Thank you, Wietse! I'm glad that you could reproduce it with that mail address I provided and fix it immediately. Good to know that it made it into the next release just in time and possibly prevented widespread issues with the TLSRPT implementation.
Best,
Ömer

> On 16.02.2025 at 19:12, Wietse Venema via Postfix-users
> <postfix-users@postfix.org> wrote:
>
> Omer Guven narrowed down the problem to one specific email address
> in the SANS email security test message:
>
>>>> measurem...@mail-mtasts-rn-mult-ivv.measurement.email-security-scans.org
>
> I was able to reproduce a crash sending mail to that address, without
> needing any smtp_tls_policy_maps plugin stuff.
>
> Logging:
> Feb 16 12:50:13 wzv postfix/qmgr[137286]: 4Ywtbn0HJSzCfhg:
> from=<r...@porcupine.org>, size=261, nrcpt=1 (queue active)
> Feb 16 12:50:16 wzv postfix/smtp[137584]: server certificate verification
> failed for
> tls-invalid.measurement.email-security-scans.org[195.191.197.90]:25:
> certificate has expired
> Feb 16 12:50:16 wzv postfix/qmgr[137286]: warning: private/smtp socket:
> malformed response
> Feb 16 12:50:16 wzv postfix/master[98891]: warning: process
> /usr/libexec/postfix/smtp.valgrind pid 137581 exit status 139
>
> Valgrind:
> ==137584==    at 0x492B6C1: vbuf_print (vbuf_print.c:266)
> ==137584==    by 0x49315B1: vstring_vsprintf (vstring.c:637)
> ==137584==    by 0x4922F6E: msg_vprintf (msg_output.c:167)
> ==137584==    by 0x4922842: vmsg_info (msg.c:210)
> ==137584==    by 0x492281A: msg_info (msg.c:204)
> ==137584==    by 0x4889697: trw_report_failure (tlsrpt_wrapper.c:564)
> ==137584==    by 0x4879BDE: tls_log_verify_error (tls_verify.c:316)
> ==137584==    by 0x487D779: verify_x509 (tls_client.c:370)
>
> This appears to be the result of a typo in the TLSRPT client adapter:
>
> tls_verify.c:
>     314 #ifdef USE_TLSRPT
>     315     if (tlsrpt)
>     316         trw_report_failure(tlsrpt, TLSRPT_CERTIFICATE_EXPIRED,
>     317                            /* additional_info= */ (char *) 0,
>     318                            /* failure_code= */ (char *) 8);
>     319 #endif
>
> Where the '8' should be '0'. On my system the two look too similar.
>
> And now it passes:
>
> Feb 16 13:00:08 wzv postfix/qmgr[137286]: 4Ywtbn0HJSzCfhg:
> from=<r...@porcupine.org>, size=261, nrcpt=1 (queue active)
> Feb 16 13:00:11 wzv postfix/smtp[140478]: server certificate verification
> failed for
> tls-invalid.measurement.email-security-scans.org[195.191.197.90]:25:
> certificate has expired
> Feb 16 13:00:11 wzv postfix/smtp[140478]: TLSRPT: status=failure,
> domain=mail-mtasts-rn-mult-ivv.measurement.email-security-scans.org,
> receiving_mx=tls-invalid.measurement.email-security-scans.org[195.191.197.90],
> failure_type=certificate_expired
> Feb 16 13:00:11 wzv postfix/smtp[140478]: Untrusted TLS connection
> established to
> tls-invalid.measurement.email-security-scans.org[195.191.197.90]:25: TLSv1.3
> with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519
> server-signature RSA-PSS (4096 bits) server-digest SHA256
> Feb 16 13:00:11 wzv postfix/smtp[140478]: 4Ywtbn0HJSzCfhg: Server certificate
> not verified
> Feb 16 13:00:12 wzv postfix/smtp[140478]: certificate verification failed for
> tls-force.measurement.email-security-scans.org[195.191.197.89]:25: untrusted
> issuer /C=US/O=Internet Security Research Group/CN=ISRG Root X1
> Feb 16 13:00:12 wzv postfix/smtp[140478]: TLSRPT: status=failure,
> domain=mail-mtasts-rn-mult-ivv.measurement.email-security-scans.org,
> receiving_mx=tls-force.measurement.email-security-scans.org[195.191.197.89],
> failure_type=validation_failure,
> failure_reason=unable_to_get_local_issuer_certificate
> Feb 16 13:00:12 wzv postfix/smtp[140478]: Untrusted TLS connection
> established to
> tls-force.measurement.email-security-scans.org[195.191.197.89]:25: TLSv1.3
> with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519
> server-signature RSA-PSS (4096 bits) server-digest SHA256
> Feb 16 13:00:12 wzv postfix/smtp[140478]: 4Ywtbn0HJSzCfhg:
> to=<measurem...@mail-mtasts-rn-mult-ivv.measurement.email-security-scans.org>,
> relay=tls-force.measurement.email-security-scans.org[195.191.197.89]:25,
> delay=599, delays=596/1.5/2.1/0, dsn=4.7.5, status=deferred (Server
> certificate not verified)
>
> There are no other instances of this typo in Postfix source code.
>
> 	Wietse
>
> --- /var/tmp/postfix-3.10-20250215/src/tls/tls_verify.c	2024-09-22 09:34:08.000000000 -0400
> +++ ./src/tls/tls_verify.c	2025-02-16 12:57:23.637983443 -0500
> @@ -315,7 +315,7 @@
>      if (tlsrpt)
>          trw_report_failure(tlsrpt, TLSRPT_CERTIFICATE_EXPIRED,
>                             /* additional_info= */ (char *) 0,
> -                           /* failure_code= */ (char *) 8);
> +                           /* failure_code= */ (char *) 0);
>  #endif
>      break;
>      case X509_V_ERR_INVALID_PURPOSE:
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
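Review bot: the one-character fix is correct, but the hunk still spells the "no value" case as a bare cast literal in both the unchanged `/* additional_info= */ (char *) 0,` context line and the new `+ /* failure_code= */ (char *) 0);` line, and that pattern is what let the `8` slip through: an explicit integer-to-pointer cast compiles without a warning, and on a 64-bit build `(char *) 8` is a non-null pointer, so any `!= 0` test in trw_report_failure() passes and the bogus value is only caught when msg_info() dereferences it for `%s`, which is exactly where the valgrind trace stops (vbuf_print via trw_report_failure at tls_verify.c:316). Suggest replacing the literal at every trw_report_failure() call site with a named null-string constant from the TLSRPT wrapper header (hypothetical names: `TRW_NO_INFO`, `TRW_NO_CODE`), so the absent case is written as a word rather than a digit, and backing the "no other instances" statement with a grep for `(char \*) [1-9]` across src/ rather than a visual scan.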
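As an added example, not Postfix's code and not from Wietse's or Ömer's mail: a small C formatter for the TLSRPT failure log line shown in the fixed run above. The names (ex_format_failure, ex_failure_t, EX_NONE) are hypothetical stand-ins for Postfix's trw_report_failure()/msg_info() path, and the inputs are constructed. It shows the contract the typo broke: each optional argument is either a NUL-terminated string or the null pointer spelled by name, and the formatter appends failure_reason only when one is supplied, matching the certificate_expired line (no reason) and the validation_failure line (with reason) in the thread.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical stand-ins for Postfix's TLSRPT wrapper (not Postfix code).
 * Spelling the "absent" value by name instead of repeating (char *) 0 at
 * every call site is what keeps a one-character typo such as (char *) 8
 * from becoming a non-null bogus pointer that is only caught when a %s
 * conversion dereferences it.
 */
#define EX_NONE ((const char *) 0)

typedef enum {
    EX_CERTIFICATE_EXPIRED,
    EX_VALIDATION_FAILURE
} ex_failure_t;

/* failure_type names as they appear in the TLSRPT log lines above. */
static const char *ex_failure_name(ex_failure_t type)
{
    switch (type) {
    case EX_CERTIFICATE_EXPIRED:
        return "certificate_expired";
    case EX_VALIDATION_FAILURE:
        return "validation_failure";
    }
    return "unknown";
}

/* Append ", key=value" at offset used; -1 on truncation, else bytes added. */
static int ex_append(char *out, size_t outlen, size_t used,
                     const char *key, const char *value)
{
    int n;

    if (used >= outlen)
        return -1;
    n = snprintf(out + used, outlen - used, ", %s=%s", key, value);
    if (n < 0 || (size_t) n >= outlen - used)
        return -1;
    return n;
}

/*
 * Build "TLSRPT: status=failure, domain=..., receiving_mx=...,
 * failure_type=..." plus optional failure_reason / additional_info.
 * Optional arguments are EX_NONE or a NUL-terminated string; nothing else.
 * Returns the line length, or -1 if the buffer is too small.
 */
int ex_format_failure(char *out, size_t outlen,
                      const char *domain, const char *receiving_mx,
                      ex_failure_t type,
                      const char *additional_info, const char *failure_code)
{
    int n, used;

    n = snprintf(out, outlen,
                 "TLSRPT: status=failure, domain=%s, receiving_mx=%s",
                 domain, receiving_mx);
    if (n < 0 || (size_t) n >= outlen)
        return -1;
    used = n;

    if ((n = ex_append(out, outlen, used, "failure_type",
                       ex_failure_name(type))) < 0)
        return -1;
    used += n;

    if (failure_code != EX_NONE) {
        if ((n = ex_append(out, outlen, used, "failure_reason",
                           failure_code)) < 0)
            return -1;
        used += n;
    }
    if (additional_info != EX_NONE) {
        if ((n = ex_append(out, outlen, used, "additional_info",
                           additional_info)) < 0)
            return -1;
        used += n;
    }
    return used;
}

int main(void)
{
    char line[512];

    /* Constructed sample input, not from a real run. */
    if (ex_format_failure(line, sizeof line, "example.test",
                          "mx.example.test[192.0.2.1]",
                          EX_CERTIFICATE_EXPIRED, EX_NONE, EX_NONE) > 0)
        puts(line);
    if (ex_format_failure(line, sizeof line, "example.test",
                          "mx.example.test[192.0.2.1]",
                          EX_VALIDATION_FAILURE, EX_NONE,
                          "unable_to_get_local_issuer_certificate") > 0)
        puts(line);
    return 0;
}
```

No check inside the formatter can tell `(char *) 8` from a real string pointer: the value is non-null, so a null test passes and the fault happens inside the `%s` conversion, which is why the valgrind trace above ends in vbuf_print rather than in the caller. The guard therefore belongs at the call site, in the form of a named constant for the absent case and an explicit review of every integer-to-pointer cast in the tree.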