
I have a Debian 8 server running exim4 that sends outgoing mail by smarthost through NameCheap's mail.privateemail.com smtp server - or at least it used to. After a recent update, the server no longer accepts connections on port 25. I've reconfigured exim to use port 587 but can't send any mail.

The problem appears to occur during the STARTTLS handshaking. Initial connection succeeds, the server sends its 220 response, the exim client sends its EHLO command, and the server offers the 250 STARTTLS option. At that point, instead of replying with STARTTLS and establishing the secure connection, exim begins to send the message headers. To this the server sends a 530 "Must issue a STARTTLS command first" and the message delivery attempt aborts. Here is a snippet from the debug output from forcing delivery of a frozen message with exim -d -M:

Transport port=25 replaced by host-specific port=587
Connecting to mail.privateemail.com [198.54.122.60]:587 ... connected
waiting for data on socket
read response data: size=32
  SMTP<< 220 PrivateEmail.com Mail Node
198.54.122.60 in hosts_avoid_esmtp? no (option unset)
  SMTP>> EHLO efserver.hellonull.com
waiting for data on socket
read response data: size=22
  SMTP<< 250-STARTTLS
         250 OK
198.54.122.60 in hosts_require_tls? no (option unset)
198.54.122.60 in hosts_avoid_pipelining? no (option unset)
not using PIPELINING
198.54.122.60 in hosts_require_auth? no (option unset)
  SMTP>> MAIL FROM:<>
waiting for data on socket
read response data: size=41
  SMTP<< 530 Must issue a STARTTLS command first
ok=0 send_quit=1 send_rset=1 continue_more=0 yield=0 first_address is not NULL
  SMTP>> QUIT

Everything was working previously on port 25. Additionally, I am able to send outgoing mail using IceDove configured to use the same server, port, and STARTTLS. Can anyone explain why exim seems to be ignoring the STARTTLS offering from the server?

ecellingsworth

2 Answers


You can fix this by adding a hosts_require_tls option with the smarthost in the list to your configuration. This will cause Exim to send the STARTTLS command to establish a TLS connection. However, the hosts_avoid_tls option may override that setting.

You may want to try using port 465 (SSMTP). It is documented as supported for incoming traffic. It is also supported for outgoing traffic. I've tested defining a smarthost as example.com:ssmtp instead of example.com.

BillThor
  • Unfortunately that doesn't work. I entered this option under the remote_smtp_smarthost transport definition in exim4.conf.template and reconfigured exim. Now, after the server's last 250 response I get `198.54.122.60 in hosts_require_tls? yes` but then exim sends a `QUIT` command and returns the error `a TLS session is required for mail.privateemail.com [198.54.122.60], but the server did not offer TLS support`. I should have mentioned I had already tried that route. It's telling, though: exim is not recognizing the server's STARTTLS offer. – ecellingsworth Jul 04 '16 at 23:08
  • @ecellingsworth What does `exim4 --version` output show? It should include `tls` in the list of `Authenticators`. Exim uses `GnuTLS`, which should be listed in the `Support for:` list. GnuTLS should have been installed as a dependency. I have verified that TLS on outgoing connections is also logged if you have enabled the selectors. This did not require setting `hosts_require_tls`, or any other TLS setting. There is a `hosts_avoid_tls` option that should block use of TLS, otherwise it seems TLS is used if STARTTLS is offered. – BillThor Jul 05 '16 at 02:16
  • Thank you for your continued help. `exim4 --version` shows `Exim version 4.84.....Support for: crypteq iconv() IPv6 GnuTLS ...`. I have nothing set for `hosts_avoid_tls`. To be sure, I commented out the lines in the config file that set the option. I agree: according to the documentation, exim should use TLS automagically whenever STARTTLS is offered. In all of the STARTTLS conversations I've seen, I've never seen a server end its offerings with `250 OK`. I wonder if that is confusing exim. – ecellingsworth Jul 06 '16 at 01:10
  • @ecellingsworth The running configuration should be `/var/lib/exim4/config.autogenerated`. In my testing Exim would use TLS whenever offered. I have the Ubuntu build "Exim version 4.86_2 #1 built 05-Apr-2016 12:21:41" using the daemon heavy package. The parsing key should be `250 `. The OK could be confusing as the response should be a list of available options. – BillThor Jul 06 '16 at 03:21
  • @ecellingsworth Did you try the SSMTP port? It works for me. Avoids the STARTTLS issue. – BillThor Jul 06 '16 at 03:28
  • Nothing unusual detected in `config.autogenerated`. Switched to daemon-heavy from daemon-light = no change. When the smarthost port is set to 465, I get a `Remote host...closed connection in response to initial connection` error immediately after connection. Something interesting: `swaks -tls -q HELO -s mail.privateemail.com:465` fails with `Remote host closed connection unexpectedly`. But, changing to the `-tlsc` option to start TLS immediately on connection succeeds. Seems like exim is failing because it's not starting TLS from the get-go on port 465. – ecellingsworth Jul 07 '16 at 02:02
  • More testing with `swaks`: `swaks -tls -q HELO -s mail.privateemail.com:587` succeeds, yielding `Trying mail.privateemail.com:587... === Connected to mail.privateemail.com. <- 220 PrivateEmail.com Mail Node -> EHLO efserver.hellonull.com <- 250-STARTTLS <- 250 OK -> STARTTLS <- 220 Ready to start TLS === TLS started with cipher TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256` – ecellingsworth Jul 07 '16 at 02:04
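Worked example (added here, not code from the original post or from Exim): a parser for the EHLO reply following the RFC 5321 section 4.1.1.1 grammar, run over the two replies quoted in this thread, the failing `250-STARTTLS` / `250 OK` exchange from the question and the healthy one from the later answer. RFC 5321 reserves the first line of an EHLO reply for the server's domain, so a parser that follows the grammar records `STARTTLS` as the domain in the failing reply and finds no STARTTLS extension at all, whereas a loose line scan of the kind swaks reports still sees it; the `250 ` terminator itself, the parsing key mentioned in the comments, is handled normally. The sample replies are constructed from the transcripts on this page.

```python
"""EHLO reply parser by the RFC 5321 section 4.1.1.1 grammar. Added example,
not code from the original post or from Exim; the sample replies are
constructed from the two exchanges quoted in the thread."""
import re

# Constructed from the thread: the failing reply (22 bytes, the size Exim
# logged) and the later healthy one from MTA-08.privateemail.com.
FAILING_REPLY = b"250-STARTTLS\r\n250 OK\r\n"
HEALTHY_REPLY = (b"250-MTA-08.privateemail.com\r\n250-PIPELINING\r\n"
                 b"250-SIZE 81788928\r\n250-ETRN\r\n250-STARTTLS\r\n"
                 b"250-AUTH PLAIN LOGIN\r\n250-ENHANCEDSTATUSCODES\r\n"
                 b"250-8BITMIME\r\n250 DSN\r\n")

def parse_ehlo(reply: bytes):
    """Return (domain, {KEYWORD: params}) for a 250 reply to EHLO.

    The first line carries the server's domain plus an optional greeting;
    every later line is one extension keyword with optional parameters.
    '250-' means more lines follow and '250 ' marks the last line, which is
    still an extension line, so '250 DSN' and '250 OK' both yield keywords.
    """
    lines = reply.decode("ascii", "replace").splitlines()
    if not lines:
        raise ValueError("empty reply")
    domain, extensions = None, {}
    for i, line in enumerate(lines):
        m = re.match(r"^250([ -])(.*)$", line)
        if not m:
            raise ValueError("malformed reply line: %r" % line)
        sep, text = m.groups()
        if (sep == " ") != (i == len(lines) - 1):
            raise ValueError("continuation marker disagrees with line count")
        if i == 0:
            domain = text.split(" ", 1)[0]
            continue
        keyword, _, params = text.partition(" ")
        extensions[keyword.upper()] = params
    return domain, extensions

def starttls_offered(reply: bytes) -> bool:
    """Strict check: STARTTLS counts only as an extension line, never when
    it occupies the first (domain) line, as in FAILING_REPLY."""
    return "STARTTLS" in parse_ehlo(reply)[1]

def starttls_mentioned(reply: bytes) -> bool:
    """Loose check over every line, the view a tool like swaks gives."""
    return any(l[4:].upper().startswith("STARTTLS")
               for l in reply.decode("ascii", "replace").splitlines())
```

Running `starttls_offered` and `starttls_mentioned` on `FAILING_REPLY` gives False and True respectively, which is the same disagreement the thread observed between exim and swaks against that server.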

I'm happy to report the problem is fixed. The problem appears to have been with NameCheap's privateemail service. I went to work on this again today and after a dpkg-reconfigure exim4-config using the same settings as before, I am able to send outgoing mail through mail.privateemail.com:587. I didn't need to change any special options in the exim config. The SMTP conversation shows that the privateemail.com server is now responding normally to the SMTP connection. I assume an update by NameCheap resolved the issue.

SMTP>> EHLO efserver.hellonull.com
SMTP<< 250-MTA-08.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
SMTP>> AUTH PLAIN ********************************************
SMTP<< 235 2.7.0 Authentication successful
ecellingsworth