About a month ago, Fastmail made some changes to their SSL certificates that broke exim4 relaying to their servers. After I scrambled around for a while and futilely attempted to debug the problem, they eventually just fixed it on their side. This blog post is a quick note on some of the commands I tried, in case they come in handy some day.
Here are some of the commands I used to try connecting to their server and view debug and certificate output:
openssl s_client -starttls smtp -crlf -connect 18.104.22.168:587
gnutls-cli --verbose --starttls -p 587 -d 4711 mail.messagingengine.com
gnutls-cli --starttls -p 587 mail.messagingengine.com (type STARTTLS<return> and then hit ctrl-d)
To view a certificate:
openssl x509 -in cerfile.cer -noout -text
On a different note, while trying to track down the problem, I figured out that it had to do with Fastmail's server using a 1024-bit Diffie–Hellman prime. There was a Debian-specific patch that set the minimum prime size accepted by exim4 to 2048 bits. Andreas Metzler was kind enough to send me the Debian bug discussing the reasoning behind the changes.
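As an added example (not from the original post, and not exim4's or Fastmail's code), here is a small Python checker for exactly that condition: it parses the "Server Temp Key:" line that openssl s_client prints after the handshake and flags a DH prime below the 2048-bit floor the Debian patch enforced. The sample output is constructed, and the hostname and port passed to the probe are assumptions.

```python
"""Flag a weak ephemeral Diffie-Hellman group in `openssl s_client` output.
Added example, not from the original post. Relies on the "Server Temp Key:"
line that OpenSSL 1.0.2 and later print after a successful handshake."""
import subprocess

MIN_DH_BITS = 2048  # floor applied by the Debian exim4 patch, per the post

# Constructed sample of the relevant s_client output: a 1024-bit DH group,
# the situation that broke relaying in the post.
SAMPLE_OUTPUT = """\
---
Server Temp Key: DH, 1024 bits
---
"""


def s_client_cmd(host, port=587):
    """Argument vector for the openssl probe from the post (host is assumed)."""
    return ["openssl", "s_client", "-starttls", "smtp", "-crlf",
            "-connect", f"{host}:{port}"]


def check_temp_key(output, min_dh_bits=MIN_DH_BITS):
    """Parse the 'Server Temp Key:' line. Returns None if absent (handshake
    failed or old OpenSSL); otherwise kind (DH/ECDH/X25519...), curve name
    if any, bit size, and weak_dh, set when a DH group is below the floor."""
    for line in output.splitlines():
        if not line.startswith("Server Temp Key:"):
            continue
        # Forms seen: "DH, 1024 bits", "ECDH, P-256, 256 bits", "X25519, 253 bits"
        fields = [f.strip() for f in line.split(":", 1)[1].split(",")]
        kind = fields[0]
        curve = fields[1] if len(fields) == 3 else None
        bits = int(fields[-1].split()[0])
        return {"kind": kind, "curve": curve, "bits": bits,
                "weak_dh": kind == "DH" and bits < min_dh_bits}
    return None


def probe(host, port=587, timeout=20):
    """Run the probe against a live server (needs network; QUIT ends the session)."""
    proc = subprocess.run(s_client_cmd(host, port), input="QUIT\n",
                          capture_output=True, text=True, timeout=timeout)
    return check_temp_key(proc.stdout)
```

Running check_temp_key(SAMPLE_OUTPUT) reports the 1024-bit group as weak_dh, while an ECDH or X25519 key exchange is never flagged since the 2048-bit floor applied only to finite-field DH.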
I ended up rebuilding the exim package without the patch until they fixed the problem. It was definitely cool to play with some of the tools used for that: quilt, dch, dpkg-buildpackage.