Fixing Exim 4.97.1 issues with SendGrid

A diagnostic guide on fixing Exim 4.97.1 issues with SendGrid

With the newest Exim update, 4.97.1, many hosting providers that use SendGrid are facing issues sending email.

CainHosting recently ran into these issues as well, using SendGrid’s transactional SMTP service. In this article we’ll walk through how we diagnosed the problem and the fix.

Exim 4.97.1 Emails Not Being Sent From Server

We first noticed the issue when using Google’s “send mail as” feature, which returned this bounce:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  ******@gmail.com
    all hosts for 'gmail.com' have been failing for a long time (and retry time not reached)

 

So we head over to Exim’s mainlog to diagnose:

(SSL_connect): error:00000000:lib(0):func(0):reason(0)

  SMTP>> EHLO alpha.cainhosting.com
  SMTP<< 250-smtp.sendgrid.net
         250-8BITMIME
         250-PIPELINING
         250-SIZE 31457280
         250-STARTTLS
         250-AUTH PLAIN LOGIN
         250 AUTH=PLAIN LOGIN
  SMTP>> STARTTLS
  SMTP<< 220 Begin TLS negotiation now
  SMTP(close)>>
cmdlog: '220:EHLO:250-:STARTTLS:220'
LOG: MAIN
  == ******@@gmail.com R=smart_route T=auth_relay defer (-37) H=smtp.sendgrid.net [54.146.218.5]: TLS session: (SSL_connect): error:00000000:lib(0):func(0):reason(0)

 

An interesting error: (SSL_connect): error:00000000:lib(0):func(0):reason(0). So TLS is the problem? An all-zero OpenSSL error like this means the library’s error queue was empty: the connection ended at the socket level without the peer sending a TLS alert, which suggests the server simply dropped our handshake rather than rejecting something specific. Quite odd, since we’ve never changed any settings. However, Exim did just update, so it is possible that configs were overwritten, although we use the proper method of keeping our custom configuration in the respective .conf.custom files. Let’s investigate all of our Exim configuration files further.

exim.routers.pre.conf

smart_route_forward:
    driver = manualroute
    domains = ! +local_domains
    ignore_target_hosts = 127.0.0.0/8
    condition = ${if !eq{$original_domain}{$domain}}
    condition = ${if !eq{$original_domain}{}}
    condition = "${perl{check_limits}}"
    
    transport = auth_relay_forward

    route_list = * smtp.sendgrid.net::587
    no_more

smart_route:
    driver = manualroute
    domains = ! +local_domains
    ignore_target_hosts = 127.0.0.0/8
    condition = "${perl{check_limits}}"

    transport = auth_relay

    route_list = * smtp.sendgrid.net::587
    no_more

 

Everything looks correct here; no changes have been made, and route_list connects to SendGrid on port 587.

exim.transports.pre.conf

auth_relay:
    driver = smtp
    port = 25
    hosts_require_auth = $host_address
    hosts_require_tls = $host_address
    headers_add = "${if def:authenticated_id{X-Authenticated-Id: ${authenticated_id}}}"
    interface = <; ${if exists{/etc/virtual/domainips}{${lookup{$sender_address_domain}lsearch*{/etc/virtual/domainips}}}}
    helo_data = ${if exists{/etc/virtual/helo_data}{${lookup{$sending_ip_address}iplsearch{/etc/virtual/helo_data}{$value}{$primary_hostname}}}{$primary_hostname}}
    hosts_try_chunking =
    hosts_try_fastopen =
.include_if_exists /etc/exim.dkim.conf

auth_relay_forward:
    driver = smtp
    port = 25
    hosts_require_auth = $host_address
    hosts_require_tls = $host_address
    headers_add = "${if def:authenticated_id{X-Authenticated-Id: ${authenticated_id}}}"
    interface = <; ${if exists{/etc/virtual/domainips}{${lookup{$sender_address_domain}lsearch*{/etc/virtual/domainips}}}}
    helo_data = ${if exists{/etc/virtual/helo_data}{${lookup{$sending_ip_address}iplsearch{/etc/virtual/helo_data}{$value}{$primary_hostname}}}{$primary_hostname}}
    hosts_try_chunking =
    hosts_try_fastopen =
    max_rcpt = 1
    return_path = ${srs_encode {SRS_SECRET} {$return_path} {$original_domain}}
.include_if_exists /etc/exim.dkim.conf

 

Everything is correct in this configuration file as well. Let’s check our exim.authenticators.post.conf file just to make sure nothing is wrong.

exim.authenticators.post.conf

auth_login:
    driver = plaintext
    public_name = LOGIN
    hide client_send = : apikey : SG.(rest-of-this-key-is-hidden)

 

Well, our SendGrid API key is correct and nothing has changed, so the authentication side of the connection should be fine.

Using openssl to connect to SendGrid

root@alpha:~# openssl s_client -connect smtp.sendgrid.net:587 -starttls smtp -tls1_3
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 215 bytes and written 274 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

 

Let’s try again, forcing TLSv1.2 this time: openssl s_client -connect smtp.sendgrid.net:587 -starttls smtp -tls1_2

root@alpha:~# openssl s_client -connect smtp.sendgrid.net:587 -starttls smtp -tls1_2
CONNECTED(00000003)
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 CN = *.smtp.sendgrid.net
verify return:1
---
Certificate chain
 0 s:CN = *.smtp.sendgrid.net
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
 1 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
 2 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
   i:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
 3 s:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
   i:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
---
Server certificate
subject=CN = *.smtp.sendgrid.net

issuer=C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2

---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6004 bytes and written 373 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: D10B05FB169F8F2B3E0DA4C
    Session-ID-ctx:
    Master-Key: AF007A46C828F4CDB85C62E95FA2
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1711787232
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
250 AUTH=PLAIN LOGIN

 

Hey, it works on TLSv1.2! The TLSv1.3 attempt above never established a session at all (Cipher is (NONE)), while the TLSv1.2 attempt completes the handshake and gets through to the 250 AUTH response.
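To make the two s_client checks repeatable, here is an added shell script (not part of the original article) that probes a relay once per TLS version and reports what each handshake negotiated. It assumes openssl is installed and takes host and port as arguments, for example smtp.sendgrid.net 587 as in the commands above.

```shell
#!/bin/sh
# Added example, not code from the original article: probe an SMTP relay
# with openssl s_client once per TLS version and report what each attempt
# negotiated, automating the manual -tls1_3 / -tls1_2 comparison above.
# Assumes openssl(1) is installed; host and port are given as arguments.

# Pull the negotiated protocol out of an s_client transcript. openssl prints
# "New, TLSv1.2, Cipher is ECDHE-..." on success and
# "New, (NONE), Cipher is (NONE)" when no session was established.
negotiated_protocol() {
    printf '%s\n' "$1" | sed -n 's/^New, \([^,]*\), Cipher is .*/\1/p' | head -n 1
}

# Same for the cipher suite named on that line.
negotiated_cipher() {
    printf '%s\n' "$1" | sed -n 's/^New, [^,]*, Cipher is \(.*\)$/\1/p' | head -n 1
}

# Summarise one transcript as "ok <protocol> <cipher>" or "fail".
summarise_handshake() {
    proto=$(negotiated_protocol "$1")
    case "$proto" in
        ""|"(NONE)") echo "fail" ;;
        *) echo "ok $proto $(negotiated_cipher "$1")" ;;
    esac
}

# Run one STARTTLS handshake against host:port with a single version flag,
# the same command the article types by hand, and summarise the result.
probe_version() {
    out=$(openssl s_client -connect "$1:$2" -starttls smtp "$3" </dev/null 2>&1)
    summarise_handshake "$out"
}

# Probe each version and print a small table. A relay that reports "fail"
# for -tls1_3 but "ok" for -tls1_2 is unreachable from an Exim whose
# openssl_options contains +no_tlsv1_2, because that leaves TLSv1.3 as the
# only protocol Exim will offer.
probe_relay() {
    for flag in -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "$flag" "$(probe_version "$1" "$2" "$flag")"
    done
}

# Usage: ./probe_relay.sh smtp.sendgrid.net 587
if [ "$#" -eq 2 ]; then
    probe_relay "$1" "$2"
fi
```

Run it against the relay before and after editing openssl_options; a failing -tls1_3 row next to a succeeding -tls1_2 row is the signature of the problem described here.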

The Solution

Exim 4.97.1 must be insisting on TLSv1.3. Let’s check our exim.variables.conf file.

openssl_options = +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1 +no_tlsv1_2 +cipher_server_preference

 

There it is, we’ve found the issue: +no_tlsv1_2 disables TLSv1.2, which leaves TLSv1.3 as the only protocol Exim will offer, and SendGrid does not support TLSv1.3. Let’s change openssl_options the correct way, in the .conf.custom file, so the change is not overwritten by the next update.

exim.variables.conf.custom

openssl_options = +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1 +cipher_server_preference

 

Let’s restart exim and send a test email.

root@alpha:~# systemctl restart exim

 

Test email works! Hope this article helps someone out there with this issue.

Updated on April 4, 2024
