1.27 [Cyrus SASL]
Library version: PCRE: Compile: 8.39
                       Runtime: 8.39 2016-06-14
Library version: MySQL: Compile: 100510 10.5.10 [mariadb-10.5]
                        Runtime: 100519 10.5.19
Library version: SQLite: Compile: 3.34.1
                         Runtime: 3.34.1
WHITELIST_D_MACROS: "OUTGOING"
TRUSTED_CONFIG_LIST: "/etc/exim4/trusted_configs"
Exim version 4.94.2 uid=0 gid=0 pid=2026121 D=10000000
configuration file is /etc/exim4/exim4.conf
log selectors = 0000cefe 39c05222 00000027
cwd=/var/log/exim4 3 args: exim -d-all+tls -bV
trusted user
admin user
Configuration file search path is /etc/exim4/exim4.conf:/var/lib/exim4/config.autogenerated
Configuration file is /etc/exim4/exim4.conf

Exim configuration migrated from pretty old FreeBSD. Since migration I noticed that I cannot get some emails. For example from PayPal. In the logs:

mainlog.1:2023-07-25 11:14:57 TLS error on connection from mx2.slc.paypal.com [173.0.84.227] I=[95.216.245.186]:25 (gnutls_handshake): timed out
mainlog.1:2023-07-25 11:26:29 TLS error on connection from mx0.slc.paypal.com [173.0.84.225] I=[95.216.245.186]:25 (gnutls_handshake): timed out
mainlog.1:2023-07-25 23:19:58 TLS error on connection from mx2.slc.paypal.com [173.0.84.227] I=[95.216.245.186]:25 (gnutls_handshake): timed out
mainlog.1:2023-07-25 23:32:09 TLS error on connection from mx0.slc.paypal.com [173.0.84.225] I=[95.216.245.186]:25 (gnutls_handshake): timed out

Certificate validation on connect with GNU TLS CLI looks ok:

*** Starting TLS handshake
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=*.16v.ru', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x0355b4c47d4aeae9f72ec986fa473c62d8e7, RSA key 2048 bits, signed using RSA-SHA256, activated `2023-06-30 14:28:17 UTC', expires `2023-09-28 14:28:16 UTC', pin-sha256="lqZK5ULqmc7s6nOSMZAla/dLmvXa60THLdjSj9cjtKI="
        Public Key ID:
                sha1:40c67fa2db46d55c5b1518327068307db2417434
                sha256:96a64ae542ea99ceecea73923190256bf74b9af5daeb44c72dd8d28fd723b4a2
        Public Key PIN:
                pin-sha256:lqZK5ULqmc7s6nOSMZAla/dLmvXa60THLdjSj9cjtKI=

- Certificate[1] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[2] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
- Status: The certificate is trusted.
- Description: (TLS1.3-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Session ID: 12:33:A2:92:0E:48:E7:56:A0:20:BA:08:2A:F1:1A:D3:E3:86:F6:68:1E:51:7C:49:5E:85:70:C9:41:0F:24:E2
- Options:

Exim configuration:

.ifndef SYSTEM_ALIASES_PIPE_TRANSPORT
SYSTEM_ALIASES_PIPE_TRANSPORT = address_pipe
.endif

CONFIG_PREFIX=/etc/exim4

hide pgsql_servers = redacted

domainlist local_domains =${lookup pgsql{SELECT array_to_string(array(SELECT domain FROM local_domain), ':')}}

hostlist host_reject = ${lookup pgsql{SELECT array_to_string(array(SELECT domain FROM hostreject), ':')}}

domainlist relay_to_domains = ${lookup pgsql{SELECT array_to_string(array(SELECT hosts FROM relaytohosts), ':')}}

hostlist relay_from_hosts =${lookup pgsql{SELECT array_to_string(array(SELECT hosts FROM relayfromhosts), ':')}}

helo_try_verify_hosts = *

acl_smtp_connect = acl_check_connect

acl_smtp_helo = acl_check_helo

acl_smtp_rcpt = acl_check_rcpt

acl_smtp_mime = acl_check_mime

acl_smtp_data = acl_check_data

av_scanner = clamd:/var/run/clamav/clamd.ctl

spamd_address = 127.0.0.1 783

exim_user = Debian-exim
exim_group = Debian-exim

never_users = root

spool_directory = /var/spool/exim4

split_spool_directory

host_lookup = *

rfc1413_query_timeout = 0s

primary_hostname = mail.index3.ru
smtp_banner = "$smtp_active_hostname $primary_hostname, ESMTP EXIM $version_number"

smtp_accept_max = 100

smtp_accept_max_per_connection = 30

smtp_connect_backlog = 100

smtp_accept_max_per_host = 100

smtp_accept_queue = 200

smtp_accept_queue_per_connection = 100

recipients_max = 16

recipients_max_reject = true

remote_max_parallel = 10

message_size_limit = 20M

return_size_limit = 70k

accept_8bitmime = true

smtp_enforce_sync = true

ignore_bounce_errors_after = 1h

timeout_frozen_after = 3d

freeze_tell = redacted

trusted_users = www-data

keep_environment =

disable_ipv6 = true

DKIM_DOMAIN                     = ${lc:${domain:$h_from:}}
DKIM_FILE                       = /etc/exim4/dkim/${lc:${domain:$h_from:}}.key
DKIM_PRIVATE_KEY = ${lookup {DKIM_SELECTOR.DKIM_DOMAIN.key} dsearch,ret=full {/etc/exim4/dkim}}
DKIM_CANON                      = simple

log_selector = \
    +all_parents \
    +connection_reject \
    +incoming_interface \
    +lost_incoming_connection \
    +received_sender \
    +received_recipients \
    +smtp_confirmation \
    +smtp_syntax_error \
    +smtp_protocol_error \
    +smtp_mailauth \
    +tls_sni \
    -queue_run

syslog_timestamp = no

allow_mx_to_ip

tls_advertise_hosts     = *
tls_privatekey          = /etc/letsencrypt/live/16v.ru-0001/privkey.pem
tls_certificate         = /etc/letsencrypt/live/16v.ru-0001/fullchain.pem
tls_require_ciphers     = ${if =={$received_port}{25}\
                           {NORMAL:%COMPAT}\
                           {SECURE128}}

tls_on_connect_ports    = 465
daemon_smtp_ports       = 25 : 465 : 587

auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

begin acl

acl_check_connect:
  .include /etc/exim4/acl_connect.conf

acl_check_helo:
  accept hosts = : +relay_from_hosts
  .include /etc/exim4/acl_check_helo.conf
  accept

acl_check_data:
  accept
    authenticated = *
  .include /etc/exim4/acl_check_data.conf
  accept

acl_check_rcpt:
  accept
    hosts = :
  accept
    authenticated = *
  .include /etc/exim4/acl_check_rcpt.conf
  accept

acl_check_mime:
  warn decode = default
  deny
    message = Dont send binaries. Send sources instead.
    condition = ${if eq\
      {$mime_content_type}\
      {application/x-msdos-program}\
    {yes}{no}}

  deny
    message = Attachment has unsupported file format. Try text or PDF instead.
    condition = ${if match\
      {$mime_filename}\
      {\N.+\.(bat|btm|cmd|com|cpl|dat|dll|exe|jar|lnk|msi|pif|prf|reg|scr|vb|vbs|wav)$\N}\
    {yes}{no}}

  deny message = Sorry, noone speaks chinese here
       condition = ${if eq{$mime_charset}{gb2312}{1}{0}}

  accept

begin routers

system_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup pgsql{select alias from aliases where mail ='$local_part@$domain'}{$value}fail}
  user = dovecot
  group = dovecot
  file_transport = address_file
  pipe_transport = address_pipe

dnslookup:
  driver = dnslookup
  domains = !+local_domains
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more

local_delivery_spam_router:
  driver = accept
  domains = +local_domains
  condition = ${if match{$h_X-Spam-Status:}{Yes}}
  transport = local_delivery_spam_transport
  no_more

localuser:
  driver = accept
  condition = ${lookup pgsql {select uid from accounts where login = '$local_part@$domain'}{yes}{no}}
  #transport = local_delivery
  transport = dovecot_delivery
  cannot_route_message ="Unknown user"

begin transports

local_delivery_spam_transport:
  driver = appendfile
  check_string = ""
  directory = ${lookup pgsql{select maildir||'/.Spam' from accounts where login = '$local_part@$domain'}{$value}fail}
  create_directory
  directory_mode = 0770
  maildir_format
  delivery_date_add
  envelope_to_add
  return_path_add
  group = dovecot
  user = dovecot
  mode = 0660
  no_mode_fail_narrower
  quota = ${lookup pgsql{select mailquota from accounts where login = '$local_part@$domain'}{$value}fail}M
  quota_warn_message = "\
        To: $local_part@domain\n\
        From: [email protected]\n\
        Subject: Ваш почтовый ящик почти заполнен\n\
        Это автоматическое сообщение почтового сервера.\n\
        Ваш почтовый ящик заполнен на 75%. После заполнения почтового ящика\n\
        новая почта не будет приходить.\n\"
  quota_warn_threshold = 75%

remote_smtp:
  driver = smtp
  dkim_domain = DKIM_DOMAIN
  dkim_selector = dkim
  dkim_private_key = DKIM_PRIVATE_KEY
  interface = 95.216.245.186

local_delivery:
  driver = appendfile
  directory = ${lookup pgsql{select maildir from accounts where login = '$local_part@$domain'}{$value}fail}
  create_directory
  directory_mode = 0770
  maildir_format
  delivery_date_add
  envelope_to_add
  return_path_add
  group = dovecot
  user = dovecot
  mode = 0660
  no_mode_fail_narrower
  quota = ${lookup pgsql{select mailquota from accounts where login = '$local_part@$domain'}{$value}fail}M
  quota_warn_message = "\
          To: $local_part@domain\n\
        From: [email protected]\n\
        Subject: Ваш почтовый ящик почти заполнен\n\
        Это автоматическое сообщение почтового сервера.\n\
        Ваш почтовый ящик заполнен на 75%. После заполнения почтового ящика\n\
        новая почта не будет приходить.\n\"
  quota_warn_threshold = 75%

dovecot_delivery:
  driver = pipe
  command =  /usr/lib/dovecot/dovecot-lda -f $sender_address -d '$local_part@$domain'
  message_prefix =
  message_suffix =
  temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78
  log_output
  #driver = lmtp
  #socket = /var/run/dovecot/lmtp
  #batch_max = 200
  rcpt_include_affixes
  delivery_date_add
  envelope_to_add
  return_path_add
  group = dovecot
  user = dovecot

address_pipe:
  driver = pipe
  return_output

address_file:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add

address_reply:
  driver = autoreply

begin retry

*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h

begin rewrite


begin authenticators

auth_plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${lookup pgsql {SELECT login FROM accounts WHERE login='${quote_pgsql:$2}' AND password='${quote_pgsql:$3}'}{yes}{no}}
  server_prompts = Username:: : Password::
  server_set_id = $2

auth_login:
  driver = plaintext
  public_name = LOGIN
  server_condition = ${lookup pgsql {SELECT login FROM accounts WHERE login='${quote_pgsql:$2}' AND password='${quote_pgsql:$3}'}{yes}{no}}
  server_prompts = Username:: : Password::
  server_set_id = $2

auth_cram_md5:
  driver = cram_md5
  public_name = CRAM-MD5
  server_secret = ${lookup pgsql {select password from accounts where login='$1'}{$value}fail}
  server_set_id = $1

Any ideas what PayPal doesn't like in that setup?

Have your DNS configuration checked for non-transient inconsistencies. Ideally, both the zone containing the server name, and the zone for the email domain. I suspect one of your name servers is not doing what you want, after I entered the domain mentioned in your certificate into generic tools which try to look for inconsistencies, and saw old yet differing SOA serials and contents:

• https://dnsviz.net/d/index3.ru/ZMN7pg/dnssec/
• https://zonemaster.net/en/result/b99537f7a0edf187

If a sender attempts to look up transport security settings and encounters an issue there, all sorts of weird things can happen.