cannot use SMTP with TLS

framon

Verified User
Joined
Nov 14, 2010
Messages
12
Hi

I cannot use SMTP with TLS. When I use telnet to connect to Exim, it says that STARTTLS is available, but when using the openssl client I cannot get in and get this error:

18082:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:588:

Any idea?

--------------------------------------


# telnet localhost 587
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 xxxxxx.xx ESMTP Exim 4.72 Wed, 19 Jan 2011 15:37:52 +0100
ehlo testing
250-xxxxxx.xx Hello localhost [127.0.0.1]
250-SIZE 20971520
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
quit
221 xxxxxx.xx closing connection
Connection closed by foreign host.
# openssl s_client -starttls smtp -crlf -connect localhost:587
CONNECTED(00000003)
18082:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:588:
 

framon

Hi SCSI

You sure?
On my other DA server it works...

----------------------

$ openssl s_client -starttls smtp -crlf -connect localhost:587
CONNECTED(00000003)
depth=0 /C=GB/ST=Someprovince/L=Sometown/O=none/OU=none/CN=localhost/emailAddress=webaster@localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=GB/ST=Someprovince/L=Sometown/O=none/OU=none/CN=localhost/emailAddress=webaster@localhost
verify return:1
---
Certificate chain
0 s:/C=GB/ST=Someprovince/L=Sometown/O=none/OU=none/CN=localhost/emailAddress=webaster@localhost
i:/C=GB/ST=Someprovince/L=Sometown/O=none/OU=none/CN=localhost/emailAddress=webaster@localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICkT.............
-----END CERTIFICATE-----
subject=/C=GB/ST=Someprovince/L=Sometown/O=none/OU=none/CN=localhost/emailAddress=webaster@localhost
issuer=/C=GB/ST=Someprovince/L=Sometown/O=none/OU=none/CN=localhost/emailAddress=webaster@localhost
---
No client certificate CA names sent
---
SSL handshake has read 1069 bytes and written 354 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 187C6DA7B25B17F930....
Session-ID-ctx:
Master-Key: 945E9C3D7743606FD1.....
Key-Arg : None
Krb5 Principal: None
Start Time: 1295452080
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
250 HELP
 

scsi

Verified User
Joined
Aug 19, 2008
Messages
4,695
Check your /etc/exim.conf maybe you have different ones.

The first 10 lines should tell you what version you have.
 

framon

I recently used ELS; I can remember if I set enforce SSL v3 to yes.

How can I check if it is an SSL version problem?
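
One way to check where the STARTTLS exchange stops, as an added example that is not part of the thread: it replays the dialogue openssl s_client performs and separates "STARTTLS not advertised", "STARTTLS refused in plain SMTP" and "handshake failed". The names `read_reply` and `probe_starttls` are assumptions of this example; host and port are the ones used above.

```python
import socket
import ssl

def read_reply(f):
    """Read one SMTP reply (possibly multi-line); return (code, text_lines)."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line[4:])
        if line[3:4] != "-":              # "250-" continues, "250 " ends the reply
            return int(line[:3]), lines

def probe_starttls(sock, server_name="localhost", context=None):
    """Walk the STARTTLS dialogue on a connected socket; report where it stops."""
    f = sock.makefile("rb", buffering=0)  # unbuffered: never read past a reply
    read_reply(f)                         # 220 greeting
    sock.sendall(b"EHLO testing\r\n")
    _, features = read_reply(f)
    if "STARTTLS" not in (x.upper() for x in features):
        return ("not_advertised", features)
    sock.sendall(b"STARTTLS\r\n")
    code, text = read_reply(f)
    if code != 220:
        # Plain-SMTP refusal. A client that starts the handshake anyway would
        # try to parse this text as a TLS record.
        return ("refused", f"{code} {' '.join(text)}")
    # Default context verifies the certificate, so a self-signed certificate is
    # reported as a handshake failure with the verification error as the reason.
    ctx = context or ssl.create_default_context()
    try:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return ("tls_ok", tls.version())
    except OSError as exc:                # ssl.SSLError is a subclass of OSError
        return ("handshake_failed", str(exc))

if __name__ == "__main__":
    # Host and port are the ones used in the thread.
    with socket.create_connection(("localhost", 587), timeout=10) as s:
        print(probe_starttls(s))
```

To test one protocol version at a time, pass a `context` whose `minimum_version` and `maximum_version` are both set to the version under test.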
 

framon

> Check your /etc/exim.conf maybe you have different ones.
>
> The first 10 lines should tell you what version you have.

You're right, I've different versions; the strange thing is that the one that is not working explicitly mentions OpenSSL when I try to test the exim.conf.

The working -------------------------------------

# /usr/sbin/exim -C /etc/exim.conf -bV
Exim version 4.67 #1 built 22-Apr-2007 19:51:05
Copyright (c) University of Cambridge 2006
Berkeley DB: Sleepycat Software: Berkeley DB 4.3.29: (January 7, 2007)
Support for: crypteq iconv() Perl OpenSSL move_frozen_messages Content_Scanning Old_Demime
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz
Authenticators: cram_md5 plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Size of off_t: 8



The not working ---------------------------------

# exim -C /etc/exim.conf -bV
Exim version 4.72 #1 built 13-Dec-2010 01:25:49
Copyright (c) University of Cambridge, 1995 - 2007
Berkeley DB: Sleepycat Software: Berkeley DB 4.3.29: (January 7, 2007)
Support for: crypteq Perl OpenSSL move_frozen_messages Content_Scanning DKIM Old_Demime
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Size of off_t: 4
OpenSSL compile-time version: OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
OpenSSL runtime version: OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
Configuration file is /etc/exim.conf
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
While I definitely suggest my newest SpamBlocker configuration (more information here [nobaloney.net]), it appears you've got two copies of exim running. That's what you've got to find and fix.
Code:
# whereis exim
Jeff
 

scsi

I thought he was comparing how 2 different servers were, not 2 exims on the same box.
 

nobaloney

It's very reasonable you're right. But in case you aren't, I thought I'd add my post.

Thanks, scsi.

Jeff
 