Package: amavisd-new
Version: 1:2.11.0-6.1
Severity: important

Hi,

As part of a new server setup, I have installed amavisd-new. Since it is
running on a different host than the MX, I have set up TLS between every part
of the system, but amavis fails to connect back to the MX, with the following
error:

(!!)Upgrading socket to TLS failed (in ssl_upgrade): hostname verification failed\n

After some investigation, I found that amavis is not using the IO::Socket::SSL
library correctly. The default (and reasonable) SSL parameters for the client
TLS connection are:

  %smtp_tls_client_options = (
    SSL_verifycn_scheme => 'smtp',
  );

When the `$tls_security_level_out` variable is set to 'may' or 'encrypt', the
socket is upgraded to TLS using the `start_SSL` method and the options set by
the user but without any way for the library to determine the hostname of the
server, and therefore its identity can't be verified.

The documentation for the `SSL_verifycn_name` option of the `start_SSL` method
states (https://metacpan.org/pod/IO::Socket::SSL#SSL_verifycn_name):

  SSL_verifycn_name

    Set the name which is used in verification of hostname. If
    SSL_verifycn_scheme is set and no SSL_verifycn_name is given it will try to
    use SSL_hostname or PeerHost and PeerAddr settings and fail if no name can
    be determined. If SSL_verifycn_scheme is not set it will use a default
    scheme and warn if it cannot determine a hostname, but it will not fail.

    Using PeerHost or PeerAddr works only if you create the connection directly
    with IO::Socket::SSL->new, if an IO::Socket::INET object is upgraded with
    start_SSL the name has to be given in SSL_verifycn_name or SSL_hostname.

The solution for this is pretty simple: `SSL_verifycn_name` has to be set by
the calling function using the same hostname used to connect the TCP socket in
the first place. A workaround is to pass this option manually in the
configuration, but that fails to work if there is more than one SSL target (for
example, different hostnames for `notify_method` and `forward_method`).

-- System Information:
Debian Release: 10.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/1 CPU core)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_IE:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages amavisd-new depends on:
ii  adduser                                  3.118
ii  debconf [debconf-2.0]                    1.5.71
ii  file                                     1:5.35-4+deb10u1
ii  init-system-helpers                      1.56+nmu1
ii  libarchive-zip-perl                      1.64-1
ii  libberkeleydb-perl                       0.55-2
ii  libconvert-tnef-perl                     0.18-1
ii  libconvert-uulib-perl                    1:1.5~dfsg-1+b1
pn  libdigest-md5-perl                       <none>
ii  libio-stringy-perl                       2.111-3
ii  libmail-dkim-perl                        0.54-1
ii  libmailtools-perl                        2.18-1
pn  libmime-base64-perl                      <none>
ii  libmime-tools-perl                       5.509-1
ii  libnet-libidn-perl                       0.12.ds-3+b1
ii  libnet-server-perl                       2.009-1
ii  libunix-syslog-perl                      1.1-3+b1
ii  lsb-base                                 10.2019051400
ii  pax                                      1:20190224-1
ii  perl [libtime-hires-perl]                5.28.1-6+deb10u1
ii  perl-modules-5.24 [libarchive-tar-perl]  5.24.1-3+deb9u6

Versions of packages amavisd-new recommends:
pn  altermime             <none>
ii  libnet-patricia-perl  1.22-1+b5
ii  ripole                0.2.0+20081101.0215-3

Versions of packages amavisd-new suggests:
ii  apt-listchanges      3.19
ii  arj                  3.10.22-18
ii  cabextract           1.9-1
pn  clamav               <none>
ii  clamav-daemon        0.102.4+dfsg-0+deb10u1
ii  cpio                 2.12+dfsg-9
pn  dspam                <none>
ii  lhasa                0.3.1-3
pn  libauthen-sasl-perl  <none>
ii  libdbi-perl          1.642-1+deb10u1
ii  libmail-dkim-perl    0.54-1
pn  libnet-ldap-perl     <none>
pn  libsnmp-perl         <none>
pn  libzeromq-perl       <none>
ii  lzop                 1.03-4+b1
ii  nomarch              1.4-3+b2
ii  p7zip                16.02+dfsg-6
pn  rpm                  <none>
ii  spamassassin         3.4.2-1+deb10u2
ii  unrar                1:5.6.6-1

-- Configuration Files:
/etc/amavis/conf.d/05-node_id changed [not included]
/etc/amavis/conf.d/15-content_filter_mode changed [not included]
/etc/amavis/conf.d/50-user changed [not included]
/etc/init.d/amavis changed [not included]

-- no debconf information

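The following is an added example, not code from the bug report or from amavisd-new, showing the point the report makes about IO::Socket::SSL: when an existing IO::Socket::INET socket is upgraded with start_SSL, the library cannot recover the peer name on its own, so the caller has to pass SSL_verifycn_name (and SSL_hostname, for SNI) using the same hostname it connected to. It performs a minimal SMTP STARTTLS exchange and then upgrades the socket with verification bound to that name. The host and port are taken from the command line and the EHLO name client.example is a placeholder; the helper names smtp_reply, smtp_command and smtp_starttls_verified are this example's own. It assumes a reachable SMTP server whose certificate chains to the system CA store (override with SSL_ca_file) and whose name matches the host argument.

```perl
#!/usr/bin/perl
# Added example (not amavisd-new code): STARTTLS with IO::Socket::SSL->start_SSL
# and explicit hostname verification on an already-connected socket.
use strict;
use warnings;
use IO::Socket::INET;
use IO::Socket::SSL qw(SSL_VERIFY_PEER $SSL_ERROR);

# Read one (possibly multi-line) SMTP reply and return its 3-digit code.
sub smtp_reply {
    my ($sock) = @_;
    my $code;
    while (defined(my $line = <$sock>)) {
        $line =~ s/\r?\n\z//;
        ($code) = $line =~ /^(\d{3})/ or die "malformed SMTP reply: $line\n";
        last if $line =~ /^\d{3} /;   # "250 " ends the reply, "250-" continues it
    }
    defined $code or die "connection closed by peer\n";
    return $code;
}

# Send one command line and return the reply code.
sub smtp_command {
    my ($sock, $cmd) = @_;
    print $sock "$cmd\r\n" or die "write failed: $!\n";
    return smtp_reply($sock);
}

# Connect to $host:$port, negotiate STARTTLS, and upgrade the socket with
# certificate verification bound to $host. Returns the IO::Socket::SSL object.
# %extra is passed through to start_SSL (e.g. SSL_ca_file => '/path/ca.pem').
sub smtp_starttls_verified {
    my ($host, $port, %extra) = @_;
    my $sock = IO::Socket::INET->new(
        PeerHost => $host, PeerPort => $port, Proto => 'tcp', Timeout => 30,
    ) or die "connect to $host:$port failed: $@\n";

    smtp_reply($sock) == 220 or die "no 220 greeting from $host\n";
    smtp_command($sock, 'EHLO client.example') == 250
        or die "EHLO rejected by $host\n";
    smtp_command($sock, 'STARTTLS') == 220
        or die "STARTTLS rejected by $host\n";

    # This is the point of the report: the socket was created by
    # IO::Socket::INET, so start_SSL cannot derive a name from PeerHost.
    # Without SSL_verifycn_name the verification has nothing to match the
    # certificate against and start_SSL fails (scheme set) or only warns
    # (scheme unset). Bind it to the name used for the TCP connect.
    IO::Socket::SSL->start_SSL(
        $sock,
        SSL_verify_mode     => SSL_VERIFY_PEER,
        SSL_verifycn_scheme => 'smtp',
        SSL_verifycn_name   => $host,   # name the certificate must match
        SSL_hostname        => $host,   # SNI, so the server presents the right cert
        %extra,
    ) or die "TLS upgrade to $host failed: $SSL_ERROR\n";

    return $sock;   # now blessed into IO::Socket::SSL
}

# Usage: perl starttls_verify.pl mx.example.org [port]
if (!caller) {
    @ARGV or die "usage: $0 host [port]\n";
    my ($host, $port) = ($ARGV[0], $ARGV[1] // 25);
    my $ssl = smtp_starttls_verified($host, $port);
    printf "%s %s, peer CN=%s\n",
        $ssl->get_sslversion, $ssl->get_cipher,
        $ssl->peer_certificate('commonName') // '(none)';
    smtp_command($ssl, 'QUIT');
    $ssl->close(SSL_ctx_free => 1);
}
```

To reproduce the failure the report describes, remove the SSL_verifycn_name and SSL_hostname arguments: the TCP connection and the STARTTLS exchange succeed exactly as before, and only the start_SSL call fails, because the upgrade path has no hostname to verify against unless the caller supplies one.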