[Pkg-exim4-users] Exim4 with Exchange and TLS doesn't work

Marc Haber mh+pkg-exim4-users at zugschlus.de
Thu Apr 13 07:27:30 UTC 2006 

[You need to be subscribed to post. I manually approved this message.]

On Thu, Apr 13, 2006 at 08:46:44AM +0200, Jan Kesten wrote:
> I setup a server running Debian stable with latest updates as smarthost
> for a lan and I use SMTP AUTH for relay control and TLS for encryption.
> Both work fine using another exim or for example Thunderbird as second
> peer (connecting and AUTH itself).
> 
> But I have one M$ Exchange wich needs to talk to my exim server.

So you want that Exchange box to authenticate as a client against your
exim server?

> Using plaintext logins everything works, but I don't really like this
> - and CRAM-MD5 isn't supported by Exchange AFAIK. So I enabled TLS,
> but this doesn't work and in mainlog lines like the following two
> appear:
> 
> 2006-04-12 12:54:38 TLS recv error on connection from
> p54850177.dip0.t-ipconnect.de [84.133.1.119]: A TLS packet with
> unexpected length was received.
> 
> 2006-04-12 12:54:38 TLS send error on connection from
> p54850177.dip0.t-ipconnect.de [84.133.1.119]: The specified session has
> been invalidated for some reason.
> 
> Software used:
> 
> exim4-daemon-heavy_4.50-8_i386.deb
> M$ Exchange 2000 SP3 SBE

Kneejerk response: Do you have enough entropy on your exim system?

Does Microsoft have an TLS command line client which you could use to
find out whether the system is able to do proper TLS? Or does Windows
have something like strace where you could look what exactly the
exchange is doing?

Can the exchange box deliver successfully to your exim over TLS if you
allow it to relay via IP address temporarily for testing?

> Does anyone know this problem and has any hints? One solution is to
> setup another MTA in the Exchange lan as gateway or not to use TLS at
> all. Or use more Exchange servers...no!
> 
> Maybe compiling exim against OpenSSL for testing? I looked through the
> sources and found EDITME.exim4-light.diff:
> 
>  # Uncomment these settings if you are using GnuTLS
> -# USE_GNUTLS=yes
> -# TLS_LIBS=-lgnutls -ltasn1 -lgcrypt
> +USE_GNUTLS=yes
> +TLS_LIBS=-lgnutls
> 
> But I think there is a good reason for using GnuTLS, istn't it? And is
> it possible to compile against OpenSSL by just changing these lines?

If you compile it yourself, it might be worth to try the later
packages from unstable, which both have a more current exim and have
an option to easily switch to OpenSSL via a debian/rules setting.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835

More information about the Pkg-exim4-users mailing list