Your message dated Mon, 10 Dec 2018 06:59:16 -0500
with message-id <2816618.JIdCfOaiKz@kitterma-e6430>
and subject line Re: postfix: Some mails refused since 
libssl1.1_1.1.0f-4_amd64.deb
has caused the Debian Bug report #873065,
regarding postfix: Some mails refused since libssl1.1_1.1.0f-4_amd64.deb
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
873065: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873065
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: postfix
Version: 3.2.2-1
Severity: normal

Dear Maintainer,

Since last update of libssl1.1 I've for example these lines in the logs:

Aug 23 06:27:55 sd-123993 postfix/smtpd[25802]: connect from smtp3.emailing.carrefour.fr[192.86.55.151]
Aug 23 06:27:55 sd-123993 postfix/smtpd[25802]: SSL_accept error from smtp3.emailing.carrefour.fr[192.86.55.151]: -1
Aug 23 06:27:55 sd-123993 postfix/smtpd[25802]: warning: TLS library problem: error:1417D18C:SSL routines:tls_process_client_hello:version too low:../ssl/statem/statem_srvr.c:974:
Aug 23 06:27:55 sd-123993 postfix/smtpd[25802]: lost connection after STARTTLS from smtp3.emailing.carrefour.fr[192.86.55.151]
Aug 23 06:27:55 sd-123993 postfix/smtpd[25802]: disconnect from smtp3.emailing.carrefour.fr[192.86.55.151] ehlo=1 starttls=0/1 commands=1/2

and emailing.carrefour.fr tries again to send the mail.

When I downgrade to libssl1.1_1.1.0f-3_amd64.deb I receive the mail and
there is no error in the logs.

This problem is not with many sites; it's only with a small number of sites.

Perhaps this shows that the emitter site is not informed of why the mail
is refused.

Regards

Francois


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.12.0-1-amd64 (SMP w/12 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages postfix depends on:
ii  adduser              3.116
ii  cpio                 2.11+dfsg-6
ii  debconf              1.5.63
ii  dpkg                 1.18.24
ii  init-system-helpers  1.49
ii  libc6                2.24-14
ii  libdb5.3             5.3.28-13
ii  libicu57             57.1-6
ii  libsasl2-2           2.1.27~101-g0780600+dfsg-3
pn  libssl1.1            <none>
ii  lsb-base             9.20161125
ii  netbase              5.4
ii  ssl-cert             1.0.39

Versions of packages postfix recommends:
ii  python3  3.5.3-3

Versions of packages postfix suggests:
ii  bsd-mailx [mail-reader]        8.1.2-0.20160123cvs-4
ii  dovecot-core [dovecot-common]  1:2.2.31-1
ii  libsasl2-modules               2.1.27~101-g0780600+dfsg-3
ii  mutt [mail-reader]             1.8.3+neomutt20170609-2+b1
pn  postfix-cdb                    <none>
ii  postfix-doc                    3.2.2-1
pn  postfix-ldap                   <none>
pn  postfix-lmdb                   <none>
pn  postfix-mysql                  <none>
pn  postfix-pcre                   <none>
pn  postfix-pgsql                  <none>
pn  postfix-sqlite                 <none>
ii  procmail                       3.22-25+b1
pn  resolvconf                     <none>
pn  sasl2-bin                      <none>
pn  ufw                            <none>

-- debconf information:
  postfix/not_configured:
  postfix/protocols: all
  postfix/destinations: $myhostname, sd-123993.dedibox.fr, 
localhost.dedibox.fr, , localhost
  postfix/compat_conversion_warning: true
  postfix/sqlite_warning:
  postfix/recipient_delim: +
* postfix/mailname: sd-123993.dedibox.fr
  postfix/kernel_version_warning:
  postfix/retry_upgrade_warning:
  postfix/bad_recipient_delimiter:
  postfix/main_cf_conversion_warning: true
  postfix/root_address:
  postfix/relayhost:
  postfix/procmail: true
  postfix/relay_restrictions_warning:
  postfix/dynamicmaps_conversion_warning:
* postfix/main_mailer_type: Internet Site
  postfix/chattr: false
  postfix/mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
  postfix/rfc1035_violation: false
  postfix/mydomain_warning:
  postfix/mailbox_limit: 0
  postfix/tlsmgr_upgrade_warning:
  postfix/lmtp_retired_warning: true

--- End Message ---
--- Begin Message ---
On Wed, 13 Sep 2017 16:50:59 +0200 BERTRAND Joël
<[email protected]> wrote:
>       Hello,
> 
>       Same constatation with sendmail and libssl1.1_1.1.0f-5.
> 
>       Looking at tls1_2_default.patch from Debian's openssl, the only thing 
> that needs to be done is to override this change:
> 
> @@ -2372,7 +2372,10 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
>           goto err;
> 
>       ret->method = meth;
> -    ret->min_proto_version = 0;
> +    if (meth->version == TLS_ANY_VERSION)
> +        ret->min_proto_version = TLS1_2_VERSION;
> +    else
> +        ret->min_proto_version = 0;
>       ret->max_proto_version = 0;
>       ret->session_cache_mode = SSL_SESS_CACHE_SERVER;
>       ret->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT;
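Review bot: The TLS1_2_VERSION floor assigned to ret->min_proto_version in SSL_CTX_new is hard-coded and uncommented, so every caller that uses a TLS_ANY_VERSION method inherits it without opting in, while the else branch leaves fixed-version methods at 0. Suggest a comment on the new branch saying that this default is deliberate policy and how an application or administrator is expected to lower it, and consider taking the default from configuration rather than compiling it into the constructor, so that a server which must still accept older peers does not need a patched library.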
> 
>       I consider this bug should be grave or critical as for a mail server 
> (for example), ingoing mails can be refused without any bounce.

I believe this was solved differently in 3.3.0-1 (See 
debian/patches/tls_version.diff).  In postfix we let openssl's configuration 
set the minimum.

Scott K

--- End Message ---
