exim sending mail -> "Connection timed out"

[sparek]

Grasping at straws here... Hard to diagnose something that I can't put my hands on.

You haven't by chance changed the default port that your remote_smtp router connects to?

cat /etc/exim.conf | grep -A10 "^remote_smtp:"

Or in any of the other exim include files?

grep -r "port.*=" /etc/exim* | grep -v transport | grep -v daemon_smtp_ports | grep -v tls_on_connect_ports | grep -v interface_port

I might encourage you to change the log_selector in your /etc/exim.conf to +all

perl -i -pe 'BEGIN{undef $/;} s/log_selector.*arguments/log_selector = +all/smg' /etc/exim.conf

and restart exim

systemctl restart exim

Although I kind of doubt that's going to provide any further insights.

 

[sistemio]

Thankyou sparek no ports changed, no other included files.

I have sent a support ticket. Waiting for response.

Any idea will be welcome.

thanks

 

[sistemio]

I have also this error in the exim log trying to send

2023-04-19 21:31:05 [email protected] R=lookuphost T=remote_smtp defer (-54): retry time not reached for any host for 'gmail.com'

 

[sparek]

Try clearing out your Exim connection databases:

rm -f /var/spool/exim/db/*

That will force Exim to attempt another retry for gmail.com

I'd love to know what the solution is to all of this if you ever get it fixed. I'd like to know what I'm not thinking of.

This isn't by chance an openssl issue?

openssl s_client -connect 74.125.200.27:25 -starttls smtp

Do you get a

250 SMTPUTF8

response?

 

[sistemio]

I'd love to know what the solution is to all of this if you ever get it fixed. I'd like to know what I'm not thinking of.

of course, I will write the solution as soon as I have it

[root@urano ~]# openssl s_client -connect 74.125.200.27:25 -starttls smtp
CONNECTED(00000003)
depth=3 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = mx.google.com
verify return:1
---
Certificate chain
0 s:/CN=mx.google.com
i:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
1 s:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
i:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
2 s:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIG9jCCBd6gAwIBAgIRANfFHu387TX7EpX4vdn0muEwDQYJKoZIhvcNAQELBQAw
RjELMAkGA1UEBhMCVVMxIjAgBgNVBAoTGUdvb2dsZSBUcnVzdCBTZXJ2aWNlcyBM
TEMxEzARBgNVBAMTCkdUUyBDQSAxQzMwHhcNMjMwMzI4MTY1NDMzWhcNMjMwNjIw
MTY1NDMyWjAYMRYwFAYDVQQDEw1teC5nb29nbGUuY29tMFkwEwYHKoZIzj0CAQYI
KoZIzj0DAQcDQgAE8xFT7rYwaDk5a1JNfRZInYoeB4GGolklqo+B/u1IqUt8w1Z6
AuYbDoF/EITm5o56SNG3GAc7NJjYGYVbxh+XHKOCBNYwggTSMA4GA1UdDwEB/wQE
AwIHgDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMB0GA1UdDgQW
BBQz3ZM2ebFQIQwg5t8r0o84fjp/oDAfBgNVHSMEGDAWgBSKdH+vhc3ulc09nNDi
RhTzcTUdJzBqBggrBgEFBQcBAQReMFwwJwYIKwYBBQUHMAGGG2h0dHA6Ly9vY3Nw
LnBraS5nb29nL2d0czFjMzAxBggrBgEFBQcwAoYlaHR0cDovL3BraS5nb29nL3Jl
cG8vY2VydHMvZ3RzMWMzLmRlcjCCAoYGA1UdEQSCAn0wggJ5gg1teC5nb29nbGUu
Y29tgg9zbXRwLmdvb2dsZS5jb22CEmFzcG14LmwuZ29vZ2xlLmNvbYIXYWx0MS5h
c3BteC5sLmdvb2dsZS5jb22CF2FsdDIuYXNwbXgubC5nb29nbGUuY29tghdhbHQz
LmFzcG14LmwuZ29vZ2xlLmNvbYIXYWx0NC5hc3BteC5sLmdvb2dsZS5jb22CGmdt
YWlsLXNtdHAtaW4ubC5nb29nbGUuY29tgh9hbHQxLmdtYWlsLXNtdHAtaW4ubC5n
b29nbGUuY29tgh9hbHQyLmdtYWlsLXNtdHAtaW4ubC5nb29nbGUuY29tgh9hbHQz
LmdtYWlsLXNtdHAtaW4ubC5nb29nbGUuY29tgh9hbHQ0LmdtYWlsLXNtdHAtaW4u
bC5nb29nbGUuY29tghhnbXItc210cC1pbi5sLmdvb2dsZS5jb22CHWFsdDEuZ21y
LXNtdHAtaW4ubC5nb29nbGUuY29tgh1hbHQyLmdtci1zbXRwLWluLmwuZ29vZ2xl
LmNvbYIdYWx0My5nbXItc210cC1pbi5sLmdvb2dsZS5jb22CHWFsdDQuZ21yLXNt
dHAtaW4ubC5nb29nbGUuY29tgg1teDEuc210cC5nb29ngg1teDIuc210cC5nb29n
gg1teDMuc210cC5nb29ngg1teDQuc210cC5nb29nghVhc3BteDIuZ29vZ2xlbWFp
bC5jb22CFWFzcG14My5nb29nbGVtYWlsLmNvbYIVYXNwbXg0Lmdvb2dsZW1haWwu
Y29tghVhc3BteDUuZ29vZ2xlbWFpbC5jb22CEWdtci1teC5nb29nbGUuY29tMCEG
A1UdIAQaMBgwCAYGZ4EMAQIBMAwGCisGAQQB1nkCBQMwPAYDVR0fBDUwMzAxoC+g
LYYraHR0cDovL2NybHMucGtpLmdvb2cvZ3RzMWMzL21vVkRmSVNpYTJrLmNybDCC
AQQGCisGAQQB1nkCBAIEgfUEgfIA8AB2ALNzdwfhhFD4Y4bWBancEQlKeS2xZwwL
h9zwAw55NqWaAAABhylbfeUAAAQDAEcwRQIhALL0Z1D85UdUPuhAaNO2e9eqcI7V
iYnxOSXIn674Y64bAiAC6P5ApTleL5KHQXd1xDhPxt+vaiaTcO1O4r0DT1N0OwB2
AOg+0No+9QY1MudXKLyJa8kD08vREWvs62nhd31tBr1uAAABhylbfacAAAQDAEcw
RQIhAPfs1hLRzl1g6nwMy/x6mZ/kGa5/9AWn3RoOQclESBdDAiBqfKL9eNvawPFe
q/MD3TJpBs55PuotmHVGt16ZCX7WAzANBgkqhkiG9w0BAQsFAAOCAQEAZoyPoT6C
9U6uaTDsktJNETeF+FY7D3IFY1KEGIoJDWs5WMCGruVlhtD7/A3R9g7kTeseVJif
p/1BCqmFxd4MqZ9qcry2QnT4EtwBHNDddK4wFp0JGwLRsv7s5QAi2Tn/ZRoBhJa1
D7YEbU8GWjDUFFEd+8EAqir3vi08gAgMMRWhU2UdFKWTt2MPYCpT1VG6khmwfaj4
yycLj1Xh/XNb5s9ZsW67N/7x94dsSG7Uf/8BDoLvUtXBxP64anlF9/0u8TPpu57E
EF/PV9Hn0h10zmggvlORLovdcOFQXm5+3ndR1DiNak52qcSu/HQmtVpUgchNeTiE
5BAIGD2nVOBmBQ==
-----END CERTIFICATE-----
subject=/CN=mx.google.com
issuer=/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5423 bytes and written 450 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES128-GCM-SHA256
Session-ID: D2990B69ACB937A73C23FD63E015790DAC0A0A82EDD9C2EFF0E372BD17A340CB
Session-ID-ctx:
Master-Key: B8FFCBD589CCFA6EF5A6DADB73370D8E66E021F240C160A0B0E9A233FBE9DAB8B218EE48EE55825B0DD82F9E54E83C2E
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
0000 - 02 70 40 32 c1 65 68 0c-82 69 70 62 14 a1 27 60 [email protected]..ipb..'`
0010 - e3 bd 6f a5 9a fb dd 66-6e 33 bb a6 f5 53 56 4e ..o....fn3...SVN
0020 - a9 a4 9d c1 37 90 75 16-48 87 c8 e8 b9 96 ca 2e ....7.u.H.......
0030 - b5 ad 19 9d 20 ba b4 02-e1 d8 76 0f 3a 51 bc e7 .... .....v.:Q..
0040 - 4b 4c 32 8d d9 5a 81 b9-10 95 16 7c 88 6d 41 08 KL2..Z.....|.mA.
0050 - b3 cf 13 c9 6f 8c dd b4-83 c1 7e 8e d1 09 2f 56 ....o.....~.../V
0060 - 8a 95 91 58 e6 08 82 b8-f9 cf 6b b6 d3 13 3d 86 ...X......k...=.
0070 - 87 24 f9 5b 45 79 61 f6-69 9f b6 e4 67 20 73 68 .$.[Eya.i...g sh
0080 - 12 65 07 cf 72 55 b9 d1-38 fc 1a 04 ab 26 9a d4 .e..rU..8....&..
0090 - 12 68 0e 03 3b fc 5c d6-b6 a1 88 0d 52 48 07 6a .h..;.\.....RH.j
00a0 - 71 cf c7 1c 0c d4 7c ad-9c 65 f9 37 7f 04 ff 18 q.....|..e.7....
00b0 - 93 21 31 3a af 48 25 46-79 68 bf b3 92 90 c6 90 .!1:.H%Fyh......
00c0 - c6 9e 1f 3b cd 2c 66 58-ac 8f 30 1f d3 8e 34 3a ...;.,fX..0...4:
00d0 - ef 49 63 7b 82 53 49 4e-ea a1 c0 ef 50 9e 31 49 .Ic{.SIN....P.1I

Start Time: 1681937273
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
250 SMTPUTF8

 

[sistemio]

rm -f /var/spool/exim/db/*

didn't work

That will force Exim to attempt another retry for gmail.com

the problem is with all not only gmail. The queue it's getting huge

 

[sparek]

What distribution are you using?

cat /etc/os-release

What kernel version are you running on?

uname -r

By chance does disabling TCP Window Resizing fix anything?

sysctl net.ipv4.tcp_window_scaling=0

Probably don't want to leave that disabled, to re-enable after you've verified if it fixes or doesn't fix the issue

sysctl net.ipv4.tcp_window_scaling=1

 

[sistemio]

[root@urano ~]# cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

[root@urano ~]# uname -r
4.15.17-2-pve

 

[sparek]

Hmm, that would appear to be a non-standard kernel.

Did you recently update the kernel?

There was discussion about a similar issue with Debian last year, looks like that was the 5.17 kernel.

Google's TCP Fast Open Broken with Exim... - chromosphere

The Issue… After performing an update to a server I maintain (moving from Debian 10 (Buster) to Debian 11 (Bullseye), the installed version of Exim moved from 4.92.x to 4.94.2. Along with noted changes needed to ensure that the config didn’t fall foul of the restrictions around taints, I started...

www.chromosphere.co.uk

linux 5.17.1 disregarding ACK values resulting in stalled TCP connections - Jaco

I suppose it's possible this 4.15.17-2-pve kernel that you are using may have included some of that in the kernel. I just don't know where this 4.15.17-2-pve kernel came from.

Is there a particular reason why you aren't using the stock CentOS 7 kernel?

 

[sistemio]

it is a VM with LXC on proxmox. I have other LXCs running the same kernel version and working perfectly.

 

[sistemio]

Poralix SOLVED the problem in my server:

the problem was that I have in eht0 an old ip without route and exim was using this instead of eth1

 

[Richard G]

Still odd that it looked like Exim was running as root and as mail.
But good to see it's fixed now.

Thank you for sharing the solution!