postfix dovecot tls error
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
postfix (Debian) | Fix Released | Unknown | |
postfix (Ubuntu) | Fix Released | Undecided | Miriam España Acebal |
Jammy | Fix Released | Undecided | Miriam España Acebal |
Kinetic | Fix Released | Undecided | Miriam España Acebal |
Lunar | Fix Released | Undecided | Miriam España Acebal |
Bug Description
[ Impact ]
After a breaking change in OpenSSL 3, postfix users have experienced
warning messages and missed opportunities for TLS session reuse. To avoid this, upstream included this workaround that consists of turning on SSL_OP_
[ Test Plan ]
A bad scenario test case has been provided in comment #10, and after installing the proposed package for this SRU the same steps can be used for verification (like in comment #14). Therefore, the steps will be the following:
### Bad Case
#0. In a VM/container with Jammy (i.e):
# lxc launch ubuntu-daily:jammy Jpostfix
# lxc shell Jpostfix
# apt update && apt upgrade -y
# apt install postfix -y (I selected local installation)
#1. Run the connection:
# openssl s_client --connect localhost:25 -starttls smtp
#2. Interrupt the connection: Press Ctrl-C
#3. Check the log for the present warning message:
# grep warning /var/log/mail.log | grep 0A000126
### Good Case
#4. Enable & install proposed package:
#cat <<EOF >/etc/apt/
# Enable Ubuntu proposed archive
deb http://
EOF
#apt update && apt upgrade -y
#5. Clean log to remove the warning message for Bad case,
returning to old log (thanks to Bryce Harrington for the hint and suggestion):
#savelog -g adm -m 640 -u syslog -c 7 /var/log/mail.log
#6. Repeat steps 1, 2 and 3: no more warning messages appear
(grep returns nothing).
Also, an integration test script is present in the autopkgtests, which
have been run in a PPA and in autopkgtest.
In addition, Simon Déziel has been so kind as to do manual tests on
Jammy with satisfactory results.
[ Where problems could occur ]
This fix is part of a stable microrelease. As indicated in the PostfixUpdates MRE exception "Upstream has tight requirements for what goes into stable microreleases, QAs them with regression tests, and has a good history of not breaking anything", which doesn't imply risk-free.
In particular, they commented the following about this change in the HISTORY file: "This is safe because the SMTP protocol implements application-level framing, and is therefore not affected by TLS truncation attacks".
The autopkgtest tests checked the relationships with the versions of the available dependencies and other package-specific issues, which is probably what we should focus on to mitigate possible regression scenarios.
[ Other Info ]
The package also fixes LP: #1996524 (SRU template completed there as well).
[ Original Report ]
-------
I have upgraded the mail system from 20.04 to 22.04.
I am getting tls errors:
postfix/
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: postfix 3.6.4-1ubuntu1
ProcVersionSign
Uname: Linux 5.15.0-50-generic x86_64
NonfreeKernelMo
ApportVersion: 2.20.11-0ubuntu82.1
Architecture: amd64
CasperMD5CheckR
Date: Mon Oct 31 18:11:47 2022
EtcMailname: mail.mlb.org
Hostname: mail.mlb.org
PostconfMydomain: mlb.org
PostconfMyhostname: mail.mlb.org
PostconfMyorigin: mail.mlb.org
ProcEnviron:
SHELL=/bin/bash
LANG=en_US.UTF-8
TERM=xterm-
XDG_RUNTIME_
PATH=(custom, no user)
RebootRequiredPkgs: Error: path contained symlinks.
SourcePackage: postfix
UpgradeStatus: No upgrade log present (probably fresh install)
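The log check from steps 3 and 6 of the test plan above, written as a reusable script. This is an added example, not part of the original bug report; the function names and the sample log lines are constructed for illustration and assume the usual syslog layout of /var/log/mail.log.

```shell
#!/bin/sh
# Added example (not from the bug report): summarise OpenSSL 3 "unexpected eof"
# warnings (error code 0A000126) per Postfix daemon in a mail log.
# Function names and sample log lines are constructed for illustration.

# Print "<daemon> <count>" for every Postfix daemon that logged the warning.
count_eof_warnings() {
    awk '/postfix\// && /warning/ && /0A000126/ {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^postfix\/.*\]:$/) {      # syslog tag such as postfix/smtpd[2101]:
                tag = $i
                sub(/\[[0-9]+\]:$/, "", tag)    # drop the PID so counts group by daemon
                hits[tag]++
                break
            }
        }
    }
    END { for (t in hits) print t, hits[t] }' "$1" | LC_ALL=C sort
}

# Print the total number of matching warning lines (0 when the log is clean).
total_eof_warnings() {
    count_eof_warnings "$1" | awk '{ n += $2 } END { print n + 0 }'
}

# Succeed only when no 0A000126 warning is present (the "Good Case").
log_is_clean() {
    [ "$(total_eof_warnings "$1")" -eq 0 ]
}

# Constructed sample log: three matching warnings and two unrelated lines.
sample_log() {
    cat <<'EOF'
Oct 31 18:10:01 mail postfix/smtpd[2101]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:../ssl/record/rec_layer_s3.c:308:
Oct 31 18:10:05 mail postfix/smtpd[2101]: lost connection after STARTTLS from localhost[127.0.0.1]
Oct 31 18:11:12 mail postfix/smtps/smtpd[2150]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:../ssl/record/rec_layer_s3.c:308:
Oct 31 18:11:40 mail postfix/smtpd[2170]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:../ssl/record/rec_layer_s3.c:308:
Oct 31 18:12:00 mail postfix/smtpd[2170]: warning: hostname host.example.invalid does not resolve to address 192.0.2.10
EOF
}

log=$(mktemp)
sample_log > "$log"
count_eof_warnings "$log"
if log_is_clean "$log"; then echo "good case: no warning"; else echo "bad case: warning present"; fi
rm -f "$log"
```

Grouping by daemon shows whether the warning comes from the port 25 listener only or from other Postfix TLS services as well, which a plain grep does not make obvious.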
Related branches
- git-ubuntu bot: Approve
- Bryce Harrington (community): Approve
- Canonical Server Reporter: Pending requested
- Diff: 165 lines (+137/-0), 4 files modified:
  debian/changelog (+13/-0)
  debian/patches/1995312-unexpected-eof-fix.patch (+89/-0)
  debian/patches/1996524-Linux6-support.patch (+33/-0)
  debian/patches/series (+2/-0)
- git-ubuntu bot: Approve
- Bryce Harrington (community): Approve
- Canonical Server Core Reviewers: Pending requested
- Canonical Server Reporter: Pending requested
- Diff: 165 lines (+137/-0), 4 files modified:
  debian/changelog (+13/-0)
  debian/patches/1995312-unexpected-eof-fix.patch (+89/-0)
  debian/patches/1996524-Linux6-support.patch (+33/-0)
  debian/patches/series (+2/-0)
Changed in postfix (Ubuntu Jammy): status: New → Triaged
Changed in postfix (Ubuntu Kinetic): status: New → Triaged
Changed in postfix (Ubuntu Lunar): status: Triaged → Fix Released
Changed in postfix (Ubuntu Jammy): assignee: nobody → Miriam España Acebal (mirespace)
Changed in postfix (Ubuntu Kinetic): assignee: nobody → Miriam España Acebal (mirespace)
Changed in postfix (Ubuntu Lunar): assignee: nobody → Miriam España Acebal (mirespace)
Changed in postfix (Debian): status: Unknown → New
Changed in postfix (Debian): status: New → Fix Released
Changed in postfix (Ubuntu Jammy): status: Triaged → In Progress
Changed in postfix (Ubuntu Kinetic): status: Triaged → In Progress
description: updated
After googling more about postfix and openssl 3, I see that
version 3.7 supports openssl 3.
URL: https://www.postfix.org/announcements/postfix-3.7.0.html
Support for library APIs: OpenSSL 3.0.0, PCRE2, Berkeley DB 18.
From Release notes:
URL: https://github.com/tmtm/postfix/blob/master/RELEASE_NOTES
[Feature 20210926] Postfix was updated to support OpenSSL 3.0.0 API
features, and to work around OpenSSL 3.0.0 bit-rot (avoid using
deprecated API features).
It looks like a version mismatch of the postfix and openssl versions.
From the above it looks like postfix version 3.7 is the first version to
support openssl 3.