I have set up my exim4 as a local MTA with smarthost delivery (Debian 10 VM), following this guide: Exim on DebianWiki

If my smarthost is expecting an SSL connection (SMTP over SSL), it does not work.

When a local web application sends an email to localhost:25, it remains stuck in the queue; if I try to force delivery, this happens:

root@testbug:~# date && exim -v -M 1nrqKZ-0003Ji-WE
Fri 20 May 2022 10:33:50 AM CEST
delivering 1nrqKZ-0003Ji-WE
R: smarthost for name.surname@gmail.com
T: remote_smtp_smarthost for name.surname@gmail.com
Transport port=25 replaced by host-specific port=465
Connecting to smtps.aruba.it []:465 ... connected

=========== stuck for a few seconds ===========

  H=smtps.aruba.it []: Remote host closed connection in response to initial connection
Transport port=25 replaced by host-specific port=465
Connecting to smtps.aruba.it []:465 ... connected

=========== stuck for a few seconds ===========

  H=smtps.aruba.it []: Remote host closed connection in response to initial connection
  == name.surname@gmail.com R=smarthost T=remote_smtp_smarthost defer (-18) H=smtps.aruba.it []: Remote host closed connection in response to initial connection

This is the log for that:

root@testbug:~# tail -3 /var/log/exim4/mainlog
2022-05-20 10:35:31 1nrqKZ-0003Ji-WE H=smtps.aruba.it []: Remote host closed connection in response to initial connection
2022-05-20 10:37:11 1nrqKZ-0003Ji-WE H=smtps.aruba.it []: Remote host closed connection in response to initial connection
2022-05-20 10:37:11 1nrqKZ-0003Ji-WE == name.surname@gmail.com R=smarthost T=remote_smtp_smarthost defer (-18) H=smtps.aruba.it []: Remote host closed connection in response to initial connection

Please note that the server accepts SSL connections:

root@testbug:~# openssl s_client -connect smtps.aruba.it:465
depth=2 C = IT, L = Milan, O = Actalis S.p.A./03358520967, CN = Actalis Authentication Root CA
No client certificate CA names sent
Verification: OK
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
    Protocol  : TLSv1.2
220 smtpdh08.ad.aruba.it Aruba Outgoing Smtp  ESMTP server ready

If I switch to a different smarthost server, smtp.mydomain.it, run by the same provider (so I use the same credentials to authenticate against the smarthost), on port 25 with STARTTLS, things run smoothly and the emails are delivered (with STARTTLS) as soon as I restart exim:

2022-05-20 10:42:48 exim 4.92 daemon started: pid=4015, -q30m, listening for SMTP on []:25 [::1]:25
2022-05-20 10:42:48 Start queue run: pid=4017
2022-05-20 10:42:51 1nrqKZ-0003Ji-WE => name.surname@gmail.com R=smarthost T=remote_smtp_smarthost H=smtp.mydomain.it [] X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no DN="C=IT,ST=Bergamo,L=Ponte San Pietro,O=Aruba S.p.A.,CN=*.aruba.it" A=plain C="250 2.0.0 ryDgn51y1TRWPryDinATBj mail accepted for delivery"
2022-05-20 10:42:51 1nrqKZ-0003Ji-WE Completed
2022-05-20 10:42:51 End queue run: pid=4017

You can see the email is correctly delivered with STARTTLS:

root@testbug:~# ngrep -qt -dany port 25
interface: any
filter: ( port 25 ) and (ip || ip6)

T 2022/05/20 10:42:48.900722 -> MY.SRV.IP.ADDR:47932 [AP] #4
  220 smtpdh13.ad.aruba.it Aruba Outgoing Smtp  ESMTP server ready..

T 2022/05/20 10:42:48.900903 MY.SRV.IP.ADDR:47932 -> [AP] #5
  EHLO testbug.mydomain.it..

T 2022/05/20 10:42:49.025487 -> MY.SRV.IP.ADDR:47932 [AP] #7
  250-smtpdh13.ad.aruba.it hello [MY.SRV.IP.ADDR], pleased to meet you..250-HELP..250-AUTH LOGIN PLAIN..250-SIZE 524288000..250-ENHANCEDSTATUSCODES..250-8BITMIME..250-STARTTLS..250 OK..

T 2022/05/20 10:42:49.025702 MY.SRV.IP.ADDR:47932 -> [AP] #8

T 2022/05/20 10:42:49.092110 -> MY.SRV.IP.ADDR:47932 [AP] #10
  220 2.0.0 Ready to start TLS..

T 2022/05/20 10:42:49.111151 MY.SRV.IP.ADDR:47932 -> [AP] #11

Can anyone point me in the right direction to investigate?

Can this be a network/ports issue? Or a certificate issue (I generate my self-signed certificate in a slightly different way, and actually I don't know why I need one, or whether this certificate is validated by the server at all)?

Thanks a lot.

EDIT: got more verbose output from force-delivering a message: https://pastebin.com/axRsQmwy

Sandro B.
  • The fact that the `tls_on_connect_ports` [configuration is only accessed](https://github.com/Exim/exim/search?q=on_connect_ports) through `tls_in.on_connect_ports` with no way of setting `tls_out.on_connect_ports` makes me suspect that it is only supported for incoming connections and disregarded for outbound SMTP. Exim might simply never have supported this, as it was not standard & recommended at the time the daemon-side feature was implemented. – anx May 20 '22 at 15:33
  • @anx `hosts_require_tls` parameter that is set as macro REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS ( = * ) ... that is evaluated [here](https://github.com/Exim/exim/blob/9f6b3bf5187562bac4c96e3ed6a17740d01489fa/src/src/transports/smtp.c#L2879)? – Sandro B. May 20 '22 at 22:14
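
The distinction raised in the comment above (Exim only consults `tls_on_connect_ports` for inbound connections) is the one an outbound smarthost transport has to deal with: `hosts_require_tls` only insists that the STARTTLS upgrade succeeds after a cleartext EHLO, which matches the working port-25 trace above, while an implicit-TLS port such as 465 expects the TLS handshake before any SMTP traffic, so both sides wait and the server eventually drops the connection, which is consistent with the "stuck for a few seconds" followed by "Remote host closed connection in response to initial connection" in the log. The smtp transport's `protocol = smtps` option tells Exim to start TLS immediately after connecting. The two transport definitions below are an added example, not code from the original post or from the Debian wiki guide; the file path follows Debian's split configuration layout, the transport names mirror the ones in the log, and the hostnames are the ones quoted above.

```exim
# /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost
# Added example (not from the original post). Debian regenerates the
# running configuration from conf.d with `update-exim4.conf`, so edit
# here rather than in the generated file.

# 1. STARTTLS on port 25: this is the working case in the question.
#    Exim sends EHLO in the clear, sees "250-STARTTLS" and upgrades;
#    hosts_require_tls = * makes it defer rather than fall back to
#    cleartext if the upgrade fails.
remote_smtp_smarthost_starttls:
  debug_print = "T: remote_smtp_smarthost_starttls for $local_part@$domain"
  driver = smtp
  port = 25
  hosts_require_tls = *
  hosts_try_auth = *
  # Verify the smarthost's certificate against the system CA store and
  # require that verification to pass (the log line above shows CV=no,
  # i.e. the certificate was not verified at all).
  tls_verify_certificates = system
  tls_verify_hosts = *

# 2. Implicit TLS ("SMTP over SSL") on port 465: the failing case.
#    protocol = smtps makes Exim run the TLS handshake right after the
#    TCP connect, before waiting for the 220 banner. No STARTTLS is
#    involved, so hosts_require_tls is not what controls this.
remote_smtp_smarthost:
  debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
  driver = smtp
  port = 465
  protocol = smtps
  hosts_try_auth = *
  tls_verify_certificates = system
  tls_verify_hosts = *
```

A few notes on using this. The "Transport port=25 replaced by host-specific port=465" line in the trace comes from the `host::port` form of the smarthost router (`dc_smarthost='smtps.aruba.it::465'` in Debian's `update-exim4.conf.conf`); that form still needs `protocol = smtps` on the transport, because it changes only the port, not the protocol spoken on it. After editing, run `update-exim4.conf` and restart exim4, then confirm the generated transport with `exim -bP transport remote_smtp_smarthost`, which should list `protocol = smtps` and `port = 465`. On the certificate question in the post: the self-signed certificate generated for the local Exim is its server certificate for inbound TLS and is not what the smarthost validates; the credentials are checked by `A=plain`, and what matters for security on the outbound side is verifying the smarthost's certificate, which is why `CV=no` in the successful delivery line is worth fixing even though delivery works.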

0 Answers