Your message dated Sun, 22 Sep 2019 16:39:34 -0400
with message-id <44835138.hTNgrI2xAn@l5580>
and subject line Re: postfix: haproxy proxy protocol and TLS don't work together
has caused the Debian Bug report #815079,
regarding postfix: haproxy proxy protocol and TLS don't work together
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
815079: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815079
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: postfix
Version: 2.11.3-1
Severity: normal
Tags: upstream patch
Control: fixed -1 3.0.3-1
Dear Maintainer,
There is a bug in the HAProxy PROXY protocol implementation in postfix
that breaks smtpd_tls_wrappermode when used with
smtpd_upstream_proxy_protocol.
The bug was fixed upstream in 2.11.7 and 3.0. The attached patch fixes
this for 2.11.3. Please consider fixing this in Jessie as well.
Regardsn
Apollon
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable'), (90, 'unstable'), (1,
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, mips
Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=el_GR.UTF-8, LC_CTYPE=el_GR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages postfix depends on:
ii adduser 3.113+nmu3
ii cpio 2.11+dfsg-4.1
ii debconf [debconf-2.0] 1.5.58
ii dpkg 1.18.4
ii libc6 2.21-8
ii libdb5.3 5.3.28-11
ii libsasl2-2 2.1.26.dfsg1-14+b1
ii libsqlite3-0 3.10.2-1
ii libssl1.0.2 1.0.2f-2
ii lsb-base 9.20160110
ii netbase 5.3
ii ssl-cert 1.0.37
Versions of packages postfix recommends:
ii python 2.7.11-1
Versions of packages postfix suggests:
ii bsd-mailx [mail-reader] 8.1.2-0.20160123cvs-2
ii dovecot-core [dovecot-common] 1:2.2.18-2+b1
ii icedove [mail-reader] 38.5.0-1+b1
ii libsasl2-modules 2.1.26.dfsg1-14+b1
ii mailutils [mail-reader] 1:2.99.99-1
ii mutt [mail-reader] 1.5.24-1+b1
pn postfix-cdb <none>
pn postfix-doc <none>
pn postfix-ldap <none>
pn postfix-mysql <none>
pn postfix-pcre <none>
pn postfix-pgsql <none>
ii procmail 3.22-25
ii resolvconf 1.78
pn sasl2-bin <none>
pn ufw <none>
-- debconf-show failed
>From e3fd69788f7009aaace8f0733d6a568a297645da Mon Sep 17 00:00:00 2001
From: Apollon Oikonomopoulos <[email protected]>
Date: Thu, 18 Feb 2016 15:09:01 +0200
Subject: [PATCH] Fix TLS handshake after HAProxy PROXY header
This is fixed in postfix 2.11.7:
20150923
Bugfix (introduced: 20120531-617): the Postfix SMTP server
used a larger-than-1 VSTREAM buffer to read the HAProxy
connection hand-off information. This broke TLS wrappermode,
as the TLS helo packet would end up in the plaintext VSTREAM
buffer. Reported by Lukas Erlacher. File: smtpd/smtpd_haproxy.c.
See also:
http://postfix.1071664.n5.nabble.com/smtpd-upstream-proxy-protocol-smtpd-tls-wrappermode-td79550.html
---
src/smtpd/smtpd_haproxy.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/src/smtpd/smtpd_haproxy.c b/src/smtpd/smtpd_haproxy.c
index 599e3ed..c6a954e 100644
--- a/src/smtpd/smtpd_haproxy.c
+++ b/src/smtpd/smtpd_haproxy.c
@@ -103,6 +103,14 @@ int smtpd_peer_from_haproxy(SMTPD_STATE *state)
*/
#define ENABLE_DEADLINE 1
+ /*
+ * While reading HAProxy handshake information, don't buffer input beyond
+ * the end-of-line. That would break the TLS wrappermode handshake.
+ */
+ vstream_control(state->client,
+ VSTREAM_CTL_BUFSIZE, 1,
+ VSTREAM_CTL_END);
+
smtp_stream_setup(state->client, var_smtpd_uproxy_tmout, ENABLE_DEADLINE);
switch (io_err = vstream_setjmp(state->client)) {
default:
@@ -139,6 +147,13 @@ int smtpd_peer_from_haproxy(SMTPD_STATE *state)
state->port = mystrdup(smtp_client_port.buf);
/*
+ * Enable normal buffering.
+ */
+ vstream_control(state->client,
+ VSTREAM_CTL_BUFSIZE, VSTREAM_BUFSIZE,
+ VSTREAM_CTL_END);
+
+ /*
* Avoid surprises in the Dovecot authentication server.
*/
state->dest_addr = mystrdup(smtp_server_addr.buf);
--
2.7.0
--- End Message ---
--- Begin Message ---
Marking done since this is fixed in all regular support Debian releases.
Scott K
--- End Message ---