SSLDEBUG at the highest level will show something like this in maillog.txt:

Aug-3-21 16:53:15 [Worker_1] Worker_1 wakes up
Aug-3-21 16:53:15 [Worker_1] Info: Worker_1 got connection from MainThread
Aug-3-21 16:53:15 [Worker_1] Connected: session:114507858 a.b.c.d:52084 > e.f.g.h:25 > 127.0.0.1:325
Aug-3-21 16:53:16 [Worker_1] a.b.c.d [SMTP Reply] 220 mail.thockar.com is ready - using ASSP 2.6.6(21202)
Aug-3-21 16:53:16 [Worker_1] a.b.c.d [SMTP Reply] 250 HELP
Aug-3-21 16:53:16 [Worker_1] a.b.c.d info: got STARTTLS request from a.b.c.d
Aug-3-21 16:53:16 [Worker_1] a.b.c.d [SMTP Reply] 220 Ready to start TLS - go on
Aug-3-21 16:53:16 [Worker_1] SSL-DEBUG: .../IO/Socket/SSL.pm:1620: start handshake
Aug-3-21 16:53:16 [Worker_1] SSL-DEBUG: .../IO/Socket/SSL.pm:1177: global error: Undefined SSL object
Aug-3-21 16:53:16 [Worker_1] SSL-DEBUG: .../IO/Socket/SSL.pm:1061: starting sslifying
Aug-3-21 16:53:16 [Worker_1] SSL-DEBUG: .../IO/Socket/SSL.pm:1109: Net::SSLeay::accept -> -1
Aug-3-21 16:53:16 [Worker_1] SSL-DEBUG: .../IO/Socket/SSL.pm:1109: Net::SSLeay::accept -> -1
Aug-3-21 16:53:16 [Worker_1] SSL-DEBUG: .../IO/Socket/SSL.pm:1109: Net::SSLeay::accept -> 1
Aug-3-21 16:53:16 [Worker_1] SSL-DEBUG: .../IO/Socket/SSL.pm:1157: handshake done, socket ready

and for web connections, for example:

Aug-3-21 16:59:23 [Main_Thread] Info: SSLCertVerify - SSLWEBCertVerifyCB: callback returned: 1
Aug-3-21 16:59:23 [Main_Thread] Info: SSLCertVerify - SSLWEBCertVerifyCB: callback returned: 1
Aug-3-21 16:59:23 [Main_Thread] Info: (1) person 'Thomas Eckardt' located in 'DE//', email address '', logged in as 'root'
Aug-3-21 16:59:23 [Main_Thread] Info: SSLCertVerify - SSLWEBCertVerifyCB: callback returned: 1
Aug-3-21 16:59:23 [Main_Thread] Adminuser root authenticated for admin connection for page / using a valid certificate owned by Thomas Eckardt ,
Aug-3-21 16:59:23 [Main_Thread] Admin connection from user root on host a.b.c.d:53757; page:/; session-ID:3c791f4f2ab58119fc9d109ed978f6e1;


ConTimeoutDebug

generates the con....txt files in the debug folder. These files show what
was going on in the connection until the timeout was reached.


Exclude these IP's from SSL-failed-Cache* (noBanFailedSSLIP) - may help
(there is no need to restart ASSP!)

The SSL-failed cache can be cleared or manipulated using the left menu in
the GUI -> below 'internal Caches' (scroll to the bottom).


gentoo:

One of the systems I maintain is running Gentoo (what a horror OS!).
ASSP autoupdates to the latest publicly available dev version. This system
has been running without a single manual intervention for months now. ASSP
does a service autorestart once a week.
However, system components, Perl and Perl modules are still untouched for
over 18 months.

For the record:

After resetting all STATS a week ago on my prod Windows system, I got no
timeouts, not even a single one from the big mailers.
SMTP SSL-Port-Connections Timeout:      0       0
SMTP STARTTLS-Connections Timeout:      0       0

perl modules in use:

IO::Poll        1.45
IO::Select      1.45
IO::Socket::INET6       not installed
IO::Socket::SSL 2.071

Net::SSLeay     1.90
OpenSSL 1.1.1i
OpenSSL-lib 1.1.1i 8 Dec 2020

system info:

Server OS:      Windows Server 2016
Perl Version:   5.032001
physical-memory:        20479 MB 
free physical-memory:   8781 MB 
total virtual-memory:   24319 MB 
free virtual-memory:    8528 MB 
assp-process-memory:    current: 3690 MB        min: 999 MB     max: 6967 MB
Number of CPU's:        6 
ASSP Version: (dev) 2.6.6 build 21202


Thomas



From:   "William L. Thomson Jr." <wlt...@o-sinc.com>
To:     "For Users of ASSP" <assp-user@lists.sourceforge.net>
Date:   03.08.2021 16:42
Subject:        Re: [Assp-user] STARTTLS - connection randomly timeout (outlook imap error)



On Tue, 3 Aug 2021 12:53:29 +0200
Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
>
> This will not help. ASSP uses standard libs for SSL/TLS
> (IO::Socket::SSL -> Net::SSLeay -> openssl-lib !

Would newer versions of that cause issues? Or maybe other Perl-related
stuff.

I have updated perl but not much else, and perl atm is a total mess in
Gentoo. Sadly, the main perl guy passed away, and the others are trying to
step in, but it's not a good situation. However, it does not seem to
affect any other aspects of ASSP, so it would be pretty odd to just affect
a few sometimes, with those few being big emailers.

I cannot track down this issue relating to any specific update or
period of time for updates.


> > It is not a good situation at a production server.
> 
> If openssl was upgraded, I recommend reading the release notes. If
> postfix was upgraded, .. the same. Such reading and upgrade planning
> are done by an IT department before system upgrades are done!
> If you have any doubt about upcoming problems, all upgrades need to
> be tested in a test environment BEFORE they go into
> production mode.

I have run ASSP for several decades, never seen any issues like this,
and it seems semi-sporadic, as emails do come through at times, but the
majority do not. I have done a lot of major upgrades on the systems
ASSP runs on, Gentoo being rolling.

> IMHO - most of these problems are related to the usage of self signed 
> certificates, outdated certificates, unchained certificates, missing 
> intermediate certificates in chains, allowed weak cipher suites,
> allowed weak SSL protocols, too weak RSA keys 

I do believe they are increasing things on the other end; at first I
thought maybe TLS 1.3, so I patched and updated qmail. But I have two
different setups going, patched qmail for TLS 1.3 and the older TLS
patched qmail, and both exhibit the same, so I am not confident it is
the MTA at all; it seems like ASSP or some underlying perl/openssl issue
maybe.

> openssl as well as postfix (and many other products) are working hard
> to secure their applications. Some or all of the above faults may
> lead to more and more problems with every new software release.
> Most times there are temporary workarounds available (openssl.cnf,
> master.cnf .....), if the default security is increased in new
> releases. Notice: peers using new software releases may reject
> connections to or from older releases, because of the availability of
> "unsecure" communication options! So, the workarounds may not solve
> all your problems.

It is possible, but seems odd that it would affect only some, and some
of the time. It seems like there is something happening or not
happening as part of the connection establishment.

> 
> SSLDEBUG and ConTimeoutDebug may help to get some more information
> from assp.

What options will increase output here?

I have increased SSLDebug but it is not changing these messages. This shows
the issue; this is from Google/Gmail. It also seems to only affect
TLS-in/TLS-out, but that does work from other providers.

Aug  3 03:08:24 mail assp.pl[1373]: [Worker_3] [TLS-in] [TLS-out] 2607:f8b0:4864:20::73d TLS-Connection idle for 180 secs - timeout
Aug  3 03:08:24 mail assp.pl[1373]: [Worker_3] [TLS-in] [TLS-out] 2607:f8b0:4864:20::73d [SMTP Status] 451 Connection timeout, try later
Aug  3 03:08:24 mail assp.pl[1373]: [Worker_3] [TLS-in] [TLS-out] 2607:f8b0:4864:20::73d disconnected: session:7FDE3DC448A0 2607:f8b0:4864:20::73d - processing time

> btw.: I use certificates from letsencrypt and I never had any SSL/TLS 
> problems. I update the perl modules at least once a week from CPAN. 
> openssl is upgraded once in a year (together with the new perl
> version). I use every time the (my) latest assp development version
> on my production system.

I also use letsencrypt, I have for a few years, and certs are auto-renewed
monthly. This issue started about 3-4 months back. First with Amazon
and Google, and then others: eBay, Microsoft/Outlook, and others.

I think ~25% or more of the email is not arriving in general, and from
those providers, more like 80% or more is not arriving.

I really hope this can be resolved someway. I would hate to not run
ASSP, I have not lived that way for a very very long time. No clue what
an alternative to ASSP might be, or the potential issues, etc. ASSP
replaced a horrendous Spamassassin+ other stuff back in the day that
used a ridiculous amount of memory and CPU per email. ASSP has been a
godsend!

Thanks for keeping it going Thomas!!!

-- 
William L. Thomson Jr.
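An added example, not code from ASSP or from either poster: a small Python script that tallies the STARTTLS attempts found in the two log layouts quoted above (the maillog.txt SSLDEBUG lines in Thomas's message and the syslog-forwarded timeout lines in William's), per peer, so a handshake that never completed before the idle timeout stands out from one that did. The sample log and its peer addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the two layouts seen in the thread (maillog.txt with
# SSLDEBUG, and a syslog-forwarded line); peer addresses are placeholders.
SAMPLE_LOG = """\
Aug-3-21 16:53:16 [Worker_1] 192.0.2.10 info: got STARTTLS request from 192.0.2.10
Aug-3-21 16:53:16 [Worker_1] SSL-DEBUG: .../IO/Socket/SSL.pm:1109: Net::SSLeay::accept -> -1
Aug-3-21 16:53:16 [Worker_1] SSL-DEBUG: .../IO/Socket/SSL.pm:1109: Net::SSLeay::accept -> -1
Aug-3-21 16:53:16 [Worker_1] SSL-DEBUG: .../IO/Socket/SSL.pm:1109: Net::SSLeay::accept -> 1
Aug-3-21 16:53:16 [Worker_1] SSL-DEBUG: .../IO/Socket/SSL.pm:1157: handshake done, socket ready
Aug  3 03:05:24 mail assp.pl[1373]: [Worker_3] 2001:db8::73d info: got STARTTLS request from 2001:db8::73d
Aug  3 03:05:24 mail assp.pl[1373]: [Worker_3] SSL-DEBUG: .../IO/Socket/SSL.pm:1109: Net::SSLeay::accept -> -1
Aug  3 03:08:24 mail assp.pl[1373]: [Worker_3] [TLS-in] [TLS-out] 2001:db8::73d TLS-Connection idle for 180 secs - timeout
"""

# Patterns for the ASSP / IO::Socket::SSL messages quoted in the thread.
WORKER_RE = re.compile(r"\[(Worker_\d+|Main_Thread)\]")
STARTTLS_RE = re.compile(r"got STARTTLS request from (\S+)")
ACCEPT_RE = re.compile(r"Net::SSLeay::accept -> (-?\d+)")
DONE_RE = re.compile(r"handshake done, socket ready")
TIMEOUT_RE = re.compile(r"(\S+) TLS-Connection idle for \d+ secs - timeout")


def starttls_outcomes(log_text):
    """Per peer: completed handshakes, idle timeouts and accept -> -1 retries.

    A peer with retries but no 'done' never finished the handshake before
    ASSP's idle timeout fired, which is the pattern to look for in the log."""
    stats = defaultdict(lambda: {"done": 0, "timeout": 0, "accept_retries": 0})
    pending = {}  # worker -> peer whose TLS handshake is in progress
    for line in log_text.splitlines():
        w = WORKER_RE.search(line)
        if not w:
            continue  # not an ASSP worker line
        worker = w.group(1)
        if (m := STARTTLS_RE.search(line)):
            pending[worker] = m.group(1)
        elif (m := ACCEPT_RE.search(line)) and worker in pending:
            if m.group(1) == "-1":  # non-blocking handshake: call again later
                stats[pending[worker]]["accept_retries"] += 1
        elif DONE_RE.search(line) and worker in pending:
            stats[pending.pop(worker)]["done"] += 1
        elif (m := TIMEOUT_RE.search(line)):
            pending.pop(worker, None)  # the attempt is over, however it began
            stats[m.group(1)]["timeout"] += 1
    return dict(stats)
```

Run it over a real maillog.txt by passing the file contents to starttls_outcomes(); peers that only ever show timeouts are the ones to compare against the SSL-failed cache.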


_______________________________________________
Assp-user mailing list
Assp-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-user







