Exim SSL error receiving emails from booking.com

mrdave

Verified User
Joined
Nov 23, 2011
Messages
13
I'm experiencing a problem on all my servers: mail sent from booking.com gives an error from Exim:

2023-03-27 15:11:52 TLS error on connection from mailout-201-r6.booking.com [37.10.30.20] (SSL_accept): ret 5

Mail sent from any other source works normally, only booking.com mailservers give this error. Tried with "intermediate" and "old" values for ssl_configuration in custombuild.

Servers are CentOS 7 boxes.
 

hi ;)

Try it:

Add:
Code:
openssl_options=+no_sslv2 +no_sslv3
tls_require_ciphers=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

In:
Code:
/etc/exim.variables.conf.custom

And run:
Code:
./build update
./build exim_conf
 
Tried with "intermediate" and "old" values for ssl_configuration in custombuild.
Did you rebuild exim and exim.conf after making these changes? Probably also dovecot and dovecot.conf?

Solution above might work, but one would expect booking.com to use a decent mailserver.
 
Seems you're not the only one.

Here's another one, exactly the same issue, did not have any problem with booking before:

So it's probably an issue on booking's side.
 
Yes, I already found that topic and there were no solutions there either, however the problem does not happen with Postfix or other mailservers...
 
What is the output of

cat /etc/exim.variables.conf | egrep "^openssl_options|^tls_require_ciphers"

on your server?
 
openssl_options=+no_sslv2 +no_sslv3
tls_require_ciphers=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
 
Did you restart Exim after making these changes?

systemctl restart exim

I kind of figure rebuilding the exim confs will do this.
 
I have another server, not using DirectAdmin, that successfully accepted a message from 37.10.30.20.

That message used the ECDHE-RSA-AES256-GCM-SHA384 cipher with TLSv1.2.

Which you also have in your require cipher list.

You might try adding +cipher_server_preference to your openssl_options in /etc/exim.variables.conf.custom:

openssl_options = +no_sslv2 +no_sslv3 +cipher_server_preference

This will force connecting clients to negotiate a TLS cipher based on the order you have listed in tls_require_ciphers.

Rewrite the exim confs after doing this

/usr/local/directadmin/custombuild/build exim_conf
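Two offline checks that belong with the advice above, as an added example (this is not code from the thread, from DirectAdmin or from Exim). First, it parses `TLS error on connection ... (SSL_accept): ret N` lines out of an Exim mainlog and counts them per sending host, decoding `ret N` with OpenSSL's SSL_get_error() codes: 5 is SSL_ERROR_SYSCALL, a socket-level failure that on the accepting side usually means the client closed the connection during the handshake, whereas a cipher or protocol mismatch that the client rejects with a TLS alert shows up as SSL_ERROR_SSL (1). Second, it takes a tls_require_ciphers string in the form the egrep check earlier in the thread reads from /etc/exim.variables.conf and reports which of those names the local OpenSSL actually offers, so a typo or a suite dropped from the local OpenSSL build is visible before the next `./build exim_conf`. The sample log lines are constructed and modelled on the one quoted in the thread; the second host and its 192.0.2.x address are placeholders, and the cipher list is the "old" one posted above.

```python
"""Offline diagnostics for Exim's "TLS error on connection ... (SSL_accept): ret N".

Added example, not code from the thread, DirectAdmin or Exim. Two checks:
  1. parse the TLS-error lines out of an Exim mainlog and count them per sending
     host, decoding "ret N" with OpenSSL's SSL_get_error() codes;
  2. split a tls_require_ciphers string (the format the egrep check reads from
     /etc/exim.variables.conf) and report which names the local OpenSSL offers.
"""
import re
import ssl
from collections import Counter

# OpenSSL SSL_get_error() return values (openssl/ssl.h). Exim prints the value
# as "ret N" when SSL_accept fails and OpenSSL's error queue holds no detail.
SSL_GET_ERROR_CODES = {
    0: "SSL_ERROR_NONE",
    1: "SSL_ERROR_SSL",             # protocol failure, e.g. peer sent a TLS alert
    2: "SSL_ERROR_WANT_READ",
    3: "SSL_ERROR_WANT_WRITE",
    4: "SSL_ERROR_WANT_X509_LOOKUP",
    5: "SSL_ERROR_SYSCALL",         # socket-level failure, typically peer closed mid-handshake
    6: "SSL_ERROR_ZERO_RETURN",
    7: "SSL_ERROR_WANT_CONNECT",
    8: "SSL_ERROR_WANT_ACCEPT",
}

# Exim mainlog shape: "<date> <time> TLS error on connection from <host> [<ip>] (<func>): ret <n>"
TLS_ERROR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) TLS error on connection from "
    r"(?P<host>\S+) \[(?P<ip>[^\]]+)\] \((?P<func>[^)]+)\): ret (?P<ret>\d+)\s*$"
)


def parse_tls_error(line):
    """Return the parsed fields of one Exim TLS-error line, or None for any other line."""
    m = TLS_ERROR_RE.match(line.strip())
    if not m:
        return None
    ret = int(m.group("ret"))
    return {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "ip": m.group("ip"),
        "func": m.group("func"),
        "ret": ret,
        "ret_name": SSL_GET_ERROR_CODES.get(ret, "unknown"),
    }


def summarize(lines):
    """Count handshake failures per (host, decoded error) so a single sender stands out."""
    counts = Counter()
    for line in lines:
        rec = parse_tls_error(line)
        if rec is not None:
            counts[(rec["host"], rec["ret_name"])] += 1
    return counts


def check_cipher_list(tls_require_ciphers):
    """Return (offered, missing): the names from an Exim tls_require_ciphers string
    that the local OpenSSL does / does not offer. '!'-prefixed exclusions are passed
    to OpenSSL but not reported. Raises ssl.SSLError if nothing usable remains."""
    wanted = [c for c in tls_require_ciphers.split(":") if c and not c.startswith("!")]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(tls_require_ciphers)
    offered_names = {c["name"] for c in ctx.get_ciphers()}
    offered = [c for c in wanted if c in offered_names]
    missing = [c for c in wanted if c not in offered_names]
    return offered, missing


# Constructed sample log lines, modelled on the entry quoted in the thread; the
# second host and its 192.0.2.x address are placeholders, not real senders.
SAMPLE_LOG = [
    "2023-03-27 15:11:52 TLS error on connection from mailout-201-r6.booking.com [37.10.30.20] (SSL_accept): ret 5",
    "2023-03-27 15:11:53 <= sender@example.invalid H=mx.example.invalid [192.0.2.10] P=esmtps ...",
    "2023-03-27 15:14:07 TLS error on connection from mailout-201-r6.booking.com [37.10.30.20] (SSL_accept): ret 5",
    "2023-03-27 15:20:31 TLS error on connection from mx.example.invalid [192.0.2.10] (SSL_accept): ret 1",
]

# The "old" tls_require_ciphers value quoted in the thread.
OLD_CIPHER_LIST = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:"
    "AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
)

if __name__ == "__main__":
    for (host, err), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {host:32s} {err}")
    offered, missing = check_cipher_list(OLD_CIPHER_LIST)
    print("offered by local OpenSSL:", ", ".join(offered))
    print("not offered (typo or removed from this OpenSSL build):", ", ".join(missing) or "none")
```

Run it against the real mainlog by feeding `open("/var/log/exim/mainlog")` to `summarize()`; a sender that only ever produces SSL_ERROR_SYSCALL is disconnecting before the handshake completes, which is different evidence from a sender whose failures decode to SSL_ERROR_SSL. The `missing` list from `check_cipher_list()` depends on the OpenSSL build the server's Python links against, so run it on the mail server itself rather than on a workstation.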
 
That was the initial configuration using 'intermediate' ssl config on custombuild:

openssl_options = +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1 +cipher_server_preference
tls_require_ciphers = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256

The cipher is there, and if the connection is TLSV1.2 it should be allowed, but it gets the ret: 5 error.....
 
No need to change anything related to default SSL configuration.
The cases that we had related to this error were simply related to hostname not having a valid certificate.
After following this one:

The problem with the '(SSL_accept): ret 5' automagically vanished away.
 
My server hostname has a valid certificate installed but the error is still there.
 