tamray_tech

Need help identifying cause and resolving TLS errors in Exim relay server

We run a relay server for member schools to provide initial filtering before passing on to each school. Our server currently has self signed certificates (not sure if that is the cause of my errors). We are getting many errors like the following in our mail log:

2015-09-24 09:19:08 TLS error on connection from (na01-bn1-obe.outbound.protection.outlook.com) [157.56.110.86] (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2015-09-24 09:19:08 TLS client disconnected cleanly (rejected our certificate?)
2015-09-24 09:19:08 DNS list lookup defer (probably timeout) for savingworktocloud.com.rbl.baruwa.net: assumed not in list
2015-09-24 09:19:08 TLS error on connection from (na01-bn1-obe.outbound.protection.outlook.com) [157.56.110.65] (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2015-09-24 09:19:08 TLS client disconnected cleanly (rejected our certificate?)
2015-09-24 09:19:09 DNS list lookup defer (probably timeout) for 226.20.89.69.rbl.baruwa.net: assumed not in list

Running grep shows the following:

grep ciphers /etc/exim/exim.conf
tls_require_ciphers = TLSv1+HIGH : !SSLv2 : RC4+MEDIUM : !aNULL : !eNULL : !3DES : !MD5 : !AES : !CAMELLIA : !PSK : !KRB5 : @STRENGTH


What steps would I need to take to eliminate these errors?
btan

Your client should provide the reason. If not, connect using the
Better to use OpenSSL s_client to determine further reason via testing the command to the exim smtp server, such as: openssl s_client -connect $your_ip:$your_port

ASKER

I found the reason for the errors come from mail servers wanting to connect via sslv3, which we do not support, because of vulnerabilities. I am not clear if that means the message will never be delivered or if it will renegotiate with a different cipher. Any ideas how best to resolve the problem?
Resolved it by adding the following to exim.conf:

openssl_options = +no_sslv2 +no_sslv3

This completely disables SSLv3.
I've requested that this question be closed as follows:

Accepted answer: 0 points for tamray_tech's comment #a41003686

for the following reason:

Resolved issue
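An added check (not code from the thread) of what the tls_require_ciphers string quoted in the question actually lets the local OpenSSL negotiate, and whether a context carries the equivalent of the +no_sslv3 option from the resolution. The comparison list MODERN_CIPHER_STRING and the function names are my own assumptions; note that the quoted string excludes AES, CAMELLIA and 3DES, so only RC4-SHA suites remain on builds that still ship RC4, and nothing at all on builds that do not.

```python
import ssl

# tls_require_ciphers value copied verbatim from the question.
EXIM_CIPHER_STRING = (
    "TLSv1+HIGH:!SSLv2:RC4+MEDIUM:!aNULL:!eNULL:!3DES:!MD5:!AES:!CAMELLIA:"
    "!PSK:!KRB5:@STRENGTH"
)

# Constructed comparison list for contrast (an assumption, not from the thread).
MODERN_CIPHER_STRING = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def expand_cipher_string(cipher_string):
    """Return the TLS 1.2-and-below suite names the local OpenSSL would offer
    for an OpenSSL cipher string, or [] if OpenSSL rejects the string outright.

    TLS 1.3 suites are configured separately in OpenSSL and are reported by
    get_ciphers() whatever the string says, so they are filtered out here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # "No cipher can be selected": the string matches nothing in this build.
        return []
    return sorted(c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3")


def audit(cipher_string):
    """Summarise what a cipher string leaves a server able to negotiate."""
    suites = expand_cipher_string(cipher_string)
    return {
        "count": len(suites),
        "rc4_only": bool(suites) and all("RC4" in s for s in suites),
        "has_aes": any("AES" in s for s in suites),
    }


def default_context_disables_sslv3():
    """True when a fresh server context already carries the no_sslv3 option
    (the Python/OpenSSL equivalent of Exim's openssl_options = +no_sslv3)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    return bool(ctx.options & ssl.OP_NO_SSLv3)


if __name__ == "__main__":
    print("question  :", audit(EXIM_CIPHER_STRING))
    print("comparison:", audit(MODERN_CIPHER_STRING))
    print("no_sslv3 set by default:", default_context_disables_sslv3())
```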