Package: postfix
Version: 2.11.3-1
Severity: normal
Tags: upstream patch
Control: fixed -1 3.0.3-1
Dear Maintainer,

There is a bug in the HAProxy PROXY protocol implementation in postfix that breaks smtpd_tls_wrappermode when used with smtpd_upstream_proxy_protocol. The bug was fixed upstream in 2.11.7 and 3.0. The attached patch fixes this for 2.11.3. Please consider fixing this in Jessie as well.

Regards,
Apollon

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (90, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, mips

Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=el_GR.UTF-8, LC_CTYPE=el_GR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages postfix depends on:
ii  adduser                3.113+nmu3
ii  cpio                   2.11+dfsg-4.1
ii  debconf [debconf-2.0]  1.5.58
ii  dpkg                   1.18.4
ii  libc6                  2.21-8
ii  libdb5.3               5.3.28-11
ii  libsasl2-2             2.1.26.dfsg1-14+b1
ii  libsqlite3-0           3.10.2-1
ii  libssl1.0.2            1.0.2f-2
ii  lsb-base               9.20160110
ii  netbase                5.3
ii  ssl-cert               1.0.37

Versions of packages postfix recommends:
ii  python  2.7.11-1

Versions of packages postfix suggests:
ii  bsd-mailx [mail-reader]         8.1.2-0.20160123cvs-2
ii  dovecot-core [dovecot-common]   1:2.2.18-2+b1
ii  icedove [mail-reader]           38.5.0-1+b1
ii  libsasl2-modules                2.1.26.dfsg1-14+b1
ii  mailutils [mail-reader]         1:2.99.99-1
ii  mutt [mail-reader]              1.5.24-1+b1
pn  postfix-cdb                     <none>
pn  postfix-doc                     <none>
pn  postfix-ldap                    <none>
pn  postfix-mysql                   <none>
pn  postfix-pcre                    <none>
pn  postfix-pgsql                   <none>
ii  procmail                        3.22-25
ii  resolvconf                      1.78
pn  sasl2-bin                       <none>
pn  ufw                             <none>

-- debconf-show failed
>From e3fd69788f7009aaace8f0733d6a568a297645da Mon Sep 17 00:00:00 2001 From: Apollon Oikonomopoulos <apoi...@debian.org> Date: Thu, 18 Feb 2016 15:09:01 +0200 Subject: [PATCH] Fix TLS handshake after HAProxy PROXY header This is fixed in postfix 2.11.7: 20150923 Bugfix (introduced: 20120531-617): the Postfix SMTP server used a larger-than-1 VSTREAM buffer to read the HAProxy connection hand-off information. This broke TLS wrappermode, as the TLS helo packet would end up in the plaintext VSTREAM buffer. Reported by Lukas Erlacher. File: smtpd/smtpd_haproxy.c. See also: http://postfix.1071664.n5.nabble.com/smtpd-upstream-proxy-protocol-smtpd-tls-wrappermode-td79550.html --- src/smtpd/smtpd_haproxy.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/smtpd/smtpd_haproxy.c b/src/smtpd/smtpd_haproxy.c index 599e3ed..c6a954e 100644 --- a/src/smtpd/smtpd_haproxy.c +++ b/src/smtpd/smtpd_haproxy.c @@ -103,6 +103,14 @@ int smtpd_peer_from_haproxy(SMTPD_STATE *state) */ #define ENABLE_DEADLINE 1 + /* + * While reading HAProxy handshake information, don't buffer input beyond + * the end-of-line. That would break the TLS wrappermode handshake. + */ + vstream_control(state->client, + VSTREAM_CTL_BUFSIZE, 1, + VSTREAM_CTL_END); + smtp_stream_setup(state->client, var_smtpd_uproxy_tmout, ENABLE_DEADLINE); switch (io_err = vstream_setjmp(state->client)) { default: @@ -139,6 +147,13 @@ int smtpd_peer_from_haproxy(SMTPD_STATE *state) state->port = mystrdup(smtp_client_port.buf); /* + * Enable normal buffering. + */ + vstream_control(state->client, + VSTREAM_CTL_BUFSIZE, VSTREAM_BUFSIZE, + VSTREAM_CTL_END); + + /* * Avoid surprises in the Dovecot authentication server. */ state->dest_addr = mystrdup(smtp_server_addr.buf); -- 2.7.0
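Review bot: in the first hunk (@@ -103,6 +103,14 @@) the 1-byte VSTREAM buffer is installed before smtp_stream_setup() and before the vstream_setjmp() read loop, so nothing past the end of the hand-off line can have been pulled into the plaintext buffer before the reduction takes effect; that ordering is what makes the fix work and deserves a sentence in the comment. The cost is one read() per byte of the hand-off line, bounded by the short line-terminated header and by the var_smtpd_uproxy_tmout deadline set on the very next line, which is acceptable. One question: on the error path of `switch (io_err = vstream_setjmp(state->client))` the stream is left with a 1-byte buffer; please confirm that path rejects the connection rather than continuing to use state->client.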
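Review bot: in the second hunk (@@ -139,6 +147,13 @@) the comment "Enable normal buffering." should say that it restores the default VSTREAM_BUFSIZE that the earlier hunk temporarily reduced to 1, so a reader of this hunk alone understands why the buffer size is being changed after state->port is parsed. The restore sits after the last hand-off field is consumed and before the stream is used for anything else, which is the right place; worth confirming that no early return between the two vstream_control() calls leaves state->client at a 1-byte buffer for the rest of the session.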
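The failure mode the commit message describes (the TLS ClientHello landing in the plaintext VSTREAM buffer) as an added C example that is not part of this report or of Postfix: a toy buffered reader stands in for VSTREAM, and `bytes_stolen_from_tls()`, the `toy_stream` type and the constructed hand-off line plus TLS record bytes are all assumptions made here, showing how many TLS bytes a line read with a given buffer size swallows.

```c
#include <stddef.h>
#include <string.h>

/* Constructed input: a PROXY v1 hand-off line followed, in the same read,
 * by the first bytes of a TLS record (0x16 handshake, version 3.1). */
static const unsigned char sample[] =
    "PROXY TCP4 192.0.2.10 198.51.100.5 51234 465\r\n"
    "\x16\x03\x01\x00\xc8\x01";
#define SAMPLE_LEN (sizeof(sample) - 1)   /* drop the string's NUL */

/* Toy stand-in for a VSTREAM: each refill takes up to bufsize bytes from
 * the "socket", which is what VSTREAM_CTL_BUFSIZE controls in the patch. */
struct toy_stream {
    const unsigned char *data;      /* bytes still waiting on the socket */
    size_t len, pos;
    size_t bufsize;                 /* 1 = byte-at-a-time, 4096 = default */
    unsigned char buf[4096];
    size_t buf_len, buf_pos;
};

static int toy_getc(struct toy_stream *s)
{
    if (s->buf_pos == s->buf_len) {            /* buffer empty: refill */
        size_t n = s->len - s->pos;
        if (n == 0)
            return -1;                         /* EOF */
        if (n > s->bufsize)
            n = s->bufsize;
        if (n > sizeof(s->buf))
            n = sizeof(s->buf);
        memcpy(s->buf, s->data + s->pos, n);
        s->pos += n;
        s->buf_len = n;
        s->buf_pos = 0;
    }
    return s->buf[s->buf_pos++];
}

/* Read the hand-off line through its LF the way the PROXY parser does, then
 * return how many bytes beyond it were pulled into the plaintext buffer.
 * Those bytes are the start of the TLS handshake and are invisible to the
 * TLS layer that takes over next; a non-zero result is the reported bug. */
size_t bytes_stolen_from_tls(size_t bufsize)
{
    struct toy_stream s = { sample, SAMPLE_LEN, 0, bufsize, {0}, 0, 0 };
    int c;

    while ((c = toy_getc(&s)) != -1 && c != '\n')
        ;
    return s.buf_len - s.buf_pos;
}
```

With the default-sized buffer all six TLS bytes are swallowed; with the 1-byte buffer the patch installs, none are.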