On Sat, Apr 23, 2022 at 09:02:09PM -0400, Wietse Venema wrote:

> The PREGREET logging for those eight crashing sessions shows that
> this client 1.2.3.4 was changing its TLS record version from 0x0303
> (\003\003) to 0x0302 (\003\002) to 0x0301 (\003\001).
> 
> Mar 28 01:33:22 <mail.info> mail.lan postfix/postscreen[7179]: PREGREET 426 after 0 from [1.2.3.4]:33288: \026\003\003\001\245\001\000...
> Mar 28 01:33:23 <mail.info> mail.lan postfix/postscreen[7186]: PREGREET 426 after 0 from [1.2.3.4]:33850: \026\003\003\001\245\001\000...
> Mar 28 01:33:23 <mail.info> mail.lan postfix/postscreen[7187]: PREGREET 347 after 0 from [1.2.3.4]:34124: \026\003\003\001V\001\000...
> Mar 28 01:33:23 <mail.info> mail.lan postfix/postscreen[7188]: PREGREET 333 after 0 from [1.2.3.4]:34386: \026\003\003\001H\001\000...
> Mar 28 01:33:23 <mail.info> mail.lan postfix/postscreen[7189]: PREGREET 414 after 0.05 from [1.2.3.4]:34506: \026\003\003\001\231\001\000...
> Mar 28 01:33:24 <mail.info> mail.lan postfix/postscreen[7190]: PREGREET 415 after 0 from [1.2.3.4]:34644: \026\003\002\001\232\001\000...
> Mar 28 01:33:24 <mail.info> mail.lan postfix/postscreen[7191]: PREGREET 428 after 0.02 from [1.2.3.4]:34772: \026\003\001\001\247\001\000...
> Mar 28 01:33:24 <mail.info> mail.lan postfix/postscreen[7192]: PREGREET 428 after 0 from [1.2.3.4]:34874: \026\003\001\001\247\001\000...
> Mar 28 01:33:24 <mail.info> mail.lan postfix/postscreen[7193]: PREGREET 418 after 0 from [1.2.3.4]:34980: \026\003\001\001\235\001\000...
> Mar 28 01:33:24 <mail.info> mail.lan postfix/postscreen[7194]: PREGREET 441 after 0 from [1.2.3.4]:35048: \026\003\001\001\264\001\000...
> 
> I find it hard to believe that one client changes its TLS implementation
> within a two-second time interval (assuming the time stamps are real).

One sort of client that would do that would be some sort of protocol
audit tool.  A full packet dump (PCAP file with untruncated packets)
would be useful here IMHO.

But one might also imagine a client that tries version downgrade on
handshake failure.

Also the non-crashing PREGREET logging shows much shorter TLS client
HELLO packets (~100 vs. ~400 bytes).  So definitely a different client
behaviour.

-- 
    Viktor.
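
Added example, not part of the original message and not Postfix code: a log triage sketch that decodes the escaped PREGREET bytes quoted above into TLS record header fields (content type, record version, record length) and reports clients whose record version changes between sessions. It assumes the `\ooo` octal escaping seen in the quoted lines; the function names and the `192.0.2.7` line are constructed for illustration.

```python
import re

# Four PREGREET lines copied from the thread above (mail line wraps joined),
# plus one constructed plaintext line from a constructed client address.
SAMPLE = r"""
Mar 28 01:33:22 <mail.info> mail.lan postfix/postscreen[7179]: PREGREET 426 after 0 from [1.2.3.4]:33288: \026\003\003\001\245\001\000...
Mar 28 01:33:23 <mail.info> mail.lan postfix/postscreen[7187]: PREGREET 347 after 0 from [1.2.3.4]:34124: \026\003\003\001V\001\000...
Mar 28 01:33:24 <mail.info> mail.lan postfix/postscreen[7190]: PREGREET 415 after 0 from [1.2.3.4]:34644: \026\003\002\001\232\001\000...
Mar 28 01:33:24 <mail.info> mail.lan postfix/postscreen[7191]: PREGREET 428 after 0.02 from [1.2.3.4]:34772: \026\003\001\001\247\001\000...
Mar 28 01:40:00 <mail.info> mail.lan postfix/postscreen[7300]: PREGREET 14 after 0.1 from [192.0.2.7]:40000: EHLO example\r\n
"""

LINE = re.compile(r"PREGREET (\d+) after \S+ from \[([^\]]+)\]:\d+: (.*)$")
TOKEN = re.compile(r"\\([0-3][0-7]{2})|\\(.)|(.)", re.S)

def unescape(text):
    """Turn \\ooo octal escapes back into bytes (assumed escaping convention)."""
    text = text[:-3] if text.endswith("...") else text  # drop the elision marker
    return bytes(int(o, 8) if o else ord(e or p) & 0xFF for o, e, p in TOKEN.findall(text))

def tls_record(data):
    """Return (record version, record length) for a TLS handshake record, else None."""
    if len(data) < 5 or data[0] != 0x16:  # 0x16 = handshake content type
        return None
    return f"0x{data[1]:02x}{data[2]:02x}", int.from_bytes(data[3:5], "big")

def summarize(log):
    """Map client -> [(version, record length, pregreet size == length + 5)]."""
    result = {}
    for line in log.splitlines():
        m = LINE.search(line)
        rec = tls_record(unescape(m.group(3))) if m else None
        if rec is None:
            continue  # not a PREGREET line, or not a TLS handshake record
        version, length = rec
        whole = int(m.group(1)) == length + 5  # 5-byte record header + payload
        result.setdefault(m.group(2), []).append((version, length, whole))
    return result

def version_changers(log):
    """Clients that sent more than one TLS record version, in order first seen."""
    out = {}
    for client, recs in summarize(log).items():
        seen = list(dict.fromkeys(v for v, _, _ in recs))
        if len(seen) > 1:
            out[client] = seen
    return out

if __name__ == "__main__":
    for client, versions in version_changers(SAMPLE).items():
        print(client, "->", versions)
```

In each TLS sample line the PREGREET byte count equals the record length plus the 5-byte record header, so the whole ClientHello arrived as a single record before the server greeting.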
