I quite commonly see undelivered mail to bounce@tweet.twitter.com on the outgoing mail queue. (DSNs and out-of-office replies with empty senders - so not critical mail.)
(The Twitter mail is recieved by en25.com/eloqua.net which is infrastructure for "Oracle Eloqua Marketing Cloud".)
This isn’t a new issue, but I thought I’d drop a note in public about it.
If I run exim4 -v -M on a delivery attempt I can see that it disconnects immediately after attempting to establish a STARTTLS session, so falls back to retrying without TLS.
SMTP<< 220 P01SNJ018.eloqua.net Microsoft ESMTP MAIL Service, Version: 10.0.14393.4169 ready at Tue, 10 Jan 2023 05:50:33 -0500
SMTP>> EHLO foo.example.com
SMTP<< 250-P01SNJ018.eloqua.net Hello [10.32.120.102]
250-TURN
250-SIZE 2097152
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-TLS
250-STARTTLS
250 OK
SMTP>> STARTTLS
SMTP<< 220 2.0.0 SMTP server ready
SMTP(close)>>
TLS session: (gnutls_handshake): Key usage violation in certificate has been detected.: delivering unencrypted to H=mail.en25.com [209.167.231.14] (not in hosts_require_tls)
But, the server won't accept a bounce on an unencrypted connection.
SMTP<< 220 P01SNJ015.eloqua.net Microsoft ESMTP MAIL Service, Version: 10.0.14393.4169 ready at Tue, 10 Jan 2023 05:50:34 -0500
SMTP>> EHLO foo.example.com
SMTP<< 250-P01SNJ015.eloqua.net Hello [10.32.120.104]
250-TURN
250-SIZE 2097152
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-TLS
250-STARTTLS
250 OK
SMTP>> MAIL FROM:<> SIZE=2451
SMTP>> RCPT TO:<bounce@tweet.twitter.com>
SMTP>> BDAT 2092 LAST
SMTP<< 530 5.7.0 Must issue a STARTTLS command first
SMTP<< 530 5.7.0 Must issue a STARTTLS command first
SMTP>> QUIT
SMTP(close)>>
The mailserver is the Ubuntu 20.04 exim4-daemon-heavy (4.93-13ubuntu1.7) using libgnutls (3.6.13-2ubuntu1.7)
I can see using TLS debug tools that the certificate isn't signed. But certificate errors aren't uncommon for mail servers, and it doesn't usually impede delivery.
echo QUIT | gnutls-cli --starttls-proto=smtp -p 25 --no-ca-verification mail.en25.computs the following in stderr
|<1>| Peer's certificate does not allow digital signatures. Key usage violation detected.
*** Fatal error: Key usage violation in certificate has been detected.If I pull out the X.509 Key Usage section
echo QUIT | gnutls-cli --starttls-proto=smtp -p 25 --no-ca-verification --insecure --save-cert=/dev/stdout mail.en25.com | certtool -i Key Purpose (not critical):
TLS WWW Server.
Key Usage (critical):
Key encipherment.
Data encipherment.Checking against servers I know will accept STARTTLS, such as smtp.google.com
Key Usage (critical):
Digital signature.
Key Purpose (not critical):
TLS WWW Server.and a server with a standard letsencrypt cert
Key Usage (critical):
Digital signature.
Key encipherment.
Key Purpose (not critical):
TLS WWW Server.
TLS WWW Client.I can see that they have "Digital signature" in the X.509 key usage section.
Given other servers, eg ones using OpenSSL, will establish a connection regardless, is the hard requirement for "Digital signature" in the key usage the correct behaviour?
And, given plaintext fallback, is there any way to switch this off without recompiling?