[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections
https://bugs.exim.org/show_bug.cgi?id=2018

Git Commit changed:

           What    |Removed     |Added
             Status|REOPENED    |RESOLVED
         Resolution|---         |FIXED

--- Comment #16 from Git Commit ---
Git commit:
https://git.exim.org/exim.git/commitdiff/da88acaeb7d76e5312c8ea799951470eaa5eca0f

commit da88acaeb7d76e5312c8ea799951470eaa5eca0f
Author:     Phil Pennock
AuthorDate: Tue Jan 31 22:15:55 2017 -0500
Commit:     Phil Pennock
CommitDate: Tue Jan 31 22:15:55 2017 -0500

    handle proxy protocol v2 safely as well.

    we had test suite failures (test suite success!) because proxy protocol
    v2 (ppv2) wasn't being detected; by only reading 12 octets, the >= 16
    check was failing. but in fact i had previously only fixed reading
    "only enough" for ppv1.

    handling both ppv1 and ppv2 is complicated because the minimum valid
    length for ppv1 is 15 octets but for ppv2 the size to read is in the
    15th and 16th octets. so refactored a little and we now use a total of
    3 reads for the ppv2 case (assuming no fragmentation, etc; we'll
    actually keep reading now instead of aborting) to get the entire ppv2
    header of exactly the right size, so that tls handshake immediately
    following the pp header is not also swallowed.

    fixes: 2018
    tested: manually, tls and non-tls, ppv1 and ppv2, all ways.
    release: should be cherry-picked into 4.89rc series

 doc/doc-txt/ChangeLog |   2 +
 src/src/smtp_in.c     | 128 +++---
 2 files changed, 103 insertions(+), 27 deletions(-)

--
You are receiving this mail because:
You are on the CC list for the bug.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections
https://bugs.exim.org/show_bug.cgi?id=2018

--- Comment #15 from Phil Pennock ---
Okay, problem is easy to see:

    if (ret >= 16 && memcmp(, v2sig, 12) == 0)

We now only read 16 characters in the first pass, so that's never true. D'oh.
[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections
https://bugs.exim.org/show_bug.cgi?id=2018

Phil Pennock changed:

           What    |Removed     |Added
             Status|RESOLVED    |REOPENED
         Resolution|FIXED       |---

--- Comment #14 from Phil Pennock ---
Jeremy saw test suite failures; I have dug into how to configure haproxy to try
proxy protocol v2 and indeed, I see failure. I broke v2.
[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections
https://bugs.exim.org/show_bug.cgi?id=2018 --- Comment #13 from Git Commit--- Git commit: https://git.exim.org/exim.git/commitdiff/f700ea4d43b74a85ff4f606828fee4e9a2131f9c commit f700ea4d43b74a85ff4f606828fee4e9a2131f9c Author: Phil Pennock AuthorDate: Mon Jan 30 19:54:47 2017 -0500 Commit: Phil Pennock CommitDate: Mon Jan 30 19:54:47 2017 -0500 Document that fixed 2018 Fixes: 2018 --- doc/doc-txt/ChangeLog | 4 1 file changed, 4 insertions(+) diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index bc9b19f..69c7789 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -73,6 +73,10 @@ JH/15 Angle-bracket nesting (an error inserted by broken sendmails) levels are now limited to an arbitrary five deep, while parsing addresses with the strip_excess_angle_brackets option enabled. +PP/03 Bug 2018: For Proxy Protocol and TLS-on-connect, do not over-read and + instead leave the unprompted TLS handshake in socket buffer for the + TLS library to consume. + Exim version 4.88 - -- You are receiving this mail because: You are on the CC list for the bug. -- ## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
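Review bot: the added PP/03 ChangeLog lines read "leave the unprompted TLS handshake in socket buffer for the TLS library to consume"; "in the socket buffer" is the intended phrasing. More importantly, the entry records only the over-read fix, not the ordering change made in commit 1811cb4cb491183bd4b32bca3e80f77b4c8d391d (Proxy Protocol now handled in clear before the tls-on-connect startup), which Phil's list reply said should be noted in README.UPDATING; a sentence here such as "Proxy Protocol is now parsed before TLS-on-connect starts" or a pointer to README.UPDATING would let operators who relied on the previous order find the change.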
[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections
https://bugs.exim.org/show_bug.cgi?id=2018

Phil Pennock changed:

           What    |Removed     |Added
             Status|ASSIGNED    |RESOLVED
         Resolution|---         |FIXED
[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections
https://bugs.exim.org/show_bug.cgi?id=2018

--- Comment #12 from Phil Pennock ---
Have pushed a fix for this. I'm marking it closed; Nenad, please try Exim
4.89RC1 which I'll be cutting tonight and re-open the ticket if you still
experience problems.

Thank you for your patience!
[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections
https://bugs.exim.org/show_bug.cgi?id=2018

Phil Pennock changed:

           What    |Removed                 |Added
           Assignee|jgh146...@wizmail.org   |p...@exim.org
[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections
https://bugs.exim.org/show_bug.cgi?id=2018

--- Comment #11 from Phil Pennock ---
Isolated the problem, confirmed with a debug statement.

We're doing a fixed read for proxy handling, assuming that the read will come
up short for PROXYv1. For SMTP where server-speaks-first, that's true for
compliant clients. For TLS, where client-speaks-first and the proxy waits for
client data before opening the backend connection, it's not true.

With a little bit of debugging added:

    90478 Bytes read not within PROXY header: 178

For plaintext, that "178" is the desired "0".

Am pondering solutions right now. I consider this blocking of 4.89RC1.
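The over-read diagnosed in comment #11 above, and the exact-length read strategy described in the commit in comment #16 at the top of this page, as an added C example that is not Exim's own code: a PROXY v2 header is consumed in three reads (12-octet signature, 4 octets of version/family/length, then exactly the advertised remainder) and a v1 line octet by octet, so the TLS record that follows the header on a TLS-on-connect port is left unread. The in-memory stream_t standing in for the socket, the sample headers and the function names are constructed for this example and assume no fragmentation.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed in-memory stand-in for the client socket; assumes no fragmentation. */
typedef struct { const uint8_t *data; size_t len; size_t pos; } stream_t;

static const uint8_t PP2_SIG[12] =
  { 0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A };

/* Read exactly n octets (discarded when out is NULL); -1 if the stream is short. */
static int read_exact(stream_t *s, uint8_t *out, size_t n)
{
  if (s->len - s->pos < n) return -1;
  if (out) memcpy(out, s->data + s->pos, n);
  s->pos += n;
  return 0;
}

/* Returns the header length consumed, or -1 if the stream does not start with
 * a PROXY header; on success s->pos is exactly the first octet after it. */
int consume_proxy_header(stream_t *s)
{
  uint8_t head[16], prev, c;
  size_t start = s->pos, rest;

  /* Read 1: 12 octets are enough to recognise the v2 signature or v1 "PROXY ". */
  if (read_exact(s, head, 12) != 0) return -1;
  if (memcmp(head, PP2_SIG, 12) == 0) {
    /* Read 2: version/command, family/protocol, big-endian length of the rest. */
    if (read_exact(s, head + 12, 4) != 0) return -1;
    if ((head[12] & 0xF0) != 0x20) return -1;            /* not version 2 */
    rest = ((size_t)head[14] << 8) | head[15];
    /* Read 3: exactly the advertised address block and TLVs, nothing more. */
    if (read_exact(s, NULL, rest) != 0) return -1;
    return (int)(s->pos - start);
  }
  if (memcmp(head, "PROXY ", 6) == 0) {
    /* v1: a CRLF-terminated line of at most 107 octets (minimum 15). Read one
     * octet at a time so the terminator, and the TLS record behind it, is never overshot. */
    for (prev = head[11]; s->pos - start < 107; prev = c) {
      if (read_exact(s, &c, 1) != 0) return -1;
      if (prev == '\r' && c == '\n') return (int)(s->pos - start);
    }
  }
  return -1;
}

/* Constructed samples: a PROXY header followed by the start of a TLS handshake
 * record (0x16 0x03 0x01 ...), and a bare TLS record with no header at all. */
static const uint8_t SAMPLE_V2[] = {
  0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A,
  0x21, 0x11, 0x00, 0x0C,          /* PROXY command, TCP over IPv4, 12 octets follow */
  192,0,2,1, 198,51,100,2,         /* 192.0.2.1 -> 198.51.100.2 */
  0xDB,0x84, 0x01,0xD1,            /* ports 56196 -> 465 */
  0x16,0x03,0x01,0x00,0xA5 };      /* TLS record: must remain unread */
static const char SAMPLE_V1[] =
  "PROXY TCP4 192.0.2.1 198.51.100.2 56196 465\r\n" "\x16\x03\x01";
static const uint8_t SAMPLE_NO_PP[] = { 0x16,0x03,0x01,0x00,0xA5,0x01,0x00,0x00,0xA1,0x03,0x03,0x00 };

/* Header length consumed from a byte string, or -1 if it has no PROXY header. */
int proxy_header_len(const uint8_t *d, size_t n)
{ stream_t s = { d, n, 0 }; return consume_proxy_header(&s); }

/* First octet left for the TLS library after the header, or -1 on error. */
int next_octet_after_header(const uint8_t *d, size_t n)
{ stream_t s = { d, n, 0 };
  return (consume_proxy_header(&s) < 0 || s.pos >= s.len) ? -1 : s.data[s.pos]; }
```

A fixed 107-octet read in place of the three exact reads would return 33 octets for SAMPLE_V2 and hand only the tail of the ClientHello to SSL_accept, which is the "unknown protocol" failure shown in comment #2.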
[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections
https://bugs.exim.org/show_bug.cgi?id=2018

Phil Pennock changed:

           What    |Removed     |Added
                 CC|            |p...@exim.org

--- Comment #10 from Phil Pennock ---
I can reproduce and am investigating further.

I have exim on my laptop and haproxy on my laptop, set up such that:

    daemon_smtp_ports = 25 : 465 : 466 : 587 : 588
    tls_on_connect_ports = 465 : 466
    hosts_proxy = <; ${if forany{466:588}{=={$received_port}{$item}} {127.0.0.1 ; ::1}{}}

and for proxy testing, I start Exim with `-oX 127.0.0.1` and run:

    sudo haproxy -f haproxy.conf -db -d

with an haproxy configuration of:

    frontend ft_smtp_submission
        bind 0.0.0.0:587
        mode tcp
        no option http-server-close
        timeout client 1m
        log global
        option tcplog
        default_backend bk_exim_submission

    backend bk_exim_submission
        mode tcp
        no option http-server-close
        log global
        option tcplog
        timeout server 1m
        timeout connect 5s
        server exim 127.0.0.1:588 send-proxy

    frontend ft_smtp_tlsonconnect
        bind 0.0.0.0:465
        mode tcp
        no option http-server-close
        timeout client 1m
        log global
        option tcplog
        default_backend bk_exim_tlsonconnect

    backend bk_exim_tlsonconnect
        mode tcp
        no option http-server-close
        log global
        option tcplog
        timeout server 1m
        timeout connect 5s
        server exim 127.0.0.1:466 send-proxy
[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections
https://bugs.exim.org/show_bug.cgi?id=2018

--- Comment #9 from Jeremy Harris ---
Grab a packet capture and look at the first few TLS packets (or attach it here).
[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections
https://bugs.exim.org/show_bug.cgi?id=2018

--- Comment #8 from Nenad Opsenica ---
> That looks like a TLS config problem.

Well, literally the same exim configuration works just fine if I connect
directly from Thunderbird to exim server (therefore, without hosts_proxy
settings). Only if connection goes over HAproxy, error occurs.
[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections
https://bugs.exim.org/show_bug.cgi?id=2018

--- Comment #7 from Jeremy Harris ---
That looks like a TLS config problem.
[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections
https://bugs.exim.org/show_bug.cgi?id=2018

--- Comment #6 from Nenad Opsenica ---
Unfortunately, provided patch does not work (I have applied it to 4.88 patched
with v2 proxy patch; patching went cleanly). Proxied session was detected, but
TLS was not established. Client (Thunderbird) after a while pops up information
dialog with "The message could not be sent because the connection to Outgoing
server was lost in the middle of the transaction".

Exim debug session (10.9.27.240 is Thunderbird's address, it connects to HAproxy):

    15:31:21 16939 Initialized TLS
    15:31:21 16939 required ciphers: ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!MD5:!SRP:!PSK:!aDSS:!kECDH:!kDH:!SEED:!IDEA:!RC2:!RC4:!RC5:!CAMELLIA
    15:31:21 16939 host in tls_verify_hosts? no (option unset)
    15:31:21 16939 host in tls_try_verify_hosts? no (option unset)
    15:31:21 16939 Calling SSL_accept
    15:31:21 16939 SSL info: before/accept initialization
    15:31:21 16939 SSL info: before/accept initialization
    15:31:51 16939 LOG: MAIN
    15:31:51 16939   TLS error on connection from [10.9.27.240] (SSL_accept): error::lib(0):func(0):reason(0)
    15:31:51 16939 LOG: MAIN
    15:31:51 16939   TLS client disconnected cleanly (rejected our certificate?)
    15:31:51 16939 search_tidyup called
    15:31:51 16924 child 16939 ended: status=0x0
    15:31:51 16924   normal exit, 0
    15:31:51 16924 0 SMTP accept processes now running
    15:31:51 16924 Listening...
[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections
https://bugs.exim.org/show_bug.cgi?id=2018

Git Commit changed:

           What    |Removed     |Added
                 CC|            |g...@exim.org

--- Comment #5 from Git Commit ---
Git commit:
https://git.exim.org/exim.git/commitdiff/1811cb4cb491183bd4b32bca3e80f77b4c8d391d

commit 1811cb4cb491183bd4b32bca3e80f77b4c8d391d
Author:     Jeremy Harris
AuthorDate: Tue Jan 17 00:39:41 2017 +
Commit:     Jeremy Harris
CommitDate: Sun Jan 29 15:09:48 2017 +

    shuffle proxy-protocol to wrap tls-on-connect startup. bug 2018

 src/src/smtp_in.c | 111 +++---
 1 file changed, 55 insertions(+), 56 deletions(-)
Re: [exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections
On 2017-01-18 at 16:06 +, Jeremy Harris wrote:
> To expand: Exim's implementation of Proxy Protocol
> is currently hooked in after the TLS start done for
> tls-on-connect.
>
> It turns out that the protocol spec document is ambiguous
> and the other way about (proxy-protocol handling done
> in-clear, then TLS) is the preferred way for HAproxy.
>
> Is anyone using and relying on the current Exim implementation
> ordering? Or shall I just swap them round?

I think that Jeremy knows my opinion here, but so that others know what is
likely to happen if nobody speaks up:

I strongly favour swapping them around, putting a note in README.UPDATING and
avoiding adding yet another knob.

So if you are relying upon something which speaks Proxy Protocol initiating
its _own_ TLS connection to an Exim TLS-on-connect backend, _then_ speaking PP
within that, _before_ passing off to hand-off from the origin client, then you
need to speak up with some details so that we can understand and weigh the
cost of the added complexity, and make sure that we can then handle it without
ending up with TLS tunnelled inside TLS.

-Phil
Re: [exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections
On 18/01/17 14:05, ad...@bugs.exim.org wrote:
> https://bugs.exim.org/show_bug.cgi?id=2018
>
> Jeremy Harris changed:
>
>            What    |Removed     |Added
>              Status|NEW         |ASSIGNED

To expand: Exim's implementation of Proxy Protocol is currently hooked in
after the TLS start done for tls-on-connect.

It turns out that the protocol spec document is ambiguous and the other way
about (proxy-protocol handling done in-clear, then TLS) is the preferred way
for HAproxy.

Is anyone using and relying on the current Exim implementation ordering? Or
shall I just swap them round?

--
Cheers,
  Jeremy
[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections
https://bugs.exim.org/show_bug.cgi?id=2018

Jeremy Harris changed:

           What    |Removed     |Added
   Target Milestone|Exim 4.88   |Exim 4.89
[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections
https://bugs.exim.org/show_bug.cgi?id=2018

Jeremy Harris changed:

           What    |Removed     |Added
             Status|NEW         |ASSIGNED
[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections
https://bugs.exim.org/show_bug.cgi?id=2018

--- Comment #4 from Nenad Opsenica ---
Just to describe my setup:

* haproxy to do "ssl passthrough" (i.e. running in TCP mode without SSL/TLS
  offloading) from clients to imap and smtp/submission servers
* dovecot configuration that uses this kind of setup works perfectly with both
  StartTLS IMAP (port 143) and IMAPS (port 993).

Relevant configuration parts for TLS-on-connect case (port 993/imaps)

HAproxy:

    listen imap
        bind :993
        mode tcp
        option tcplog
        stick-table type ip size 200k expire 30m
        stick on src
        server mail2 mail2.local.net:10993 check-send-proxy send-proxy-v2

Dovecot:

    inet_listener imaps_haproxy {
        port = 10993
        ssl = yes
        haproxy = yes
    }

Similar setup with HAproxy and Exim for TLS-on-connect case (port 465) does
not work:

HAproxy:

    listen smtp
        bind :465
        mode tcp
        option tcplog
        stick-table type ip size 200k expire 30m
        stick on src
        server mail2 mail2.local.net:465 check-send-proxy send-proxy-v2

Exim configuration:

    hosts_proxy = IP_address_of_HAproxy_server

Exim is patched with fix for proxy-v2 from
https://bugs.exim.org/show_bug.cgi?id=2003

When I changed function smtp_start_session() in smtp_in.c to call
check_proxy_protocol_host() first, and then tls_server_start(), proxied session
was successfully detected (debug information showed IP address of end client),
but unfortunately TLS session was not started; obviously this can't be fixed
that 'easy' way. But, it shows that HAproxy, when used with "TLS/SSL
passthrough" mode, prepends unencrypted proxy header.
Re: [exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections
On Mon, Jan 16, 2017 at 05:17:49PM +, ad...@bugs.exim.org wrote:
> https://bugs.exim.org/show_bug.cgi?id=2018

FWIW, Postfix performs the HAPROXY handshake at the start of the TCP session
(thus prior to any TLS setup) on all ports (25, 587 and 465), i.e. whether
doing STARTTLS or doing SMTP inside TLS (TLS "wrapper mode").

--
  Viktor.
[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections
https://bugs.exim.org/show_bug.cgi?id=2018

--- Comment #3 from Jeremy Harris ---
So your incoming connection did not talk TLS-on-connect.

You're assuming the model of "proxying of a remote tls-on-connect", I think -
whereas Exim is assuming, if it supports it at all, a local tls-on-connect
between the proxy and the MTA.

The standard for Proxy Protocol mentions a client type PP2_CLIENT_SSL
"indicates that the client connected over SSL/TLS" which I think at least
allows for the possibility of the remote TCP connection terminating a TLS.
It isn't quite clear whether that is the only model it supports. The v1
portion of the spec says "sent immediately and at once upon the connection
establishment" but fails to say whether it is talking about the TCP connection
or the TLS connection, for a TLS case.
[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections
https://bugs.exim.org/show_bug.cgi?id=2018

--- Comment #2 from Nenad Opsenica ---
> What's the evidence for "proxy settings are not even checked"?

Excerpt from HAproxy log:

    Jan 16 17:45:13 localhost haproxy[29817]: 10.9.27.240:57140 [16/Jan/2017:17:45:13.557] smtp bk_mail-starttls/mail2 6/0/12 0 SD 0/0/0/0/0 0/0

And debug information from exim when connection is being made to port 465 with
SSL/TLS:

    17:45:14 11748 Connection request from 10.9.4.12 port 60468
    17:45:14 11748 interface address=10.9.4.25 port=465
    17:45:14 11748 search_tidyup called
    17:45:14 11748 1 SMTP accept process running
    17:45:14 11748 Listening...
    17:45:14 11750 sender_fullhost = [10.9.4.12]
    17:45:14 11750 sender_rcvhost = [10.9.4.12]
    17:45:14 11750 Process 11750 is handling incoming connection from [10.9.4.12]
    17:45:14 11750 host in host_lookup? yes (matched "*")
    17:45:14 11750 looking up host name for 10.9.4.12
    17:45:14 11750 DNS lookup of 12.4.9.10.in-addr.arpa (PTR) gave HOST_NOT_FOUND
    17:45:14 11750 returning DNS_NOMATCH
    17:45:14 11750 IP address lookup using gethostbyaddr()
    17:45:14 11750 IP address lookup failed: h_errno=1
    17:45:14 11750 LOG: host_lookup_failed MAIN
    17:45:14 11750   no host name found for IP address 10.9.4.12
    17:45:14 11750 sender_fullhost = [10.9.4.12]
    17:45:14 11750 sender_rcvhost = [10.9.4.12]
    17:45:14 11750 set_process_info: 11750 handling incoming connection from [10.9.4.12]
    17:45:14 11750 openssl option, adding from 110: 100 (no_sslv2 +no_sslv3)
    17:45:14 11750 openssl option, adding from 110: 200 (no_sslv3)
    17:45:14 11750 setting SSL CTX options: 0x310
    17:45:14 11750 Diffie-Hellman initialized from default with 2048-bit prime
    17:45:14 11750 ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding "auto" with "prime256v1"
    17:45:14 11750 ECDH: curve 'prime256v1'
    17:45:14 11750 ECDH: enabled 'prime256v1' curve
    17:45:14 11750 tls_certificate file /etc/pki/tls/certs/...DELETED_HERE.
    17:45:14 11750 tls_privatekey file /etc/pki/tls/certs/...DELETED_HERE.
    17:45:14 11750 Initialized TLS
    17:45:14 11750 required ciphers: ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!MD5:!SRP:!PSK:!aDSS:!kECDH:!kDH:!SEED:!IDEA:!RC2:!RC4:!RC5:!CAMELLIA
    17:45:14 11750 host in tls_verify_hosts? no (option unset)
    17:45:14 11750 host in tls_try_verify_hosts? no (option unset)
    17:45:14 11750 Calling SSL_accept
    17:45:14 11750 SSL info: before/accept initialization
    17:45:14 11750 SSL info: before/accept initialization
    17:45:14 11750 SSL info: SSLv2/v3 read client hello A
    17:45:14 11750 LOG: MAIN
    17:45:14 11750   TLS error on connection from [10.9.4.12] (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
    17:45:14 11750 LOG: MAIN
    17:45:14 11750   TLS client disconnected cleanly (rejected our certificate?)
    17:45:14 11750 search_tidyup called
    17:45:14 11748 child 11750 ended: status=0x0
    17:45:14 11748   normal exit, 0
    17:45:14 11748 0 SMTP accept processes now running
    17:45:14 11748 Listening...

The same setup works perfectly with StartTLS.

Function smtp_start_session() in smtp_in.c calls tls_server_start() before
checking with check_proxy_protocol_host() if proxy protocol is used.
[exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections
https://bugs.exim.org/show_bug.cgi?id=2018

--- Comment #1 from Jeremy Harris ---
TLS being started immediately on the TCP connection sounds normal.

What's the evidence for "proxy settings are not even checked"?