Mailing List Archive

remote MX does not support STARTTLS
Hi,

a few weeks ago the GMX mail servers stopped sending mails to my server.

The GMX mailer daemon writes:
A message that you sent could not be delivered to one or more of
its recipients. This is a permanent error. The following address(es)
failed:
christian@eyrich-net.org:
remote MX does not support STARTTLS

Thing is that my mail server does support STARTTLS and also advertises
this, which I verify in the Exim debug log and was also recorded with tshark:

20 212.227.15.19 → 94.16.119.13 SMTP 85 C: EHLO mout.gmx.net
21 94.16.119.13 → 212.227.15.19 SMTP 224 S: 250-mail.eyrich-net.org: Hello mout.gmx.net [212.227.15.19] | 250-SIZE 52428800 | 250-8BITMIME | 250-PIPELINING | 250-CHUNKING | 250-STARTTLS | 250-PRDR | 250 HELP
22 212.227.15.19 → 94.16.119.13 TCP 66 41705 → 25 [FIN, ACK] Seq=20 Ack=228 Win=64128 Len=0 TSval=3976249530 TSecr=307582370
23 94.16.119.13 → 212.227.15.19 SMTP 114 S: 421 mail.eyrich-net.org: lost input connection

Has something like that happened to you in the past or can you reproduce
it on my server?

BTW: Yes, mails from other systems arrive without problems. So that
looks like a general GMX error to me. But GMX is a quite large provider
here in Germany and the problem has persisted since the beginning of September
now—shouldn’t somebody have noticed that?
Since I also wasn't able to contact the GMX postmaster I’m asking you
for ideas.

Regards,
Christian

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: remote MX does not support STARTTLS
On 22/09/2020 17:10, Christian Eyrich via Exim-users wrote:
>     20 212.227.15.19 → 94.16.119.13 SMTP 85 C: EHLO mout.gmx.net
>     21 94.16.119.13 → 212.227.15.19 SMTP 224 S: 250-mail.eyrich-net.org:
> Hello mout.gmx.net [212.227.15.19] | 250-SIZE 52428800 | 250-8BITMIME |
> 250-PIPELINING | 250-CHUNKING | 250-STARTTLS | 250-PRDR | 250 HELP
>     22 212.227.15.19 → 94.16.119.13 TCP 66 41705 → 25 [FIN, ACK] Seq=20
> Ack=228 Win=64128 Len=0 TSval=3976249530 TSecr=307582370
>     23 94.16.119.13 → 212.227.15.19 SMTP 114 S: 421 mail.eyrich-net.org:
> lost input connection
>
> Has something like that happened to you in the past or can you reproduce
> it on my server?

Checking with telnet from one of my servers, yours looks fine
(confirming that capture you have).

I don't see much traffic from them, but we had one a couple
of days ago:

2020-09-21 03:47:09.160 +0000 1kKCnE-00HaBU-FO <= {redacted}
H=mout.gmx.com [74.208.4.200] I=[redacted]:25 P=esmtps L.-
X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no S=4623 DKIM={redacted}
id=CACg2628cHzfcrpyisR_b2Dy=hY-=L_kbf1dv9Dv2j_ba-mZGYQ@mail.gmail.com
for {redacted}
--
Cheers,
Jeremy
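Jeremy's telnet check above, scripted, as an added example that is not code from the thread or from Exim: `parse_ehlo_reply()` walks a multi-line 250 reply and lists the advertised extensions, `advertises_starttls()` answers the question the GMX bounce raises, and `probe_starttls()` does the live connect via smtplib. `SAMPLE_EHLO_REPLY` is constructed from the capture in Christian's post; the function names are this example's own.

```python
"""Check whether an SMTP server advertises STARTTLS in its EHLO reply.

Added example: parse_ehlo_reply() works offline on captured reply text,
probe_starttls() is the live variant of the manual telnet check.
"""
import smtplib

# Constructed sample: the EHLO reply captured in the thread, re-assembled as
# the CRLF-terminated lines the server actually sent.
SAMPLE_EHLO_REPLY = (
    "250-mail.eyrich-net.org: Hello mout.gmx.net [212.227.15.19]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250-CHUNKING\r\n"
    "250-STARTTLS\r\n"
    "250-PRDR\r\n"
    "250 HELP\r\n"
)


def parse_ehlo_reply(reply: str) -> dict:
    """Parse a multi-line SMTP reply to EHLO (RFC 5321, section 4.1.1.1).

    Every line starts with a three-digit code; a '-' after the code means
    more lines follow, a space marks the final line. The first line carries
    the greeting, each further line one extension keyword plus parameters.
    Returns {"code": int, "greeting": str, "extensions": {KEYWORD: params}}
    and raises ValueError for a malformed or unterminated reply.
    """
    lines = [line for line in reply.splitlines() if line]
    if not lines:
        raise ValueError("empty reply")
    code = None
    greeting = ""
    extensions = {}
    for index, line in enumerate(lines):
        if len(line) < 4 or not line[:3].isdigit() or line[3] not in "- ":
            raise ValueError(f"malformed reply line: {line!r}")
        line_code = int(line[:3])
        if code is None:
            code = line_code
        elif line_code != code:
            raise ValueError("reply lines carry different codes")
        body = line[4:]
        if index == 0:
            greeting = body
        else:
            keyword, _, params = body.partition(" ")
            extensions[keyword.upper()] = params
        if line[3] == " " and index != len(lines) - 1:
            raise ValueError("data after the final reply line")
    if lines[-1][3] != " ":
        raise ValueError("reply not terminated (last line still uses '-')")
    return {"code": code, "greeting": greeting, "extensions": extensions}


def advertises_starttls(reply: str) -> bool:
    """True if the reply is a 250 that lists STARTTLS among its extensions."""
    parsed = parse_ehlo_reply(reply)
    return parsed["code"] == 250 and "STARTTLS" in parsed["extensions"]


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live version of the check (needs network, not exercised offline):
    connect, send EHLO and report whether STARTTLS was advertised."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _message = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO rejected with {code}")
        return smtp.has_extn("starttls")


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        print("STARTTLS advertised:", probe_starttls(sys.argv[1]))
    else:
        print("sample reply advertises STARTTLS:",
              advertises_starttls(SAMPLE_EHLO_REPLY))
```

Run it with a host name to probe that MX live; without arguments it parses the sample. The parser refuses an unterminated reply (last line still `250-`), so a banner cut off by a closed connection is reported as an error rather than being mistaken for "no STARTTLS".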

Re: remote MX does not support STARTTLS
On Tue, 22 Sep 2020, Christian Eyrich via Exim-users wrote:

> Hi,
>
> a few weeks ago the GMX mail servers stopped sending mails to my server.
>
> The GMX mailer daemon writes:
> A message that you sent could not be delivered to one or more of
> its recipients. This is a permanent error. The following address(es)
> failed:
> christian@eyrich-net.org:
> remote MX does not support STARTTLS
>
> Thing is that my mail server does support STARTTLS and also advertises this,
> which I verify in the Exim debug log and was also recorded with tshark:
>
> 20 212.227.15.19 → 94.16.119.13 SMTP 85 C: EHLO mout.gmx.net
> 21 94.16.119.13 → 212.227.15.19 SMTP 224 S: 250-mail.eyrich-net.org:
> Hello mout.gmx.net [212.227.15.19] | 250-SIZE 52428800 | 250-8BITMIME |
> 250-PIPELINING | 250-CHUNKING | 250-STARTTLS | 250-PRDR | 250 HELP
> 22 212.227.15.19 → 94.16.119.13 TCP 66 41705 → 25 [FIN, ACK] Seq=20
> Ack=228 Win=64128 Len=0 TSval=3976249530 TSecr=307582370
> 23 94.16.119.13 → 212.227.15.19 SMTP 114 S: 421 mail.eyrich-net.org:
> lost input connection

https://www.hardenize.com/report/eyrich-net.org/1600863580 suggests your
IPv4 and IPv6 servers are fine. You don't run MTA-STS, but I find it
difficult to believe that GMX can require that.

On the other hand, from my home desktop
# telnet 94.16.119.13 25
Trying 94.16.119.13...
telnet: Unable to connect to remote host: Connection refused

so you or some intermediate firewall seems to be selectively filtering ...
(It isn't my ISP since I can do this to other mailservers, but this
is a residential IP, so filtering it would not be unreasonable.
You don't have 212.227.15.19 in some sort of block list, do you?)

I note http://www.postfix.org/BDAT_README.html#downsides

Which version of Exim are you using?

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk
Re: remote MX does not support STARTTLS
On 23/09/2020 14:23, Andrew C Aitchison via Exim-users wrote:
> I note http://www.postfix.org/BDAT_README.html#downsides

IMHO there is some bogus advice there. If Postfix's
"reject_unauth_pipelining" is not working aright
then you can't trust it to work right, barring some
CHUNKING-specific bug that bites on BDAT and does
not bite on DATA.

Also, a client not waiting for a server response to
a BDAT LAST is broken, because it cannot be sure that
a) all the data got to the server b) the server does
not do data scanning (e.g. antivirus) and rejects.
So it's far from useless, despite what that page says.
--
Cheers,
Jeremy

Re: remote MX does not support STARTTLS
On 22 Sep 2020, at 12:10, Christian Eyrich via Exim-users wrote:

> Hi,
>
> a few weeks ago the GMX mail servers stopped sending mails to my
> server.
>
> The GMX mailer daemon writes:
> A message that you sent could not be delivered to one or more of
> its recipients. This is a permanent error. The following
> address(es)
> failed:
> christian@eyrich-net.org:
> remote MX does not support STARTTLS
>
> Thing is that my mail server does support STARTTLS and also advertises
> this, which I verify in the Exim debug log and was also recorded with
> tshark:
>
> 20 212.227.15.19 → 94.16.119.13 SMTP 85 C: EHLO mout.gmx.net
> 21 94.16.119.13 → 212.227.15.19 SMTP 224 S:
> 250-mail.eyrich-net.org: Hello mout.gmx.net [212.227.15.19] | 250-SIZE
> 52428800 | 250-8BITMIME | 250-PIPELINING | 250-CHUNKING | 250-STARTTLS
> | 250-PRDR | 250 HELP
> 22 212.227.15.19 → 94.16.119.13 TCP 66 41705 → 25 [FIN, ACK]
> Seq=20 Ack=228 Win=64128 Len=0 TSval=3976249530 TSecr=307582370
> 23 94.16.119.13 → 212.227.15.19 SMTP 114 S: 421
> mail.eyrich-net.org: lost input connection
>
> Has something like that happened to you in the past or can you
> reproduce it on my server?

No. Your server seems to support TLS v1.3 and v1.2 just fine.

> BTW: Yes, mails from other systems arrive without problems. So that
> looks like a general GMX error to me.

Yes. There are 2 issues that *may* be causing trouble:

1. You don't allow any TLS versions below 1.2. While that may seem to be
a safety measure, it actually can cause problems because a client that
does not support v1.2 or v1.3 can only resort to sending in clear text.

2. Your server is soliciting client certificates and sending a list of
126 acceptable CAs. Some clients may interpret the solicitation of
client certs as a demand for a client cert, and when they cannot match a
CA on that list, will give up. Unless you are using client certs for
authentication (generally not useful on port 25) there's no reason to
solicit them.

I do not know that GMX is making the specific errors that would make
those configuration choices impair their delivery to you, but it is
possible and there's not a strong argument for either unusual choice.

> But GMX is a quite large provider here in Germany and the problem
> has persisted since the beginning of September now—shouldn’t somebody have
> noticed that?
> Since I also wasn't able to contact the GMX postmaster I’m asking
> you for ideas.

Since GMX offers free accounts, you might find it useful to get one so
that you can contact them more easily.

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)

Re: remote MX does not support STARTTLS
On 23/09/2020 16:59, Bill Cole via Exim-users wrote:
> 1. You don't allow any TLS versions below 1.2. While that may seem to be
> a safety measure, it actually can cause problems because a client that
> does not support v1.2 or v1.3 can only resort to sending in clear text.
>
> 2. Your server is soliciting client certificates and sending a list of
> 126 acceptable CAs. Some clients may interpret the solicitation of
> client certs as a demand for a client cert, and when they cannot match a
> CA on that list, will give up. Unless you are using client certs for
> authentication (generally not useful on port 25) there's no reason to
> solicit them.

No, neither of those - the GMX end is not even soliciting STARTTLS.
It doesn't get as far as trying a TLS handshake.

My only guess is to try disabling CHUNKING or PRDR advertisement, to see
if one of those is confusing them.
--
Cheers,
Jeremy

Re: remote MX does not support STARTTLS
On 23/09/2020 18:16, Jeremy Harris via Exim-users wrote:
> On 23/09/2020 16:59, Bill Cole via Exim-users wrote:
>> 1. You don't allow any TLS versions below 1.2. While that may seem to be
>> a safety measure, it actually can cause problems because a client that
>> does not support v1.2 or v1.3 can only resort to sending in clear text.
>>
>> 2. Your server is soliciting client certificates and sending a list of
>> 126 acceptable CAs. Some clients may interpret the solicitation of
>> client certs as a demand for a client cert, and when they cannot match a
>> CA on that list, will give up. Unless you are using client certs for
>> authentication (generally not useful on port 25) there's no reason to
>> solicit them.
> No, neither of those - the GMX end is not even soliciting STARTTLS.
> It doesn't get as far as trying a TLS handshake.
>
> My only guess is to try disabling CHUNKING or PRDR advertisement, to see
> if one of those is confusing them.

Disable chunking, enable TLS v1.1 and are you using RSA or ECC
certificates at your end?

I found that the world+dog (facebook, google, gmail, hotmail, amazon,
apple ...) would talk to my relay servers with Sec-p521 ECC *except*
Microsoft... for some reason Microsoft will only talk to mail servers if
they are using RSA certificates - dumb if you ask me.

Mike


Re: remote MX does not support STARTTLS
After Jeremy pointed out that they didn't even try STARTTLS, I looked
closer and noticed something odd...


On 22 Sep 2020, at 12:10, Christian Eyrich via Exim-users wrote:

> Thing is that my mail server does support STARTTLS and also advertises
> this, which I verify in the Exim debug log and was also recorded with
> tshark:
>
> 20 212.227.15.19 → 94.16.119.13 SMTP 85 C: EHLO mout.gmx.net
> 21 94.16.119.13 → 212.227.15.19 SMTP 224 S:
> 250-mail.eyrich-net.org: Hello mout.gmx.net [212.227.15.19] | 250-SIZE
> 52428800 | 250-8BITMIME | 250-PIPELINING | 250-CHUNKING | 250-STARTTLS
> | 250-PRDR | 250 HELP
> 22 212.227.15.19 → 94.16.119.13 TCP 66 41705 → 25 [FIN, ACK]
> Seq=20 Ack=228 Win=64128 Len=0 TSval=3976249530 TSecr=307582370

Why is your server setting the FIN flag on that packet? I'm pretty sure
that would cause anyone to hang up.


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)

Re: remote MX does not support STARTTLS
Am 23.09.2020 um 17:59 schrieb Bill Cole via Exim-users:
Hi Bill,

> No. Your server seems to support TLS v1.3 and v1.2 just fine.

Generally I’d be happy to read that. But in this case it’s a bit disappointing.

> Yes. There are 2 issues that *may* be causing trouble:
>
> 1. You don't allow any TLS versions below 1.2. While that may seem to be
> a safety measure, it actually can cause problems because a client that
> does not support v1.2 or v1.3 can only resort to sending in clear text.

I’d understand if they tried starting TLS and failing because of it. But
they disconnect before even trying.
And second, GMX speaks TLS 1.3 fluently (I checked by sending to my
account at a mail provider).

I nevertheless checked by temporarily enabling v1.1 but still failed.

> 2. Your server is soliciting client certificates and sending a list of
> 126 acceptable CAs. Some clients may interpret the solicitation of
> client certs as a demand for a client cert, and when they cannot match a
> CA on that list, will give up. Unless you are using client certs for
> authentication (generally not useful on port 25) there's no reason to
> solicit them.

I was made aware of this unwanted behaviour (I only wanted to try to
verify when sending through tls_try_verify_hosts, not receiving) and
fixed it already, but to no avail.

>> But GMX is a quite large provider here in Germany and the problem
>> has persisted since the beginning of September now—shouldn’t somebody have
>> noticed that?
>> Since I also wasn't able to contact the GMX postmaster I’m asking you
>> for ideas.
>
> Since GMX offers free accounts, you might find it useful to get one so
> that you can contact them more easily.

I do have a GMX account. But one doesn't get support with a free account.

Regards,
Christian

Re: remote MX does not support STARTTLS
On 23/09/2020 18:49, Bill Cole via Exim-users wrote:
>>     22 212.227.15.19 → 94.16.119.13 TCP 66 41705 → 25 [FIN, ACK]
>> Seq=20 Ack=228 Win=64128 Len=0 TSval=3976249530 TSecr=307582370
>
> Why is your server setting the FIN flag on that packet?

That's GMX's FIN.
--
Cheers,
Jeremy
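The FIN-direction question (Bill's post and Jeremy's "That's GMX's FIN" answer) comes down to reading the source column of the tshark summary. As an added example that is not from the thread: a parser for the one-line summary in the column layout shown in Christian's post, which names the sender of the first FIN, checks whether the server offered STARTTLS and whether the client ever sent it, and reports the server's last reply code. `SAMPLE_CAPTURE` is constructed from the quoted capture (arrows restored), `MX_ADDR` is the receiving MX from that capture, and the column-layout assumption is stated in the code.

```python
"""Work out, from a tshark one-line summary, which peer closed an SMTP
session and whether STARTTLS was offered and then requested.

Added example, not code from the thread. The summary carries no SYN, so
the MX address is passed in explicitly to tell server from client.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the four summary lines from the thread's capture, one
# tshark output line per packet, with the arrows that extraction garbles
# into '?' restored.
SAMPLE_CAPTURE = [
    "20 212.227.15.19 → 94.16.119.13 SMTP 85 C: EHLO mout.gmx.net",
    "21 94.16.119.13 → 212.227.15.19 SMTP 224 S: 250-mail.eyrich-net.org: "
    "Hello mout.gmx.net [212.227.15.19] | 250-SIZE 52428800 | 250-8BITMIME | "
    "250-PIPELINING | 250-CHUNKING | 250-STARTTLS | 250-PRDR | 250 HELP",
    "22 212.227.15.19 → 94.16.119.13 TCP 66 41705 → 25 [FIN, ACK] Seq=20 "
    "Ack=228 Win=64128 Len=0 TSval=3976249530 TSecr=307582370",
    "23 94.16.119.13 → 212.227.15.19 SMTP 114 S: 421 mail.eyrich-net.org: "
    "lost input connection",
]

# The receiving MX in the thread's capture.
MX_ADDR = "94.16.119.13"

# Column layout as shown in the thread: number, source, arrow, destination,
# protocol, frame length, info. Assumption: a default tshark run also prints
# a time column after the number; add a field here if your output has one.
# The arrow alternatives cover the real '→', '->' and the '?' left behind
# when the arrow has been mis-encoded.
_LINE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<src>\S+)\s+(?:→|->|\?)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<length>\d+)\s+(?P<info>.*)$"
)


@dataclass
class Packet:
    no: int
    src: str
    dst: str
    proto: str
    info: str


def parse_summary(lines: List[str]) -> List[Packet]:
    """Turn summary lines into Packet records; reject lines that don't fit."""
    packets = []
    for line in lines:
        match = _LINE.match(line)
        if match is None:
            raise ValueError(f"unrecognised summary line: {line!r}")
        packets.append(Packet(int(match["no"]), match["src"], match["dst"],
                              match["proto"], match["info"]))
    return packets


def role(packet: Packet, mx_addr: str) -> str:
    """'server' for packets sent by the MX, 'client' for the sending side."""
    return "server" if packet.src == mx_addr else "client"


def diagnose(lines: List[str], mx_addr: str) -> Dict[str, object]:
    """Summarise the session: was STARTTLS offered, did the client ask for
    it, who sent the first FIN, and what was the server's last reply code."""
    result: Dict[str, object] = {
        "starttls_advertised": False,
        "starttls_requested": False,
        "first_fin_from": None,
        "last_server_reply": None,
    }
    for packet in parse_summary(lines):
        who = role(packet, mx_addr)
        if who == "server" and re.search(r"\b250[- ]STARTTLS\b", packet.info):
            result["starttls_advertised"] = True
        if who == "client" and packet.info.startswith("C: STARTTLS"):
            result["starttls_requested"] = True
        if "[FIN" in packet.info and result["first_fin_from"] is None:
            result["first_fin_from"] = who
        reply = re.match(r"S: (\d{3})", packet.info)
        if who == "server" and reply:
            result["last_server_reply"] = int(reply.group(1))
    return result


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_CAPTURE, MX_ADDR).items():
        print(f"{key}: {value}")
```

On the sample this reports STARTTLS advertised, never requested, first FIN from the client, last server reply 421: the server offered TLS and the sending side hung up without asking for it, which is the reading Jeremy gave. The same function run over a capture of a working session (first FIN from the server after QUIT, `starttls_requested` true) gives the baseline to compare against.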

Re: remote MX does not support STARTTLS
Am 23.09.2020 um 19:16 schrieb Jeremy Harris via Exim-users:

> My only guess is to try disabling CHUNKING or PRDR advertisement, to see
> if one of those is confusing them.

Ok, tried that now, but didn’t help.

Regards,
Christian


Re: remote MX does not support STARTTLS
Am 23.09.2020 um 19:36 schrieb Mike Tubby via Exim-users:
> On 23/09/2020 18:16, Jeremy Harris via Exim-users wrote:
>> On 23/09/2020 16:59, Bill Cole via Exim-users wrote:
>>> 1. You don't allow any TLS versions below 1.2. While that may seem to be
>>> a safety measure, it actually can cause problems because a client that
>>> does not support v1.2 or v1.3 can only resort to sending in clear text.
>>>
>>> 2. Your server is soliciting client certificates and sending a list of
>>> 126 acceptable CAs. Some clients may interpret the solicitation of
>>> client certs as a demand for a client cert, and when they cannot match a
>>> CA on that list, will give up. Unless you are using client certs for
>>> authentication (generally not useful on port 25) there's no reason to
>>> solicit them.
>> No, neither of those - the GMX end is not even soliciting STARTTLS.
>> It doesn't get as far as trying a TLS handshake.
>>
>> My only guess is to try disabling CHUNKING or PRDR advertisement, to see
>> if one of those is confusing them.
>
> Disable chunking, enable TLS v1.1

Unfortunately already tried that in the meantime.

> and are you using RSA or ECC certificates at your end?
It’s plain old RSA 4096. But GMX doesn’t even get that far to start TLS.

Regards,
Christian

Re: remote MX does not support STARTTLS
Am 23.09.20 um 19:36 schrieb Mike Tubby via Exim-users:
>
>> My only guess is to try disabling CHUNKING or PRDR advertisement, to see
>> if one of those is confusing them.
>
> Disable chunking, enable TLS v1.1 and are you using RSA or ECC
> certificates at your end?
>
>
If it's one, it's PRDR. I checked our cluster: chunking is enabled,
PRDR not, GMX can send mails as expected.

Best regards,
Marius
