TLS support
I use a Debian distro of exim 3.35

What is the simplest way to tell whether TLS is built-in please?

A

--
Re: TLS support
At 05:54 PM 7/4/02 , Alain Remont wrote:
>I use a Debian distro of exim 3.35
>
>What is the simplest way to tell whether TLS is built-in please?

Install the exim-tls package instead of exim. It's on the non-US mirror(s).

Regards,


Jeffrey B. Green Personal Computer Consultant - Las Vegas, Nevada
http://jbgreen.com Networking Las Vegas Since 1986
Re: TLS support
----- Original Message -----
From: "Jeff Green" <jeff@jbgreen.com>
To: "Alain Remont" <aremont@ozemail.com.au>; <exim-users@exim.org>
Sent: Friday, July 05, 2002 2:38 PM
Subject: Re: [Exim] TLS support


> At 05:54 PM 7/4/02 , Alain Remont wrote:
> >I use a Debian distro of exim 3.35
> >
> >What is the simplest way to tell whether TLS is built-in please?
>
> Install the exim-tls package instead of exim. It's on the non-US mirror(s).
>

Jeff, that is brilliant. This package did not show up on my local mirror,
but I got it off the non-US debian site. Installed it, but SSL does not seem
to work.

I telnet to port 25 and this is what I get.

<START>
220 phenomix.com.au ESMTP Exim 3.35 #1 Fri, 05 Jul 2002 17:29:42 +1000
EHLO ALAIN
500 Unrecognized command
EHLO ALAIN
250-phenomix.com.au Hello support1 [150.203.7.51]
250-SIZE
250-PIPELINING
250-STARTTLS
250 HELP
STARTTLS
500 Unsupported command.
AUTH STARTTLS
504 STARTTLS mechanism not supported
<END>

I use MS Outlook Express as the client and have SSL turned on for both the
outgoing SMTP and incoming IMAP. I cannot connect to the server with the
client. Any ideas?...

Kind regards,

Alain
Re: TLS support
On Fri, Jul 05, 2002 at 05:36:57PM +1000, Alain Remont wrote:
> I telnet to port 25 and this is what I get.
> <START>
> 220 phenomix.com.au ESMTP Exim 3.35 #1 Fri, 05 Jul 2002 17:29:42 +1000
> EHLO ALAIN
> 500 Unrecognized command
> EHLO ALAIN
> 250-phenomix.com.au Hello support1 [150.203.7.51]
> 250-SIZE
> 250-PIPELINING
> 250-STARTTLS
> 250 HELP
> STARTTLS
> 500 Unsupported command.
> AUTH STARTTLS
> 504 STARTTLS mechanism not supported
> <END>

Have you configured tls in your exim configuration file?

MBM

--
Matthew Byng-Maddick <mbm@colondot.net> http://colondot.net/
Re: TLS support
At 12:36 AM 7/5/02 , Alain Remont wrote:

...
>I telnet to port 25 and this is what I get.
>
><START>
>220 phenomix.com.au ESMTP Exim 3.35 #1 Fri, 05 Jul 2002 17:29:42 +1000
>EHLO ALAIN
>500 Unrecognized command
>EHLO ALAIN
>250-phenomix.com.au Hello support1 [150.203.7.51]
>250-SIZE
>250-PIPELINING
>250-STARTTLS
>250 HELP
>STARTTLS
>500 Unsupported command.
>AUTH STARTTLS
>504 STARTTLS mechanism not supported
><END>
>
>I use MS Outlook Express as the client and have SSL turned on for both the
>outgoing SMTP and incoming IMAP. I cannot connect to the server with the
>client. Any ideas?...

My first thought is that STARTTLS is not an authentication mechanism.
Authentication should be performed after the TLS session is started with
either (probably) plaintext or some other type of mechanism (MD5, etc.)
that your client supports. Off the top of my head I believe OE supports
only plaintext.

Here's the output from my Debian/Exim-TLS server:

# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220-ferris.jbgreen.com ESMTP Exim 3.33 #1 Fri, 05 Jul 2002 09:46:25 -0700
220 Unsolicited commercial messages are not permitted
ehlo localhost
250-ferris.jbgreen.com Hello root at localhost [127.0.0.1]
250-SIZE
250-ETRN
250-PIPELINING
250-STARTTLS
250 HELP
>STARTTLS
220 OpenSSL/0.9.6beta go ahead

At this point OpenSSL does respond, so I wonder if you have that package
installed. I would think that it's a dependent package for exim-ssl, so I
next wonder what you have for the TLS configuration options. This is mine:

# tls configuration, offer TLS to all

tls_advertise_hosts = *
tls_certificate = /etc/exim/cert.rsa
tls_privatekey = /etc/exim/private.rsa
tls_log_cipher = true

I've never tried to directly communicate with OpenSSL over telnet, but it's
likely waiting for something I can't type in by hand, so I'd go no further
in a telnet session. This is the log entry (/var/log/exim/mainlog) for the
above:

>2002-07-05 09:45:54 TLS error on connection from localhost [127.0.0.1] (SSL_accept): error:00000000:lib(0):func(0):reason(0)
>2002-07-05 09:46:42 TLS error on connection from localhost [127.0.0.1] (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

Until OpenSSL responds to STARTTLS in the SMTP session, something in the
package list or configuration of either package is incorrect. You might
want to tail both the mainlog and error.log while testing the process, and
turn on debugging as well.

I've not worked with client TLS sessions yet, only server to server, but
please let me know what you find, it will likely come in handy soon.

Regards,


Jeffrey B. Green Personal Computer Consultant - Las Vegas, Nevada
http://jbgreen.com Networking Las Vegas Since 1986
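The two mainlog entries above are exactly what one would watch for while tailing the log as Jeff suggests. The parser below is added here as an example; it is not code from the thread or from the Exim project. It splits each "TLS error on connection" entry into timestamp, peer, handshake stage and the OpenSSL error fields (code:library:function:reason) and counts failures per peer and reason, so a single misbehaving client or proxy stands out. The first two sample lines are the ones quoted above, re-joined onto single lines; the remaining sample lines and the interpretation table are this example's own constructions, not Exim or OpenSSL documentation.

```python
import re
from collections import Counter

# One exim-tls 3.x mainlog TLS failure, in the shape quoted in the thread
# (field names are this example's own):
#   <date> <time> TLS error on connection from <host> [<ip>] (<stage>): error:<code>:<lib>:<func>:<reason>
TLS_ERROR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"TLS error on connection from (?P<host>\S+) \[(?P<ip>[^\]]+)\] "
    r"\((?P<stage>[^)]+)\): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)$"
)

# Heuristic reading of the reasons seen in the thread (constructed for this example).
HINTS = {
    "unknown protocol": "peer sent non-TLS bytes after STARTTLS (hand-typed telnet, "
                        "or a client/proxy that never began the handshake)",
    "reason(0)": "no OpenSSL reason recorded; typically the peer closed the "
                 "connection before sending a ClientHello",
}

# Sample log: entries 1-2 are the lines quoted in the thread (re-joined), entries
# 3-4 are constructed. 192.0.2.10 is a documentation address, not a real host.
SAMPLE_LOG = [
    "2002-07-05 09:45:54 TLS error on connection from localhost [127.0.0.1] "
    "(SSL_accept): error:00000000:lib(0):func(0):reason(0)",
    "2002-07-05 09:46:42 TLS error on connection from localhost [127.0.0.1] "
    "(SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol",
    "2002-07-05 09:47:10 Start queue run: pid=1234",  # constructed, not a TLS line
    "2002-07-05 09:48:03 TLS error on connection from mail.example.invalid [192.0.2.10] "
    "(SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol",
]


def parse_tls_errors(lines):
    """Return one dict per TLS error line; every other log line is skipped."""
    events = []
    for line in lines:
        m = TLS_ERROR_RE.match(line.rstrip("\r\n"))
        if not m:
            continue
        ev = m.groupdict()
        ev["hint"] = HINTS.get(ev["reason"], "no heuristic for this reason")
        events.append(ev)
    return events


def summarize(events):
    """Count failures per (peer ip, reason) so one noisy peer stands out."""
    return Counter((ev["ip"], ev["reason"]) for ev in events)


if __name__ == "__main__":
    evs = parse_tls_errors(SAMPLE_LOG)
    for ev in evs:
        print("%(ts)s %(ip)s %(stage)s %(func)s: %(reason)s -> %(hint)s" % ev)
    for (ip, reason), n in summarize(evs).most_common():
        print("%3d  %-15s %s" % (n, ip, reason))
```

Feed it `tail -f /var/log/exim/mainlog` (or the whole file) on a real system; the regex only claims lines that match the full "TLS error on connection" shape, so unrelated log lines pass through untouched.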
Re: TLS support
Jeff Green wrote:
> At 12:36 AM 7/5/02 , Alain Remont wrote:
>
> ...
>
>> I telnet to port 25 and this is what I get.
>>
>> <START>
>> 220 phenomix.com.au ESMTP Exim 3.35 #1 Fri, 05 Jul 2002 17:29:42 +1000
>> EHLO ALAIN
>> 500 Unrecognized command
>> EHLO ALAIN
>> 250-phenomix.com.au Hello support1 [150.203.7.51]
>> 250-SIZE
>> 250-PIPELINING
>> 250-STARTTLS
>> 250 HELP
>> STARTTLS
>> 500 Unsupported command.
>> AUTH STARTTLS
>> 504 STARTTLS mechanism not supported
>> <END>

Yeah, is it compiled badly or something ? Check the Local/ in the build
directory.

STARTTLS *is* the right command; had you done this sequence in a proper
TLS environment, you'd have put exim into its "Security error" mode ;)
(see below).

Iain



# telnet 0 25
Trying 0.0.0.0...
Connected to 0 (0.0.0.0).
Escape character is '^]'.
220 fleet.coagulate.net ESMTP Exim. No unauthorised mail drops. Mail
submitted to this server belongs to the owner, if this is unacceptable,
do not deliver your mail here. No disclaimers, or other legal materials
attached to e-mail will be honoured. Continuation of this session
implies your acceptance of these terms. If they are unacceptable,
please disconnect NOW.
STARTTLS
220 TLS go ahead
no
ok?

554 Security failure
indeed :D
554 Security failure
Would you like some toast?
554 Security failure
Re: TLS support
On Jul 5 Alain Remont wrote:

>What is the simplest way to tell whether TLS is built-in please?

ldd /path/to/exim
Re: TLS support
----- Original Message -----
From: "Jeff Green" <jeff@jbgreen.com>
>
> Here's the output from my Debian/Exim-TLS server:
>
> # telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220-ferris.jbgreen.com ESMTP Exim 3.33 #1 Fri, 05 Jul 2002 09:46:25 -0700
> 220 Unsolicited commercial messages are not permitted
> ehlo localhost
> 250-ferris.jbgreen.com Hello root at localhost [127.0.0.1]
> 250-SIZE
> 250-ETRN
> 250-PIPELINING
> 250-STARTTLS
> 250 HELP
> >STARTTLS
> 220 OpenSSL/0.9.6beta go ahead
>

OK. Thanks for that. I tried from localhost and ..... I get the same as you!
That is STARTTLS *is* accepted and I get "OpenSSL/0.9.6beta go ahead" just
like you.

However, if I try this from a remote telnet client, I do not get through. I
get the "Command not supported" reply.

Cannot seem to find what might be amiss... After all, I pretty much followed
the standard exim-tls installation.

Will keep looking, but if you have any idea...

A
Re: TLS support
On Mon, Jul 08, 2002 at 11:47:17AM +1000,
Alain Remont <aremont@ozemail.com.au> is thought to have said:

> OK. Thanks for that. I tried from localhost and ..... I get the same as you!
> That is STARTTLS *is* accepted and I get "OpenSSL/0.9.6beta go ahead" just
> like you.
>
> However, if I try this from a remote telnet client, I do not get through. I
> get the "Command not supported" reply.
>
> Cannot seem to find what might be amiss... After all, I pretty much followed
> the standard exim-tls installation.
>
> Will keep looking, but if you have any idea...

From your previous post...

> I telnet to port 25 and this is what I get.
> <START>
> 220 phenomix.com.au ESMTP Exim 3.35 #1 Fri, 05 Jul 2002 17:29:42 +1000
> EHLO ALAIN
> 500 Unrecognized command
> EHLO ALAIN

That's very odd.

> 250-phenomix.com.au Hello support1 [150.203.7.51]
> 250-SIZE
> 250-PIPELINING
> 250-STARTTLS
> 250 HELP
> STARTTLS
> 500 Unsupported command.

This error doesn't appear in the Exim 3.35 source that I can see.

> AUTH STARTTLS
> 504 STARTTLS mechanism not supported
> <END>

Do you have a firewall or an antivirus email proxy server in front of your
Exim server that might be intercepting your STARTTLS commands? We've seen
that behavior on clients with some versions of (IIRC) NAV installed, for
example.

--
--------------------------------------------------------------------
Tabor J. Wells twells@fsckit.net
Fsck It! Just another victim of the ambient morality
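The pattern Tabor is pointing at, and that Jeff's telnet transcript shows the healthy side of, is mechanical enough to probe automatically: the EHLO reply lists STARTTLS, yet the STARTTLS command itself comes back 5xx from remote hosts while localhost gets "220 ... go ahead". The client below is an added example, not code from the thread or from Exim. It performs the same EHLO/STARTTLS dialogue, parses multi-line replies, and returns a verdict that separates "accepted", "never advertised" and "advertised but rejected", the last being the signature of something in the path answering STARTTLS on the server's behalf. Two in-process toy servers with constructed banners (`mta.example`) stand in for a real MTA so it runs offline; the verdict strings and host names are this example's own.

```python
import io
import socket
import threading

CRLF = b"\r\n"


def read_reply(f):
    """Read one SMTP reply -> (code, [text of each line]); 'NNN-' continues, 'NNN ' ends."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("connection closed mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("malformed reply: %r" % line)
        lines.append(line[4:])
        if len(line) == 3 or line[3] == " ":
            return int(line[:3]), lines


def parse_reply(text):
    """Parse a reply held in a string (handy for testing the reader offline)."""
    return read_reply(io.BytesIO(text.encode("ascii")))


def probe_starttls(host, port, ehlo_name="probe.example", timeout=5.0):
    """EHLO, then STARTTLS; stop at the STARTTLS reply and classify it.

    On 220 a real client would begin the TLS handshake here; anything typed by
    hand at that point only yields the 'unknown protocol' mainlog errors above.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        _, banner = read_reply(f)
        s.sendall(b"EHLO " + ehlo_name.encode("ascii") + CRLF)
        ehlo_code, ehlo = read_reply(f)
        # EHLO keywords are case-insensitive; the first line is the greeting.
        advertised = any(l.split(" ", 1)[0].upper() == "STARTTLS" for l in ehlo[1:])
        s.sendall(b"STARTTLS" + CRLF)
        tls_code, tls = read_reply(f)
        if tls_code != 220:  # still plain SMTP, so we can quit politely
            s.sendall(b"QUIT" + CRLF)
            read_reply(f)
    if tls_code == 220:
        verdict = "starttls-accepted"
    elif advertised and 500 <= tls_code < 600:
        # The MTA advertised STARTTLS but the rejection contradicts it:
        # something between client and server is answering the command itself.
        verdict = "advertised-but-rejected (possible intercepting proxy)"
    elif not advertised:
        verdict = "starttls-not-advertised"
    else:
        verdict = "unexpected-reply"
    return {"banner": banner[0], "ehlo_code": ehlo_code,
            "starttls_advertised": advertised, "starttls_code": tls_code,
            "starttls_text": tls[0], "verdict": verdict}


def _serve_once(srv, intercept):
    """One-shot toy SMTP server (constructed); intercept=True mimics the thread's symptom."""
    conn, _ = srv.accept()
    with conn:
        f = conn.makefile("rb")
        conn.sendall(b"220 mta.example ESMTP toy server (constructed)" + CRLF)
        while True:
            raw = f.readline()
            if not raw:
                return
            cmd = raw.strip().upper()
            if cmd.startswith(b"EHLO"):
                conn.sendall(CRLF.join([b"250-mta.example Hello probe", b"250-SIZE",
                                        b"250-STARTTLS", b"250 HELP"]) + CRLF)
            elif cmd == b"STARTTLS":
                if intercept:
                    conn.sendall(b"500 Unsupported command." + CRLF)
                else:
                    conn.sendall(b"220 TLS go ahead" + CRLF)
                    return  # a real MTA would now run the TLS handshake
            elif cmd == b"QUIT":
                conn.sendall(b"221 bye" + CRLF)
                return
            else:
                conn.sendall(b"500 Unrecognized command" + CRLF)


def probe_toy_server(intercept):
    """Run a toy server on an ephemeral loopback port and probe it."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    t = threading.Thread(target=_serve_once, args=(srv, intercept), daemon=True)
    t.start()
    try:
        return probe_starttls("127.0.0.1", srv.getsockname()[1])
    finally:
        t.join(timeout=5)
        srv.close()


if __name__ == "__main__":
    for intercept in (False, True):
        print(probe_toy_server(intercept))
```

Running `probe_starttls()` against the same MTA from localhost and from a remote network, and comparing verdicts, is the automated form of the test Alain did by hand: identical EHLO capabilities with differing STARTTLS verdicts localise the problem to the path rather than to the exim configuration.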
Re: TLS support
> OK. Thanks for that. I tried from localhost and ..... I get the same as you!
> That is STARTTLS *is* accepted and I get "OpenSSL/0.9.6beta go ahead" just
> like you.
>
> However, if I try this from a remote telnet client, I do not get through. I
> get the "Command not supported" reply.
>
Besides the Firewall possibility (excellent thought, by the way), are
you the victim of a hi-jacked port 25 by whatever ISP you are using for
your remote tests? I suggest this only because your email address and
the SMTP server you are having trouble with are different:

phenomix.com.au vs. ozemail.com.au

Just a thought.

Jim Roberts
Punster Productions, Inc.
Re: TLS support
Problem solved. Norton anti-virus was the culprit! Thanks for those who
helped and suggested something about firewalls and anti-virus programs!

A
----- Original Message -----
From: "James P. Roberts" <punster@punsterproductions.com>
To: <exim-users@exim.org>
Cc: <aremont@ozemail.com.au>
Sent: Monday, July 08, 2002 11:16 PM
Subject: Re: [Exim] TLS support


> > OK. Thanks for that. I tried from localhost and ..... I get the same as you!
> > That is STARTTLS *is* accepted and I get "OpenSSL/0.9.6beta go ahead" just