On Wed, Mar 10, 2010 at 08:23:00AM -0500, Wietse Venema wrote:
> > Mar 10 04:59:46 xxxxxxx postfix/smtpd[93352]: <
> > xxxxxx.my_domain.com[192.168.1.101]: QUIT
> > Mar 10 04:59:46 xxxxxxx postfix/smtpd[93352]: >
> > xxxxxx.my_domain.com[192.168.1.101]: 221 2.0.0 Bye
> > Mar 10 04:59:46 xxxxxxx postfix/smtpd[93352]: warning:
> > network_biopair_interop: error reading 5 bytes from the network: Connection
> > reset by peer
>
> The client sends QUIT and disconnects. It's not going to wait for
> the server's "220 Bye" response. If the server were to report an
> error, there is nothing the client could do anyway.
With TLS sessions, after "QUIT" processing, the server tries to perform
a clean SSL_shutdown() of the SSL/TLS session. If the client closes
the connection without performing the SSL_shutdown(), you'll see the
above warning. From the SSL_shutdown(3) manpage:
NOTES
SSL_shutdown() tries to send the "close notify" shutdown
alert to the peer. Whether the operation succeeds or not, the
SSL_SENT_SHUTDOWN flag is set and a currently open session is
considered closed and good and will be kept in the session cache
for further reuse.
The shutdown procedure consists of 2 steps: the sending of the
"close notify" shutdown alert and the reception of the peer's
"close notify" shutdown alert. According to the TLS standard, it
is acceptable for an application to only send its shutdown alert
and then close the underlying connection without waiting for the
peer's response (this way resources can be saved, as the process
can already terminate or serve another connection). When the
underlying connection shall be used for more communications,
the complete shutdown procedure (bidirectional "close notify"
alerts) must be performed, so that the peers stay synchronized.
Another option (given that Postfix does not have a "STOPTLS" feature that
would allow re-use of the physical connection for further I/O after SSL
shutdown) is for Postfix to not do a full (bi-directional) SSL_shutdown(),
and just send the "close notify" without waiting for a peer response.
--
Viktor.
P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment. If you are interested, please drop me a note.
