Hi all,

I was working on the same case for a bug open in Ubuntu https://bugs.launchpad.net/debian/+source/postfix/+bug/1995312 (it was reported to Debian also, at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011040) when using postfix with openssl3. I developed a solution similar to the one Viktor proposed in this thread. Still, I doubted whether it was affecting only the server side, the client side or both, although I would opt toward both, as an abrupt disconnection can happen in both directions... but as I said, it was a thing I wanted to share here for discussion and advice, also proposing, if you could, to pick one of the proposed fixes in future patches or releases to solve the bugs (as I didn't see it in the incoming postfix 3.8 either).
I put the setting of the SSL_OP_IGNORE_UNEXPECTED_EOF in the function tls_bug_bits (src/tls/tls_misc.c) used by both client and server connections:

--- a/src/tls/tls_misc.c
+++ b/src/tls/tls_misc.c
@@ -1355,6 +1355,9 @@ long tls_bug_bits(void)
      * options just in case.
      */
     bits |= SSL_OP_SINGLE_ECDH_USE | SSL_OP_SINGLE_DH_USE;
+#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
+    bits |= SSL_OP_IGNORE_UNEXPECTED_EOF;
+#endif
     return (bits);
 }

I tested this fix in Ubuntu Jammy (postfix 3.6.4-1ubuntu1), Ubuntu Kinetic (postfix 3.6.4-1ubuntu2) and also 23.04 (our in-development version, postfix 3.7.3-4) and I'll document that in the Ubuntu bug.

I really appreciate any help you can provide and many thanks for considering my request.

On Tue, Jun 14, 2022 at 5:17 PM Demi Marie Obenour <demioben...@gmail.com> wrote:
> On 6/10/22 08:55, Gerben Wierda wrote:
> >
> >> On 10 Jun 2022, at 13:17, Wietse Venema <wie...@porcupine.org> wrote:
> >>
> >> Wietse Venema:
> >>> Gerben Wierda:
> >>>>
> >>>>> On 10 Jun 2022, at 02:30, Wietse Venema <wie...@porcupine.org> wrote:
> >>>>>
> >>>>> Gerben Wierda:
> >>>>>> What is happening here? (mail is delivered, I'm just curious)
> >>>>>>
> >>>>>> Jun 09 23:37:39 mail postfix/postscreen[4294]: CONNECT from [146.185.52.133]:10400 to [192.168.2.66]:25
> >>>>>> Jun 09 23:37:45 mail postfix/postscreen[4294]: PASS NEW [146.185.52.133]:10400
> >>>>>> Jun 09 23:37:45 mail smtp/smtpd[4296]: connect from ims-smtp133.persgroep-ops.net[146.185.52.133]
> >>>>>> Jun 09 23:37:46 mail smtp/smtpd[4296]: CC868E75AA1E: client=ims-smtp133.persgroep-ops.net[146.185.52.133]
> >>>>>> Jun 09 23:37:47 mail postfix/cleanup[4300]: CC868E75AA1E: message-id=<220609233739.sim_40lt1wa1poje3tjw6hnmtvk29xxj_ghn7vvejgut3cs3hljfekzafd9hipabzz8ro0vetlr2qj0j2ddp9oie2u%2bfuro...@ims-smtp133.persgroep-ops.net>
> >>>>>> Jun 09 23:37:48 mail postfix/qmgr[8801]: CC868E75AA1E: from=<nore...@mail.trouw.nl>, size=34628, nrcpt=1 (queue active)
> >>>>>> Jun 09 23:37:48 mail smtp/smtpd[4296]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:309:
> >>>>>> Jun 09 23:37:48 mail smtp/smtpd[4296]: disconnect from ims-smtp133.persgroep-ops.net[146.185.52.133] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 commands=6
> >>>>>>
> >>>>>
> >>>>> Did you look for 0A000126 with a web search engine?
> >>>>
> >>>> Yes. Searched on the entire error string as well.
> >>>>
> >>>> But that did not give me a clue.
> >>>
> >>> I got: OpenSSL 3 is more strict about clients that disconnect without
> >>> fully following the protocol.
> >>
> >> Specifically, google 0A000126, the first result is PHP issue 8369a
> >
> > Indeed. Interesting. I use duckduckgo (which relies on Bing afaik) and it doesn’t find that.
> >
> >> which links to https://github.com/openssl/openssl/issues/11378. The
> >> latter had a breaking fix, backed it out for OpenSSL 1.1.1, but
> >> kept it in the branch that became OpenSSL 3.
> >
> > So basically, the sender doesn’t properly close the SSL protocol, their MTA is using an SSL which isn’t properly implemented.
>
> My understanding is that a truncation attack is never a problem in
> SMTP, as a premature EOF is always an SMTP error. If this is in
> fact the case, Postfix should set SSL_OP_IGNORE_UNEXPECTED_EOF to
> tell OpenSSL to not treat a missing close_notify as an error.
> --
> Sincerely,
> Demi Marie Obenour (she/her/hers)

--
Miriam España Acebal
Software Engineer II - Ubuntu PublicCloud/Server
Canonical Ltd.
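Review bot: the three added lines in the tls_bug_bits() hunk carry no comment explaining why ignoring a missing close_notify is safe, and nothing records that this function is shared by the SMTP client and server, so the relaxation lands on both sides at once; add a comment above the #ifdef with the rationale given later in the thread (SMTP has its own end-of-data marker and reply framing, so a TLS EOF before a complete command or reply is still an SMTP-level error), otherwise a future reader sees an unexplained weakening of the OpenSSL 3 truncation check inside a function meant for bug workarounds. The #ifdef guard itself is right, since the thread notes the strict behaviour exists only in OpenSSL 3 and the file must still build against 1.1.1. One more thing worth stating in the change description: once the option is set, the "TLS library problem: ... unexpected eof while reading" warning is no longer logged, so a session that really was cut off is only visible through the counters in the smtpd "disconnect from" summary line.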
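Demi's point above, that the SMTP layer itself tells you whether a premature EOF truncated anything, can be turned into a triage step for these warnings. What follows is an added example of mine, not Postfix code and not anything posted in the thread: it walks smtpd log lines, pairs each "unexpected eof" warning with the "disconnect from" summary logged by the same smtpd process, and labels the session from the command counters. It assumes Postfix's disconnect summary format (name=count, or name=ok/total when some instances of a command did not complete) and that one smtpd process serves one session at a time; the log lines are constructed for the example, with made-up hosts, PIDs and queue ID.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the smtpd lines quoted in the thread
# (hostnames, addresses, PIDs and the queue ID are made up for this example).
SAMPLE_LOG = """\
Jun 09 23:37:45 mail postfix/smtpd[4296]: connect from relay.example.net[192.0.2.10]
Jun 09 23:37:46 mail postfix/smtpd[4296]: 4ABC123DEF: client=relay.example.net[192.0.2.10]
Jun 09 23:37:48 mail postfix/smtpd[4296]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:309:
Jun 09 23:37:48 mail postfix/smtpd[4296]: disconnect from relay.example.net[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 commands=6
Jun 09 23:40:01 mail postfix/smtpd[4310]: connect from spooler.example.org[198.51.100.7]
Jun 09 23:40:05 mail postfix/smtpd[4310]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:309:
Jun 09 23:40:05 mail postfix/smtpd[4310]: disconnect from spooler.example.org[198.51.100.7] ehlo=2 starttls=1 mail=1 rcpt=1 data=0/1 commands=5/6
Jun 09 23:41:10 mail postfix/smtpd[4296]: connect from probe.example.com[203.0.113.5]
Jun 09 23:41:11 mail postfix/smtpd[4296]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:309:
Jun 09 23:41:11 mail postfix/smtpd[4296]: disconnect from probe.example.com[203.0.113.5] ehlo=2 starttls=1 commands=3
Jun 09 23:42:00 mail postfix/smtpd[4310]: connect from mx.example.net[192.0.2.20]
Jun 09 23:42:02 mail postfix/smtpd[4310]: disconnect from mx.example.net[192.0.2.20] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

# syslog prefix: "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(
    r"^\w{3} \d{2} \d{2}:\d{2}:\d{2} \S+ (?P<prog>[\w/-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# smtpd session summary: "disconnect from peer[addr] name=count name=ok/total ..."
DISCONNECT_RE = re.compile(
    r"^disconnect from (?P<peer>\S+)(?P<counters>(?: \w+=\d+(?:/\d+)?)*)$"
)
COUNTER_RE = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")
EOF_MARKER = "unexpected eof while reading"


def parse_counters(text):
    """Turn 'mail=1 rcpt=0/1 commands=5/6' into {'mail': (1, 1), 'rcpt': (0, 1), ...}.
    Postfix writes name=ok/total only when some instances failed; otherwise ok == total."""
    counters = {}
    for name, ok, total in COUNTER_RE.findall(text):
        ok = int(ok)
        counters[name] = (ok, int(total) if total else ok)
    return counters


def classify(counters, saw_eof_warning):
    """Verdict for one session. smtpd only accepts a message after the client's
    end-of-data marker and the server's 250 reply, so data=N/N with N >= 1 means
    the EOF arrived after acceptance and cannot have truncated the message."""
    if not saw_eof_warning:
        return "clean"
    data_ok, data_total = counters.get("data", (0, 0))
    if data_ok >= 1 and data_ok == data_total:
        return "benign-after-accept"
    if any(ok < total for ok, total in counters.values()):
        # Some command never completed: the transaction was cut short and the
        # message was not accepted, so the sending MTA still holds it and retries.
        return "incomplete"
    return "benign-no-transaction"


def triage(log_text):
    """Pair each smtpd disconnect summary with any unexpected-EOF warning logged by
    the same smtpd process since its last 'connect from' line (one smtpd process
    serves one session at a time). Returns [(pid, peer, verdict), ...] in log order."""
    saw_warning = defaultdict(bool)
    verdicts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("prog").endswith("/smtpd"):
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith("connect from "):
            saw_warning[pid] = False          # new session on this process
        elif msg.startswith("warning: TLS library problem") and EOF_MARKER in msg:
            saw_warning[pid] = True
        else:
            d = DISCONNECT_RE.match(msg)
            if d:
                counters = parse_counters(d.group("counters"))
                verdicts.append((pid, d.group("peer"), classify(counters, saw_warning[pid])))
                saw_warning[pid] = False
    return verdicts


def summarize(verdicts):
    """Count sessions per verdict; only 'incomplete' needs an operator's attention."""
    counts = {}
    for _, _, verdict in verdicts:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for pid, peer, verdict in results:
        print(f"smtpd[{pid}] {peer}: {verdict}")
    print(summarize(results))
```

The first session is the case in the thread: DATA completed and was acknowledged, and the peer simply closed without QUIT or close_notify, so the warning is noise. The second session is the one worth a look, and even there nothing was accepted, so the sender retries. Once SSL_OP_IGNORE_UNEXPECTED_EOF is set the warning line is no longer written, and the counters in the disconnect summary become the only indicator of a cut-off session.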