I have a Debian 8 server running exim4 that sends outgoing mail by smarthost through NameCheap's mail.privateemail.com SMTP server - or at least it used to. After a recent update, the server no longer accepts connections on port 25. I've reconfigured exim to use port 587 but can't send any mail.

The problem appears to occur during the STARTTLS handshaking. Initial connection succeeds, the server sends its 220 response, the exim client sends its EHLO command, and the server offers the 250 STARTTLS option. At that point, instead of replying with STARTTLS and establishing the secure connection, exim begins to send the message headers. To this the server sends a 530 "Must issue a STARTTLS command first" and the message delivery attempt aborts. Here is a snippet from the debug output from forcing delivery of a frozen message with exim -d -M:

Transport port=25 replaced by host-specific port=587
Connecting to mail.privateemail.com [198.54.122.60]:587 ... connected
waiting for data on socket
read response data: size=32
  SMTP<< 220 PrivateEmail.com Mail Node
198.54.122.60 in hosts_avoid_esmtp? no (option unset)
  SMTP>> EHLO efserver.hellonull.com
waiting for data on socket
read response data: size=22
  SMTP<< 250-STARTTLS
         250 OK
198.54.122.60 in hosts_require_tls? no (option unset)
198.54.122.60 in hosts_avoid_pipelining? no (option unset)
not using PIPELINING
198.54.122.60 in hosts_require_auth? no (option unset)
  SMTP>> MAIL FROM:<>
waiting for data on socket
read response data: size=41
  SMTP<< 530 Must issue a STARTTLS command first
ok=0 send_quit=1 send_rset=1 continue_more=0 yield=0 first_address is not NULL
  SMTP>> QUIT

Everything was working previously on port 25. Additionally, I am able to send outgoing mail using IceDove configured to use the same server, port, and STARTTLS. Can anyone explain why exim seems to be ignoring the STARTTLS offering from the server?

2 Answers

You can fix this by adding a hosts_require_tls option with the smarthost in the list to your configuration. This will cause Exim to send the STARTTLS command to establish a TLS connection. However, the hosts_avoid_tls option may override that setting.

You may want to try using port 465 (SSMTP). It is documented as supported for incoming traffic. It does support outgoing traffic. I've tested defining a smarthost as example.com:ssmtp instead of example.com.

BillThor

I'm happy to report the problem is fixed. The problem appears to have been with NameCheap's privateemail service. I went to work on this again today and after a dpkg-reconfigure exim4-config using the same settings as before, I am able to send outgoing mail through mail.privateemail.com:587. I didn't need to change any special options in the exim config. The SMTP conversation shows that the privateemail.com server is now responding normally to the SMTP connection. I assume an update by NameCheap resolved the issue.

SMTP>> EHLO efserver.hellonull.com
SMTP<< 250-MTA-08.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
SMTP>> AUTH PLAIN ********************************************
SMTP<< 235 2.7.0 Authentication successful
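
The two EHLO replies captured on this page can be compared with a small parser; this is an added example, not code from either poster and not Exim's implementation. Under the RFC 5321 grammar the first line of an EHLO reply is the server's domain/greeting and only the following lines are extension keywords, so a parser following that grammar finds no STARTTLS keyword in the first reply. The function names and the `require_tls` policy flag are hypothetical, and whether Exim parses the reply exactly this way is an assumption.

```python
# Added example: RFC 5321 EHLO reply parsing (not Exim's implementation).
# Both replies are copied from the debug output quoted on this page.
BROKEN_REPLY = "250-STARTTLS\r\n250 OK\r\n"
FIXED_REPLY = (
    "250-MTA-08.privateemail.com\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 81788928\r\n"
    "250-ETRN\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-8BITMIME\r\n"
    "250 DSN\r\n"
)


def parse_ehlo(reply):
    """Return (greeting, {KEYWORD: [params]}) for a 250 EHLO reply.

    RFC 5321 section 4.1.1.1: line 1 is the server domain/greeting;
    only the following lines are extension keywords.
    """
    lines = [line for line in reply.splitlines() if line]
    if not lines:
        raise ValueError("empty reply")
    for i, line in enumerate(lines):
        sep = " " if i == len(lines) - 1 else "-"  # last line uses a space
        if line[:3] != "250" or line[3:4] != sep:
            raise ValueError(f"malformed reply line: {line!r}")
    greeting = lines[0][4:]
    extensions = {}
    for line in lines[1:]:
        keyword, *params = line[4:].split()
        extensions[keyword.upper()] = params
    return greeting, extensions


def starttls_decision(reply, require_tls):
    """Next client step; require_tls is a hypothetical fail-closed policy flag."""
    _, ext = parse_ehlo(reply)
    if "STARTTLS" in ext:
        return "STARTTLS"
    # Keyword not found where the grammar puts it: refuse to continue when
    # TLS is mandatory, otherwise the session would proceed in cleartext.
    return "ABORT" if require_tls else "PLAINTEXT"
```

For the first reply the parser returns `STARTTLS` as the greeting text and `OK` as the only extension, so a client that does not require TLS continues in cleartext, as in the question's log.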