Exim4: (gnutls_handshake): timed out

I'm using Exim4 on the Debian server.

Debian:

Distributor ID: Debian
Description:    Debian GNU/Linux 11 (bullseye)
Release:        11
Codename:       bullseye

Debian kernel:

uname -a
Linux mail.index3.ru 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64 GNU/Linux

Exim:

Exim version 4.94.2 #2 built 13-Jul-2021 16:04:57
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2018
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS move_frozen_messages Content_Scanning DANE DKIM DNSSEC Event I18N OCSP PIPE_CONNECT PRDR PROXY SOCKS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa tls
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Malware: f-protd f-prot6d drweb fsecure sophie clamd avast sock cmdline
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Compiler: GCC [10.2.1 20210110]
Library version: Glibc: Compile: 2.31
                        Runtime: 2.31
Library version: BDB: Compile: Berkeley DB 5.3.28: (September  9, 2013)
                      Runtime: Berkeley DB 5.3.28: (September  9, 2013)
Library version: GnuTLS: Compile: 3.7.1
                         Runtime: 3.7.1
Library version: IDN2: Compile: 2.3.0
                       Runtime: 2.3.0
Library version: Stringprep: Compile: 1.33
                             Runtime: 1.33
Library version: Cyrus SASL: Compile: 2.1.27
                             Runtime: 2.1.27 [Cyrus SASL]
Library version: PCRE: Compile: 8.39
                       Runtime: 8.39 2016-06-14
Library version: MySQL: Compile: 100510 10.5.10 [mariadb-10.5]
                        Runtime: 100519 10.5.19
Library version: SQLite: Compile: 3.34.1
                         Runtime: 3.34.1
WHITELIST_D_MACROS: "OUTGOING"
TRUSTED_CONFIG_LIST: "/etc/exim4/trusted_configs"
Exim version 4.94.2 uid=0 gid=0 pid=2026121 D=10000000
configuration file is /etc/exim4/exim4.conf
log selectors = 0000cefe 39c05222 00000027
cwd=/var/log/exim4 3 args: exim -d-all+tls -bV
trusted user
admin user
Configuration file search path is /etc/exim4/exim4.conf:/var/lib/exim4/config.autogenerated
Configuration file is /etc/exim4/exim4.conf

The Exim configuration was migrated from a pretty old FreeBSD server. Since the migration I noticed that I cannot receive some emails, for example from PayPal. In the logs:

mainlog.1:2023-07-25 11:14:57 TLS error on connection from mx2.slc.paypal.com [173.0.84.227] I=[95.216.245.186]:25 (gnutls_handshake): timed out
mainlog.1:2023-07-25 11:26:29 TLS error on connection from mx0.slc.paypal.com [173.0.84.225] I=[95.216.245.186]:25 (gnutls_handshake): timed out
mainlog.1:2023-07-25 23:19:58 TLS error on connection from mx2.slc.paypal.com [173.0.84.227] I=[95.216.245.186]:25 (gnutls_handshake): timed out
mainlog.1:2023-07-25 23:32:09 TLS error on connection from mx0.slc.paypal.com [173.0.84.225] I=[95.216.245.186]:25 (gnutls_handshake): timed out

Certificate validation on connect with the GnuTLS CLI looks ok:

*** Starting TLS handshake
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=*.16v.ru', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x0355b4c47d4aeae9f72ec986fa473c62d8e7, RSA key 2048 bits, signed using RSA-SHA256, activated `2023-06-30 14:28:17 UTC', expires `2023-09-28 14:28:16 UTC', pin-sha256="lqZK5ULqmc7s6nOSMZAla/dLmvXa60THLdjSj9cjtKI="
        Public Key ID:
                sha1:40c67fa2db46d55c5b1518327068307db2417434
                sha256:96a64ae542ea99ceecea73923190256bf74b9af5daeb44c72dd8d28fd723b4a2
        Public Key PIN:
                pin-sha256:lqZK5ULqmc7s6nOSMZAla/dLmvXa60THLdjSj9cjtKI=

- Certificate[1] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[2] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
- Status: The certificate is trusted.
- Description: (TLS1.3-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Session ID: 12:33:A2:92:0E:48:E7:56:A0:20:BA:08:2A:F1:1A:D3:E3:86:F6:68:1E:51:7C:49:5E:85:70:C9:41:0F:24:E2
- Options:

Exim configuration:

.ifndef SYSTEM_ALIASES_PIPE_TRANSPORT
SYSTEM_ALIASES_PIPE_TRANSPORT = address_pipe
.endif

CONFIG_PREFIX=/etc/exim4

hide pgsql_servers = redacted

domainlist local_domains =${lookup pgsql{SELECT array_to_string(array(SELECT domain FROM local_domain), ':')}}

hostlist host_reject = ${lookup pgsql{SELECT array_to_string(array(SELECT domain FROM hostreject), ':')}}

domainlist relay_to_domains = ${lookup pgsql{SELECT array_to_string(array(SELECT hosts FROM relaytohosts), ':')}}

hostlist relay_from_hosts =${lookup pgsql{SELECT array_to_string(array(SELECT hosts FROM relayfromhosts), ':')}}

helo_try_verify_hosts = *

acl_smtp_connect = acl_check_connect

acl_smtp_helo = acl_check_helo

acl_smtp_rcpt = acl_check_rcpt

acl_smtp_mime = acl_check_mime

acl_smtp_data = acl_check_data

av_scanner = clamd:/var/run/clamav/clamd.ctl

spamd_address = 127.0.0.1 783

exim_user = Debian-exim
exim_group = Debian-exim

never_users = root

spool_directory = /var/spool/exim4

split_spool_directory

host_lookup = *

rfc1413_query_timeout = 0s

primary_hostname = mail.index3.ru
smtp_banner = "$smtp_active_hostname $primary_hostname, ESMTP EXIM $version_number"

smtp_accept_max = 100

smtp_accept_max_per_connection = 30

smtp_connect_backlog = 100

smtp_accept_max_per_host = 100

smtp_accept_queue = 200

smtp_accept_queue_per_connection = 100

recipients_max = 16

recipients_max_reject = true

remote_max_parallel = 10

message_size_limit = 20M

return_size_limit = 70k

accept_8bitmime = true

smtp_enforce_sync = true

ignore_bounce_errors_after = 1h

timeout_frozen_after = 3d

freeze_tell = redacted

trusted_users = www-data

keep_environment =

disable_ipv6 = true

DKIM_DOMAIN                     = ${lc:${domain:$h_from:}}
DKIM_FILE                       = /etc/exim4/dkim/${lc:${domain:$h_from:}}.key
DKIM_PRIVATE_KEY = ${lookup {DKIM_SELECTOR.DKIM_DOMAIN.key} dsearch,ret=full {/etc/exim4/dkim}}
DKIM_CANON                      = simple

log_selector = \
    +all_parents \
    +connection_reject \
    +incoming_interface \
    +lost_incoming_connection \
    +received_sender \
    +received_recipients \
    +smtp_confirmation \
    +smtp_syntax_error \
    +smtp_protocol_error \
    +smtp_mailauth \
    +tls_sni \
    -queue_run

syslog_timestamp = no

allow_mx_to_ip

tls_advertise_hosts     = *
tls_privatekey          = /etc/letsencrypt/live/16v.ru-0001/privkey.pem
tls_certificate         = /etc/letsencrypt/live/16v.ru-0001/fullchain.pem
tls_require_ciphers     = ${if =={$received_port}{25}\
                           {NORMAL:%COMPAT}\
                           {SECURE128}}

tls_on_connect_ports    = 465
daemon_smtp_ports       = 25 : 465 : 587

auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

begin acl

acl_check_connect:
  .include /etc/exim4/acl_connect.conf

acl_check_helo:
  accept hosts = : +relay_from_hosts
  .include /etc/exim4/acl_check_helo.conf
  accept

acl_check_data:
  accept
    authenticated = *
  .include /etc/exim4/acl_check_data.conf
  accept

acl_check_rcpt:
  accept
    hosts = :
  accept
    authenticated = *
  .include /etc/exim4/acl_check_rcpt.conf
  accept

acl_check_mime:
  warn decode = default
  deny
    message = Dont send binaries. Send sources instead.
    condition = ${if eq\
      {$mime_content_type}\
      {application/x-msdos-program}\
    {yes}{no}}

  deny
    message = Attachment has unsupported file format. Try text or PDF instead.
    condition = ${if match\
      {$mime_filename}\
      {\N.+\.(bat|btm|cmd|com|cpl|dat|dll|exe|jar|lnk|msi|pif|prf|reg|scr|vb|vbs|wav)$\N}\
    {yes}{no}}

  deny message = Sorry, noone speaks chinese here
       condition = ${if eq{$mime_charset}{gb2312}{1}{0}}

  accept

begin routers

system_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup pgsql{select alias from aliases where mail ='$local_part@$domain'}{$value}fail}
  user = dovecot
  group = dovecot
  file_transport = address_file
  pipe_transport = address_pipe

dnslookup:
  driver = dnslookup
  domains = !+local_domains
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more

local_delivery_spam_router:
  driver = accept
  domains = +local_domains
  condition = ${if match{$h_X-Spam-Status:}{Yes}}
  transport = local_delivery_spam_transport
  no_more

localuser:
  driver = accept
  condition = ${lookup pgsql {select uid from accounts where login = '$local_part@$domain'}{yes}{no}}
  #transport = local_delivery
  transport = dovecot_delivery
  cannot_route_message ="Unknown user"

begin transports

local_delivery_spam_transport:
  driver = appendfile
  check_string = ""
  directory = ${lookup pgsql{select maildir||'/.Spam' from accounts where login = '$local_part@$domain'}{$value}fail}
  create_directory
  directory_mode = 0770
  maildir_format
  delivery_date_add
  envelope_to_add
  return_path_add
  group = dovecot
  user = dovecot
  mode = 0660
  no_mode_fail_narrower
  quota = ${lookup pgsql{select mailquota from accounts where login = '$local_part@$domain'}{$value}fail}M
  quota_warn_message = "\
        To: $local_part@$domain\n\
        From: [email protected]\n\
        Subject: Ваш почтовый ящик почти заполнен\n\
        Это автоматическое сообщение почтового сервера.\n\
        Ваш почтовый ящик заполнен на 75%. После заполнения почтового ящика\n\
        новая почта не будет приходить.\n"
  quota_warn_threshold = 75%

remote_smtp:
  driver = smtp
  dkim_domain = DKIM_DOMAIN
  dkim_selector = dkim
  dkim_private_key = DKIM_PRIVATE_KEY
  interface = 95.216.245.186

local_delivery:
  driver = appendfile
  directory = ${lookup pgsql{select maildir from accounts where login = '$local_part@$domain'}{$value}fail}
  create_directory
  directory_mode = 0770
  maildir_format
  delivery_date_add
  envelope_to_add
  return_path_add
  group = dovecot
  user = dovecot
  mode = 0660
  no_mode_fail_narrower
  quota = ${lookup pgsql{select mailquota from accounts where login = '$local_part@$domain'}{$value}fail}M
  quota_warn_message = "\
        To: $local_part@$domain\n\
        From: [email protected]\n\
        Subject: Ваш почтовый ящик почти заполнен\n\
        Это автоматическое сообщение почтового сервера.\n\
        Ваш почтовый ящик заполнен на 75%. После заполнения почтового ящика\n\
        новая почта не будет приходить.\n"
  quota_warn_threshold = 75%

dovecot_delivery:
  driver = pipe
  command =  /usr/lib/dovecot/dovecot-lda -f $sender_address -d '$local_part@$domain'
  message_prefix =
  message_suffix =
  temp_errors = 64 : 69 : 70 : 71 : 72 : 73 : 74 : 75 : 78
  log_output
  #driver = lmtp
  #socket = /var/run/dovecot/lmtp
  #batch_max = 200
  rcpt_include_affixes
  delivery_date_add
  envelope_to_add
  return_path_add
  group = dovecot
  user = dovecot

address_pipe:
  driver = pipe
  return_output

address_file:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add

address_reply:
  driver = autoreply

begin retry

*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h

begin rewrite


begin authenticators

auth_plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${lookup pgsql {SELECT login FROM accounts WHERE login='${quote_pgsql:$2}' AND password='${quote_pgsql:$3}'}{yes}{no}}
  server_prompts = Username:: : Password::
  server_set_id = $2

auth_login:
  driver = plaintext
  public_name = LOGIN
  server_condition = ${lookup pgsql {SELECT login FROM accounts WHERE login='${quote_pgsql:$2}' AND password='${quote_pgsql:$3}'}{yes}{no}}
  server_prompts = Username:: : Password::
  server_set_id = $2

auth_cram_md5:
  driver = cram_md5
  public_name = CRAM-MD5
  server_secret = ${lookup pgsql {select password from accounts where login='$1'}{$value}fail}
  server_set_id = $1

Any ideas what PayPal doesn't like in that setup?

anx
Maybe they are trying some pre-TLS1.3 stuff? Only TLS1.2 would be acceptable now, which will not work if your machine is unable to generate DH params. But it does not have to, anyway, there is little reason to use anything but [a fixed list of still-acceptable parameters](https://ssl-config.mozilla.org/#server=exim&version=4.94.2&config=intermediate&openssl=3.0&guideline=5.7).
Kirill Nikitin
`/proc/sys/kernel/random/entropy_avail` has non-zero content. As I can see from tcpdump, the TLS Client Hello from PayPal is TLS 1.2 and the reply from Exim is TLS 1.2 as well. But the server never gets a reply to its Server Hello: it tries about 10 TCP retransmissions after the Server Hello and then just gets a FIN from the client. What else can this be?
anx
Mind that watching the network traffic can be misleading: The legacy version *field* in the 1.3 handshake is fixed to 1.2 for interoperability reasons, the actual version negotiation is moved to the supported version *extension*.
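To make the point about the version fields concrete, here is an added example (not code from the thread or from Exim) that builds a constructed TLS 1.3 ClientHello and parses both the legacy_version field and the supported_versions extension, so a capture that reads "TLS 1.2" at the record and handshake level can be checked against what the client actually offers.

```python
import struct

TLS_VERSIONS = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}
SUPPORTED_VERSIONS_EXT = 43   # extension type from RFC 8446

def build_client_hello(versions, legacy_version=0x0303):
    """Constructed minimal ClientHello (one cipher suite, optional supported_versions).
    This is a synthetic test vector, not a capture of the PayPal traffic."""
    body = struct.pack("!H", legacy_version)           # legacy_version, fixed to 0x0303 by TLS 1.3 clients
    body += b"\x00" * 32                                # random (zeroed for the example)
    body += b"\x00"                                     # session_id length 0
    body += struct.pack("!HH", 2, 0x1301)               # cipher_suites: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                                 # compression_methods: null only
    exts = b""
    if versions:
        vlist = b"".join(struct.pack("!H", v) for v in versions)
        ext_data = struct.pack("!B", len(vlist)) + vlist
        exts = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(ext_data)) + ext_data
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body        # client_hello(1) + uint24 length
    return b"\x16" + struct.pack("!HH", 0x0301, len(hs)) + hs     # handshake record, legacy record version

def parse_client_hello(rec):
    """Return (record_version, legacy_version, supported_versions list or None)."""
    assert rec[0] == 0x16, "not a handshake record"
    rec_ver, rec_len = struct.unpack("!HH", rec[1:5])
    hs = rec[5:5 + rec_len]
    assert hs[0] == 1, "not a ClientHello"
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy_version = struct.unpack("!H", body[:2])[0]
    p = 2 + 32                                          # skip random
    p += 1 + body[p]                                    # skip session_id
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]      # skip cipher_suites
    p += 1 + body[p]                                    # skip compression_methods
    supported = None
    if p + 2 <= len(body):
        end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", body[p:p + 4])
            edata = body[p + 4:p + 4 + elen]
            p += 4 + elen
            if etype == SUPPORTED_VERSIONS_EXT:
                n = edata[0]
                supported = [struct.unpack("!H", edata[1 + i:3 + i])[0] for i in range(0, n, 2)]
    return rec_ver, legacy_version, supported

def offered_max(rec):
    """Highest version the client really offers: supported_versions wins over legacy_version."""
    _, legacy, supported = parse_client_hello(rec)
    return max(supported) if supported else legacy

def describe(rec):
    rec_ver, legacy, supported = parse_client_hello(rec)
    names = [TLS_VERSIONS.get(v, hex(v)) for v in (supported or [])]
    return "record=%s legacy=%s supported=%s offered=%s" % (
        TLS_VERSIONS[rec_ver], TLS_VERSIONS[legacy], names, TLS_VERSIONS[offered_max(rec)])
```

A real TLS 1.3 ClientHello therefore shows TLS 1.2 in both version fields that tcpdump prints by default; only the extension reveals the 1.3 offer.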
anx
That is on a Debian-provided `5.10` series kernel? During the migration, did you copy anything not strictly exim4-related to Debian? What is the overall status of your servers, any unexpected resource usage? Please confirm that memory usage (`free -h`), fd/socket count (`sysctl fs.file-nr`) & number of active TCP connections (`ss -pent`) are negligible (I am thinking of gnuTLS leaking stuff here, happened before) Ideally, instead of replying in comments please [edit] your question to add details, most importantly **your configuration** so a comparison against Debian defaults is possible.
Kirill Nikitin
Yes, this is on the 5.10 kernel. I didn't copy anything; even the exim config cannot be blindly copied from old FreeBSD to new Debian because of the exim differences. So it was only one config file (attached). Memory usage and other load parameters are not relevant. The server is not loaded at all, and if the server were loaded then in `tcpdump` I would see drops or delays from the exim side, and not silence from the remote side. On top of that, load would affect all servers, and not PayPal only. I cannot compare my config against the Debian defaults since I don't have those defaults and have never seen them.
Luuk
mxtoolbox.com also reports a timeout, see: https://mxtoolbox.com/SuperTool.aspx?action=smtp%3amail.index3.ru&run=toolpage
anx
@Luuk mxtoolbox will not wait as long as a regular mail server would after sending SMTP commands through the successfully setup secure transport layer. The `spamd_address` being slow or misconfigured in the firewall would probably be a separate question, *after* figuring out why gnutls fails during handshake.
Kirill Nikitin
@Luuk this is on purpose: obvious spammers get a 15 second delay from the server after establishing the transport layer. This is how it looks in the exim logs:

2023-08-25 10:47:27 H=keeper-us-east-1d.mxtoolbox.com [18.209.86.113] I=[95.216.245.186]:25 F=<[email protected]> rejected RCPT <[email protected]>: relay not permitted
2023-08-25 10:47:27 unexpected disconnection while reading SMTP command from keeper-us-east-1d.mxtoolbox.com [18.209.86.113] I=[95.216.245.186]:25 D=16s
anx (answer)

Have your DNS configuration checked for non-transient inconsistencies, ideally both the zone containing the server name and the zone for the email domain. I suspect one of your name servers is not doing what you want: after I entered the domain mentioned in your certificate into generic tools which look for inconsistencies, I saw old yet differing SOA serials and contents:

If a sender attempts to look up transport security settings and encounters an issue there, all sorts of weird things can happen.

Kirill Nikitin
I'm aware of this problem and don't have a solution for now. For some reason my DNS servers count the SOA number differently, and you cannot manually change this in a DNSSEC setup. But this should affect name resolution only in the worst case, and not connectivity itself, as I understand it. And for the MX connectivity, according to https://www.checktls.com/TestReceiver everything is fine for all domains, including MTA-STS. I'll try to fix this DNS inconsistency, but I'm not sure if this is the key to the problem.
anx
@KirillNikitin I agree with your assessment that this *should not* cause that. But the error handling of the sender's utilities might not be ideal. I imagine the sending daemon might enqueue and await a result from STS lookups, those failing on the first attempt... while disregarding that your server will hang up eventually.