Exim gives a wrong version number error

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mail.home.bouzou.org

I ran this command:
openssl s_client -starttls smtp -crlf -connect mail.home.bouzou.org:25

It produced this output:

Connecting to 192.168.1.252
CONNECTED(00000005)
001F320902000000:error:0A00010B:SSL routines:tls_validate_record_header:wrong version number:ssl/record/methods/tlsany_meth.c:85:
---
no peer certificate available
---
No client certificate CA names sent
Negotiated TLS1.3 group: <NULL>
---
SSL handshake has read 264 bytes and written 1586 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Protocol: TLSv1.3
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

My web server is (include version): exim4

The operating system my web server runs on is (include version): Ubuntu 24.04.2 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 4.1.1

Additional info:
03_exim4-config_tlsoptions contains:

MAIN_TLS_CERTKEY = /etc/letsencrypt/live/mail.home.bouzou.org/fullchain.pem
MAIN_TLS_PRIVATEKEY = /etc/letsencrypt/live/mail.home.bouzou.org/privkey.pem

I made sure that the Debian-exim user can access the certificate files:

sudo -u Debian-exim more /etc/letsencrypt/live/mail.home.bouzou.org/fullchain.pem

Please help

Normally port 25 does not use a certificate for TLS

What instructions are you following for exim?

1 Like

It does with starttls, which is what the openssl command is using.

I don't seem to be able to connect at all to that name from my mail server, though. And it having a private IP listed in the openssl output above is a bit odd as well.

3 Likes

I guess I should have been clearer. Are they sure they have configured exim to reply to TLS requests on port 25?

Just setting a cert file name isn't enough. They need the proper TLS Connect configuration: 43. Encrypted SMTP connections using TLS/SSL

4 Likes

I see what you're saying. My memory of openssl s_client's starttls option is that it's pretty primitive, so if the server were replying to the STARTTLS command with an error message, I could see openssl trying to instead interpret it as the start of a TLS handshake and giving that error, but not showing the error the server was actually replying with.

4 Likes

I've forwarded the right port and enabled port 587, so you can try connecting at mail.home.bouzou.org port 587 and tell me what you think. I'm stumped at the moment. It seems to work with the self-signed certs in the /etc/exim4 directory, but not with the ones generated by certbot. I'd really like to "do the right thing"...

Thanks in advance for any advice!

BTW, the instructions I followed are the ones at eff.org, titled

From Encrypting the Web to Encrypting the Net: A Technical Deep Dive on Using Certbot to Secure your Mailserver

(not posting a link, as that got my account deactivated last time.)

Does the exim log show any more info? Should be one/more mainlog files in /var/log/exim4 directory

A --debug of openssl shows this 454 TLS currently unavailable error

0000 - 53 54 41 52 54 54 4c 53-0d 0a                     STARTTLS..
read from 0x581fdfd1a2e0 [0x581fdfc71670] (8192 bytes => 31 (0x1F))
0000 - 34 35 34 20 54 4c 53 20-63 75 72 72 65 6e 74 6c   454 TLS currentl
0010 - 79 20 75 6e 61 76 61 69-6c 61 62 6c 65 0d 0a      y unavailable..

I am pretty sure exim allows ECDSA certs but you might try re-issuing your cert as RSA.

PS:

I think you had a post rejected because it was ONLY a link. Such posts look like spam. Giving a link within a post with other info should be fine.

2 Likes
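The two replies above describe the same mechanism from both ends: `openssl s_client -starttls smtp` sends `STARTTLS` and then immediately treats whatever comes back as a TLS record, so a `454 TLS currently unavailable` line is mis-parsed as a "wrong version number" and never shown unless you add `-debug`. The script below is an added example (not from the original thread or from Exim or OpenSSL) that drives the plaintext SMTP dialogue itself, stops at the server's answer to `STARTTLS`, and only starts the TLS handshake if that answer is `220`. Host names, the `probe.invalid` EHLO name and the three canned server transcripts are constructed for illustration, not captured from the poster's server.

```python
"""Run the plaintext SMTP dialogue up to STARTTLS and report the server's
actual reply, which `openssl s_client -starttls smtp` hides when the server
answers with an error code such as 454 instead of 220 (added example)."""
import io
import socket
import ssl
import sys


def read_reply(rfile):
    """Read one SMTP reply (single- or multi-line). Return (code, [text lines])."""
    texts = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection mid-reply")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed SMTP reply line: {line!r}")
        texts.append(line[4:])
        if len(line) == 3 or line[3] == " ":  # a space after the code ends the reply
            return int(line[:3]), texts


def starttls_probe(rfile, wfile, helo_name="probe.invalid"):
    """Greeting -> EHLO -> STARTTLS, stopping before any TLS byte is sent.

    Returns a dict: 'stage' is where the dialogue stopped, 'code' the reply
    code at that stage, 'reply' its text lines, 'advertised' whether the
    EHLO response listed STARTTLS.
    """
    code, texts = read_reply(rfile)
    if code != 220:
        return {"stage": "greeting", "code": code, "reply": texts, "advertised": False}
    wfile.write(f"EHLO {helo_name}\r\n".encode("ascii"))
    wfile.flush()
    code, texts = read_reply(rfile)
    # EHLO keywords are case-insensitive; the first line is the server's name.
    advertised = any(t.upper().split()[:1] == ["STARTTLS"] for t in texts[1:])
    if code != 250 or not advertised:
        return {"stage": "ehlo", "code": code, "reply": texts, "advertised": advertised}
    wfile.write(b"STARTTLS\r\n")
    wfile.flush()
    code, texts = read_reply(rfile)  # 220 = go ahead with TLS, 454 = TLS setup failed
    return {"stage": "starttls", "code": code, "reply": texts, "advertised": True}


def probe_transcript(server_bytes):
    """Run the probe against a canned server transcript (no network needed)."""
    return starttls_probe(io.BytesIO(server_bytes), io.BytesIO())


# Constructed transcripts for offline runs; not captured from any real server.
TRANSCRIPT_REFUSED = (
    b"220 mail.example ESMTP Exim\r\n"
    b"250-mail.example Hello probe.invalid\r\n"
    b"250-SIZE 52428800\r\n"
    b"250-STARTTLS\r\n"
    b"250 HELP\r\n"
    b"454 TLS currently unavailable\r\n"
)
TRANSCRIPT_NOT_ADVERTISED = (
    b"220 mail.example ESMTP\r\n"
    b"250-mail.example Hello probe.invalid\r\n"
    b"250 HELP\r\n"
)
TRANSCRIPT_READY = (
    b"220 mail.example ESMTP\r\n"
    b"250-mail.example Hello probe.invalid\r\n"
    b"250-STARTTLS\r\n"
    b"250 HELP\r\n"
    b"220 TLS go ahead\r\n"
)


def main(host, port=25):
    """Live probe: print the STARTTLS reply, then finish the handshake if it was 220."""
    with socket.create_connection((host, port), timeout=15) as sock:
        rfile, wfile = sock.makefile("rb"), sock.makefile("wb")
        result = starttls_probe(rfile, wfile)
        rfile.close()
        wfile.close()
        print(f"{result['stage']}: {result['code']} {' / '.join(result['reply'])}")
        if result["stage"] != "starttls" or result["code"] != 220:
            return 1
        # Only now does TLS begin: the point at which openssl sends its ClientHello.
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            print("protocol:", tls.version(), "subject:", tls.getpeercert().get("subject"))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 25))
```

Run it as `python3 probe.py mail.example 25` (or 587). A `starttls: 454 ...` line means the server advertised STARTTLS but could not initialise TLS when asked; Exim gives that answer when it fails to load the certificate or key for the session, and its mainlog in `/var/log/exim4` records the reason at the same moment, so read the log entry for that connection rather than guessing. Two checks worth doing on the server before anything else: read `privkey.pem` as the `Debian-exim` user the same way `fullchain.pem` was tested above (the `live/` entries are symlinks into `archive/`, where Certbot stores the key root-only by default), and compare the macro names set in the tlsoptions file against the names that file actually reads and whether TLS is enabled at all in the Debian split configuration, since a macro Exim never reads silently leaves the default self-signed paths in place.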