Hello,

Today I enabled smtp_tls_connection_reuse on some production servers.
After approx. an hour and ~70 reused SMTP connections, tlsproxy on two machines logged this:

...
Sep 6 09:03:52 idvmailout03 postfix/tlsproxy[18637]: DISCONNECT [213.23.92.204]:25
Sep 6 09:03:59 idvmailout03 postfix/tlsproxy[18637]: warning: TLS library problem: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry:ssl/record/rec_layer_s3.c:1131:
Sep 6 09:03:59 idvmailout03 postfix/tlsproxy[18637]: warning: TLS library problem: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init:ssl/ssl_lib.c:2077:
Sep 6 09:03:59 idvmailout03 postfix/tlsproxy[18637]: warning: TLS library problem: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init:ssl/ssl_lib.c:2077:
Sep 6 09:03:59 idvmailout03 postfix/tlsproxy[18637]: warning: TLS library problem: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init:ssl/ssl_lib.c:2077:
...

...
Sep 6 09:03:47 idvmailout04 postfix/tlsproxy[22852]: DISCONNECT [77.75.78.42]:25
Sep 6 09:03:49 idvmailout04 postfix/tlsproxy[22852]: warning: TLS library problem: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry:ssl/record/rec_layer_s3.c:1131:
Sep 6 09:03:49 idvmailout04 postfix/tlsproxy[22852]: warning: TLS library problem: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init:ssl/ssl_lib.c:2077:
Sep 6 09:03:49 idvmailout04 postfix/tlsproxy[22852]: warning: TLS library problem: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init:ssl/ssl_lib.c:2077:
Sep 6 09:03:49 idvmailout04 postfix/tlsproxy[22852]: warning: TLS library problem: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init:ssl/ssl_lib.c:2077:
...

This continued until the logfile occupied all disk space, at up to 15k lines per second.


After I enabled smtp_tls_connection_reuse, there was only one tlsproxy process:

Sep 6 08:26:21 idvmailout04 postfix/tlsproxy[21687]: CONNECT to [80.67.18.126]:25
Sep 6 08:28:19 idvmailout04 postfix/tlsproxy[21687]: DISCONNECT [193.158.9.202]:25

Sep 6 08:28:25 idvmailout04 postfix/tlsproxy[21832]: CONNECT to [176.9.125.207]:25
Sep 6 08:31:19 idvmailout04 postfix/tlsproxy[21832]: DISCONNECT [64.233.166.27]:25


but very soon postfix began to spawn two overlapping instances:


Sep 6 08:30:43 idvmailout04 postfix/tlsproxy[21961]: CONNECT to [104.47.4.36]:25
Sep 6 08:32:05 idvmailout04 postfix/tlsproxy[21961]: DISCONNECT [193.143.77.14]:25

Sep 6 08:31:25 idvmailout04 postfix/tlsproxy[22024]: CONNECT to [194.8.120.225]:25
Sep 6 08:32:48 idvmailout04 postfix/tlsproxy[22024]: DISCONNECT [185.15.192.56]:25

Sep 6 08:32:55 idvmailout04 postfix/tlsproxy[22075]: CONNECT to [95.130.253.60]:25
Sep 6 08:36:18 idvmailout04 postfix/tlsproxy[22075]: DISCONNECT [91.220.42.201]:25

These are the non-default options for tlsproxy:
tls_high_cipherlist = HIGH:+aRSA:+SHA384:+SHA256:+DH:+SHA:+kRSA:!eNULL:!aNULL:!PSK:!SRP:!AESCCM:!DSS:!ARIA
tls_medium_cipherlist = aNULL:-aNULL:CHACHA20:HIGH:MEDIUM:+RC4:@STRENGTH
tls_preempt_cipherlist = yes

Interesting:
# postconf tls_fast_shutdown_enable
postconf: warning: tls_fast_shutdown_enable: unknown parameter

http://www.postfix.org/postconf.5.html#tls_fast_shutdown_enable says nothing about a specific postfix version being required for this parameter, but http://www.postfix.org/tlsproxy.8.html does say that tls_fast_shutdown_enable is available in 3.4.6. Also, it's a very new feature: http://www.postfix.org/announcements/postfix-3.4.6.html

# postconf mail_version
mail_version = 3.4.6

A grep in the source also found "tls_fast_shutdown" without "_enable"

# postconf tls_fast_shutdown
tls_fast_shutdown = yes

Looks like the documentation is incorrect. But might that be related to the problem?
postconf -Mf and postconf -f attached.
Just disabled smtp_tls_connection_reuse again...

Andreas

relay      unix  -       -       y       -       -       smtp
    -o smtp_fallback_relay=
    -o syslog_name=postfix/${service_name}
flush      unix  n       -       y       1000?   0       flush
trace      unix  -       -       y       -       0       bounce
verify     unix  -       -       y       -       1       verify
proxymap   unix  -       -       -       -       -       proxymap
anvil      unix  -       -       y       -       1       anvil
scache     unix  -       -       y       -       1       scache
discard    unix  -       -       y       -       -       discard
tlsmgr     unix  -       -       y       1000?   1       tlsmgr
retry      unix  -       -       y       -       -       error
pickup     unix  n       -       y       60      1       pickup
cleanup    unix  n       -       y       -       0       cleanup
qmgr       unix  n       -       y       300     1       qmgr
rewrite    unix  -       -       y       -       -       trivial-rewrite
bounce     unix  -       -       y       -       0       bounce
defer      unix  -       -       y       -       0       bounce
showq      unix  n       -       y       -       -       showq
error      unix  -       -       y       -       -       error
smtp       unix  -       -       y       -       -       smtp
lmtp       unix  -       -       y       -       -       lmtp
proxywrite unix  -       -       -       -       1       proxymap
dnsblog    unix  -       -       y       -       0       dnsblog
tlsproxy   unix  -       -       y       -       0       tlsproxy
submissions unix -       -       y       -       -       smtp
    -o smtp_tls_security_level=encrypt
    -o smtp_tls_wrappermode=yes
    -o syslog_name=postfix/${service_name}
postlog    unix-dgram n  -       -       -       1       postlogd
smtp       inet  n       -       y       -       -       smtpd
    -o smtpd_tls_security_level=none

address_verify_map = btree:${data_directory}/verify_cache
address_verify_negative_refresh_time = 30m
address_verify_sender = address-verify
alias_maps =
allow_percent_hack = no
append_at_myorigin = no
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 2d
bounce_template_file = ${config_directory}/bounce.cf
compatibility_level = 2
defer_transports = hold
delay_warning_time = 2h
disable_vrfy_command = yes
enable_long_queue_ids = yes
error_notice_recipient = postmaster@${mydomain}
fast_flush_domains =
header_checks = pcre:${config_directory}/header_checks
inet_protocols = all
lmtp_quote_rfc821_envelope = no
lmtp_tls_fingerprint_digest = sha1
local_header_rewrite_clients =
local_recipient_maps = ${alias_maps}
master_service_disable =
message_size_limit = 209715200
mydestination =
mydomain = example.com
mynetworks = cdb:${config_directory}/relayclients
parent_domain_matches_subdomains =
postscreen_cache_map = btree:${data_directory}/postscreen_cache
queue_minfree = 419430400
recipient_delimiter = +
relay_domains = cdb:${config_directory}/relay_domains
relay_transport = relay:intern.example.com:25
show_user_unknown_table_name = no
slow_smtp_destination_concurrency_failed_cohort_limit = 100
slow_smtp_destination_concurrency_limit = 1
slow_smtp_destination_rate_delay = 1
smtp_discard_ehlo_keyword_address_maps =
    cdb:${config_directory}/smtp_discard_ehlo_keyword_address_maps
smtp_dns_support_level = dnssec
smtp_mx_session_limit = 5
smtp_quote_rfc821_envelope = no
smtp_reply_filter = pcre:/etc/postfix/smtp_reply_filter.pcre
smtp_sasl_tls_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/${myhostname}/trusted_cas.pem
smtp_tls_cert_file = /etc/ssl/${myhostname}/cert+intermediate.pem
smtp_tls_exclude_ciphers =
    EXPORT,LOW,MD5,aDSS,kECDHe,kECDHr,kDHd,kDHr,SEED,IDEA,RC2,RC4,3DES
smtp_tls_fingerprint_digest = sha1
smtp_tls_key_file = /etc/ssl/${myhostname}/key.pem
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers = kRSA,DSS
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_note_starttls_offer = yes
smtp_tls_policy_maps = cdb:${config_directory}/smtp_tls_policy_maps
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_tls_session_cache
smtpd_authorized_xclient_hosts = ${myhostname}
smtpd_client_port_logging = yes
smtpd_data_restrictions =
    reject_multi_recipient_bounce,reject_unauth_pipelining,permit
smtpd_discard_ehlo_keywords = etrn,silent-discard
smtpd_hard_error_limit = ${stress?{1}:{6}}
smtpd_helo_required = yes
smtpd_recipient_limit = 500
smtpd_recipient_restrictions = ${macro_notbremse},
    $(macro_default_restrictions), permit_mynetworks, reject_unauth_destination,
    permit
smtpd_reject_footer = \c, servertime=${localtime}, server=${server_name},
    client=${client_address}
smtpd_relay_restrictions =
smtpd_sasl_path = private/saslauth_via_dovecot
smtpd_sasl_security_options = noplaintext,noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_soft_error_limit = 3
smtpd_tls_CApath = /etc/ssl/${myhostname}/trusted_cas/
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/${myhostname}/cert+intermediate.pem
smtpd_tls_ciphers = high
smtpd_tls_dh1024_param_file = ${data_directory}/dh_4096.pem
smtpd_tls_dh512_param_file = ${data_directory}/dh_512.pem
smtpd_tls_exclude_ciphers = EXPORT,LOW,MD5,SEED,IDEA,RC2,RC4,3DES
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_key_file = /etc/ssl/${myhostname}/key.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = kRSA,DSS
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtputf8_enable = no
strict_rfc821_envelopes = yes
tls_high_cipherlist =
    HIGH:+aRSA:+SHA384:+SHA256:+DH:+SHA:+kRSA:!eNULL:!aNULL:!PSK:!SRP:!AESCCM:!DSS:!ARIA
tls_medium_cipherlist = aNULL:-aNULL:CHACHA20:HIGH:MEDIUM:+RC4:@STRENGTH
tls_preempt_cipherlist = yes
tls_ssl_options = no_compression,no_renegotiation
transport_maps = cdb:${config_directory}/transport_maps
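The tlsproxy log storm reported in the message above (thousands of "TLS library problem" warnings per second from one tlsproxy PID, filling the disk) is the kind of runaway an operator wants to catch before the partition is full. The following is an added example, not code from the original message or from Postfix: it parses tlsproxy syslog lines of the shape shown in the post, counts OpenSSL warnings per (host, PID, second), and flags any process whose rate exceeds a threshold, remembering the peer of its last DISCONNECT so the burst can be tied to a session. The sample log embedded in the block is constructed for the example (two lines of the post's pattern plus an artificial burst of 150 warnings in one second); the hostnames, PIDs and the 100/s threshold are assumptions, not values from a real system.

```python
import re
from collections import Counter, defaultdict

# Syslog line shape used by postfix/tlsproxy, e.g.
#   Sep  6 09:03:59 idvmailout03 postfix/tlsproxy[18637]: warning: TLS library problem: error:...
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) postfix/tlsproxy\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# OpenSSL error string: error:<code>:SSL routines:<function>:<reason>:<file>:<line>:
TLS_WARN_RE = re.compile(
    r"warning: TLS library problem: error:[0-9A-Fa-f]{8}:SSL routines:"
    r"(?P<func>[^:]+):(?P<reason>[^:]+):"
)


def parse_line(line):
    """Split one tlsproxy syslog line into ts/host/pid/msg; None if it is not a tlsproxy line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    w = TLS_WARN_RE.search(rec["msg"])
    rec["tls_error"] = (w.group("func"), w.group("reason")) if w else None
    return rec


def find_runaway_tlsproxy(lines, per_second_threshold=100):
    """Flag tlsproxy processes that log TLS library warnings at or above the
    threshold within any single second (syslog has one-second resolution).
    Returns {(host, pid): {"peak_per_second", "errors", "last_disconnect"}}."""
    per_second = Counter()            # ((host, pid), timestamp) -> warning count
    errors = defaultdict(Counter)     # (host, pid) -> (func, reason) -> count
    last_disconnect = {}              # (host, pid) -> peer of the last DISCONNECT
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["host"], rec["pid"])
        if rec["msg"].startswith("DISCONNECT "):
            last_disconnect[key] = rec["msg"].split(" ", 1)[1]
        if rec["tls_error"]:
            per_second[(key, rec["ts"])] += 1
            errors[key][rec["tls_error"]] += 1
    runaway = {}
    for (key, _ts), n in per_second.items():
        if n < per_second_threshold:
            continue
        entry = runaway.setdefault(key, {
            "peak_per_second": 0,
            "errors": dict(errors[key]),
            "last_disconnect": last_disconnect.get(key),
        })
        entry["peak_per_second"] = max(entry["peak_per_second"], n)
    return runaway


# Constructed sample log (assumed hosts/PIDs, not a capture from a real system):
# one process that logs a handful of warnings and one that emits 150
# "shutdown while in init" warnings within a single second.
_WRITE_RETRY = ("warning: TLS library problem: error:1409F07F:SSL routines:"
                "ssl3_write_pending:bad write retry:ssl/record/rec_layer_s3.c:1131:")
_SHUTDOWN_INIT = ("warning: TLS library problem: error:140E0197:SSL routines:"
                  "SSL_shutdown:shutdown while in init:ssl/ssl_lib.c:2077:")
SAMPLE_LOG = [
    "Sep  6 09:03:52 idvmailout03 postfix/tlsproxy[18637]: DISCONNECT [213.23.92.204]:25",
    "Sep  6 09:03:59 idvmailout03 postfix/tlsproxy[18637]: " + _WRITE_RETRY,
    "Sep  6 09:03:59 idvmailout03 postfix/tlsproxy[18637]: " + _SHUTDOWN_INIT,
    "Sep  6 09:03:47 idvmailout04 postfix/tlsproxy[22852]: DISCONNECT [77.75.78.42]:25",
    "Sep  6 09:03:49 idvmailout04 postfix/tlsproxy[22852]: " + _WRITE_RETRY,
    "Sep  6 09:03:49 idvmailout04 postfix/tlsproxy[22852]: " + _SHUTDOWN_INIT,
] + [
    "Sep  6 09:04:00 idvmailout03 postfix/tlsproxy[18637]: " + _SHUTDOWN_INIT
    for _ in range(150)
]


if __name__ == "__main__":
    for (host, pid), info in find_runaway_tlsproxy(SAMPLE_LOG).items():
        print(f"{host} tlsproxy[{pid}]: peak {info['peak_per_second']}/s, "
              f"last DISCONNECT {info['last_disconnect']}, errors {info['errors']}")
```

Run as a filter over the real mail log (`find_runaway_tlsproxy(open("/var/log/mail.log"))`) the same function reports which PID to kill and which peer it was last talking to; the per-second threshold is deliberately far below the 15k lines/s seen in the post so the alert fires long before the disk is full, while a normal session's handful of warnings stays under it.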
