A TLS fatal alert has been received with exim4 in debian 9

Question

I am trying to configure my server to send mail and I receive an "TLS fatal alert" error every time I try to send mail.

I have followed the steps indicated in this post related to my problem to try to overcome the problem, but it finally gives me the error that I describe:

apt install gnutls-bin
cd /etc/exim4/
certtool --generate-privkey --outfile exim.key
certtool --generate-request --load-privkey exim.key --outfile exim.csr

• Common name: gestiondecorreos.es

• the rest I leave it blank(enter)

• url: http://www.cacert.org/

• login to CACert => click on "Server Certificates" => New

• It will ask you to paste in the certificate request: I paste the content of the exim.csr file.

• CACert will ask you to confirm the hostname.

• After that it will show a certificate in the resulting web page. Put the certificate in a new file named exim.crt

  cd /etc/exim4/ chgrp Debian-exim exim.key chmod g+r exim.key vim /etc/exim4/conf.d/main/000_local (new file)

• and insert inside:

  MAIN_LOG_SELECTOR=+tls_cipher +tls_peerdn MAIN_TLS_ENABLE=t

  update-exim4.conf /etc/init.d/exim4 restart

I try to connect to my mail server by tls:

gnutls-cli -s -p 587 gestiondecorreos.es
ehlo gestiondecorreos.es
starttls
^D (ctr+d)

• the error result:

---

*** Starting TLS handshake
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `EMAIL=eguz*****@gmail.com,CN=server.example.com,OU=IT,O=Vesta Control Panel,L=San Francisco,ST=California,C=US', issuer `EMAIL=eguz*****@gmail.com,CN=server.example.com,OU=IT,O=Vesta Control Panel,L=San Francisco,ST=California,C=US', serial 0x0086e738bec1714309, RSA key 4096 bits, signed using RSA-SHA256, activated `2020-02-04 15:42:00 UTC', expires `2021-02-03 15:42:00 UTC', key-ID `sha256:6095e39dc286060d74d300f494814744d803ad2f5c55587ca38a2d7ed2b58194'
   Public Key ID:
      sha1:5f4b******************
      sha256:6095****************
   Public key's random art:
      +--[ RSA 4096]----+
      |        ..o    .o|
      |       .   o   +.|
      *******************
      |             .oo.|
      +-----------------+

- Status: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed

---

I dont know why appear CN=server.example.com like subject.

The /var/log/exim4/mainlog file said:

TLS error on connection from lixxxxxx.members.linode.com ([127.0.0.1]) [xxxxxxxxxxx] (gnutls_handshake): A TLS fatal alert has been received.

In my linode-vps the main domain is gestiondecorreos.es and orbelanet.com is another domain i am running smtp tests on.

Thanks in advance! Mikel

Answer 1

attempted solution:

• Change hostname (in vestacp): (server => gestiondecorreos.es, my main domain in server ):

  /usr/local/vesta/bin/v-change-sys-hostname gestiondecorreos.es

• installing letsencrypt in gestiondecorreos.es:

/usr/local/vesta/bin/v-add-letsencrypt-domain 'admin' gestiondecorreos.es '' 'yes'

• apply the ssl certificate installed in the previous step in vesta, exim and dovecot:

/usr/local/vesta/bin/v-update-host-certificate admin gestiondecorreos.es

• add "update_hostname_ssl='yes'" in /usr/local/vesta/conf/vesta.conf:

  echo "UPDATE_HOSTNAME_SSL='yes'" >> /usr/local/vesta/conf/vesta.conf

This will tell Vesta to update SSL to Vesta, Exim and dovecot daemons every time when SSL is renewed. This will happen automatically

the solution

• when recreating, with the previous steps, the exim.key, exim.csr and exim.crt files and performing the tls mail service test with gnutls-cli -s -p 587 gestiondecorreos.es this time it does not give an error, everything OK.

• but when trying to send a new email it gives us the following error:

  H=lixxxxxxxx.linode.com ([127.0.0.1]) [172.xxxxxxxxxx] X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 CV=no rejected MAIL <xxxx@xxxxxxxx>: Helo name contains a ip address (HELO was [127.0.0.1]) and not is valid

• the solution has I keep disabling the following lines in /etc/exim4/exim4.conf:

\# deny condition = ${if eq{$sender_helo_name}{}}
\# message = HELO required before MAIL

\# drop message = Helo name contains a ip address (HELO was $sender_helo_name) and not is valid
\# condition = ${if match{$sender_helo_name}{\N((\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3})|([0-9a-f]{8})|([0-9A-F]{8}))\N}{yes}{no}}
\# condition = ${if match {${lookup dnsdb{>: defer_never,ptr=$sender_host_address}}\}{$sender_helo_name}{no}{yes}}
\# delay = 45s

\# drop condition = ${if isip{$sender_helo_name}}
\# message = Access denied - Invalid HELO name (See RFC2821 4.1.3)

• restart exim4:

  service exim4 restart

And now I can send email without problem!