On Tue, 3 Aug 2021 12:53:29 +0200
Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
>
> This will not help. ASSP uses standard libs for SSL/TLS
> (IO::Socket::SSL -> Net::SSLeay -> openssl-lib !

Would newer versions of those cause issues? Or maybe other perl-related
stuff.

I have updated perl but not much else, and perl atm is a total mess in
Gentoo. Sadly, the main perl guy passed away, and the others are trying to
step in, but it's not a good situation. However, it does not seem to
affect any other aspects of ASSP, so it would be pretty odd for it to affect
just a few, sometimes, with those few being big emailers.

I cannot track down this issue relating to any specific update or
period of time for updates.


> >It is not a good situation on a production server.
> 
> If openssl was upgraded, I recommend reading the release notes. If
> postfix was upgraded, .. the same. Such readings and upgrade planning
> are done by an IT department before system upgrades are done!
> If you have any doubt about upcoming problems, all upgrades need to
> be tested in a test environment BEFORE they go into
> production mode.

I have run ASSP for several decades, never seen any issues like this,
and it seems semi-sporadic, as emails do come through at times, but the
majority do not. I have done a lot of major upgrades on the systems
ASSP runs on, Gentoo being rolling-release.

> IMHO - most of these problems are related to the usage of self-signed
> certificates, outdated certificates, unchained certificates, missing
> intermediate certificates in chains, allowed weak cipher suites,
> allowed weak SSL protocols, too weak RSA keys

I do believe they are increasing things on the other end. At first I
thought maybe TLS 1.3, so I patched and updated qmail. But I have two
different setups going, qmail patched for TLS 1.3 and the older
TLS-patched qmail, and both exhibit the same, so I am not confident it is
the MTA at all; it seems like ASSP or some underlying perl/openssl issue
maybe.

> openssl as well as postfix (and many other products) are working hard
> to secure their applications. Some or all of the above faults may
> lead to more and more problems with every new software release.
> Most times there are temporary workarounds available (openssl.cnf ,
> master.cnf .....), if the default security is increased in new
> releases. Notice: peers using new software releases may reject
> connections to or from older releases, because of the availability of
> "unsecure" communication options! So, the workarounds may not solve
> all your problems.

It is possible, but seems odd that it would affect only some, and some
of the time. It seems like there is something happening or not
happening as part of the connection establishment.

> 
> SSLDEBUG and ConTimeoutDebug may help to get some more information
> from assp.

What options will increase output here?

I have increased SSLDebug, but it is not changing these messages. This shows
the issue; this is from Google/Gmail. It also seems to only affect
TLS-in/TLS-out, but that does work from other providers.

Aug  3 03:08:24 mail assp.pl[1373]: [Worker_3] [TLS-in] [TLS-out] 2607:f8b0:4864:20::73d TLS-Connection idle for 180 secs - timeout
Aug  3 03:08:24 mail assp.pl[1373]: [Worker_3] [TLS-in] [TLS-out] 2607:f8b0:4864:20::73d [SMTP Status] 451 Connection timeout, try later
Aug  3 03:08:24 mail assp.pl[1373]: [Worker_3] [TLS-in] [TLS-out] 2607:f8b0:4864:20::73d disconnected: session:7FDE3DC448A0 2607:f8b0:4864:20::73d - processing time

> btw.: I use certificates from letsencrypt and I never had any SSL/TLS
> problems. I update the perl modules at least once a week from CPAN.
> openssl is upgraded once a year (together with the new perl
> version). I always use the (my) latest assp development version
> on my production system.

I also use letsencrypt, I have for a few years; certs are auto-renewed
monthly. This issue started about 3-4 months back. First with Amazon
and Google, and then others: eBay, Microsoft/Outlook, and others.

I think ~25% or more of the email is not arriving in general, and from
those providers, more like 80% or more is not arriving.

I really hope this can be resolved some way. I would hate to not run
ASSP; I have not lived that way for a very, very long time. No clue what
an alternative to ASSP might be, or the potential issues, etc. ASSP
replaced a horrendous SpamAssassin + other stuff back in the day that
used a ridiculous amount of memory and CPU per email. ASSP has been a
godsend!

Thanks for keeping it going Thomas!!!

-- 
William L. Thomson Jr.
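To put numbers on the "25% / 80%" estimate above, a small log summary helps: it counts, per remote peer, how many ASSP sessions ended in the "TLS-Connection idle for N secs - timeout" path versus a plain disconnect, and which SMTP status was returned. This script is an example added to the thread, not part of ASSP; its regex for the log prefix is an assumption derived only from the lines quoted above, so real ASSP output may need the pattern adjusted. The Gmail lines are the ones from the message with the mail-client line wrapping removed; the other sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed ASSP worker log prefix (derived from the quoted lines, may differ on real systems):
# "<Mon> <day> <HH:MM:SS> <host> assp.pl[<pid>]: [Worker_N] [<flag>]... <peer> <message>"
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) assp\.pl\[(?P<pid>\d+)\]: \[(?P<worker>Worker_\d+)\] "
    r"(?P<flags>(?:\[[^\]]+\] )*)(?P<peer>[0-9a-fA-F:.]+) (?P<msg>.*)$"
)
TIMEOUT_RE = re.compile(r"TLS-Connection idle for (?P<secs>\d+) secs - timeout")
STATUS_RE = re.compile(r"\[SMTP Status\] (?P<code>\d{3}) ")

# Sample input: the three Gmail lines from the thread (unwrapped) plus constructed
# lines for two other peers and one unparseable line.
SAMPLE_LINES = [
    "Aug  3 03:08:24 mail assp.pl[1373]: [Worker_3] [TLS-in] [TLS-out] 2607:f8b0:4864:20::73d TLS-Connection idle for 180 secs - timeout",
    "Aug  3 03:08:24 mail assp.pl[1373]: [Worker_3] [TLS-in] [TLS-out] 2607:f8b0:4864:20::73d [SMTP Status] 451 Connection timeout, try later",
    "Aug  3 03:08:24 mail assp.pl[1373]: [Worker_3] [TLS-in] [TLS-out] 2607:f8b0:4864:20::73d disconnected: session:7FDE3DC448A0 2607:f8b0:4864:20::73d - processing time",
    # constructed: a TLS session from another peer that closed normally
    "Aug  3 03:10:02 mail assp.pl[1373]: [Worker_1] [TLS-in] [TLS-out] 192.0.2.10 disconnected: session:0000000000000 192.0.2.10 - processing time",
    # constructed: a plaintext session (no TLS flags) that closed normally
    "Aug  3 03:11:15 mail assp.pl[1373]: [Worker_2] 198.51.100.7 disconnected: session:0000000000001 198.51.100.7 - processing time",
    "this line is not an assp log record",  # constructed noise
]


def parse_line(line):
    """Split one log line into its fields; return None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    # Turn "[TLS-in] [TLS-out] " into ["TLS-in", "TLS-out"]
    rec["flags"] = re.findall(r"\[([^\]]+)\]", rec["flags"])
    return rec


def summarize(lines):
    """Aggregate per-peer counters; returns (peer_stats, unparsed_count)."""
    peers = defaultdict(lambda: {"timeouts": 0, "max_idle": 0, "status": {},
                                 "disconnects": 0, "tls": False})
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        p = peers[rec["peer"]]
        if "TLS-in" in rec["flags"] or "TLS-out" in rec["flags"]:
            p["tls"] = True
        t = TIMEOUT_RE.search(rec["msg"])
        if t:
            p["timeouts"] += 1
            p["max_idle"] = max(p["max_idle"], int(t.group("secs")))
        s = STATUS_RE.search(rec["msg"])
        if s:
            code = s.group("code")
            p["status"][code] = p["status"].get(code, 0) + 1
        if rec["msg"].startswith("disconnected:"):
            p["disconnects"] += 1
    return dict(peers), unparsed


def peers_timing_out(peer_stats):
    """Peers with at least one idle timeout, worst first: [(peer, timeouts, disconnects)]."""
    hits = [(peer, st["timeouts"], st["disconnects"])
            for peer, st in peer_stats.items() if st["timeouts"] > 0]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    stats, bad = summarize(SAMPLE_LINES)
    for peer, timeouts, disconnects in peers_timing_out(stats):
        print(f"{peer}: {timeouts} idle timeout(s) in {disconnects} session(s), "
              f"max idle {stats[peer]['max_idle']}s, status {stats[peer]['status']}")
    print(f"unparsed lines: {bad}")
```

Run it against the real log (`summarize(open('/var/log/assp.log'))` or whatever path the installation uses) and compare the timeout share for the big providers against the rest; a pattern where only TLS-flagged sessions from certain peers hit the idle timeout, while plaintext and other TLS peers disconnect cleanly, points at the TLS handshake or post-handshake exchange rather than at the MTA.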


_______________________________________________
Assp-user mailing list
Assp-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-user
