[exim] TLS with gmail started failing

Marc MERLIN via Exim-users Fri, 07 Jun 2019 09:20:07 -0700


Howdy,


I have my personal Email (merlins.org) forwarded to gmail ([email protected]) and
have had that for over 10 years for an IP that never changed (209.81.13.136)

Starting a few days ago all my Emails got rejected by gmail, with "TLS error on
connection (recv): Resource temporarily unavailable, try again."

I've been using exim4 forever, I'm reasonably sure nothing changed on my
side in the last 2-3 days that this started happening.
Any idea what this could be, and whether the problem could be on my side?

I temporarily fixed it with 'hostsavoidtls=*' which indeed turned off
TLS and allowed Email to flow again.

Is my cipher list unsuitable? cipher: TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256

Details:
Connecting to alt1.gmail-smtp-in.l.google.com [2607:f8b0:4001:c15::1a]:25 ... 
failed: Network is unreachable
LOG: MAIN
  H=alt1.gmail-smtp-in.l.google.com [2607:f8b0:4001:c15::1a] Network is 
unreachable
Connecting to alt1.gmail-smtp-in.l.google.com [74.125.129.27]:25 ... connected
  SMTP<< 220 mx.google.com ESMTP e22si2221532iog.49 - gsmtp
  SMTP>> EHLO mail1.merlins.org
  SMTP<< 250-mx.google.com at your service, [209.81.13.136]
         250-SIZE 157286400
         250-8BITMIME
         250-STARTTLS
         250-ENHANCEDSTATUSCODES
         250-PIPELINING
         250-CHUNKING
         250 SMTPUTF8
  SMTP>> STARTTLS
  SMTP<< 220 2.0.0 Ready to start TLS
  SMTP>> EHLO mail1.merlins.org
LOG: MAIN
  H=alt1.gmail-smtp-in.l.google.com [74.125.129.27] TLS error on connection 
(recv): Resource temporarily unavailable, try again.
LOG: MAIN
  H=alt1.gmail-smtp-in.l.google.com [74.125.129.27]: Remote host closed 
connection in response to EHLO mail1.merlins.org

With more debug logs enabled, I see
14:32:02  5341 74.125.141.26 in hosts_avoid_tls? no (end of list)
14:32:02  5341   SMTP>> STARTTLS
14:32:02  5341 read response data: size=30
14:32:02  5341   SMTP<< 220 2.0.0 Ready to start TLS
14:32:02  5341 74.125.141.26 in hosts_require_ocsp? no (option unset)
14:32:02  5341 74.125.141.26 in hosts_request_ocsp? yes (matched "*")
14:32:02  5341 initialising GnuTLS as a client on fd 9
14:32:02  5341 GnuTLS global init required.
14:32:02  5341 initialising GnuTLS client session
14:32:02  5341 Expanding various TLS configuration options for session 
credentials.
14:32:02  5341 TLS: no client certificate specified; okay
14:32:02  5341 Added 99 certificate authorities.
14:32:02  5341 GnuTLS using default session cipher/priority "NORMAL"
14:32:02  5341 Setting D-H prime minimum acceptable bits to 1024
14:32:02  5341 74.125.141.26 in tls_verify_hosts? no (option unset)
14:32:02  5341 74.125.141.26 in tls_try_verify_hosts? yes (matched "*")
14:32:02  5341 74.125.141.26 in tls_verify_cert_hostnames? yes (matched "*")
14:32:02  5341 TLS: server cert verification includes hostname: 
"alt4.gmail-smtp-in.l.google.com".
14:32:02  5341 TLS: server certificate verification optional.
14:32:02  5341 TLS: will request OCSP stapling
14:32:02  5341 about to gnutls_handshake
14:32:03  5341 gnutls_handshake was successful
14:32:03  5341 TLS certificate verification failed (certificate invalid): 
peerdn="C=US,ST=California,L=Mountain View,O=Google LLC,CN=mx.google.com"
14:32:03  5341 TLS verify failure overridden (host in tls_try_verify_hosts)
14:32:03  5341 cipher: TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256
14:32:03  5341 Have channel bindings cached for possible auth usage.
14:32:03  5341   SMTP>> EHLO mail1.merlins.org
14:32:03  5341 tls_do_write(0xbfd5f57c, 24)
14:32:03  5341 gnutls_record_send(SSL, 0xbfd5f57c, 24)
14:32:03  5341 outbytes=24
14:32:03  5341 Calling gnutls_record_recv(0xb830fa40, 0xbfd5e57c, 4096)
14:32:03  5341 LOG: MAIN
14:32:03  5341   H=alt4.gmail-smtp-in.l.google.com [74.125.141.26] TLS error on 
connection (recv): Resource temporarily unavailable, try again.
14:32:03  5341 ok=0 send_quit=0 send_rset=1 continue_more=0 yield=1 
first_address is not NULL
14:32:03  5341 tls_close(): shutting down TLS
14:32:03  5341 LOG: MAIN
14:32:03  5341   H=alt4.gmail-smtp-in.l.google.com [74.125.141.26]: Remote host 
closed connection in response to EHLO mail1.merlins.org

I do see the verification failure, but it shouldn't matter due to "TLS
verify failure overridden (host in tls_try_verify_hosts)"

Thanks,
Marc
-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/                       | PGP 7F55D5F27AAF9D08

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

[exim] TLS with gmail started failing

Reply via email to