Re: New postfix-3.8.20221007p12 broken TLS for Gmail servers?
> 3.7.9 is a newer version than 3.8.20221007

Stuart, thanks very much for this information, I didn't know about that.

Moved to 3.7.9 and it's working fine right now.
Configured my postfix from scratch, though, to prevent any misconfiguration on my side.

Best wishes,
Mark.

Stuart Henderson wrote on Sat, 3 Feb 2024 at 16:23:

> On 2024-02-03, Mike Fischer wrote:
> >
> >> On 03.02.2024 at 03:44, Brian Conway wrote:
> >>
> >>> Why do you run such an outdated postfix snapshot?
> >>
> >> That is the latest version that is supported/available in packages-stable:
> >>
> >> https://cdn.openbsd.org/pub/OpenBSD/7.4/packages-stable/amd64/
> >
> > While we have not encountered the TLS issue with Gmail (see below) we
> > are in the same boat otherwise. postfix-3.8.20221007 seemed like the newest
> > version a while back and so we are running that version. Going back to
> > 3.7.9 seems like it may be a partial step backwards.
>
> 3.7.9 is a newer version than 3.8.20221007.
>
> --
> Please keep replies on the mailing list.

Re: New postfix-3.8.20221007p12 broken TLS for Gmail servers?
On 2024-02-03, Mike Fischer wrote:
>
>> On 03.02.2024 at 03:44, Brian Conway wrote:
>>
>>> Why do you run such an outdated postfix snapshot?
>>
>> That is the latest version that is supported/available in packages-stable:
>>
>> https://cdn.openbsd.org/pub/OpenBSD/7.4/packages-stable/amd64/
>
> While we have not encountered the TLS issue with Gmail (see below) we are in
> the same boat otherwise. postfix-3.8.20221007 seemed like the newest version
> a while back and so we are running that version. Going back to 3.7.9 seems
> like it may be a partial step backwards.

3.7.9 is a newer version than 3.8.20221007.

--
Please keep replies on the mailing list.

Re: New postfix-3.8.20221007p12 broken TLS for Gmail servers?
On 2024-02-03, Mark wrote:
> Hi again,
>
> I completely removed Postfix and installed the official stable package
> "postfix-3.7.9p0-sasl2-mysql", but the problem persists.

There is possibly still some conflict between openssl (required by newer versions of postfix) and libressl (used by pretty much all of the rest of the ports tree). I would suggest using a 3.5 version if you're using one of the non-default flavoured versions of postfix and having TLS-related problems and see if that helps (from 3.6 they started requiring features from newer versions of openssl that haven't made it into libressl yet).

>> https://github.com/openbsd/ports/blob/master/mail/postfix/snapshot/Makefile

The snapshot version of Postfix that is currently in the ports tree is seriously outdated, I think it should probably be removed.

--
Please keep replies on the mailing list.

Re: New postfix-3.8.20221007p12 broken TLS for Gmail servers?
> On 03.02.2024 at 03:44, Brian Conway wrote:
>
>> Why do you run such an outdated postfix snapshot?
>
> That is the latest version that is supported/available in packages-stable:
>
> https://cdn.openbsd.org/pub/OpenBSD/7.4/packages-stable/amd64/

While we have not encountered the TLS issue with Gmail (see below) we are in the same boat otherwise. postfix-3.8.20221007 seemed like the newest version a while back and so we are running that version. Going back to 3.7.9 seems like it may be a partial step backwards.

Meanwhile Postfix 3.8.5 (along with versions 3.7.10, 3.6.14, 3.5.24) seem to have become stable releases [1] but alas there are no OpenBSD ports for these versions yet. So instead of directing people to the older stable release version 3.7.9 maybe a better plan would be to eventually create a port for 3.8.5?

BTW: On OpenBSD 7.4-stable amd64 using postfix-3.8.20221007p12 I was able to send and receive emails to/from Gmail without problems. So maybe Mark has some sort of configuration issue?

Note however that we are not using the -sasl2-mysql flavor of the port so that might make a difference?

Mike

[1] https://www.postfix.org/announcements/postfix-3.8.5.html

Re: New postfix-3.8.20221007p12 broken TLS for Gmail servers?
As an additional note; I upgraded my server yesterday from (amd64) OpenBSD 7.3 to 7.4 by sysupgrade tool (remotely - unattended way).

Is it possible that the upgrade process created trouble with TLS, SSL libraries?
It was completed without any "visible" issue, as far as I can tell.

Regards.

Mark wrote on Sat, 3 Feb 2024 at 10:34:

> Hi again,
>
> I completely removed Postfix and installed the official stable package
> "postfix-3.7.9p0-sasl2-mysql", but the problem persists.
>
> P.S.: The issue only happens with incoming mails from Gmail servers.
>
> (Well, I do have the needed lines recommended in smtp-smuggling page, the
> ones for "works with all versions".)
>
>
> Herbert J. Skuhra wrote on Sat, 3 Feb 2024 at 10:28:
>
>> On Sat, Feb 03, 2024 at 09:19:47AM +0300, Mark wrote:
>> > An experimental, unstable package in packages-stable?
>> >
>> > An outdated and potentially vulnerable software in the latest OpenBSD
>> > 7.4-stable?
>> >
>> > I must really have been missing something here...
>>
>> Just a few links:
>>
>> https://github.com/openbsd/ports/blob/master/mail/postfix/snapshot/Makefile
>> http://ftp.porcupine.org/mirrors/postfix-release/index.html#experimental
>> https://www.postfix.org/smtp-smuggling.html
>>
>> --
>> Herbert

Re: New postfix-3.8.20221007p12 broken TLS for Gmail servers?
Hi again,

I completely removed Postfix and installed the official stable package "postfix-3.7.9p0-sasl2-mysql", but the problem persists.

P.S.: The issue only happens with incoming mails from Gmail servers.

(Well, I do have the needed lines recommended in smtp-smuggling page, the ones for "works with all versions".)

Herbert J. Skuhra wrote on Sat, 3 Feb 2024 at 10:28:

> On Sat, Feb 03, 2024 at 09:19:47AM +0300, Mark wrote:
> > An experimental, unstable package in packages-stable?
> >
> > An outdated and potentially vulnerable software in the latest OpenBSD
> > 7.4-stable?
> >
> > I must really have been missing something here...
>
> Just a few links:
>
> https://github.com/openbsd/ports/blob/master/mail/postfix/snapshot/Makefile
> http://ftp.porcupine.org/mirrors/postfix-release/index.html#experimental
> https://www.postfix.org/smtp-smuggling.html
>
> --
> Herbert

Re: New postfix-3.8.20221007p12 broken TLS for Gmail servers?
On Sat, Feb 03, 2024 at 09:19:47AM +0300, Mark wrote:
> An experimental, unstable package in packages-stable?
>
> An outdated and potentially vulnerable software in the latest OpenBSD
> 7.4-stable?
>
> I must really have been missing something here...

Just a few links:

https://github.com/openbsd/ports/blob/master/mail/postfix/snapshot/Makefile
http://ftp.porcupine.org/mirrors/postfix-release/index.html#experimental
https://www.postfix.org/smtp-smuggling.html

--
Herbert

Re: New postfix-3.8.20221007p12 broken TLS for Gmail servers?
An experimental, unstable package in packages-stable?

An outdated and potentially vulnerable software in the latest OpenBSD 7.4-stable?

I must really have been missing something here...

Herbert J. Skuhra wrote on Sat, 3 Feb 2024 at 09:04:

> On Fri, Feb 02, 2024 at 08:44:45PM -0600, Brian Conway wrote:
> > On Fri, Feb 2, 2024, at 6:44 PM, Herbert J. Skuhra wrote:
> > > On Sat, Feb 03, 2024 at 03:00:10AM +0300, Mark wrote:
> > >> Hi.
> > >>
> > >> It seems that the recent Postfix update under 7.4-amd64,
> > >> (package: postfix-3.8.20221007p12-sasl2-mysql) breaks TLS connections,
> > >> coming from Gmail servers, throwing a TLS library problem.
> > >>
> > >> Here's the log output;
> > >>
> > >> postfix/smtpd[32879]: connect from mail-yw1-f178.google.com[209.85.128.178]
> > >>
> > >> postfix/smtpd[7374]: Trusted TLS connection established from
> > >> mail-lf1-f45.google.com[209.85.167.45]: TLSv1.3
> > >> with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519
> > >> server-signature ECDSA (prime256v1) server-digest SHA256 client-signature
> > >> RSA-PSS (2048 bits) client-digest SHA256
> > >>
> > >> postfix/smtpd[7374]: warning: TLS library problem: error:0A000126:SSL
> > >> routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:308:
> > >> postfix/smtpd[7374]: lost connection after STARTTLS from
> > >> mail-lf1-f45.google.com[209.85.167.45]
> > >> postfix/smtpd[7374]: disconnect from mail-lf1-f45.google.com[209.85.167.45]
> > >> ehlo=1 starttls=1 commands=2
> > >>
> > >> Before updating the package, I had postfix-3.8.20221007p11, and it had no
> > >> such problem.
> > >
> > > Why do you run such an outdated postfix snapshot?
> >
> > That is the latest version that is supported/available in packages-stable:
> >
> > https://cdn.openbsd.org/pub/OpenBSD/7.4/packages-stable/amd64/
>
> Yeah, sadly! But no reason to install/run outdated and potentially
> vulnerable server software. :-)
>
> Postfix 3.8.20221007 is an old development snapshot (experimental!). It
> should be either updated or removed. Latest version as of today is
> postfix-3.9-20240129. There are also updates available for postfix35
> (3.5.24) and postfix (3.7.10/3.8.5).
>
> --
> Herbert

Re: New postfix-3.8.20221007p12 broken TLS for Gmail servers?
On Fri, Feb 02, 2024 at 08:44:45PM -0600, Brian Conway wrote:
> On Fri, Feb 2, 2024, at 6:44 PM, Herbert J. Skuhra wrote:
> > On Sat, Feb 03, 2024 at 03:00:10AM +0300, Mark wrote:
> >> Hi.
> >>
> >> It seems that the recent Postfix update under 7.4-amd64,
> >> (package: postfix-3.8.20221007p12-sasl2-mysql) breaks TLS connections,
> >> coming from Gmail servers, throwing a TLS library problem.
> >>
> >> Here's the log output;
> >>
> >> postfix/smtpd[32879]: connect from mail-yw1-f178.google.com[209.85.128.178]
> >>
> >> postfix/smtpd[7374]: Trusted TLS connection established from
> >> mail-lf1-f45.google.com[209.85.167.45]: TLSv1.3
> >> with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519
> >> server-signature ECDSA (prime256v1) server-digest SHA256 client-signature
> >> RSA-PSS (2048 bits) client-digest SHA256
> >>
> >> postfix/smtpd[7374]: warning: TLS library problem: error:0A000126:SSL
> >> routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:308:
> >> postfix/smtpd[7374]: lost connection after STARTTLS from
> >> mail-lf1-f45.google.com[209.85.167.45]
> >> postfix/smtpd[7374]: disconnect from mail-lf1-f45.google.com[209.85.167.45]
> >> ehlo=1 starttls=1 commands=2
> >>
> >> Before updating the package, I had postfix-3.8.20221007p11, and it had no
> >> such problem.
> >
> > Why do you run such an outdated postfix snapshot?
>
> That is the latest version that is supported/available in packages-stable:
>
> https://cdn.openbsd.org/pub/OpenBSD/7.4/packages-stable/amd64/

Yeah, sadly! But no reason to install/run outdated and potentially vulnerable server software. :-)

Postfix 3.8.20221007 is an old development snapshot (experimental!). It should be either updated or removed. Latest version as of today is postfix-3.9-20240129. There are also updates available for postfix35 (3.5.24) and postfix (3.7.10/3.8.5).

--
Herbert

Re: New postfix-3.8.20221007p12 broken TLS for Gmail servers?
On Fri, Feb 2, 2024, at 6:44 PM, Herbert J. Skuhra wrote:
> On Sat, Feb 03, 2024 at 03:00:10AM +0300, Mark wrote:
>> Hi.
>>
>> It seems that the recent Postfix update under 7.4-amd64,
>> (package: postfix-3.8.20221007p12-sasl2-mysql) breaks TLS connections,
>> coming from Gmail servers, throwing a TLS library problem.
>>
>> Here's the log output;
>>
>> postfix/smtpd[32879]: connect from mail-yw1-f178.google.com[209.85.128.178]
>>
>> postfix/smtpd[7374]: Trusted TLS connection established from
>> mail-lf1-f45.google.com[209.85.167.45]: TLSv1.3
>> with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519
>> server-signature ECDSA (prime256v1) server-digest SHA256 client-signature
>> RSA-PSS (2048 bits) client-digest SHA256
>>
>> postfix/smtpd[7374]: warning: TLS library problem: error:0A000126:SSL
>> routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:308:
>> postfix/smtpd[7374]: lost connection after STARTTLS from
>> mail-lf1-f45.google.com[209.85.167.45]
>> postfix/smtpd[7374]: disconnect from mail-lf1-f45.google.com[209.85.167.45]
>> ehlo=1 starttls=1 commands=2
>>
>> Before updating the package, I had postfix-3.8.20221007p11, and it had no
>> such problem.
>
> Why do you run such an outdated postfix snapshot?

That is the latest version that is supported/available in packages-stable:

https://cdn.openbsd.org/pub/OpenBSD/7.4/packages-stable/amd64/

Brian Conway
Owner
RCE Software, LLC

Re: New postfix-3.8.20221007p12 broken TLS for Gmail servers?
On Sat, Feb 03, 2024 at 03:00:10AM +0300, Mark wrote:
> Hi.
>
> It seems that the recent Postfix update under 7.4-amd64,
> (package: postfix-3.8.20221007p12-sasl2-mysql) breaks TLS connections,
> coming from Gmail servers, throwing a TLS library problem.
>
> Here's the log output;
>
> postfix/smtpd[32879]: connect from mail-yw1-f178.google.com[209.85.128.178]
>
> postfix/smtpd[7374]: Trusted TLS connection established from
> mail-lf1-f45.google.com[209.85.167.45]: TLSv1.3
> with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519
> server-signature ECDSA (prime256v1) server-digest SHA256 client-signature
> RSA-PSS (2048 bits) client-digest SHA256
>
> postfix/smtpd[7374]: warning: TLS library problem: error:0A000126:SSL
> routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:308:
> postfix/smtpd[7374]: lost connection after STARTTLS from
> mail-lf1-f45.google.com[209.85.167.45]
> postfix/smtpd[7374]: disconnect from mail-lf1-f45.google.com[209.85.167.45]
> ehlo=1 starttls=1 commands=2
>
> Before updating the package, I had postfix-3.8.20221007p11, and it had no
> such problem.

Why do you run such an outdated postfix snapshot?

--
Herbert

New postfix-3.8.20221007p12 broken TLS for Gmail servers?
Hi.

It seems that the recent Postfix update under 7.4-amd64,
(package: postfix-3.8.20221007p12-sasl2-mysql) breaks TLS connections,
coming from Gmail servers, throwing a TLS library problem.

Here's the log output;

postfix/smtpd[32879]: connect from mail-yw1-f178.google.com[209.85.128.178]

postfix/smtpd[7374]: Trusted TLS connection established from
mail-lf1-f45.google.com[209.85.167.45]: TLSv1.3
with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519
server-signature ECDSA (prime256v1) server-digest SHA256 client-signature
RSA-PSS (2048 bits) client-digest SHA256

postfix/smtpd[7374]: warning: TLS library problem: error:0A000126:SSL
routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:308:
postfix/smtpd[7374]: lost connection after STARTTLS from
mail-lf1-f45.google.com[209.85.167.45]
postfix/smtpd[7374]: disconnect from mail-lf1-f45.google.com[209.85.167.45]
ehlo=1 starttls=1 commands=2

Before updating the package, I had postfix-3.8.20221007p11, and it had no
such problem.

Any idea?

Regards.
Mark.
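
Added example, not part of the original thread: a Python script that correlates Postfix smtpd log lines by PID and reports sessions dropped after STARTTLS with a "TLS library problem" warning, as in the log quoted in the post above. The function name and the mx.example.net session are constructed for illustration; the other log lines are the ones from the post with the mail-client wrapping undone.

```python
import re

# Log lines below are the ones quoted in the thread (unwrapped), followed by
# one constructed healthy session (mx.example.net) for contrast.
SAMPLE_LOG = """\
postfix/smtpd[32879]: connect from mail-yw1-f178.google.com[209.85.128.178]
postfix/smtpd[7374]: Trusted TLS connection established from mail-lf1-f45.google.com[209.85.167.45]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (prime256v1) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256
postfix/smtpd[7374]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:308:
postfix/smtpd[7374]: lost connection after STARTTLS from mail-lf1-f45.google.com[209.85.167.45]
postfix/smtpd[7374]: disconnect from mail-lf1-f45.google.com[209.85.167.45] ehlo=1 starttls=1 commands=2
postfix/smtpd[8120]: connect from mx.example.net[192.0.2.10]
postfix/smtpd[8120]: Anonymous TLS connection established from mx.example.net[192.0.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
postfix/smtpd[8120]: disconnect from mx.example.net[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

LINE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)")
PEER = re.compile(r"from (\S+?)\[([0-9A-Fa-f.:]+)\]")
# OpenSSL error string layout: error:<code>:<library>:<function>:<reason>:<file>:<line>:
TLS_ERR = re.compile(r"TLS library problem: error:([0-9A-Fa-f]+):([^:]*):([^:]*):([^:]*):")
LOST = re.compile(r"lost connection after (\S+)")


def failed_tls_sessions(log_text):
    """Correlate smtpd lines by PID; return sessions dropped after STARTTLS with a TLS error."""
    sessions, failures = {}, []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m.groups()
        s = sessions.setdefault(pid, {"peer": None, "handshake_done": False, "errors": [], "lost": None})
        if (peer := PEER.search(msg)):
            s["peer"] = peer.groups()
        if "TLS connection established from" in msg:
            s["handshake_done"] = True
        if (err := TLS_ERR.search(msg)):
            s["errors"].append((err.group(1), err.group(4)))  # (error code, reason text)
        if (lost := LOST.search(msg)):
            s["lost"] = lost.group(1)
        if msg.startswith("disconnect from"):  # an smtpd PID serves many clients in turn
            sessions.pop(pid)
            if s["lost"] == "STARTTLS" and s["errors"]:
                host, ip = s["peer"]
                failures.append({"pid": int(pid), "host": host, "ip": ip,
                                 "handshake_done": s["handshake_done"], "errors": s["errors"]})
    return failures


if __name__ == "__main__":
    for failure in failed_tls_sessions(SAMPLE_LOG):
        print(failure)
```

The handshake_done field separates sessions that broke after the TLS handshake had completed, as in the posted log, from ones that never negotiated. Lines carrying a syslog timestamp and hostname prefix are matched as well.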