Hi all,
I was looking for the fix on postfix 3.7 version to make a patch from it, and I don't find the use of SSL_OP_IGNORE_UNEXPECTED_EOF that seems to fix issues where this behaviour arose (like the one for nginx commented above).
Also, I checked the 20210926 [1] and 20220724 [2] which are related to SSL3 on the postfix-3.7.3.HISTORY file just in case, with no luck.
Then... Are we right in saying that the postfix on Lunar fixed this issue? The answer is no.
I used the steps to reproduce from comment #10: I got the following:
#Checking environment
root@LpostfixSSL-EOF:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu Lunar Lobster (development branch)
Release: 23.04
Codename: lunar
root@LpostfixSSL-EOF:~# dpkg -l | grep postfix
ii postfix 3.7.3-2 amd64 High-performance mail transport agent
root@LpostfixSSL-EOF:~# dpkg -l openssl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-==============-============-====================================================
ii openssl 3.0.5-2ubuntu1 amd64 Secure Sockets Layer toolkit - cryptographic utility
root@LpostfixSSL-EOF:~#
#Reproducing the issue:
root@LpostfixSSL-EOF:~# openssl s_client --connect localhost:25 -starttls smtp
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = LpostfixSSL-EOF.lxd
verify return:1
Certificate chain
0 s:CN = LpostfixSSL-EOF.lxd
i:CN = LpostfixSSL-EOF.lxd
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Nov 24 14:54:58 2022 GMT; NotAfter: Nov 21 14:54:58 2032 GMT
Server certificate
subject=CN = LpostfixSSL-EOF.lxd
issuer=CN = LpostfixSSL-EOF.lxd
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
SSL handshake has read 1598 bytes and written 406 bytes
Verification: OK
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
250 CHUNKING
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: C09B711C014BDD5090B2154E9804EBD878DCC56983A07149CBF7D4647F6C5333
Session-ID-ctx:
Resumption PSK: F7A793F1C85EF15F841B5A2C3BA9BE8FE3F90FBC8039709A5FE8DE1BA7E7E7FFDC065C70DF689322963BA3457D1B7134
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Start Time: 1669301717
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
^C
#Checking if the error persists: YES
root@LpostfixSSL-EOF:~# grep warning /var/log/mail.log
2022-11-24T14:55:22.538539+00:00 LpostfixSSL-EOF postfix/smtpd[1968]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:../ssl/record/rec_layer_s3.c:308:
[1] https://github.com/vdukhovni/postfix/commit/16b5042185a628ea3becf00d52118987de0de77b#diff-9e014842e28d87358be8ddb3a2b7531b6f96af5e81c59fbf9af986e773ac329c
[2] https://github.com/vdukhovni/postfix/commit/17f9ea2314a4503c07f1035cfd26771f3fcd0a58
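
For triaging the warning shown in the mail.log output above, the following added example (not part of the original comment and not Postfix or OpenSSL code) parses "TLS library problem" lines and decodes the packed OpenSSL 3.x error value, so the unexpected-EOF case can be separated from other TLS failures. The library and reason numbers are taken from the OpenSSL 3 headers; the second and third sample lines are constructed.

```python
import re
from collections import Counter

# OpenSSL 3.x packs the library number into bits 23..30 and the reason
# code into the low 23 bits of the 8-hex-digit value printed in the log.
ERR_LIB_SSL = 20            # ERR_LIB_SSL in <openssl/err.h>
SSL_R_UNEXPECTED_EOF = 294  # SSL_R_UNEXPECTED_EOF_WHILE_READING in <openssl/sslerr.h>

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) postfix/(?P<svc>[\w-]+)\[(?P<pid>\d+)\]: "
    r"warning: TLS library problem: error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*):"
    r"(?P<file>[^:]*):(?P<line>\d+):"
)

SAMPLE = [
    # Line from the reproduction above.
    "2022-11-24T14:55:22.538539+00:00 LpostfixSSL-EOF postfix/smtpd[1968]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:../ssl/record/rec_layer_s3.c:308:",
    # Constructed: a different TLS failure (source file and line number are made up).
    "2022-11-24T14:56:01.000000+00:00 LpostfixSSL-EOF postfix/smtpd[1970]: warning: TLS library problem: error:0A000102:SSL routines::unsupported protocol:../ssl/statem/statem_srvr.c:1:",
    # Constructed: an unrelated warning that must be ignored.
    "2022-11-24T14:56:02.000000+00:00 LpostfixSSL-EOF postfix/smtpd[1970]: warning: hostname example.invalid does not resolve",
]

def decode(code_hex):
    """Split the packed error value into (library number, reason number)."""
    code = int(code_hex, 16)
    return (code >> 23) & 0xFF, code & 0x7FFFFF

def parse(line):
    """Return a dict for a 'TLS library problem' line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["lib_num"], rec["reason_num"] = decode(rec["code"])
    rec["unexpected_eof"] = (rec["lib_num"], rec["reason_num"]) == (ERR_LIB_SSL, SSL_R_UNEXPECTED_EOF)
    return rec

def summarize(lines):
    """Count unexpected-EOF warnings per Postfix service; collect other TLS errors."""
    eof, other = Counter(), []
    for rec in filter(None, map(parse, lines)):
        if rec["unexpected_eof"]:
            eof[rec["svc"]] += 1
        else:
            other.append(rec)
    return eof, other
```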