exim4 and TLS

17/04/2016 - 14:00 by Joachim Hartmann
Hello, you SMTP specialists!
After I managed, with your help [see exim4, dovecot und thunderbird], to access the
system mails with Thunderbird, I now wanted to try to receive other e-mails as
well. On the home network that works (worked) without problems over port 25. But
since e-mails are also to be accepted from outside, I tried to switch the whole
thing to port 465 and STARTTLS and failed miserably!
Several days of googling have brought me closer to the solution, but the goal is,
for me, not yet in sight. I hope for your help.

Current status of exim4 [4.84.2-1]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#~# service exim4 status
o exim4.service - LSB: exim Mail Transport Agent
Loaded: loaded (/etc/init.d/exim4)
Active: active (running) since So 2016-04-17 09:56:41 CEST; 11ms ago
Process: 1768 ExecStop=/etc/init.d/exim4 stop (code=exited, status=0/SUCCESS)
Process: 1779 ExecStart=/etc/init.d/exim4 start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/exim4.service
+-2030 /usr/sbin/exim4 -bd -q30m
+-2031 /usr/sbin/exim4 -q

Apr 17 09:56:41 ct-Server exim4[1779]: Starting MTA: exim4.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Attempt to establish a connection
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#~# telnet myhost.dyndns.org 465
Trying 84.130.x.xx2...
Connected to myhost.dyndns.org.
Escape character is '^]'.
220 ct-Server.myhost.dyndns.org ESMTP Exim 4.84_2 Sun, 17 Apr 2016 09:57:34 +0200
EHLO myhost.dyndns.org
250-ct-Server.myhost.dyndns.org Hello p54820884.dip0.t-ipconnect.de [84.130.x.xx2]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP
STARTTLS
220 TLS go ahead
EHLO myhost.dyndns.org
Connection closed by foreign host.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The corresponding entry in /var/log/exim4/mainlog
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2016-04-17 09:59:24 TLS error on connection from p54820884.dip0.t-ipconnect.de (myhost.dyndns.org) [84.130.x.xx2] (gnutls_handshake): An unexpected TLS packet was received.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Checking the configuration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#~# exim -C /var/lib/exim4/config.autogenerated -bV
Exim version 4.84_2 #2 built 13-Mar-2016 17:47:19
Copyright (c) University of Cambridge, 1995 - 2014
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2014
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM PRDR OCSP
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Checking the certificates
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#~# openssl x509 -noout -text -in /etc/exim4/exim.crt
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 10802394886874817666 (0x95e9d0ea83ab6482)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DE, ST=NDS, CN=myhost.dyndns.org
Validity
Not Before: Apr 16 17:48:48 2016 GMT
Not After : Apr 16 17:48:48 2019 GMT
Subject: C=DE, ST=NDS, CN=myhost.dyndns.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:.
#~# openssl rsa -noout -text -in /etc/exim4/exim.key
Private-Key: (2048 bit)
modulus:
00:.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The permissions in the directory /etc/exim4/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#~# dir /etc/exim4/
insgesamt 124
drwxr-xr-x 3 root root 4096 2016-04-17 09:55 .
drwxr-xr-x 124 root root 12288 2016-04-15 09:11 ..
drwxr-xr-x 9 root root 4096 2016-01-12 16:54 conf.d
-rw-r--r-- 1 root root 162 2016-04-17 10:50 exim4.conf.localmacros
-rw-r--r-- 1 root root 77382 2016-04-16 19:05 exim4.conf.template
-rw-r----- 1 root Debian-exim 1082 2016-04-16 19:48 exim.crt
-rw-r----- 1 root Debian-exim 1704 2016-04-16 19:48 exim.key
-rw-r----- 1 root Debian-exim 104 2016-04-17 10:50 passwd
-rw-r----- 1 root Debian-exim 204 2015-02-17 18:01 passwd.client
-rw-r--r-- 1 root root 1116 2016-04-16 18:29 update-exim4.conf.conf
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The attempt via openssl fails
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#~# openssl s_client -connect 192.168.xxx.xx3:456
connect: Connection refused
connect:errno=111
#~# openssl s_client -connect myhost.dyndns.org:456
connect: No route to host
connect:errno=113
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

although there evidently is a route to the host (/var/log/mail.log)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Apr 17 11:42:52 ct-Server dovecot: auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
Apr 17 11:42:52 ct-Server dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
Apr 17 11:42:52 ct-Server dovecot: auth: Debug: auth client connected (pid=26006)
Apr 17 11:42:52 ct-Server dovecot: auth: Debug: auth client connected (pid=26008)
Apr 17 11:42:52 ct-Server dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=10.3.14.22, lip=192.168.xxx.xx3, session=<ot5gEaswgwBRAw4W>
Apr 17 11:42:52 ct-Server dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=10.3.14.22, lip=192.168.xxx.xx3, session=<P+dgEaswowBRAw4W>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

An attempt with swaks:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#~# swaks -tlsc -s myhost.dyndns.org -q EHLO -p 465
Trying myhost.dyndns.org:465...
Connected to myhost.dyndns.org.
*** TLS startup failed (connect(): error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol)
#~# swaks -tlsc -s 192.168.xxx.xx3 -q EHLO -p 465
Trying 192.168.xxx.xx3:465...
Connected to 192.168.xxx.xx3.
*** TLS startup failed (connect(): error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
And last but not least, this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#~# exim -bP
accept_8bitmime
acl_not_smtp =
acl_not_smtp_start =
acl_smtp_auth =
acl_smtp_connect =
acl_smtp_data = acl_check_data
acl_smtp_data_prdr =
acl_smtp_dkim =
acl_smtp_etrn =
acl_smtp_expn =
acl_smtp_helo =
acl_smtp_mail = acl_check_mail
acl_smtp_mailauth =
acl_smtp_notquit =
acl_smtp_predata =
acl_smtp_quit =
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_starttls =
acl_smtp_vrfy =
add_environment =
admin_groups =
no_allow_domain_literals
no_allow_mx_to_ip
no_allow_utf8_domains
auth_advertise_hosts = *
auto_thaw = 0s
bi_command =
bounce_message_file =
bounce_message_text =
bounce_return_body
bounce_return_message
bounce_return_size_limit = 100K
bounce_sender_authentication =
callout_domain_negative_expire = 3h
callout_domain_positive_expire = 1w
callout_negative_expire = 2h
callout_positive_expire = 1d
callout_random_local_part = $primary_hostname-$tod_epoch-testing
check_log_inodes = 0
check_log_space = 0
check_rfc2047_length
check_spool_inodes = 0
check_spool_space = 0
daemon_smtp_ports = smtp
daemon_startup_retries = 9
daemon_startup_sleep = 30s
delay_warning = 1d
delay_warning_condition = ${if or {{ !eq{$h_list-id:$h_list-post:$h_list-subscribe:}{} }{ match{$h_precedence:}{(?i)bulk|list|junk} }{ match{$h_auto-submitted:}{(?i)auto-generated|auto-replied} }} {no}{yes}}
no_deliver_drop_privilege
deliver_queue_load_max =
delivery_date_remove
no_disable_ipv6
dkim_verify_signers = $dkim_signers
dns_again_means_nonexist =
dns_check_names_pattern = (?i)^(?>(?(1)\.|())[^\W](?>[a-z0-9/_-]*[^\W])?)+(\.?)$
dns_csa_search_limit = 5
dns_csa_use_reverse
dns_dnssec_ok = -1
dns_ipv4_lookup =
dns_retrans = 0s
dns_retry = 0
dns_use_edns0 = -1
no_drop_cr
dsn_from = Mail Delivery System <Mailer-Daemon@$qualify_domain>
envelope_to_remove
errors_copy =
errors_reply_to =
exim_group = Debian-exim
exim_path = /usr/sbin/exim4
exim_user = Debian-exim
extra_local_interfaces =
extract_addresses_remove_arguments
finduser_retries = 0
freeze_tell = postmaster
gecos_name = $1
gecos_pattern = ^([^,:]*)
no_gnutls_allow_auto_pkcs11
no_gnutls_compat_mode
gnutls_require_kx =
gnutls_require_mac =
gnutls_require_protocols =
header_line_maxsize = 0
header_maxsize = 1048576
headers_charset = UTF-8
helo_accept_junk_hosts =
helo_allow_chars =
helo_lookup_domains = @ : @[]
helo_try_verify_hosts =
helo_verify_hosts =
hold_domains =
host_lookup = *
host_lookup_order = bydns:byaddr
host_reject_connection =
hosts_connection_nolog =
hosts_treat_as_local =
ignore_bounce_errors_after = 2d
ignore_fromline_hosts =
no_ignore_fromline_local
keep_environment =
keep_malformed = 4d
no_local_from_check
local_from_prefix =
local_from_suffix =
local_interfaces = <; 127.0.0.1.25 ; ::1.25 ; 0.0.0.0.465
local_scan_path =
local_scan_timeout = 5m
local_sender_retain
localhost_number =
log_file_path = /var/log/exim4/%slog
log_selector = +tls_peerdn
no_log_timezone
lookup_open_max = 25
max_username_length = 0
no_message_body_newlines
message_body_visible = 500
message_id_header_domain =
message_id_header_text =
message_logs
message_size_limit = 50M
no_move_frozen_messages
no_mua_wrapper
never_users =
openssl_options =
percent_hack_domains =
pid_file_path = /var/run/exim4/exim.pid
pipelining_advertise_hosts = *
no_prdr_enable
no_preserve_message_logs
primary_hostname = ct-Server.myhost.dyndns.org
no_print_topbitchars
process_log_path = /var/spool/exim4/exim-process.info
prod_requires_admin
qualify_domain = myhost.dyndns.org
qualify_recipient = myhost.dyndns.org
queue_domains =
queue_list_requires_admin
no_queue_only
queue_only_file =
queue_only_load =
queue_only_load_latch
queue_only_override
no_queue_run_in_order
queue_run_max = 5
queue_smtp_domains =
receive_timeout = 0s
received_header_text = Received: ${if def:sender_rcvhost {from $sender_rcvhost\t}{${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)\t}}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} ${if def:tls_cipher {($tls_cipher)\t}}(Exim $version_number)\t${if def:sender_address {(envelope-from <$sender_address>)\t}}id $message_exim_id${if def:received_for {\tfor $received_for}}
received_headers_max = 30
recipient_unqualified_hosts =
recipients_max = 0
no_recipients_max_reject
remote_max_parallel = 2
remote_sort_domains =
retry_data_expire = 1w
retry_interval_max = 1d
return_path_remove
rfc1413_hosts = *
rfc1413_query_timeout = 5s
sender_unqualified_hosts =
smtp_accept_keepalive
smtp_accept_max = 20
smtp_accept_max_nonmail = 10
smtp_accept_max_nonmail_hosts = *
smtp_accept_max_per_connection = 1000
smtp_accept_max_per_host =
smtp_accept_queue = 0
smtp_accept_queue_per_connection = 10
smtp_accept_reserve = 0
smtp_active_hostname =
smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full
smtp_check_spool_space
smtp_connect_backlog = 20
smtp_enforce_sync
smtp_etrn_command =
smtp_etrn_serialize
smtp_load_reserve =
smtp_max_synprot_errors = 3
smtp_max_unknown_commands = 3
smtp_ratelimit_hosts =
smtp_ratelimit_mail =
smtp_ratelimit_rcpt =
smtp_receive_timeout = 5m
smtp_reserve_hosts =
no_smtp_return_error_details
no_split_spool_directory
spool_directory = /var/spool/exim4
no_strict_acl_vars
no_strip_excess_angle_brackets
no_strip_trailing_dot
syslog_duplication
syslog_facility =
syslog_processname = exim
syslog_timestamp
system_filter =
system_filter_directory_transport =
system_filter_file_transport =
system_filter_group =
system_filter_pipe_transport =
system_filter_reply_transport =
system_filter_user =
tcp_nodelay
timeout_frozen_after = 1w
timezone =
tls_advertise_hosts = *
tls_certificate = /etc/exim4/exim.crt
tls_crl =
tls_dh_max_bits = 2236
tls_dhparam =
tls_ocsp_file =
tls_on_connect_ports =
tls_privatekey = /etc/exim4/exim.key
no_tls_remember_esmtp
tls_require_ciphers =
tls_try_verify_hosts =
tls_verify_certificates = ${if exists{/etc/ssl/certs/ca-certificates.crt}{/etc/ssl/certs/ca-certificates.crt}{/dev/null}}
tls_verify_hosts =
trusted_groups =
trusted_users = uucp
unknown_login =
unknown_username =
untrusted_set_sender = *
uucp_from_pattern = ^From\s+(\S+)\s+(?:[a-zA-Z]{3},?\s+)?(?:[a-zA-Z]{3}\s+\d?\d|\d?\d\s+[a-zA-Z]{3}\s+\d\d(?:\d\d)?)\s+\d\d?:\d\d?
uucp_from_sender = $1
warn_message_file =
write_rejectlog
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hopefully not too much information at once(?)!

Greetings from the city of CeBIT
Jochen
 


#1 Marc Haber
17/04/2016 - 15:30
On Sun, 17 Apr 2016 13:56:53 +0200, Joachim Hartmann
wrote:
> After I managed, with your help [see exim4, dovecot und thunderbird], to access
> the system mails with Thunderbird, I now wanted to try to receive other e-mails
> as well. On the home network that works (worked) without problems over port 25.
> But since e-mails are also to be accepted from outside, I tried to switch the
> whole thing to port 465 and STARTTLS and failed miserably!

Forget port 465 right away, you don't want that.

Port 25 is for transferring mail between MTAs; for authenticated submission of
mail from the MUA to the MTA one uses port 587. What matters is that on port 587
no mail is accepted without authentication.

> Attempt to establish a connection
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> #~# telnet myhost.dyndns.org 465
> Trying 84.130.x.xx2...
> Connected to myhost.dyndns.org.
> Escape character is '^]'.
> 220 ct-Server.myhost.dyndns.org ESMTP Exim 4.84_2 Sun, 17 Apr 2016 09:57:34 +0200
> EHLO myhost.dyndns.org
> 250-ct-Server.myhost.dyndns.org Hello p54820884.dip0.t-ipconnect.de [84.130.x.xx2]
> 250-SIZE 52428800
> 250-8BITMIME
> 250-PIPELINING
> 250-STARTTLS
> 250 HELP
> STARTTLS
> 220 TLS go ahead
> EHLO myhost.dyndns.org
> Connection closed by foreign host.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

That is already wrong: if you want to misuse port 465, TLS has to be spoken
there _directly_ (tls_on_connect_ports or something like that). But that was
never standardised. Don't even start with that nonsense; by now even Microsoft
has understood that.

If you want to speak SMTP with STARTTLS, then after STARTTLS and "220 TLS go
ahead" you also have to speak TLS. That does not work with telnet, unless you
want to type in the encrypted bytes yourself (man gnutls_cli).

> The corresponding entry in /var/log/exim4/mainlog
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 2016-04-17 09:59:24 TLS error on connection from p54820884.dip0.t-ipconnect.de (myhost.dyndns.org) [84.130.x.xx2] (gnutls_handshake): An unexpected TLS packet was received.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A clear-text "EHLO myhost.dyndns.org" simply isn't valid TLS.

> The attempt via openssl fails
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> #~# openssl s_client -connect 192.168.xxx.xx3:456
> connect: Connection refused
> connect:errno=111
> #~# openssl s_client -connect myhost.dyndns.org:456
> connect: No route to host
> connect:errno=113
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

465 != 456

> An attempt with swaks:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> #~# swaks -tlsc -s myhost.dyndns.org -q EHLO -p 465
> Trying myhost.dyndns.org:465...
> Connected to myhost.dyndns.org.
> *** TLS startup failed (connect(): error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol)
> #~# swaks -tlsc -s 192.168.xxx.xx3 -q EHLO -p 465
> Trying 192.168.xxx.xx3:465...
> Connected to 192.168.xxx.xx3.
> *** TLS startup failed (connect(): error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol)
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Because your exim wrongly speaks clear-text SMTP on port 465 first.

In summary, you have combined a handful of errors in reasoning with a whole lot
of missing basic knowledge and still got remarkably far. Unfortunately you just
took a wrong turn very early on.

Regards
Marc
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
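To make the distinction in this reply concrete, here is an added probe, written for this page rather than taken from the thread, from Exim or from Debian. It connects to an SMTP port, notes whether the server opens with a clear-text 220 banner or stays silent waiting for a TLS ClientHello, and, if the port was plaintext, reads the EHLO keywords. Instead of a real host it runs against three loopback stand-ins constructed here: one mimicking the poster's exim (clear-text SMTP with STARTTLS advertised on the port meant for TLS-on-connect), one a correctly configured implicit-TLS listener, and one an unused port as in the 456-for-465 typo. The banner text and host names are modelled on the thread; the `probe.example` name, the stand-in servers and `classify_smtp_port` itself are constructions of this example.

```python
import socket
import threading

# Constructed sample traffic, modelled on the EHLO dialogue quoted in the thread:
# what an Exim whose tls_on_connect_ports is empty sends in the clear on port 465.
SAMPLE_BANNER = b"220 ct-Server.myhost.dyndns.org ESMTP Exim 4.84_2\r\n"
SAMPLE_EHLO_REPLY = (b"250-ct-Server.myhost.dyndns.org Hello probe.example [127.0.0.1]\r\n"
                     b"250-SIZE 52428800\r\n250-STARTTLS\r\n250 HELP\r\n")


def ehlo_complete(reply):
    """True once the multi-line 250 reply has reached its final '250 ' line."""
    if not reply.endswith(b"\r\n"):
        return False
    last = reply[:-2].split(b"\r\n")[-1]
    return len(last) >= 4 and last[3:4] == b" "


def parse_ehlo(reply):
    """Return the EHLO keywords (STARTTLS, SIZE, AUTH, ...) of a 250 reply."""
    caps = set()
    for line in reply.decode("ascii", "replace").splitlines()[1:]:  # [0] is the greeting
        words = line[4:].split()
        if line[:4] in ("250-", "250 ") and words:
            caps.add(words[0].upper())
    return caps


def classify_smtp_port(host, port, timeout=1.0):
    """Report what a server does before the client has sent a single byte.
    ("refused", None): nothing listens there (the 456-vs-465 typo in the thread).
    ("silent", None): no banner, the server waits for a ClientHello (a correct implicit-TLS 465).
    ("plaintext", caps): clear-text 220 banner plus EHLO keywords; on 465 this is the
        "unknown protocol" case, because a 220 line is not a TLS ServerHello.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", None)
    with sock:
        sock.settimeout(timeout)
        try:
            banner = sock.recv(1024)
        except socket.timeout:
            return ("silent", None)
        if not banner.startswith(b"220"):
            return ("unknown", None)
        reply = b""
        try:
            sock.sendall(b"EHLO probe.example\r\n")
            while not ehlo_complete(reply):
                chunk = sock.recv(1024)
                if not chunk:
                    break
                reply += chunk
            sock.sendall(b"QUIT\r\n")
        except OSError:
            pass  # a partial reply is still classified below
        return ("plaintext", parse_ehlo(reply))


def _serve_once(handler):
    """Accept one loopback connection, hand it to handler, return the port (stand-in only)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def run():
        with srv, srv.accept()[0] as conn:
            handler(conn)
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def stand_in(conn, banner):
    """Constructed server: banner=None mimics a correct implicit-TLS listener that waits
    silently for a ClientHello; a 220 banner mimics the poster's clear-text exim."""
    conn.settimeout(3)
    try:
        if banner is None:
            conn.recv(1024)  # would be the ClientHello; the probe gives up first
            return
        conn.sendall(banner)
        if conn.recv(1024).upper().startswith(b"EHLO"):
            conn.sendall(SAMPLE_EHLO_REPLY)
            conn.recv(1024)  # the probe's QUIT
            conn.sendall(b"221 closing connection\r\n")
    except OSError:
        pass


def demo():
    """Probe the three situations from the thread against the loopback stand-ins."""
    with socket.socket() as s:  # a port nobody listens on: the 456 typo
        s.bind(("127.0.0.1", 0))
        closed_port = s.getsockname()[1]
    return {
        "clear-text SMTP on 465": classify_smtp_port("127.0.0.1", _serve_once(lambda c: stand_in(c, SAMPLE_BANNER))),
        "TLS on connect on 465": classify_smtp_port("127.0.0.1", _serve_once(lambda c: stand_in(c, None))),
        "port 456 (typo)": classify_smtp_port("127.0.0.1", closed_port),
    }
```

In the `exim -bP` output above, `tls_on_connect_ports` is empty while `local_interfaces` includes `0.0.0.0.465`, which is exactly the `plaintext` state the probe reports: `swaks -tlsc` and `openssl s_client` send a ClientHello and get a 220 line back instead of a ServerHello (hence "unknown protocol"), while a telnet session that types `EHLO` after `220 TLS go ahead` feeds clear text to the server's GnuTLS layer (hence "An unexpected TLS packet was received" in mainlog). Against a real host, `classify_smtp_port("mail.example", 465)` should answer `silent`, and `classify_smtp_port("mail.example", 587)` `plaintext` with `STARTTLS` among the keywords; whether unauthenticated mail is then refused on 587, as the reply demands, has to be checked after the TLS upgrade, which this probe deliberately does not perform.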
