I have two DirectAdmin (DA) 1.33.7 boxes. My mail client is able to send mail to one machine over SSL SMTP but not to the other, and it's really baffling me.
The config for the working machine looks like this:
Code:
[root@app1 /etc]# grep tls /etc/exim.conf
tls_certificate = /etc/exim.cert
tls_privatekey = /etc/exim.key
tls_require_ciphers = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
tls_advertise_hosts = *
#auth_over_tls_hosts = *
[root@app1 /etc]# ls -al /etc/exim.cert
-rwxr-xr-x 1 root wheel 952 May 28 20:45 /etc/exim.cert
[root@app1 /etc]# ls -al /etc/exim.key
-rwxr-xr-x 1 root wheel 891 May 28 20:45 /etc/exim.key
[root@app1 /etc]#
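Config for the non-working machine is functionally identical, right down to the certificates, which I copied from the working machine to the non-working machine in an attempt to resolve the issue. The only differences visible in the listings are the extra commented-out options and the file ownership (exim.key is owned by mail:mail here rather than root:wheel); on both machines the private key is world-readable (mode 755).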
Code:
[root@hosting1 etc]# grep tls /etc/exim.conf
tls_certificate = /etc/exim.cert
tls_privatekey = /etc/exim.key
tls_require_ciphers = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
tls_advertise_hosts = *
#auth_over_tls_hosts = *
#auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
#tls_on_connect_ports = 587
#tls_try_verify_hosts = *
#tls_verify_certificates = /etc
[root@hosting1 etc]# ls -al /etc/exim.key
-rwxr-xr-x 1 mail mail 891 Sep 27 23:28 /etc/exim.key
[root@hosting1 etc]# ls -al /etc/exim.cert
-rwxr-xr-x 1 root root 952 Sep 27 23:28 /etc/exim.cert
[root@hosting1 etc]#
Before I copied the certificates over from the working machine, I also tried to rebuild the certificates as per http://help.directadmin.com/item.php?id=245 to no avail.
exim -d output below. Any ideas?
Code:
14430 Connection request from 192.168.100.191 port 60827
14430 search_tidyup called
14487 sender_fullhost = [192.168.100.191]
14487 sender_rcvhost = [192.168.100.191]
14487 Process 14487 is handling incoming connection from [192.168.100.191]
14487 checking for IP options
14487 no IP options found
14487 host in host_lookup? yes (matched "*")
14487 looking up host name for 192.168.100.191
14430 1 SMTP accept process running
14430 Listening...
14487 DNS lookup of 191.100.168.192.in-addr.arpa (PTR) succeeded
14487 IP address lookup yielded blackbox.office.foo.ca
14487 gethostbyname looked up these IP addresses:
14487 name=blackbox.office.foo.ca address=192.168.100.191
14487 checking addresses for blackbox.office.foo.ca
14487 192.168.100.191 OK
14487 sender_fullhost = blackbox.office.foo.ca [192.168.100.191]
14487 sender_rcvhost = blackbox.office.foo.ca ([192.168.100.191])
14487 set_process_info: 14487 handling incoming connection from blackbox.office.foo.ca [192.168.100.191]
14487 host in host_reject_connection? no (option unset)
14487 host in sender_unqualified_hosts? no (option unset)
14487 host in recipient_unqualified_hosts? no (option unset)
14487 host in helo_verify_hosts? no (option unset)
14487 host in helo_try_verify_hosts? no (option unset)
14487 host in helo_accept_junk_hosts? no (option unset)
14487 SMTP>> 220 hosting1.foohosts.ca ESMTP Exim 4.67 Sun, 27 Sep 2009 23:31:15 -0400
14487 Process 14487 is ready for new message
14487 smtp_setup_msg entered
14487 SMTP<< EHLO blackbox.office.foo.ca
14487 sender_fullhost = blackbox.office.foo.ca [192.168.100.191]
14487 sender_rcvhost = blackbox.office.foo.ca ([192.168.100.191])
14487 set_process_info: 14487 handling incoming connection from blackbox.office.foo.ca [192.168.100.191]
14487 host in pipelining_advertise_hosts? yes (matched "*")
14487 host in auth_advertise_hosts? yes (matched "*")
14487 host in tls_advertise_hosts? yes (matched "*")
14487 SMTP>> 250-hosting1.foohosts.ca Hello blackbox.office.foo.ca [192.168.100.191]
14487 250-SIZE 20971520
14487 250-PIPELINING
14487 250-AUTH PLAIN LOGIN
14487 250-STARTTLS
14487 250 HELP
14487 SMTP<< STARTTLS
14487 tls_certificate file /etc/exim.cert
14487 tls_privatekey file /etc/exim.key
14487 Initialized TLS
14487 required ciphers: ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
14487 host in tls_verify_hosts? no (option unset)
14487 host in tls_try_verify_hosts? no (option unset)
14487 SMTP>> 220 TLS go ahead
14487 Calling SSL_accept
14487 SSL info: before/accept initialization
14487 SSL info: before/accept initialization
14487 SSL info: SSLv3 read client hello A
14487 SSL info: SSLv3 write server hello A
14487 SSL info: SSLv3 write certificate A
14487 SSL info: SSLv3 write server done A
14487 SSL info: SSLv3 flush data
14487 SSL info: SSLv3 read client certificate A
14487 LOG: MAIN
14487 TLS error on connection from blackbox.office.foo.ca [192.168.100.191] (SSL_accept): error:00000000:lib(0):func(0):reason(0)
14487 TLS failed to start
14487 LOG: smtp_connection MAIN
14487 SMTP connection from blackbox.office.foo.ca [192.168.100.191] closed by EOF
14487 search_tidyup called
14430 child 14487 ended: status=0x0
14430 0 SMTP accept processes now running
14430 Listening...
14430 Connection request from 192.168.100.191 port 60840
14430 search_tidyup called
14488 sender_fullhost = [192.168.100.191]
14488 sender_rcvhost = [192.168.100.191]
14488 Process 14488 is handling incoming connection from [192.168.100.191]
14488 checking for IP options
14488 no IP options found
14488 host in host_lookup? yes (matched "*")
14488 looking up host name for 192.168.100.191
14430 1 SMTP accept process running
14430 Listening...
14488 DNS lookup of 191.100.168.192.in-addr.arpa (PTR) succeeded
14488 IP address lookup yielded blackbox.office.foo.ca
14488 gethostbyname looked up these IP addresses:
14488 name=blackbox.office.foo.ca address=192.168.100.191
14488 checking addresses for blackbox.office.foo.ca
14488 192.168.100.191 OK
14488 sender_fullhost = blackbox.office.foo.ca [192.168.100.191]
14488 sender_rcvhost = blackbox.office.foo.ca ([192.168.100.191])
14488 set_process_info: 14488 handling incoming connection from blackbox.office.foo.ca [192.168.100.191]
14488 host in host_reject_connection? no (option unset)
14488 host in sender_unqualified_hosts? no (option unset)
14488 host in recipient_unqualified_hosts? no (option unset)
14488 host in helo_verify_hosts? no (option unset)
14488 host in helo_try_verify_hosts? no (option unset)
14488 host in helo_accept_junk_hosts? no (option unset)
14488 SMTP>> 220 hosting1.foohosts.ca ESMTP Exim 4.67 Sun, 27 Sep 2009 23:31:15 -0400
14488 Process 14488 is ready for new message
14488 smtp_setup_msg entered
14488 SMTP<< EHLO blackbox.office.foo.ca
14488 sender_fullhost = blackbox.office.foo.ca [192.168.100.191]
14488 sender_rcvhost = blackbox.office.foo.ca ([192.168.100.191])
14488 set_process_info: 14488 handling incoming connection from blackbox.office.foo.ca [192.168.100.191]
14488 host in pipelining_advertise_hosts? yes (matched "*")
14488 host in auth_advertise_hosts? yes (matched "*")
14488 host in tls_advertise_hosts? yes (matched "*")
14488 SMTP>> 250-hosting1.foohosts.ca Hello blackbox.office.foo.ca [192.168.100.191]
14488 250-SIZE 20971520
14488 250-PIPELINING
14488 250-AUTH PLAIN LOGIN
14488 250-STARTTLS
14488 250 HELP
14488 SMTP<< STARTTLS
14488 tls_certificate file /etc/exim.cert
14488 tls_privatekey file /etc/exim.key
14488 Initialized TLS
14488 required ciphers: ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
14488 host in tls_verify_hosts? no (option unset)
14488 host in tls_try_verify_hosts? no (option unset)
14488 SMTP>> 220 TLS go ahead
14488 Calling SSL_accept
14488 SSL info: before/accept initialization
14488 SSL info: before/accept initialization
14488 SSL info: SSLv3 read client hello A
14488 SSL info: SSLv3 write server hello A
14488 SSL info: SSLv3 write certificate A
14488 SSL info: SSLv3 write server done A
14488 SSL info: SSLv3 flush data
14488 SSL info: SSLv3 read client certificate A
14488 LOG: MAIN
14488 TLS error on connection from blackbox.office.foo.ca [192.168.100.191] (SSL_accept): error:00000000:lib(0):func(0):reason(0)
14488 TLS failed to start
14488 LOG: smtp_connection MAIN
14488 SMTP connection from blackbox.office.foo.ca [192.168.100.191] closed by EOF
14488 search_tidyup called
14430 child 14488 ended: status=0x0
14430 0 SMTP accept processes now running
14430 Listening...