Bug#674990: exim breaks (again?) with TLS packet with unexpected length

Andreas Metzler ametzler at downhill.at.eu.org
Thu May 31 18:42:25 UTC 2012


On 2012-05-31 Norbert Preining <preining at logic.at> wrote:
> On Do, 31 Mai 2012, Andreas Metzler wrote:
> > > Furthermore, in the main section I have added the 
> > > 	gnutls_compat_mode=true
> > 
> > This setting should also be on the transport. - I actually wanted to

> I think I tried that, and update-exim4.conf gave me an error...

You are right. The documentation is not correct in that respect,
gnutls_compat_mode=true is only accepted as a main configuration
option.
[...]

However, I have just installed exim4 4.77-1+b1 in my local sid chroot,
configured to use jaist.ac.jp::587 as smarthost. Of course I cannot
actually deliver, but can test connectivity.

Without hand-tuning I get this
~: echo foo | exim -f '<>' -d+all  xx at example.com
[...]
20:17:04  6076 150.65.19.12 in hosts_avoid_tls? no (option unset)
20:17:04  6076   SMTP>> STARTTLS
20:17:04  6076 waiting for data on socket
20:17:04  6076 read response data: size=14
20:17:04  6076   SMTP<< 220 Go ahead
20:17:04  6076 initializing GnuTLS as a client
20:17:04  6076 read D-H parameters from file
20:17:04  6076 initialized D-H parameters
20:17:04  6076 no TLS client certificate is specified
20:17:04  6076 initialized certificate stuff
20:17:04  6076 initialized GnuTLS session
20:17:05  6076 LOG: MAIN
20:17:05  6076   TLS error on connection to smtp.jaist.ac.jp [150.65.19.12] (gnutls_handshake): A TLS packet with unexpected length was received.
20:17:05  6076 ok=0 send_quit=0 send_rset=1 continue_more=0 yield=1 first_address is not NULL
[...]

I have now set gnutls_compat_mode=true as main option and
gnutls_require_protocols=TLS1.0:SSL3 on the remote_smtp_smarthost
transport (exactly as you did, except for using non-split config):

(SID)root at argenau:/# exim4 -bP transport remote_smtp_smarthost | grep gnutls_require_pro ;  exim4 -bP | grep gnutls_compat
gnutls_require_protocols = TLS1.0:SSL3
gnutls_compat_mode


Works for me. ;-O

~: echo foo | exim -f '<>' -d+all  xx at example.com
[...]
20:25:47  6862 150.65.19.12 in hosts_avoid_tls? no (option unset)
20:25:47  6862   SMTP>> STARTTLS
20:25:47  6862 waiting for data on socket
20:25:47  6862 read response data: size=14
20:25:47  6862   SMTP<< 220 Go ahead
20:25:47  6862 initializing GnuTLS as a client
20:25:47  6862 read D-H parameters from file
20:25:47  6862 initialized D-H parameters
20:25:47  6862 no TLS client certificate is specified
20:25:47  6862 initialized certificate stuff
20:25:47  6862 adjusted protocol priorities: 2 2 1
20:25:47  6862 lowering GnuTLS security, compatibility mode
20:25:47  6862 initialized GnuTLS session
20:25:48  6862 cipher: TLS1.0:RSA_AES_256_CBC_SHA1:32
20:25:48  6862   SMTP>> EHLO argenau
20:25:48  6862 tls_do_write(ff9a673b, 14)
20:25:48  6862 gnutls_record_send(SSL, ff9a673b, 14)
20:25:48  6862 outbytes=14
20:25:48  6862 waiting for data on socket
20:25:48  6862 Calling gnutls_record_recv(f8d58f40, ff9a473b, 4096)
20:25:48  6862 read response data: size=106
20:25:48  6862   SMTP<< 250-mailrelayi.jaist.ac.jp
20:25:48  6862          250-8BITMIME
20:25:48  6862          250-SIZE 104857600
20:25:48  6862          250-AUTH PLAIN LOGIN
20:25:48  6862          250 AUTH=PLAIN LOGIN

cu andreas
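The two debug traces above differ at exactly two points: the failing run dies inside gnutls_handshake, while the run with gnutls_compat_mode=true and gnutls_require_protocols=TLS1.0:SSL3 logs "lowering GnuTLS security, compatibility mode" and then negotiates TLS1.0. The following is an added example (not code from the bug report or from the exim4 package) that extracts those facts from exim -d+all output, so that a run can be checked mechanically: did STARTTLS happen, did the handshake fail and where, and if it succeeded, which protocol and cipher were negotiated and was the compatibility downgrade in effect. The sample log lines are constructed from the excerpts quoted in the message; the function and variable names are the example's own.

```python
import re

# Constructed sample input: lines modelled on the failing exim -d+all run
# quoted in the message (handshake error, no cipher line).
FAILED_RUN = """\
20:17:04  6076   SMTP>> STARTTLS
20:17:04  6076   SMTP<< 220 Go ahead
20:17:04  6076 initializing GnuTLS as a client
20:17:04  6076 initialized GnuTLS session
20:17:05  6076 LOG: MAIN
20:17:05  6076   TLS error on connection to smtp.jaist.ac.jp [150.65.19.12] (gnutls_handshake): A TLS packet with unexpected length was received.
"""

# Constructed sample input: lines modelled on the run with gnutls_compat_mode
# set and gnutls_require_protocols=TLS1.0:SSL3 on the transport.
WORKING_RUN = """\
20:25:47  6862   SMTP>> STARTTLS
20:25:47  6862   SMTP<< 220 Go ahead
20:25:47  6862 initializing GnuTLS as a client
20:25:47  6862 adjusted protocol priorities: 2 2 1
20:25:47  6862 lowering GnuTLS security, compatibility mode
20:25:47  6862 initialized GnuTLS session
20:25:48  6862 cipher: TLS1.0:RSA_AES_256_CBC_SHA1:32
20:25:48  6862   SMTP>> EHLO argenau
"""

# Patterns for the exim debug lines that matter for the TLS outcome.
TLS_ERROR_RE = re.compile(
    r"TLS error on connection to (\S+) \[([^\]]+)\] \((\w+)\): (.*)$")
CIPHER_RE = re.compile(r"cipher: ([^:]+):([^:]+):(\d+)")
COMPAT_MARKER = "lowering GnuTLS security, compatibility mode"

# Protocol versions that a current baseline treats as obsolete; a delivery
# that negotiates one of these only works because of the compat settings.
LEGACY_PROTOCOLS = {"SSL3", "TLS1.0", "TLS1.1"}


def analyse_tls_debug(text):
    """Summarise the TLS part of one exim -d+all delivery attempt."""
    result = {
        "starttls": False,      # client sent STARTTLS
        "error": None,          # dict with host/ip/stage/message, or None
        "protocol": None,       # e.g. "TLS1.0" from the "cipher:" line
        "cipher": None,         # e.g. "RSA_AES_256_CBC_SHA1"
        "compat_mode": False,   # compatibility downgrade was logged
        "legacy_protocol": False,
    }
    for line in text.splitlines():
        if "SMTP>> STARTTLS" in line:
            result["starttls"] = True
        if COMPAT_MARKER in line:
            result["compat_mode"] = True
        m = TLS_ERROR_RE.search(line)
        if m:
            result["error"] = {"host": m.group(1), "ip": m.group(2),
                               "stage": m.group(3), "message": m.group(4)}
        m = CIPHER_RE.search(line)
        if m:
            result["protocol"] = m.group(1)
            result["cipher"] = m.group(2)
            result["legacy_protocol"] = m.group(1) in LEGACY_PROTOCOLS
    return result


def describe(result):
    """One-line verdict suitable for a quick check after changing the config."""
    if not result["starttls"]:
        return "no STARTTLS attempted"
    if result["error"]:
        e = result["error"]
        return "handshake failed at %s with %s [%s]: %s" % (
            e["stage"], e["host"], e["ip"], e["message"])
    verdict = "TLS up: %s with %s" % (result["protocol"], result["cipher"])
    if result["compat_mode"]:
        verdict += " (GnuTLS compatibility mode in effect)"
    if result["legacy_protocol"]:
        verdict += " (legacy protocol version negotiated)"
    return verdict


if __name__ == "__main__":
    for label, text in (("before", FAILED_RUN), ("after", WORKING_RUN)):
        print(label + ": " + describe(analyse_tls_debug(text)))
```

Feeding a real `exim -f '<>' -d+all` capture to analyse_tls_debug gives the same summary; the legacy_protocol flag is the item worth keeping an eye on once a smarthost has been pinned to TLS1.0:SSL3, since the workaround only stays acceptable for as long as the peer offers nothing newer.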

More information about the Pkg-exim4-maintainers mailing list