exim ssl sni not working, not accepting main mail accounts

Blieb (Verified User, joined Jan 19, 2022, 17 messages)
Hi,

I set up a new server a few weeks ago on Debian 11. Now that I've moved some websites to it, I see that exim does not work correctly.

The first problem I see is that SSL only works with the main server name. It does not accept other domains, which it should, because SNI is enabled. Other SSL certs are not accepted, only the main one:

openssl s_client -quiet -connect mail.domain.com:465 -servername mail.domain.com
139863484908864:error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:../ssl/record/rec_layer_s3.c:1543:SSL alert number 112

The exim log shows:
2022-04-02 23:43:35 TLS error on connection from myhostname [myip] (SSL_accept): error:20074002:BIO routines:file_ctrl:system lib

On IMAP it looks like it works:
openssl s_client -quiet -connect mail.domain.com:993 -servername mail.domain.com
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = domain.com
verify return:1
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] Dovecot DA ready.

The second issue I have is that I cannot send mail via the default mail account. When I just use the account name as the username for SMTP with the correct password, it says that my username/password is incorrect. Again, it accepts it via IMAP.

What can cause these issues?
The exim version is 4.95.

I already tried to upgrade exim and the exim config, but no difference.
 
I cannot send mail via the default mail account.
Again, it accepts it via IMAP.
Please explain what you mean by default mail account. What do you think is the difference between a default mail account and IMAP? IMAP is just a system like POP3 to handle mail, it's not an account. So this confuses me as to what you mean by "default mail account".

Check your exim.conf and verify that it's version #4.5.37 and exim.pl is version #31.

What version of openssl are you running? Because "tlsv1 unrecognized name" often points to an older version of openssl.
Which version of DA are you running?

Did you check on this site if all is well?
 

When you create a new account in DirectAdmin, for example mydomain.nl with user mydomain, it creates a default mail account [email protected] with login "mydomain" (same as the FTP/DirectAdmin login), but that account is not accepted via SMTP.
So I can receive mail for that user via IMAP, but can't send mail via SMTP.

exim.conf: SpamBlockerTechnology* powered exim.conf, Version 4.5.37
exim.pl: #VERSION=31
openssl version: OpenSSL 1.1.1k 25 Mar 2021
DirectAdmin version: 1.63.8

SSL Labs shows rating A for the domain, but that only checks HTTPS?


Edit:

When I test SMTP with ssl-tools.net it gives the same error (112).
 
but that account is not accepted via smtp.
Yes you can, but that is a bit of a thing, because normally you have to use the full e-mail address for that account. For the default account that is only the username before the @, so if it's [email protected] you have to use just "user" as the login name and not [email protected] like normal.
That is also stated clearly in the docs:

This can easily be changed by changing an option, which makes it the same way to be used as a virtual email account, so with the complete email address as username, but I can't find it that quickly.

If you test with https://ssl-tools.net/mailservers you don't test SMTP; you just enter the domain name there, nothing else.
The @ is already shown.

However, if you're afraid to give your domain name here, you can send me a pm if you want. Maybe I can find some cause.
It seems you're Dutch, so in pm we can also speak Nederlands if you want, I'm Dutch too.
 
I see that thanks to this SNI issue, I'm unable to receive mail from Google/Gmail.

2022-04-15 15:58:38 TLS error on connection from mail-lf1-f47.google.com [209.85.167.47] (SSL_accept): error:20074002:BIO routines:file_ctrl:system lib
2022-04-15 15:58:55 TLS error on connection from mail-ej1-f45.google.com [209.85.218.45] (SSL_accept): error:20074002:BIO routines:file_ctrl:system lib

I've searched this forum, and I only find old issues that were already fixed in 2019. So does somebody have an idea how to debug this issue? :)
 
Looks like Exim does not have access to the certificates. DirectAdmin gives permission flags 640; then it fails. When I set it to 644 it works fine.

I see Exim is running as user "mail". Does this user need to be a member of the group "access"?
 
OK, I think I've fixed the SNI issue now.

Checking /etc/groups on my new server I see:
access:x:1002:daemon,nobody,majordomo,apache

Checking another server that I installed a year ago:

access:x:1004:apache,nobody,mail,majordomo,daemon,ftp

So groups mail and ftp are missing in the access group. So I've added them both manually:

/usr/sbin/usermod -a -G access mail
/usr/sbin/usermod -a -G access ftp

Now everything works fine. Is this a bug? (Maybe in combination with the newest Debian release?)
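The permission problem worked out above (Exim running as "mail", certificates at mode 640 owned by a user in group "access") can be checked without trial and error. The script below is an added example, not code from the thread, Exim or DirectAdmin; it assumes "diradmin" as the file owner and "access" as the file group, and the live helper assumes GNU stat and id.

```shell
#!/bin/sh
# Added example, not code from the thread, Exim or DirectAdmin. It models the
# permission problem found in the thread: Exim runs as user "mail", while the
# certificate files are mode 640 and owned by an account in group "access".
# Assumed names: "diradmin" as file owner, "access" as file group.

# can_read USER "GROUP ..." FILE_OWNER FILE_GROUP OCTAL_MODE
# Applies the usual Unix rule: owner bits if USER owns the file, else group
# bits if USER is in FILE_GROUP, else the "other" bits. Prints yes/no.
can_read() {
    user=$1 grps=$2 f_owner=$3 f_group=$4 mode=$5
    m=${mode#"${mode%???}"}          # last three octal digits (drops setuid/setgid/sticky)
    o=$(printf '%s' "$m" | cut -c1)  # owner digit
    g=$(printf '%s' "$m" | cut -c2)  # group digit
    w=$(printf '%s' "$m" | cut -c3)  # other digit
    in_group=no
    for grp in $grps; do
        [ "$grp" = "$f_group" ] && in_group=yes
    done
    if [ "$user" = "$f_owner" ]; then bit=$o
    elif [ "$in_group" = yes ]; then bit=$g
    else bit=$w
    fi
    # The read permission bit is set when the octal digit includes 4.
    if [ "$bit" -ge 4 ]; then ok=yes; else ok=no; fi
    printf '%s\n' "$ok"
    [ "$ok" = yes ]
}

# Live check on a real host: check_cert_access USER FILE (assumes GNU stat/id).
# Every directory on the path must also be searchable by USER; not modelled here.
check_cert_access() {
    info=$(stat -c '%U %G %a' "$2") || return 2
    set -- "$1" $info
    can_read "$1" "$(id -Gn "$1")" "$2" "$3" "$4"
}

# Demo with the thread's scenario (prints "no", then "yes"):
can_read mail "mail" diradmin access 640 || true   # before: mail not in "access" -> no
can_read mail "mail access" diradmin access 640    # after usermod -a -G access mail -> yes
```

Run `check_cert_access mail /path/to/cert.pem` on the server to test the actual file; "no" means the SSL_accept failure from the log is expected until the group membership or mode is fixed.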
 
Great you found the solution.
However, it's very odd that this mail user wasn't present in the access group, as it should be by default. These are the members of the access group, and mail is amongst them.

Code:
access:x:1003:apache,nobody,mail,majordomo,daemon,ftp,nginx

So it might indeed be a bug, or some other reason why this suddenly disappeared or was not entered in the first place.

Good find! (y)
 