[exim] Re: Auto-respond only if file exists

2025-08-06 Thread Viktor Dukhovni via Exim-users
On Wed, Aug 06, 2025 at 03:07:15PM +0200, Peter Thomassen via Exim-users wrote: > > This filter is not a good idea. It appears to fail to take into account > > the essential requirements of RFC3834: > > > > > > > > in particular the exception

[exim] Re: Auto-respond only if file exists

2025-08-06 Thread Viktor Dukhovni via Exim-users
On Tue, Aug 05, 2025 at 05:53:51PM +0200, Peter Thomassen via Exim-users wrote: > A user has the following Exim filter: > > # Exim filter > if personal alias f...@example.com > then > unseen mail > subject "Automatic reply: $h_subject:" > from "f...@example.com" > extra_headers "Con

[exim] Re: stunnel

2025-06-28 Thread Viktor Dukhovni via Exim-users
On Sat, Jun 28, 2025 at 10:23:20PM -0500, Martin McCormick via Exim-users wrote: > Andrew C Aitchison via Exim-users writes: > > I've never tried this and I may very well be wrong, but I think > > you need stunnel to listen to exim on a port of your choice > > Does the smart server provide submiss

[exim] Re: stunnel

2025-06-28 Thread Viktor Dukhovni via Exim-users
On Sat, Jun 28, 2025 at 11:11:42PM +0100, Andrew C Aitchison via Exim-users wrote: > > When using stunnel to setup the encrypted link between this box > > and the smarthost, am I correct in assuming that exim, itself, is > > only now working with old-school plain text, talking through > > stunnel

[exim] Re: test Tue, 17 Jun 2025 15:03:44 -0500

2025-06-18 Thread Viktor Dukhovni via Exim-users
On Wed, Jun 18, 2025 at 10:32:18AM +0100, Jeremy Harris via Exim-users wrote: > On 2025/06/18 5:31 AM, Viktor Dukhovni via Exim-users wrote: > > Jeremy, is there anything in Exim roughly equivalent to the Postfix > > "fingerprint" security level? > > With the ca

[exim] Re: test Tue, 17 Jun 2025 15:03:44 -0500

2025-06-17 Thread Viktor Dukhovni via Exim-users
On Tue, Jun 17, 2025 at 03:03:44PM -0500, Martin McCormick via Exim-users wrote: > Many thanks to the person who noticed the exposed password You're welcome. > Persuading this large corporation to part with a few Dollars to renew > that certificate is about as likely as an Olympic ice skating co

[exim] Re: test Mon, 16 Jun 2025 17:35:47 -0500

2025-06-17 Thread Viktor Dukhovni via Exim-users
On Tue, Jun 17, 2025 at 10:18:42AM +0100, Jeremy Harris via Exim-users wrote: > On 2025/06/17 4:11 AM, Viktor Dukhovni via Exim-users wrote: > > I am slightly surprised Exim ended up going with LOGIN rather than the > > much simpler PLAIN, perhaps this choice was made by

[exim] Re: test Mon, 16 Jun 2025 17:35:47 -0500

2025-06-16 Thread Viktor Dukhovni via Exim-users
On Tue, Jun 17, 2025 at 08:16:22AM +0200, Cyborg via Exim-users wrote: > On 17.06.25 at 05:11 Viktor Dukhovni via Exim-users wrote: > > posttls-finger: < 220 begin TLS negotiation > > posttls-finger: server certificate verification failed for > > smtp.altic

[exim] Re: test Mon, 16 Jun 2025 17:35:47 -0500

2025-06-16 Thread Viktor Dukhovni via Exim-users
On Mon, Jun 16, 2025 at 05:35:47PM -0500, Martin McCormick via Exim-users wrote: > -> AUTH LOGIN > <- 334 VXNlcm5hbWU6 > -> bWFydGluLm1Ac3VkZGVubGluay5uZXQ= > <- 334 UGFzc3dvcmQ6 > -> V2VsY29tZTE= $ ( echo VXNlcm5hbWU6 | openssl base64 -d echo UGFzc3dvcmQ6 | openssl base64 -d

[exim] TLSA record hygiene for Let's Encrypt issuer CAs

2025-06-15 Thread Viktor Dukhovni via Exim-users
Please see: https://list.sys4.de/hyperkitty/list/dane-us...@list.sys4.de/thread/FUUH4KTUI5PMDD44X6JV5KLIPVRCH27P/ TL;DR: - DO publish ALL applicable intermediate CAs when any are published - DON'T publish TLSA records matching long-retired LE CAs. -- Viktor. -- ## subscription confi

[exim] Re: which openssl options are used by exim for a tls connection

2025-06-06 Thread Viktor Dukhovni via Exim-users
On Fri, Jun 06, 2025 at 05:13:05PM +0200, Cyborg via Exim-users wrote: > On 06.06.25 at 15:22 Viktor Dukhovni via Exim-users wrote: > > You have to be more specific, Fedora's `s_client` is *more* restrictive > > than OpenSSL upstream without the crypto-policy patches. > >

[exim] Re: which openssl options are used by exim for a tls connection

2025-06-06 Thread Viktor Dukhovni via Exim-users
On Fri, Jun 06, 2025 at 12:46:18PM +0200, Cyborg via Exim-users wrote: > > > I'm pretty sure you are right about the RSE Kx limitation, but s_client > > > should enforce that too??? > > You're still muddled. > > > > No, not any longer \o/ : Found it. No, you're still confused. > In my case, se

[exim] Re: which openssl options are used by exim for a tls connection

2025-06-06 Thread Viktor Dukhovni via Exim-users
On Fri, Jun 06, 2025 at 11:25:11AM +0200, Cyborg via Exim-users wrote: > > > when connecting with s_client to that server, a wired connection is > > > established: > > Which specific server? > > 93.62.204.35 > > Did you actually connect to the same TCP endpoint (IP and port)? > > yeap. What I g

[exim] Re: which openssl options are used by exim for a tls connection

2025-06-06 Thread Viktor Dukhovni via Exim-users
On Fri, Jun 06, 2025 at 09:37:27AM +0200, Cyborg via Exim-users wrote: > Exim returns: > > TLS session: (SSL_connect): error:0A00018A:SSL routines::dh key too small > > when connecting with s_client to that server, a wired connection is > established: Which specific server? > New, TLSv1.2, Cip

[exim] Re: The TLS connection was non-properly terminated.

2025-06-05 Thread Viktor Dukhovni via Exim-users
On Thu, Jun 05, 2025 at 10:04:33AM +0300, Odhiambo Washington via Exim-users wrote: > The message should read "The TLS connection was improperly terminated.", > methinks. > > Anyway, I am not sure what I haven't done correctly because all SMTP > transactions with gmail servers end up with this me

[exim] Re: TLS group selection (incl. post-quantum hybrids) in remote_smtp

2025-05-29 Thread Viktor Dukhovni via Exim-users
On Thu, May 29, 2025 at 12:22:37PM +0200, Cyborg via Exim-users wrote: > > In that case, PQ > > keyshares aren't sent and STARTTLS works with "boeing.com" (still > > hangs with default TLS 1.3 connections under OpenSSL 3.5). > > anyone using tls 1.2 only servers in 2025 ( 7y after 1.3 introductio

[exim] Re: TLS group selection (incl. post-quantum hybrids) in remote_smtp

2025-05-29 Thread Viktor Dukhovni via Exim-users
On Thu, May 29, 2025 at 12:22:10PM +0300, Viktor Ustiuhov via Exim-users wrote: > > Actually, it is not surprising at all, the issue basically boils down to > > whether the Client TLS fits in a single TCP segment or not. If it does > > the handshake completes, otherwise not TCP ACKs are received

[exim] Re: TLS group selection (incl. post-quantum hybrids) in remote_smtp

2025-05-29 Thread Viktor Dukhovni via Exim-users
On Thu, May 29, 2025 at 11:39:54AM +0300, Viktor Ustiuhov via Exim-users wrote: > > One approach that is likely to work-around PQ-impedance is to set the > > protocol version to TLSv1.2 (fixed or ceiling). In that case, PQ > > keyshares aren't sent and STARTTLS works with "boeing.com" (still > >

[exim] Re: TLS group selection (incl. post-quantum hybrids) in remote_smtp

2025-05-28 Thread Viktor Dukhovni via Exim-users
On Wed, May 28, 2025 at 11:05:45PM +0300, Viktor Ustiuhov via Exim-users wrote: > There has been a lot of discussion on this list about the risks of using > legacy TLS protocol versions. But what about supporting new TLS > features, such as hybrid post-quantum key exchange? > > System-wide config

[exim] Re: How to disable tls 1 and tls 1.1

2025-05-26 Thread Viktor Dukhovni via Exim-users
On Mon, May 26, 2025 at 08:47:35PM +, Slavko via Exim-users wrote: > >(HMAC) in TLS in the context of SMTP. There are some browser-specific > >issues with CBC ciphers because TLS did MAC-then-encrypt rather than > >encrypt-then-MAC, but these required scripting many connections to > >possibly

[exim] Re: How to disable tls 1 and tls 1.1

2025-05-26 Thread Viktor Dukhovni via Exim-users
On Sun, May 25, 2025 at 07:46:00PM +, Slavko via Exim-users wrote: > >But there are no weaknesses in TLS v1.0 or v1.1 relative to v1.2 and > >1.3 that are relevant to SMTP sessions. > > Yes, i read that multiple times from various sources, but to decide > properly, we have to ask (and answer)

[exim] Re: How to disable tls 1 and tls 1.1

2025-05-25 Thread Viktor Dukhovni via Exim-users
On Sun, May 25, 2025 at 12:54:29PM +0100, Mike Cardwell via Exim-users wrote: > > How to disable deprecated protocols Tls 1 and tls 1.1 and enable only > > strong protocols > > I don't know what the generally accepted config is for SMTP TLS these > days, but bear in mind that a connecting MTA may

[exim] Re: Exim as smtp client. Bad certificate ?

2025-01-09 Thread Viktor Dukhovni via Exim-users
On Thu, Jan 09, 2025 at 11:14:38PM +0100, Gandalf Corvotempesta via Exim-users wrote: > but i've seen the exact error enabling the debug log, so the real error is > available in some way. Wrong end of the connection. Only the sender of a TLS alert knows the details of why the alert was sent. T

[exim] Re: Why does this mail fail sender verification?

2025-01-08 Thread Viktor Dukhovni via Exim-users
On Wed, Jan 08, 2025 at 09:59:38AM +1000, Martin D Kealey via Exim-users wrote: > Bill Cole said: > > > > returning a null MX (MX 0 ".") with unbound locally if the upstream > > server is responding NXDOMAIN on a MX query. > > > > This will cause loss of mail. > > > > I hear this from time to t

[exim] Re: mysql_servers syntax for ipv6-only database server

2024-11-14 Thread Viktor Dukhovni via Exim-users
On Fri, Nov 15, 2024 at 12:05:29AM +, Jeremy Harris via Exim-users wrote: > On 12/11/2024 11:47, Jeremy Harris via Exim-users wrote: > >   This is a bug; feel free to raise one.  The problem will be fixing it > >   in some way that is back-compatible. > > The syntax design really needs a tot

[exim] Re: Personalize MX

2024-10-23 Thread Viktor Dukhovni via Exim-users
On Wed, Oct 23, 2024 at 12:22:50PM +0200, Leonardo Boselli via Exim-users wrote: > To be more specific: for certain domains i have to give a "special > treatment" so for example use only lowest MX, o using only IPv4 or IPv6 > connections. It is unclear whether when you say "lowest MX" you mean to

[exim] Re: Exim attempting retries in rapid succession without delay?

2024-10-10 Thread Viktor Dukhovni via Exim-users
On Thu, Oct 10, 2024 at 10:45:08PM +0100, Andrew C Aitchison via Exim-users wrote: > > > I posted this problem as an exim bug, but it was immediately dismissed > > because the MTA rejection response indicates a temporary problem, so > > apparently retrying 4 more times inside a second to differe

[exim] Re: DANE with certificate errors

2024-09-12 Thread Viktor Dukhovni via Exim-users
On Thu, Sep 12, 2024 at 03:32:36PM +0200, Kai Bojens via Exim-users wrote: > I have a very simple question: why would Exim notify about Certificate > errors in regard to DANE/TLS but continue to send the mails anyway? And how > do I stop this behaviour? > > DANE attempt failed; TLS connection to

[exim] Re: autoreply and DKIM signature ?

2024-08-15 Thread Viktor Dukhovni via Exim-users
On Thu, Aug 15, 2024 at 08:26:06AM +0100, Julian Bradfield via Exim-users wrote: > > No. Alignment, etc., is DMARC not DKIM. Absent a DMARC policy for > > the "From:" domain, any the DKIM signature allows the receiving system > > to use the "d=" value as a key into a reputation system, but quest

[exim] Re: autoreply and DKIM signature ?

2024-08-15 Thread Viktor Dukhovni via Exim-users
On Thu, Aug 15, 2024 at 08:36:19AM +0200, Cyborg via Exim-users wrote: > > Because of the <> envelope-from, how can the proper sender-domain > > (and dkim key) be found on the sending host ? > > To answer your original question: you don't do this. > > You send the auto-reply with the correct m

[exim] Re: autoreply and DKIM signature ?

2024-08-14 Thread Viktor Dukhovni via Exim-users
On Wed, Aug 14, 2024 at 08:25:30PM +0100, Julian Bradfield via Exim-users wrote: > > I do not agree. > > The DKIM RFC says that anyone can sign a message. > > Yes, but it also says very clearly that it's up to the Identity > Assessor to decide what, if any, trust to place in a message signed by >

[exim] Re: sender verification details

2024-08-09 Thread Viktor Dukhovni via Exim-users
On Fri, Aug 09, 2024 at 03:52:05PM +0200, Slavko via Exim-users wrote: > Hi, > > On Fri, 9 Aug 2024 15:16:17 +0200 Jan Ingvoldstad via Exim-users > wrote: > > > Please remember that in the absence of MX records, A record lookup(s) > > will be performed for email delivery. > > more precise,

[exim] Re: sender verification details

2024-08-07 Thread Viktor Dukhovni via Exim-users
On Wed, Aug 07, 2024 at 09:12:57AM +0100, Jeremy Harris via Exim-users wrote: > On 06/08/2024 21:16, Ian Z via Exim-users wrote: > > Does non-callout sender verification of nonlocal addresses, in the case of > > a dnslookup router, determine the MX host of the sender domain? > > No (and there coul

[exim] Re: sender verification details

2024-08-07 Thread Viktor Dukhovni via Exim-users
On Wed, Aug 07, 2024 at 10:23:38AM +0300, Evgeniy Berdnikov via Exim-users wrote: > On Tue, Aug 06, 2024 at 01:16:29PM -0700, Ian Z via Exim-users wrote: > > Does non-callout sender verification of nonlocal addresses, in the case of > > a dnslookup router, determine the MX host of the sender domai

[exim] Re: exim don't speak to google any more!

2024-07-30 Thread Viktor Dukhovni via Exim-users
On Tue, Jul 30, 2024 at 01:17:00PM +0100, Jeremy Harris via Exim-users wrote: > On 30/07/2024 12:52, Andrew C Aitchison via Exim-users wrote: > > *If* I extended the config to allow admins to set the OpenSSL option > > SSL_OP_IGNORE_UNEXPECTED_EOF (and an equivalent gnutls option if I can > > find 

[exim] Re: exim don't speak to google any more!

2024-07-30 Thread Viktor Dukhovni via Exim-users
On Mon, Jul 29, 2024 at 09:44:17AM +0100, Bernard Quatermass via Exim-users wrote: > > Exim really should be updated to ignore OpenSSL's truncation > > detection, I don't recall whether that even already happened and the > > OP is running an older version? > > I rather think postfix is the codeb

[exim] Re: exim don't speak to google any more!

2024-07-29 Thread Viktor Dukhovni via Exim-users
On Mon, Jul 29, 2024 at 09:25:21AM +0200, Francois Sauterey via Exim-users wrote: > The response was : > > TLS Negotiation failed: FAILED_PRECONDITION: starttls error (71): > 54099363978240:error:1410:SSL > routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE:third_party/openssl/boringss

[exim] Re: exim don't speak to google any more!

2024-07-28 Thread Viktor Dukhovni via Exim-users
On Mon, Jul 29, 2024 at 03:24:35AM +, Thomas Krichel via Exim-users wrote: > > Exim really should be updated to ignore OpenSSL's truncation detection, > > I don't recall whether that even already happened and the OP is running > > an older version? > > root@tagol~# exim --version | head -1 >

[exim] Re: exim don't speak to google any more!

2024-07-28 Thread Viktor Dukhovni via Exim-users
On Sun, Jul 28, 2024 at 05:56:33PM +0100, Jeremy Harris via Exim-users wrote: > > BUT in the log, I get the following message: > > > >  H=gmail-smtp-in.l.google.com [142.251.16.26] TLS error on > > connection (recv): The TLS connection was non-properly terminated. > > Google is violating stan

[exim] DANE TLSA records for exim.org?

2024-07-16 Thread Viktor Dukhovni via Exim-users
Until roughly today, at least the primary MX host for "exim.org" had DANE TLSA records. Today, they're gone (I hope temporarily). And ideally (subject to real world constraints, and all that), it would even be good for the secondary MX to be signed and have TLSA RRs. ; NOERROR AD=1 exim

[exim] Re: GnuTLS and Dane-Problem finally solved

2024-07-13 Thread Viktor Dukhovni via Exim-users
On Sat, Jul 13, 2024 at 09:46:25PM +0200, Wolfgang via Exim-users wrote: > and all others helping me, to find the problem with my exim not able to > deliver to the > https://blog.lindenberg.one/EmailSecurityTest . It sure looks to my expert eye like you've still failed to identify the reason for

[exim] Re: Follow-Up: Debug TLS/DANE problems it is GnuTLS!

2024-07-08 Thread Viktor Dukhovni via Exim-users
On Mon, Jul 08, 2024 at 03:22:50PM +, Slavko via Exim-users wrote: > >I checked into that already also. First I used my own nameserver, where the > >output just looks as > >yours. > > dig +noall +stats +comment -t mx et.lindenberg.one | grep -E '^;; > > (flags|SERVER):' > > ;; flags: qr rd

[exim] Re: no SNI used, when sending TLS secured messages out

2024-07-08 Thread Viktor Dukhovni via Exim-users
On Mon, Jul 08, 2024 at 03:20:40PM +0200, Wolfgang via Exim-users wrote: > Hello, > Why is exim not using SNI for every TLS connection, which got established? > SNI is helpful even far > away from DANE for message routing, multiplexing MX and other stuff. Historically, there wasn't a well-defin

[exim] Re: Follow-Up: Debug TLS/DANE problems it is GnuTLS!

2024-07-08 Thread Viktor Dukhovni via Exim-users
On Mon, Jul 08, 2024 at 03:02:35PM +0200, Wolfgang via Exim-users wrote: > >Perhaps the issue is as mundane as you not having a local validating > >resolver in /etc/resolv.conf, so that the destination domain looks > >unsigned to Exim? Can you post the output of: > > >$ dig +noall +stats +com

[exim] Re: Debug TLS/DANE problems

2024-07-07 Thread Viktor Dukhovni via Exim-users
On Sun, Jul 07, 2024 at 06:34:21PM +0200, Wolfgang via Exim-users wrote: > > > Actual debug output from the Exim system. I pointed out how best > > to do that on the 2nd (assuming that the Exim system is the > > accepting end for the connection). > > > [ In case it's an outbound connection at

[exim] Re: Follow-Up: Debug TLS/DANE problems it is GnuTLS!

2024-07-07 Thread Viktor Dukhovni via Exim-users
On Sun, Jul 07, 2024 at 03:59:30PM +0100, Jeremy Harris via Exim-users wrote: > On 07/07/2024 14:31, Viktor Dukhovni via Exim-users wrote: > > So it sure seems like Exim DANE with GnuTLS fails to set the TLSA base > > domain as the SNI name, while the Exim with OpenSSL does take c

[exim] Re: Follow-Up: Debug TLS/DANE problems it is GnuTLS!

2024-07-07 Thread Viktor Dukhovni via Exim-users
On Sun, Jul 07, 2024 at 09:36:48AM +0100, Jeremy Harris via Exim-users wrote: > Basics such as who the actors are in the connection, with which roles > (that last item because of the confusion in the message I > responded to yesterday). The connection is to "mx06.et.lindenberg.one" on port 25. W

[exim] Re: Follow-Up: Debug TLS/DANE problems it is GnuTLS!

2024-07-06 Thread Viktor Dukhovni via Exim-users
On Sat, Jul 06, 2024 at 09:44:58PM +0100, Jeremy Harris via Exim-users wrote: > Actually, you don't know whether the option was forced. Only the result on > the > connection - which you have not described how you evaluated. A "tshark" analysis of the connection should be able to reveal all, sin

[exim] Re: Follow-Up: Debug TLS/DANE problems / GnuTLS?

2024-07-05 Thread Viktor Dukhovni via Exim-users
On Fri, Jul 05, 2024 at 02:01:38PM +0200, Wolfgang via Exim-users wrote: > I am much more familiar with openssl, but debian-exim is linked against > gnu-tls, so I started digging in gnutls binary tools also. > Unfortunately gnutls-cli is far less capable than the openssl cli > tools. I started t

[exim] Re: Problems with outgoing DANE-TLSA, when CA-anchored test fails

2024-07-02 Thread Viktor Dukhovni via Exim-users
On Tue, Jul 02, 2024 at 03:51:38PM +0200, Wolfgang via Exim-users wrote: > > Otherwise, any MX host with a Let's Encrypt certificate could > > impersonate any other such host. > > I don't get this: Even, when either the CN nor an additional SAN matches, I > see no risk > for impersonating, as th

[exim] Re: Problems with outgoing DANE-TLSA, when CA-anchored test fails

2024-07-01 Thread Viktor Dukhovni via Exim-users
On Sun, Jun 30, 2024 at 11:32:58PM +0200, Wolfgang via Exim-users wrote: > I have problems connecting DANE configured hosts, when the MX has a > correct TLSA-RR but an valid certificate (letsencrypt) with the wrong > CN. This is required and expected behaviour. See: https://datatracker.ietf.

[exim] More changes (2024-06-06) at Let's Encrypt affecting DANE-TA(2) TLSA records

2024-06-07 Thread Viktor Dukhovni via Exim-users
On Fri, Dec 08, 2023 at 02:01:30PM -0500, Viktor Dukhovni wrote: > It now turns out that they will also be switching to new underlying > intermediate CAs. So you'll get a random choice of *new* issuers. > > > https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/L7XoAXt_s1c/m/k_vdk9rQ

[exim] Re: SSL Certificates

2024-03-20 Thread Viktor Dukhovni via Exim-users
On Wed, Mar 20, 2024 at 06:17:48AM +0100, Niels Kobschätzki via Exim-users wrote: > Use https://whatsmychaincert.com/, put in your certificate and get a file > with a correct full chain with or without root back. This is prone to accidental pasting of one's private keys into the webform. A sa

[exim] Re: SSL Certificates

2024-03-19 Thread Viktor Dukhovni via Exim-users
On Tue, Mar 19, 2024 at 09:45:37PM -0700, Ian Z via Exim-users wrote: > On Tue, Mar 19, 2024 at 11:40:05PM -0400, Jerry Stuckle via Exim-users wrote: > > > I got a free SSL certificate but am having problems implementing it. > > It came as certificate.crt and private.key. It also contained > > ca

[exim] Re: restricted characters in address

2024-03-10 Thread Viktor Dukhovni via Exim-users
On Sun, Mar 10, 2024 at 07:53:40PM +, Julian Bradfield via Exim-users wrote: > Of course, there is still the question as to why any form of source > routing should be enabled in a default configuration of anything, > given its almost total obsoleteness. > (I could imagine source routing being

[exim] Re: restricted characters in address

2024-03-10 Thread Viktor Dukhovni via Exim-users
On Sun, Mar 10, 2024 at 09:49:14AM +, Julian Bradfield via Exim-users wrote: > That would be a configuration problem for that site - not a reason to > stop your users replying to perfectly valid addresses. > > > And by the way, by default Postfix still supports % and ! addresses: > > > >

[exim] Re: restricted characters in address

2024-03-09 Thread Viktor Dukhovni via Exim-users
On Sat, Mar 09, 2024 at 09:26:39PM +, Julian Bradfield via Exim-users wrote: > Secondly, is there really any reason nowadays for restricting % and ! ? > > The last time I saw a % address was in 1995, and the last time I saw a > ! address was in 1994. (And of course, when I did see them, they

[exim] DANE: ATTENTION: Let's Encrypt drops DST X3 from default chain, breaking "depth 2" ISRG "2 1 1" TLSA records...

2024-02-12 Thread Viktor Dukhovni via Exim-users
As of roughly the start of this month, the DANE survey at is seeing a steady stream of validation failures for MX hosts that rely only on: _25._tcp.mail.domain.example. IN TLSA 2 1 1 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3 [ Some also

[exim] Re: undefined reference to `SSL_get0_chain_certs' error on compile

2023-12-16 Thread Viktor Dukhovni via Exim-users
On Sat, Dec 16, 2023 at 09:44:59AM +, Ian B via Exim-users wrote: > In the meantime I think I've just got it working ok with exporting > LD_LIBRARY_PATH and CC=gcc -std=gnu99 -lrt -I/usr/local/ssl/ > -L/usr/local/ssl/lib -Wl,-rpath,/usr/local/ssl/lib (not even sure those are > correct just atm

[exim] Re: undefined reference to `SSL_get0_chain_certs' error on compile

2023-12-15 Thread Viktor Dukhovni via Exim-users
On Fri, Dec 15, 2023 at 12:26:53PM +, Ian B via Exim-users wrote: > Just wanted to say thanks, I got this all working after the full install. > > (I've compiled a later release of openssl into /usr/local/ssl and created > /etc/ld.so.conf.d/openssl.conf with the lib in there, followed by ldconf

[exim] TAKE NOTE 3: Upcoming new Let's Encrypt intermediate issuer CAs.

2023-12-08 Thread Viktor Dukhovni via Exim-users
My previous post on this topic noted that covered Let's Encrypt are planning to *randomise* the choice of intermediate issuer CA used with each renewal. It now turns out that they will also be switching to new underlying intermediate CAs. So you'll get a random choice of *new* issuers. https:/

[exim] Re: Exim hates CNAMEs, not IPv6

2023-11-30 Thread Viktor Dukhovni via Exim-users
On Fri, Dec 01, 2023 at 12:09:44AM -0500, John R Levine via Exim-users wrote: > Oh, I see the problem. lists.exim.org is a CNAME for cumin.exim.org, > and qmail is standard compliant per RFC 1123: > > 5.2.2 Canonicalization: RFC-821 Section 3.1 > > The domain names that a Sender-

[exim] Re: TAKE NOTE 2: Future Let's Encrypt CA choice randomisation.

2023-11-19 Thread Viktor Dukhovni via Exim-users
On Sun, Nov 19, 2023 at 09:33:37PM +, Slavko via Exim-users wrote: > > * Staging a future key, that the ACME client will conditionally > >switch to, once the TLSA record is live. > > Do you mean opposite of usual certbot logic: first generate key, then > setup TLSA for it, and after that

[exim] Re: TAKE NOTE 2: Future Let's Encrypt CA choice randomisation.

2023-11-19 Thread Viktor Dukhovni via Exim-users
On Sun, Nov 19, 2023 at 01:30:29PM +0100, Slavko via Exim-users wrote: > > I don't recommend DANE-TA(2), and encourage use of DANE-EE(3) instead. > > I am far from DANE expert, but my understanding is, that DANE-TA is > good for own CAs, where one have full control on (intermediate) CA's > certs

[exim] Re: TAKE NOTE 2: Future Let's Encrypt CA choice randomisation.

2023-11-16 Thread Viktor Dukhovni via Exim-users
On Thu, Nov 16, 2023 at 07:41:46PM +, Slavko via Exim-users wrote: > >If you're using Let's Encrypt as your CA and prefer to publish > >DANE-TA(2), rather than DANE-EE(3) TLSA records, please look over: > > Just curious. Enough recent certbot provides --reuse-key and --new-key > (or so) optio

[exim] Re: dnsdb loses characters (exim 4.96.2, 4.97)

2023-11-15 Thread Viktor Dukhovni via Exim-users
On Wed, Nov 15, 2023 at 07:00:20PM +, Andrew C Aitchison via Exim-users wrote: > On Wed, 15 Nov 2023, Victor Ustugov via Exim-users wrote: > > > Hello > > > > This is a real case. > > > > Let's resolve the TXT record of the perrigo.com domain. > > > > # pkg info -E exim > > exim-4.96.2 > >

[exim] TAKE NOTE 2: Future Let's Encrypt CA choice randomisation.

2023-11-15 Thread Viktor Dukhovni via Exim-users
On Wed, Nov 15, 2023 at 12:17:50AM -0500, Viktor Dukhovni wrote: > It must be that Let's Encrypt finally stopped by default including that > cross certificate in their chains. As pointed out helpfully by Geert Hendrickx on the postfix-users list: > They plan to stop providing the cross-signed "l

[exim] TAKE NOTE: "2 1 1" TLSA records vs. apparent change of Let's Encrypt default certificate chain

2023-11-14 Thread Viktor Dukhovni via Exim-users
The DANE/DNSSEC survey () has seen a recent spike in the number of MX hosts whose "2 1 1" TLSA records no longer match their certificate chain. The records in question all share the same digest value, for various TLSA base domains: _25._tcp.mx1.example. IN TLSA

[exim] Re: Fixing or disabling TLS for internal network hosts

2023-10-07 Thread Viktor Dukhovni via Exim-users
On Sat, Oct 07, 2023 at 09:53:25PM -0700, AC via Exim-users wrote: > As for misunderstanding the error, perhaps it could be modified to better > explain which side is causing the message since I obviously assumed that a > message in the server logs indicated the server had a problem absent any > o

[exim] Re: Fixing or disabling TLS for internal network hosts

2023-10-07 Thread Viktor Dukhovni via Exim-users
On Sat, Oct 07, 2023 at 08:52:24PM -0700, AC via Exim-users wrote: > The error message on the main server is: > TLS error on connection from [host] (recv): A TLS fatal alert has been > received.: Certificate is bad You've misunderstood the message. TLS "alerts" are errors reported to the local T

[exim] Re: Is sender verification possible on a server that is used as a smarthost?

2023-10-04 Thread Viktor Dukhovni via Exim-users
On Wed, Oct 04, 2023 at 09:36:12PM +0200, Mario Emmenlauer wrote: > > Rather than leak user@.domain forms out to the public > > Internet, explain and solve the real problem that not masquerading > > all users behind the primary domain is supposed to solve??? > > So for me, the exim email system o

[exim] Re: Is sender verification possible on a server that is used as a smarthost?

2023-10-04 Thread Viktor Dukhovni via Exim-users
On Wed, Oct 04, 2023 at 12:49:29PM -0400, Chris Siebenmann via Exim-users wrote: > > But does that mean that in turn, each of these subdomains would need > > to be added as a local domain in exim on mydomain.org? Are there any > > downsides with that? It seems a bit wrong that mydomain.org has loc

[exim] Re: Is sender verification possible on a server that is used as a smarthost?

2023-10-04 Thread Viktor Dukhovni via Exim-users
On Wed, Oct 04, 2023 at 02:11:27PM +0200, Mario Emmenlauer via Exim-users wrote: > Also, I'd like to have unique mailnames for each desktop, like > .mydomain.org, to better identify where the mail originated > from. But these domains do not really exist, they would be "fake" > mailnames to identif

[exim] Re: Exim Zero Day?

2023-10-01 Thread Viktor Dukhovni via Exim-users
On Sun, Oct 01, 2023 at 05:50:00PM +0200, Andreas Barth via Exim-users wrote: > I have seen the security side as debian release manager for quite many > software products. And I doubt much that postfix would do it much > different. Coordinated release of security updates is standard industry prac

[exim] Re: RFC822 Date format.

2023-09-24 Thread Viktor Dukhovni via Exim-users
On Mon, Sep 25, 2023 at 03:21:20AM -, Jasen Betts via Exim-users wrote: > On 2023-09-25, Jasen Betts via Exim-users wrote: > > I want to add a Resent-Date: header. Is there any way to access this > > RFC822 timestamp using simple string expansion? > > so far this is my best candidate: > >

[exim] Re: TLS error on connection (recv): The TLS connection was non-properly terminated.

2023-09-13 Thread Viktor Dukhovni via Exim-users
On Wed, Sep 13, 2023 at 04:43:46PM +0100, Jeremy Harris via Exim-users wrote: > On 13/09/2023 16:31, Viktor Dukhovni via Exim-users wrote: > > So long as the delivery completed, > > That's not relevant here. It does... eventually. FWIW, I meant the *specific* delive

[exim] Re: TLS error on connection (recv): The TLS connection was non-properly terminated.

2023-09-13 Thread Viktor Dukhovni via Exim-users
On Wed, Sep 13, 2023 at 09:33:36AM +0100, Jeremy Harris via Exim-users wrote: > "non-properly terminated" means the far end didn't do a proper TLS close > sequence. It's unfortunately common. However, combined with the 30s stall, > worth checking on. Get a delivery run with debug; look for the

[exim] Re: OpenSSL 3 under FreeBSD

2023-09-11 Thread Viktor Dukhovni via Exim-users
On Tue, Sep 12, 2023 at 08:16:12AM +0300, Lena--- via Exim-users wrote: > FreeBSD port of openssl 1.1.1 had an update yesterday, it says: > > Final version of OpenSSL 1.1.1, this port will upgrade to > 3.0 (LTS) with a next commit. > > Does somebody use Exim with openssl 3 under FreeBSD already?

[exim] Re: Please avoid TLSA records matching retired issuing CAs.

2023-07-17 Thread Viktor Dukhovni via Exim-users
On Mon, Jul 17, 2023 at 10:11:08AM +0200, Niels Dettenbach via Exim-users wrote: > helpful for pro-actively watching / monitoring different aspects of a > DANE / TLSA setup per Nagios (as "compatible" monitoring systems): > https://github.com/matteocorti/check_ssl_cert > > which is very flexible

[exim] Please avoid TLSA records matching retired issuing CAs.

2023-07-16 Thread Viktor Dukhovni via Exim-users
[ Also posted to dane-us...@list.sys4.de ] There are still ~250 MX hosts with DANE TLSA records that match the retired X3 or X4 Let's Encrypt CAs. Perhaps also other retired CAs, but these are the ones I'm tracking at: https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html Please take care t

[exim] Re: exim spitting out "bad certificate" log lines

2023-07-13 Thread Viktor Dukhovni via Exim-users
On Thu, Jul 13, 2023 at 10:30:06PM +0300, Evgeniy Berdnikov via Exim-users wrote: > On Thu, Jul 13, 2023 at 11:11:31AM -0400, Viktor Dukhovni via Exim-users > wrote: > > Perhaps the OpenSSL library could change the message to be: > > > > "TLS fatal alert from

[exim] Re: exim spitting out "bad certificate" log lines

2023-07-13 Thread Viktor Dukhovni via Exim-users
On Thu, Jul 13, 2023 at 04:43:42PM +0200, Cyborg via Exim-users wrote: > >> "TLS error (SSL_read): error:0A000412:SSL routines::sslv3 alert bad > >> certificate" > > This is the correct log message. > > If the chain of events is like we expect it to be, that the client tries > to validate the ce

[exim] Re: exim spitting out "bad certificate" log lines

2023-07-13 Thread Viktor Dukhovni via Exim-users
On Thu, Jul 13, 2023 at 04:50:44PM +0200, Cyborg via Exim-users wrote: > > If the issue is observed on the MX host for your domain, note that its > > certificate chains up to the already expired "DST Root CA X3": > > where do you see an expired cert here?  Or did you mean "soon to be > reaching

[exim] Re: exim spitting out "bad certificate" log lines

2023-07-13 Thread Viktor Dukhovni via Exim-users
On Thu, Jul 13, 2023 at 10:21:02AM +0200, Cyborg via Exim-users wrote: > 2023-07-13 08:15:41 TLS error (SSL_read): error:0A000412:SSL > routines::sslv3 alert bad certificate If the issue is observed on the MX host for your domain, note that its certificate chains up to the already expired "DST R

[exim] Re: exim spitting out "bad certificate" log lines

2023-07-13 Thread Viktor Dukhovni via Exim-users
On Thu, Jul 13, 2023 at 10:21:02AM +0200, Cyborg via Exim-users wrote: > Since 08:15 CEST Exim is spitting out these errors: > > 2023-07-13 08:15:41 TLS error (SSL_read): error:0A000412:SSL > > routines::sslv3 alert bad certificate This is reported by OpenSSL to the local application (Exim serv

[exim] Re: fake helo at connect

2023-06-19 Thread Viktor Dukhovni via Exim-users
On Mon, Jun 19, 2023 at 02:02:49PM +0300, Myhaylo Golub via Exim-users wrote: > Some host provides fake information after connect. > > telnet mail.hostname. 25 > Trying *.*.*.*... > Connected to mail.hostname. > Escape character is '^]'. > 220-mx.mail.hostname ESMTP Postfix > 220 mx.mail.hostname