Re: [exim] missing logline, as if the delivery crashed

2021-06-02 Thread Cyborg via Exim-users

On 02.06.21 at 10:23, Jeremy Harris via Exim-users wrote:

> On 02/06/2021 07:49, Cyborg via Exim-users wrote:
>> since an os upgrade of fedora, where the security policy changed,
>> this happens to some connections:
>>
>> 2021-06-02 07:02:58 1loJ1s-006Qmo-BG <= u...@senderdomain.de
>> H=nx222.node01.secure-mailgate.com [89.22.108.222] P=esmtps
>> X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no K S=19127
>> id=504f250e-1b94-40f6-3d26-2011d5f54...@senderdomain.de
>>
>> 2021-06-02 07:02:58 1loJ1s-006Qmo-BG Completed
>>
>> You will notice that the delivery line is missing.


> You're not showing a connection there; either of reception or of
> delivery.


That the delivery "=>" line is missing is exactly the problem here.

All other valid attempts in and out have that delivery line, but this ->
failed <- message does not have one. I have never seen this happen
in 15 years of exim services.


It's reliably happening if a specific server


> How were those lines extracted from the log?


Manually, by copy and paste. I searched for error lines between "<=" and
"Completed", but there are none. The "=>" is not printed to the log at all
and there is no other error.



> Do you log connection arrivals, incoming connection terminations,


Standard logs are active, so we get "<=", "=>", "**" and Completed, and
some internal warnings used for in-case debugging of antispam problems.


Here is a typical, randomly chosen, working log:

2021-06-02 10:51:44 1loMbI-00794v-6n 
H=mta-174-90-195.senderdomain.de.sparkpostmail.com [192.174.90.195] 
Warning: processing file "" for "To: "X XXX"  
-> From: "YYY"  / 
R="YYY" "
2021-06-02 10:51:44 1loMbI-00794v-6n 
H=mta-174-90-195.senderdomain.de.sparkpostmail.com [192.174.90.195] 
Warning: send for "X XX" 
2021-06-02 10:51:48 1loMbI-00794v-6n <= 
msprvs1=18787dju2Uvig=bounces-23...@bounces.senderdomain.de 
H=mta-174-90-195.senderdomain.de.sparkpostmail.com [192.174.90.195] 
P=esmtps X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no S=76268 
id=dd.f8.45130.c9647...@ai.mta1vrest.cc.prd.sparkpost
2021-06-02 10:51:48 1loMbI-00794v-6n => /STORAGE/Maildir/ 
(i...@domain.tld)  R=virtual_user T=address_directory

2021-06-02 10:51:48 1loMbI-00794v-6n Completed

The messages in question have normal entries in those Warnings we
additionally create, so I left them out, as they are not relevant and are
personal information.



> delivery connection attempts or terminations?


Normally everything is logged, that's exactly the point.

NOW, AFTER I downgraded the crypto-policy of Fedora back to F32, the
deliveries of these messages from the named server are processed and fully
logged again.


My guess is we just found a bug in the processing of the DH KEY TOO SMALL
error that openssl throws on incoming connections, where the error avoids
getting logged.


We are talking about a mail cluster with thousands of mailboxes, which
had no problems with >99% of all incoming/outgoing mails when the new
crypto-policy was active. That <1% of mail servers "seem" to have the same
DHE problem.


After I switched back to the F32 policy and restarted exim, those remote
mail servers with the "DH key too small" error (problem 2) did use DHE
ciphers. I'm pretty sure the original problem is a config error either
in Fedora's openssl default config (never changed it manually) or the
remote server's DHE exchange is misconfigured.


If someone knows how to tell openssl s_client to simulate or detect
this zero sized DH key, I can run tests on those servers to find out more.


best regards,
Marius


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
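The probe Marius asks for above, as an added example that is not code from this thread, from Exim or from OpenSSL: a small POSIX sh script that runs `openssl s_client` against an SMTP peer with only DHE suites offered and at OpenSSL security level 0 (so the handshake completes even for a small group and the "Server Temp Key" line can be read), then judges the reported size against the 2048-bit floor that security level 2 enforces. The host names, the sample `s_client` output and the function names are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread, Exim or OpenSSL): read the ephemeral
# DH size a remote SMTP server offers and decide whether a client at
# OpenSSL security level 2 would reject it with "dh key too small".

# Parse `openssl s_client` output on stdin; print the server temp key as
# "TYPE BITS" (e.g. "DH 1024"). Print "none" when no "Server Temp Key" line
# is present (handshake failed, or no ephemeral key exchange was used).
dh_size_from_s_client() {
  awk -F'[ ,]+' '
    /^Server Temp Key:/ {
      for (i = 1; i <= NF; i++) if ($i == "bits") { print $4, $(i - 1); found = 1 }
    }
    END { if (!found) print "none" }
  '
}

# Return 0 when $1 ("TYPE BITS") is a DH group of at least $2 bits
# (default 2048, the minimum OpenSSL security level 2 accepts), else 1.
dh_acceptable() {
  kind=${1%% *}; bits=${1##* }; min=${2:-2048}
  [ "$kind" = "DH" ] || return 1
  [ "$bits" -ge "$min" ]
}

# Connect to $1:$2 (default port 25) with STARTTLS, TLS 1.2 only and only
# DHE suites offered. SECLEVEL=0 is used so the handshake succeeds for any
# group size and the size becomes visible; it is a diagnostic setting only,
# the production client keeps the policy that rejects small groups.
probe_smtp_dhe() {
  openssl s_client -connect "$1:${2:-25}" -starttls smtp -tls1_2 \
      -cipher 'DHE:@SECLEVEL=0' </dev/null 2>/dev/null \
    | dh_size_from_s_client
}

# Constructed sample of the relevant part of s_client output, for offline use.
SAMPLE_S_CLIENT='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Server Temp Key: DH, 1024 bits
---'

size=$(printf '%s\n' "$SAMPLE_S_CLIENT" | dh_size_from_s_client)
if dh_acceptable "$size"; then
  echo "sample peer: $size, acceptable at security level 2"
else
  echo "sample peer: $size, would fail with 'dh key too small' at security level 2"
fi
# Live use against a real peer (network access required):
#   probe_smtp_dhe mx.example.net
```

Running `probe_smtp_dhe` without the `@SECLEVEL=0` part reproduces the client-side failure instead of reporting the size, which is the quicker way to confirm that a given peer is one of the affected ones; the output "none" then means the peer either offers no DHE suite at all or the handshake was refused before the key exchange.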


Re: [exim] missing logline, as if the delivery crashed

2021-06-02 Thread Heiko Schlittermann via Exim-users
Hi,

Cyborg via Exim-users  (Wed 02 Jun 2021 08:49:21 CEST):
> 
> Exim:  4.94.2   Fedora 33
> Openssl: 1.1.1k-1
> 
> Hi,
> 
> Problem 1:
> 
> since an os upgrade of fedora, where the security policy changed, this
> happens to some connections:
> 
> 2021-06-02 07:02:58 1loJ1s-006Qmo-BG <= u...@senderdomain.de
> H=nx222.node01.secure-mailgate.com [89.22.108.222] P=esmtps
> X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no K S=19127
> id=504f250e-1b94-40f6-3d26-2011d5f54...@senderdomain.de
> 2021-06-02 07:02:58 1loJ1s-006Qmo-BG Completed

- What's your log_file_path?
- Can you extract all lines containing the Message-ID?
- An early version of the "taintwarn" patches had issues with lost log
  lines (for local deliveries, though), maybe we've a re-incarnation of
  this bug?

> You will notice that the delivery line is missing.

If I remember well, it is the delivery process which is accessing the
log, and this process isn't privileged; it runs as the Exim runtime user.
For writing to the log no extra privilege is needed, but who knows…

> There is no error, no warning, no nothing that explains what happens.

Try adding syslog to your logfile path, to see if the line you're missing
appears there.

> As I can't reproduce it with any of our other exims as source, how can we
> find out what happened to these mails?
> Which log option is to be enabled to get more info here?

So you *can* reproduce it on F33 with the Exim package F provides?

> Problem 2:
> 
> This may be strong evidence for the policy change: TLS session:
> (SSL_connect): error:141A318A:SSL routines:tls_process_ske_dhe:dh key too
> small

I think, this isn't related to Exim directly, as we do not require
special key sizes in the default configuration. So maybe library
defaults changed?

Again: I'm not an expert at all, so all my assumptions are only this:
assumptions.

Best regards from Dresden/Germany
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] missing logline, as if the delivery crashed

2021-06-02 Thread Jeremy Harris via Exim-users

On 02/06/2021 07:49, Cyborg via Exim-users wrote:

> since an os upgrade of fedora, where the security policy changed, this happens
> to some connections:
>
> 2021-06-02 07:02:58 1loJ1s-006Qmo-BG <= u...@senderdomain.de
> H=nx222.node01.secure-mailgate.com [89.22.108.222] P=esmtps
> X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no K S=19127
> id=504f250e-1b94-40f6-3d26-2011d5f54...@senderdomain.de
> 2021-06-02 07:02:58 1loJ1s-006Qmo-BG Completed
>
> You will notice that the delivery line is missing.


You're not showing a connection there; either of reception or of delivery.
How were those lines extracted from the log?
Do you log connection arrivals, incoming connection terminations,
delivery connection attempts or terminations?
--
Cheers,
  Jeremy



[exim] missing logline, as if the delivery crashed

2021-06-02 Thread Cyborg via Exim-users


Exim:  4.94.2   Fedora 33
Openssl: 1.1.1k-1

Hi,

Problem 1:

since an os upgrade of fedora, where the security policy changed, this 
happens to some connections:


2021-06-02 07:02:58 1loJ1s-006Qmo-BG <= u...@senderdomain.de 
H=nx222.node01.secure-mailgate.com [89.22.108.222] P=esmtps 
X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no K S=19127 
id=504f250e-1b94-40f6-3d26-2011d5f54...@senderdomain.de

2021-06-02 07:02:58 1loJ1s-006Qmo-BG Completed

You will notice that the delivery line is missing.

There is no error, no warning, no nothing that explains what happens.

As this server had run this exact exim version from the Fedora 33 packages
(due to 21Nails) before the OS update without such problems, and those
packages actually did not update at all, I think the OS security policy of
Fedora 33 is causing this, but I can't prove it.


As I can't reproduce it with any of our other exims as source, how can
we find out what happened to these mails?

Which log option is to be enabled to get more info here?

Problem 2:

This may be strong evidence for the policy change: TLS session: 
(SSL_connect): error:141A318A:SSL routines:tls_process_ske_dhe:dh key 
too small


It also happens since the OS upgrade. It is an indicator that the
remote SMTP server does not have its setup straight (DH key size = 0
according to Debian).


I checked it by lowering the policy back to Fedora 32, and now the server
can send mails to the previously erroring servers again.



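The check Marius did by hand (a message with "<=" and "Completed" but no delivery line in between) and the extraction Heiko asks for, as an added example that is not code from this thread or from the Exim project: a POSIX sh/awk scanner over an Exim main log that groups lines by message id and reports the ids that completed without any delivery-status line. It assumes the standard main-log layout "DATE TIME [PID] MSGID MARKER ...", where the optional "[PID]" field appears when log_selector includes +pid; the sample log is constructed from the lines quoted in the thread with constructed addresses, and the function name is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or the Exim project): find Exim
# message ids that were received ("<=") and "Completed" without a single
# delivery-status line, which is the gap Marius reported.

# Read an Exim main log on stdin; print, one per line and sorted, the ids
# of messages that have a "<=" line and a "Completed" line but none of the
# delivery markers "=>", "->", "*>", "**" or "==".
exim_missing_delivery() {
  awk '
    {
      # Skip the optional [pid] field so that id and marker are found
      # whether or not log_selector has +pid.
      if ($3 ~ /^\[[0-9]+\]$/) { id = $4; m = $5 } else { id = $3; m = $4 }
    }
    m == "<="        { received[id] = 1 }
    m == "=>" || m == "->" || m == "*>" || m == "**" || m == "==" { delivered[id] = 1 }
    m == "Completed" { completed[id] = 1 }
    END {
      for (id in received)
        if (completed[id] && !delivered[id]) print id
    }
  ' | LC_ALL=C sort
}

# Constructed sample log modelled on the lines quoted in the thread.
# 1loJ1s-006Qmo-BG is the broken case, 1loMbI-00794v-6n a normal delivery,
# 1loMmz-0000Ab-1Q a broken case written with +pid in log_selector.
SAMPLE_LOG='2021-06-02 07:02:58 1loJ1s-006Qmo-BG <= sender@sender.example H=nx222.node01.secure-mailgate.com [89.22.108.222] P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no K S=19127 id=504f250e@sender.example
2021-06-02 07:02:58 1loJ1s-006Qmo-BG Completed
2021-06-02 10:51:44 1loMbI-00794v-6n H=mta-174-90-195.sender.example [192.174.90.195] Warning: send for "X XX"
2021-06-02 10:51:48 1loMbI-00794v-6n <= bounces-23@bounces.sender.example H=mta-174-90-195.sender.example [192.174.90.195] P=esmtps X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no S=76268 id=dd.f8.45130@mta.sender.example
2021-06-02 10:51:48 1loMbI-00794v-6n => /STORAGE/Maildir/ (user@domain.example) R=virtual_user T=address_directory
2021-06-02 10:51:48 1loMbI-00794v-6n Completed
2021-06-02 11:03:10 [4711] 1loMmz-0000Ab-1Q <= other@sender.example H=mx.other.example [198.51.100.7] P=esmtps S=1234 id=abc@other.example
2021-06-02 11:03:10 [4711] 1loMmz-0000Ab-1Q Completed'

# Stand-alone run on the sample; on a real host use
#   exim_missing_delivery < /var/log/exim/mainlog
printf '%s\n' "$SAMPLE_LOG" | exim_missing_delivery
```

The ids this prints are the ones to pull every line for (`grep <id> mainlog`, and the syslog copy if log_file_path also names syslog), since a message that is "Completed" with no delivery, failure or deferral record should not exist in a correctly logging Exim; a message that is received but never completed is left alone, as it is simply still queued.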