
Good Evening,

First time posting. This forum has helped me many, many times.

I was looking for some advice / views on a problem I'm having.

The server is relatively old, Debian 6 to be exact, but upgrading right now isn't an immediate option due to some essential legacy applications (I'm looking into containing some of these via Docker in future).

Outgoing emails have always been sent using Exim via our ISP's smarthost through an email account, authenticated IP address and by encrypted password. This has always worked just fine. However, due to email volumes we have had to look into moving away from our ISP and to a dedicated relay provider.

Our new relay host is authenticated by IP and can be set up to use TLS. After making the switch via Exim's dpkg-reconfigure things work, often for a few hours. Then I get delayed mail and the following type of error messages.

10:15:12 TLS error on connection to relayhost [relay ip] (recv): A TLS packet with unexpected length was received.   
10:15:12 Remote host relayhost [relayip] closed connection in response to MAIL FROM:<our email> SIZE=2136

I admit here my knowledge of Exim is limited and I usually turn to sites like this for advice.

I have tried making a file /etc/exim4/conf.d/main/00_localmacros and adding:

gnutls_compat_mode=true
gnutls_require_protocols=NORMAL:%COMPAT:-VERS-TLS1.1:-VERS-TLS1.2

This worked for a while.

I get the feeling I'm missing something quite fundamental about TLS here. Our relay host has suggested rebuilding Exim from source; they will offer technical support on that at a cost in the new year.

For now I have reverted back to the ISP method. Any opinions and/or advice would be greatly appreciated.

John
  • Upgrade that machine five years ago. I'm not sure if it's even supportable today. Also remember that Debian does not have a very long lifecycle; if this is important to you, you probably should be using another distribution. – Michael Hampton Dec 25 '20 at 00:37
  • You are of course right. The systems do need to be upgraded, that is an upcoming project. The software was written some time ago so my research there is towards Docker and/or apt adapt. That however, is a story for a different time. Generally, would you concur with my relay host's advice of rebuilding Exim? Another idea was to relay the mail queue from the legacy server to another (newer) system. – John Dec 25 '20 at 17:05
  • The problem is that you're rebuilding it against the old versions of whatever TLS library (openssl, gnutls, etc) that came with that old version of Debian, so it's not likely to help. – Michael Hampton Dec 25 '20 at 19:36
  • I see what you mean. This evening I've had some level of success by adding the gnutls_compat_mode=true part to the main section of the config template exim4.conf.template. Once I run the update conf thing (something I keep forgetting after changes!) I'm seeing it's written to the autogenerated config and I'm getting a more positive looking main log. I don't think this has closed the issue as I've got this far before. It can fall over again with TLS errors. But I plan to test this config further. It could be the stopgap I need while looking at a full upgrade. – John Dec 25 '20 at 20:29
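A log triage script for the failure pattern described in the question and in the last comment, added here as an example that is not part of the original thread (it is neither Exim's code nor the poster's). It recognises the two line shapes quoted in the question ("TLS error on connection to <host> [<ip>] (<dir>): <reason>" and "Remote host <host> [<ip>] closed connection in response to <command>"), optionally preceded by a date and an Exim message id as in /var/log/exim4/mainlog, and reports per-host counts, the first and last error time, an hourly histogram, and how often the peer closed the connection directly after a TLS error. The host name, IP, message ids and the sample log lines are constructed for the example; the mainlog path is assumed.

```python
"""Triage TLS-related delivery failures in an Exim main log.

Added example for this thread; not Exim's code and not the poster's.
All host names, IPs, message ids and sample lines are constructed.
"""
import re
import sys
from collections import Counter, defaultdict

# Optional "YYYY-MM-DD " date and optional Exim message id in front of the
# message text, as in mainlog; the question's lines carry only a time.
_PREFIX = re.compile(
    r"^(?:(?P<date>\d{4}-\d{2}-\d{2}) )?(?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?:(?P<msgid>[A-Za-z0-9]{6}-[A-Za-z0-9]{6}-[A-Za-z0-9]{2}) )?(?P<text>.*)$"
)
# The two line shapes quoted in the question.
_TLS_ERR = re.compile(
    r"^TLS error on connection to (?P<host>\S+) \[(?P<ip>[^\]]+)\] "
    r"\((?P<dir>\w+)\): (?P<reason>.+)$"
)
_CLOSED = re.compile(
    r"^Remote host (?P<host>\S+) \[(?P<ip>[^\]]+)\] closed connection "
    r"in response to (?P<cmd>\S+)"
)


def parse_line(line):
    """Classify one line as 'tls_error', 'closed' or 'other'.
    Returns None when the line has no Exim-style time stamp."""
    m = _PREFIX.match(line.strip())
    if not m:
        return None
    rec = {"date": m.group("date"), "time": m.group("time"),
           "msgid": m.group("msgid"), "kind": "other"}
    text = m.group("text")
    e = _TLS_ERR.match(text)
    if e:
        rec.update(kind="tls_error", host=e.group("host"), ip=e.group("ip"),
                   direction=e.group("dir"), reason=e.group("reason"))
        return rec
    c = _CLOSED.match(text)
    if c:
        rec.update(kind="closed", host=c.group("host"), ip=c.group("ip"),
                   command=c.group("cmd"))
    return rec


def summarise(lines):
    """Aggregate parsed lines into {"hosts": {...}, "errors_per_hour": {...}}.
    A 'closed' line counts as closed_after_error only when the line directly
    before it was a TLS error for the same host, the sequence the question shows."""
    hosts = defaultdict(lambda: {"tls_errors": 0, "closed_after_error": 0,
                                 "first": None, "last": None, "reasons": Counter()})
    per_hour = Counter()
    prev = None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "tls_error":
            h = hosts[rec["host"]]
            h["tls_errors"] += 1
            h["reasons"][rec["reason"]] += 1
            h["first"] = h["first"] or rec["time"]
            h["last"] = rec["time"]
            per_hour[rec["time"][:2]] += 1
        elif (rec["kind"] == "closed" and prev is not None
              and prev["kind"] == "tls_error" and prev["host"] == rec["host"]):
            hosts[rec["host"]]["closed_after_error"] += 1
        prev = rec
    return {"hosts": {k: dict(v, reasons=dict(v["reasons"])) for k, v in hosts.items()},
            "errors_per_hour": dict(per_hour)}


# Constructed sample: a clean morning delivery, then handshake failures
# of the kind quoted in the question appearing from mid-morning on.
SAMPLE_LOG = """\
2020-12-24 07:02:11 1kS9Qn-0001AB-2C => user@example.net R=smarthost T=remote_smtp_smarthost H=relayhost [203.0.113.10] X=TLS1.0:RSA_AES_256_CBC_SHA1:256
2020-12-24 10:15:12 1kS9Tc-0001Cd-9F TLS error on connection to relayhost [203.0.113.10] (recv): A TLS packet with unexpected length was received.
2020-12-24 10:15:12 1kS9Tc-0001Cd-9F Remote host relayhost [203.0.113.10] closed connection in response to MAIL FROM:<sender@example.com> SIZE=2136
2020-12-24 11:40:03 1kS9Vx-0001Ef-1G TLS error on connection to relayhost [203.0.113.10] (recv): A TLS packet with unexpected length was received.
2020-12-24 11:40:03 1kS9Vx-0001Ef-1G Remote host relayhost [203.0.113.10] closed connection in response to MAIL FROM:<sender@example.com> SIZE=5120
2020-12-24 11:41:00 1kS9Vy-0001Eg-2H TLS error on connection to relayhost [203.0.113.10] (send): The TLS connection was non-properly terminated.
2020-12-24 11:41:30 1kS9Vy-0001Eg-2H => other@example.org R=smarthost T=remote_smtp_smarthost H=relayhost [203.0.113.10] X=TLS1.0:RSA_AES_256_CBC_SHA1:256
"""


def main(argv):
    """Read the log named in argv[1] (e.g. /var/log/exim4/mainlog), else the sample."""
    lines = open(argv[1]).read().splitlines() if len(argv) > 1 else SAMPLE_LOG.splitlines()
    report = summarise(lines)
    for host, h in report["hosts"].items():
        print(f"{host}: {h['tls_errors']} TLS errors ({h['first']}..{h['last']}), "
              f"{h['closed_after_error']} followed by the peer closing the connection")
        for reason, n in h["reasons"].items():
            print(f"    {n}x {reason}")
    print("errors per hour:", report["errors_per_hour"])


if __name__ == "__main__":
    main(sys.argv)
```

Running it over a day's mainlog tells you whether the TLS errors are continuous (this GnuTLS and the relay never agree on a handshake) or arrive in bursts after hours of clean deliveries, as the question describes; that distinction is worth having before deciding between tuning gnutls_require_protocols, rebuilding Exim, or relaying the queue through a newer host.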

0 Answers