Package: amavisd-new
Version: 1:2.11.0-6.1
Severity: important

Hi,
As part of a new server setup, I have installed amavisd-new. Since it is running on a different host from the MX, I have set up TLS between every part of the system, but amavis fails to connect back to the MX, with the following error:

  (!!)Upgrading socket to TLS failed (in ssl_upgrade): hostname verification failed

After some investigation, I found that amavis is not using the IO::Socket::SSL library correctly. The default (and reasonable) SSL parameters for the client TLS connection are:

  %smtp_tls_client_options = (
    SSL_verifycn_scheme => 'smtp',
  );

When the `$tls_security_level_out` variable is set to 'may' or 'encrypt', the socket is upgraded to TLS using the `start_SSL` method and the options set by the user, but without any way for the library to determine the hostname of the server, and therefore its identity can't be verified.

The documentation for the `SSL_verifycn_name` option of the `start_SSL` method states (https://metacpan.org/pod/IO::Socket::SSL#SSL_verifycn_name):

  SSL_verifycn_name

  Set the name which is used in verification of hostname. If SSL_verifycn_scheme is set and no SSL_verifycn_name is given it will try to use SSL_hostname or PeerHost and PeerAddr settings and fail if no name can be determined. If SSL_verifycn_scheme is not set it will use a default scheme and warn if it cannot determine a hostname, but it will not fail.

  Using PeerHost or PeerAddr works only if you create the connection directly with IO::Socket::SSL->new, if an IO::Socket::INET object is upgraded with start_SSL the name has to be given in SSL_verifycn_name or SSL_hostname.

The solution for this is pretty simple: `SSL_verifycn_name` has to be set by the calling function using the same hostname used to connect the TCP socket in the first place.

A workaround is to pass this option manually in the configuration, but that fails to work if there is more than one SSL target (for example, different hostnames for `notify_method` and `forward_method`).
-- System Information:
Debian Release: 10.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/1 CPU core)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE=en_IE:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages amavisd-new depends on:
ii  adduser                              3.118
ii  debconf [debconf-2.0]                1.5.71
ii  file                                 1:5.35-4+deb10u1
ii  init-system-helpers                  1.56+nmu1
ii  libarchive-zip-perl                  1.64-1
ii  libberkeleydb-perl                   0.55-2
ii  libconvert-tnef-perl                 0.18-1
ii  libconvert-uulib-perl                1:1.5~dfsg-1+b1
pn  libdigest-md5-perl                   <none>
ii  libio-stringy-perl                   2.111-3
ii  libmail-dkim-perl                    0.54-1
ii  libmailtools-perl                    2.18-1
pn  libmime-base64-perl                  <none>
ii  libmime-tools-perl                   5.509-1
ii  libnet-libidn-perl                   0.12.ds-3+b1
ii  libnet-server-perl                   2.009-1
ii  libunix-syslog-perl                  1.1-3+b1
ii  lsb-base                             10.2019051400
ii  pax                                  1:20190224-1
ii  perl [libtime-hires-perl]            5.28.1-6+deb10u1
ii  perl-modules-5.24 [libarchive-tar-perl]  5.24.1-3+deb9u6

Versions of packages amavisd-new recommends:
pn  altermime                            <none>
ii  libnet-patricia-perl                 1.22-1+b5
ii  ripole                               0.2.0+20081101.0215-3

Versions of packages amavisd-new suggests:
ii  apt-listchanges                      3.19
ii  arj                                  3.10.22-18
ii  cabextract                           1.9-1
pn  clamav                               <none>
ii  clamav-daemon                        0.102.4+dfsg-0+deb10u1
ii  cpio                                 2.12+dfsg-9
pn  dspam                                <none>
ii  lhasa                                0.3.1-3
pn  libauthen-sasl-perl                  <none>
ii  libdbi-perl                          1.642-1+deb10u1
ii  libmail-dkim-perl                    0.54-1
pn  libnet-ldap-perl                     <none>
pn  libsnmp-perl                         <none>
pn  libzeromq-perl                       <none>
ii  lzop                                 1.03-4+b1
ii  nomarch                              1.4-3+b2
ii  p7zip                                16.02+dfsg-6
pn  rpm                                  <none>
ii  spamassassin                         3.4.2-1+deb10u2
ii  unrar                                1:5.6.6-1

-- Configuration Files:
/etc/amavis/conf.d/05-node_id changed [not included]
/etc/amavis/conf.d/15-content_filter_mode changed [not included]
/etc/amavis/conf.d/50-user changed [not included]
/etc/init.d/amavis changed [not included]

-- no debconf information
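The TLS upgrade the report describes, as an added stand-alone example (it is neither the reporter's code nor amavisd-new's): a plain IO::Socket::INET socket is opened by host name, EHLO/STARTTLS is run, and the socket is upgraded with IO::Socket::SSL->start_SSL. Because start_SSL cannot recover PeerHost from the already-connected socket, the host name used for the TCP connect is passed again as SSL_verifycn_name (and as SSL_hostname for SNI); with only SSL_verifycn_scheme => 'smtp', as in the report's default, the upgrade has no name to check and fails. The target host, port and EHLO name are placeholders.

```perl
#!/usr/bin/perl
# Added example, not amavisd-new code: upgrade an already-connected
# IO::Socket::INET SMTP socket to TLS with start_SSL, passing the host name
# that was used for the TCP connect so that hostname verification can work.
use strict;
use warnings;
use IO::Socket::INET;
use IO::Socket::SSL qw(SSL_VERIFY_PEER $SSL_ERROR);

# Read one SMTP reply (single- or multi-line) and return its 3-digit code.
sub smtp_reply {
    my ($sock) = @_;
    my $code = 0;
    while (defined(my $line = <$sock>)) {
        ($code) = $line =~ /^(\d{3})/;
        last unless $line =~ /^\d{3}-/;    # "250-..." continues, "250 ..." ends
    }
    return $code;
}

# The report's default option plus the name it is missing. $host must be the
# same string that was used to open the TCP connection.
sub tls_client_options {
    my ($host) = @_;
    return (
        SSL_verifycn_scheme => 'smtp',           # match the cert's SAN/CN as an SMTP host
        SSL_verify_mode     => SSL_VERIFY_PEER,  # require a chain to a trusted CA
        SSL_verifycn_name   => $host,            # the name start_SSL cannot discover itself
        SSL_hostname        => $host,            # also sends SNI
    );
}

# Connect, negotiate STARTTLS, then upgrade. Returns the SSL socket or dies
# with the IO::Socket::SSL error string.
sub connect_starttls {
    my ($host, $port) = @_;
    my $sock = IO::Socket::INET->new(
        PeerHost => $host, PeerPort => $port, Proto => 'tcp', Timeout => 10,
    ) or die "connect to $host:$port failed: $@";

    smtp_reply($sock) == 220 or die "no SMTP banner from $host";
    print $sock "EHLO client.example.net\r\n";     # placeholder EHLO name
    smtp_reply($sock) == 250 or die "EHLO rejected by $host";
    print $sock "STARTTLS\r\n";
    smtp_reply($sock) == 220 or die "STARTTLS not accepted by $host";

    # With only SSL_verifycn_scheme => 'smtp' this call has no name to compare
    # against the certificate and fails; tls_client_options supplies it.
    IO::Socket::SSL->start_SSL($sock, tls_client_options($host))
        or die "TLS upgrade to $host failed: $SSL_ERROR";
    return $sock;
}

# Placeholder target; replace with the MX actually being tested.
my $host = $ARGV[0] // 'mx.example.org';
my $port = $ARGV[1] // 25;
my $tls  = connect_starttls($host, $port);
printf "TLS to %s: %s, peer certificate CN %s\n",
    $host, $tls->get_cipher, $tls->peer_certificate('commonName') // '(none)';
print $tls "QUIT\r\n";
close $tls;
```

Run it as `perl starttls-check.pl mx.example.org 25` against a STARTTLS-capable MX. Dropping the SSL_verifycn_name and SSL_hostname lines from tls_client_options reproduces the failure described in the report, which is also why a single hard-coded SSL_verifycn_name in %smtp_tls_client_options only works while every TLS target shares one host name.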