Fastmail and exim

About a month ago, Fastmail made some changes to their SSL certificates that broke exim4 relaying to their servers. After I scrambled around for a while and futilely attempted to debug the problem, they eventually just fixed it on their side. This blog post is just a quick note on some of the commands I tried, just in case they come in handy some day.

Here are some of the commands I used to try connecting to their server and view debug and certificate output:

openssl s_client -starttls smtp -crlf -connect 66.111.4.52:587
gnutls-cli --verbose --starttls -p 587 -d 4711 mail.messagingengine.com
gnutls-cli --starttls -p 587 mail.messagingengine.com
  (type STARTTLS<return> and then hit ctrl-d)

To view a certificate:

openssl x509 -in cerfile.cer -noout -text

On a different note, while trying to track down the problem, I figured out it had to do with Fastmail's Diffie–Hellman prime key being 1024 bits. There was a Debian-specific patch that set the minimum accepted by exim4 to 2048 bits. Andreas Metzler was kind enough to send me the Debian bug discussing the reasoning behind the changes.
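The size mismatch described above can be confirmed from saved client output. This script is an added example, not part of the original post and not exim or Debian code. The function names and sample output are constructed, and the two line formats it parses are assumed from typical `openssl s_client` and `gnutls-cli` output, which varies by version.

```shell
#!/bin/sh
# Added example: pull the ephemeral DH prime size out of TLS client output
# and compare it with a required minimum (2048 is the minimum named in the post).

# Print the DH prime size in bits found on stdin, or nothing if none is reported.
# Assumed line shapes (they vary between client versions):
#   openssl s_client:  "Server Temp Key: DH, 1024 bits"
#   gnutls-cli:        " - Using prime: 1024 bits"
dh_bits() {
    sed -n \
        -e 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' \
        -e 's/^ *- Using prime: \([0-9][0-9]*\) bits.*/\1/p' | head -n 1
}

# check_dh_min MIN: read client output on stdin.
# Returns 0 if the DH prime is >= MIN bits, 1 if it is smaller, and
# 2 if no DH size was reported (for example a non-DHE key exchange).
check_dh_min() {
    min=$1
    bits=$(dh_bits)
    if [ -z "$bits" ]; then
        echo "no DH prime size reported"
        return 2
    fi
    if [ "$bits" -lt "$min" ]; then
        echo "DH prime is $bits bits, below minimum $min"
        return 1
    fi
    echo "DH prime is $bits bits, meets minimum $min"
    return 0
}

# Constructed sample output, not captured from any real server.
SAMPLE_GNUTLS='- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1023 bits'
SAMPLE_OPENSSL='Server Temp Key: DH, 2048 bits'

printf '%s\n' "$SAMPLE_GNUTLS"  | check_dh_min 2048 || true
printf '%s\n' "$SAMPLE_OPENSSL" | check_dh_min 2048 || true
```

To use it on a live check, pipe the output of one of the commands listed earlier into `check_dh_min 2048`.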

I ended up rebuilding the exim package without the patch until they fixed the problem. It was definitely cool to play with some of the tools used for that: quilt, dch, dpkg-buildpackage.

posted: Jul 6 2012
tags: debian