Comment 13 for bug 1995312

Miriam España Acebal (mirespace) wrote:

Hi all,

I was looking for the fix in Postfix 3.7 to make a patch from it, and I can't find any use of SSL_OP_IGNORE_UNEXPECTED_EOF, which seems to fix issues where this behaviour arose (like the one for nginx mentioned above).

Also, I checked the 20210926 [1] and 20220724 [2] entries, which are related to SSL3, in the postfix-3.7.3.HISTORY file just in case, with no luck.

Then... Are we right in saying that the postfix on Lunar fixed this issue? The answer is no.

I used the steps to reproduce from comment #10 and got the following:

#Checking environment

root@LpostfixSSL-EOF:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu Lunar Lobster (development branch)
Release: 23.04
Codename: lunar

root@LpostfixSSL-EOF:~# dpkg -l | grep postfix
ii postfix 3.7.3-2 amd64 High-performance mail transport agent

root@LpostfixSSL-EOF:~# dpkg -l openssl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-==============-============-====================================================
ii openssl 3.0.5-2ubuntu1 amd64 Secure Sockets Layer toolkit - cryptographic utility
root@LpostfixSSL-EOF:~#

#Reproducing the issue:

root@LpostfixSSL-EOF:~# openssl s_client --connect localhost:25 -starttls smtp
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = LpostfixSSL-EOF.lxd
verify return:1

Certificate chain
0 s:CN = LpostfixSSL-EOF.lxd
i:CN = LpostfixSSL-EOF.lxd
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Nov 24 14:54:58 2022 GMT; NotAfter: Nov 21 14:54:58 2032 GMT

Server certificate
subject=CN = LpostfixSSL-EOF.lxd
issuer=CN = LpostfixSSL-EOF.lxd

No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits

SSL handshake has read 1598 bytes and written 406 bytes
Verification: OK

New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

250 CHUNKING

Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: C09B711C014BDD5090B2154E9804EBD878DCC56983A07149CBF7D4647F6C5333
Session-ID-ctx:
Resumption PSK: F7A793F1C85EF15F841B5A2C3BA9BE8FE3F90FBC8039709A5FE8DE1BA7E7E7FFDC065C70DF689322963BA3457D1B7134
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:

Start Time: 1669301717
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0

---

read R BLOCK
^C

#Checking if the error persists: YES

root@LpostfixSSL-EOF:~# grep warning /var/log/mail.log
2022-11-24T14:55:22.538539+00:00 LpostfixSSL-EOF postfix/smtpd[1968]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:../ssl/record/rec_layer_s3.c:308:

[1] https://github.com/vdukhovni/postfix/commit/16b5042185a628ea3becf00d52118987de0de77b#diff-9e014842e28d87358be8ddb3a2b7531b6f96af5e81c59fbf9af986e773ac329c

[2] https://github.com/vdukhovni/postfix/commit/17f9ea2314a4503c07f1035cfd26771f3fcd0a58
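
The mail.log check above, as an added example that is not part of the original comment or of Postfix: it decodes the OpenSSL 3 packed error code in each "TLS library problem" warning and separates the unexpected-EOF case from other TLS errors. The function names are hypothetical, and every sample line except the first is constructed.

```python
import re
from collections import Counter

# Constants from the OpenSSL 3 headers (<openssl/err.h>, <openssl/sslerr.h>).
ERR_LIB_SSL = 20
SSL_R_UNEXPECTED_EOF_WHILE_READING = 294

# Shape of the Postfix warning shown in the mail.log excerpt above.
WARNING_RE = re.compile(
    r"^\S+ \S+ postfix/(?P<daemon>[\w-]+)\[(?P<pid>\d+)\]: "
    r"warning: TLS library problem: error:(?P<code>[0-9A-Fa-f]{8}):(?P<detail>.*)$"
)

def decode_openssl3_error(code_hex):
    """Unpack an OpenSSL 3 error code into (library, reason)."""
    code = int(code_hex, 16)
    if code & 0x80000000:              # ERR_SYSTEM_FLAG: low bits are an errno
        return None, code & 0x7FFFFFFF
    return (code >> 23) & 0xFF, code & 0x7FFFFF

def triage(lines):
    """Count unexpected-EOF warnings per daemon; collect all other TLS errors."""
    eof_by_daemon, other = Counter(), []
    for line in lines:
        m = WARNING_RE.match(line)
        if not m:
            continue                   # not a TLS library warning
        lib, reason = decode_openssl3_error(m["code"])
        if lib == ERR_LIB_SSL and reason == SSL_R_UNEXPECTED_EOF_WHILE_READING:
            eof_by_daemon[m["daemon"]] += 1   # peer closed without close_notify
        else:
            other.append((m["pid"], m["code"].upper(), m["detail"]))
    return eof_by_daemon, other

SAMPLE = [
    # First line is the warning quoted in the comment; the other two are constructed.
    "2022-11-24T14:55:22.538539+00:00 LpostfixSSL-EOF postfix/smtpd[1968]: warning: TLS library problem: "
    "error:0A000126:SSL routines::unexpected eof while reading:../ssl/record/rec_layer_s3.c:308:",
    "2022-11-24T14:56:03.101200+00:00 LpostfixSSL-EOF postfix/smtpd[1971]: warning: TLS library problem: "
    "error:0A000412:SSL routines::sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1584:SSL alert number 42:",
    "2022-11-24T14:56:04.000000+00:00 LpostfixSSL-EOF postfix/smtpd[1971]: connect from localhost[127.0.0.1]",
]

if __name__ == "__main__":
    eof, other = triage(SAMPLE)
    print("unexpected EOF per daemon:", dict(eof))
    print("other TLS library errors:", other)
```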