Marc Haber wrote:
So you only have ssl_on_connect_port=465 in your exim configuration
and no other port number? And you get a clear text banner when you
connect to tcp/25 or tcp/587? And you get a banner when you use
gnutls-cli -p 465 _without_ the -s option?

www:/tmp# grep ssl_on_connect_port /var/lib/exim4/config.autogenerated

- so no ssl_on_connect_port entry in my config...

But I do have the following:

www:/tmp# grep 587 /var/lib/exim4/config.autogenerated
tls_on_connect_ports=465:587

www:/tmp# gnutls-cli -p 465 127.0.0.1
Resolving '127.0.0.1'...
Connecting to '127.0.0.1:465'...
- Successfully sent 0 certificate(s) to server.
- Certificate type: X.509
- Got a certificate list of 1 certificates.

- Certificate[0] info:
# The hostname in the certificate does NOT match '127.0.0.1'.
# valid since: Thu Oct 25 21:11:06 EST 2007
# expires at: Sun Oct 22 22:11:06 EST 2017
# fingerprint: F6:9D:DB:E5:BC:EA:59:CC:F4:81:0A:D1:56:81:11:1E
# Subject's DN: CN=mail.affinityvision.com.au
# Issuer's DN: CN=Affinity Vision Australia Pty Ltd

- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS 1.0
- Key Exchange: DHE RSA
- Cipher: AES 256 CBC
- MAC: SHA
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

220 mail.affinityvision.com.au ESMTP Exim 4.63 Sat, 05 Jan 2008 21:23:56 +1100

I understand, but it _seems_ that OpenSSL works whilst GnuTLS
doesn't....

yes, and if we don't find out why, it's going to stay this way. I find
it worth trying to find out where the issue with GnuTLS is, and GnuTLS
upstream has become very responsive and motivated in the last few
weeks (btw, I really really appreciate that).

So do I really appreciate it!

I must admit that I have lost the overview over this bug report. If I
recall correctly, Simon is running an incredimail evaluation copy
under wine and can do any debugging on the library side that might be
possible. If I recall correctly, again, he has found out that
incredimail negotiates an obsolete version of SSL whose ciphers can
easily be broken and might be unable to negotiate a better version.
Under these circumstances, I remember him writing, it might be better
not to use encryption at all.

Interesting, but I came at it a bit later. I have a client whom I want to host DNS and email for, but he wants to use IM and that is the only blocking factor. He isn't interested in using any other email program, but given that IM is actually quite popular, it is going to continue to be a problem if it isn't sorted.

Kind Regards
AndrewM
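Marc's question above (clear-text banner on 25/587, TLS-only on 465) can be checked from a script instead of by hand with gnutls-cli. The following is an added example, not code from the thread or from Exim: it connects, waits for an unsolicited greeting, and only if the server stays silent (which is what tls_on_connect ports do) attempts a TLS handshake. The host name and the sample banner bytes are constructed.

```python
import socket
import ssl

# Constructed sample of what a clear-text SMTP listener sends right after connect.
SAMPLE_BANNER = b"220 mail.example.invalid ESMTP Exim 4.63 Sat, 05 Jan 2008 21:23:56 +1100\r\n"


def classify_first_bytes(data):
    """Classify an SMTP listener from the bytes it sent before any client input.

    b"220 ..." -> "cleartext-banner"    (STARTTLS-style port, expected on 25/587)
    b"" / None -> "silent-expects-tls"  (listener waits for a ClientHello, i.e. a
                                         tls_on_connect_ports port such as 465)
    other      -> "unknown"             (not an SMTP greeting at all)
    """
    if not data:
        return "silent-expects-tls"
    line = data.split(b"\r\n", 1)[0]
    if line[:3] == b"220" and line[3:4] in (b" ", b"-"):
        return "cleartext-banner"
    return "unknown"


def probe_port(host, port, timeout=3.0):
    """Return (verdict, banner) for one port, trying TLS only if the server is silent."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            first = sock.recv(512)
        except socket.timeout:
            first = b""
        verdict = classify_first_bytes(first)
        if verdict != "silent-expects-tls":
            return verdict, first
        # Diagnostic only: the thread's cert is self-signed, so skip verification
        # to reach the banner; check_hostname must be cleared before verify_mode.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "implicit-tls", tls.recv(512)
        except (ssl.SSLError, OSError):
            return "no-banner-no-tls", b""


def check_smtp_ports(host, ports=(25, 465, 587)):
    """Map each port to its verdict; with tls_on_connect_ports=465:587, 587 will
    show up as implicit-tls rather than the clear-text banner Marc expects."""
    return {port: probe_port(host, port)[0] for port in ports}
```

Run `check_smtp_ports("127.0.0.1")` on the mail host itself; a port listed in tls_on_connect_ports answers "implicit-tls" and a normal one "cleartext-banner".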
