On Fri, Feb 02, 2024 at 08:44:45PM -0600, Brian Conway wrote: > On Fri, Feb 2, 2024, at 6:44 PM, Herbert J. Skuhra wrote: > > On Sat, Feb 03, 2024 at 03:00:10AM +0300, Mark wrote: > >> Hi. > >> > >> It seems that the recent Postfix update under 7.4-amd64, > >> (package: postfix-3.8.20221007p12-sasl2-mysql) breaks TLS connections, > >> coming from Gmail servers, throwing a TLS library problem. > >> > >> Here's the log output; > >> > >> postfix/smtpd[32879]: connect from mail-yw1-f178.google.com[209.85.128.178] > >> > >> postfix/smtpd[7374]: Trusted TLS connection established from > >> mail-lf1-f45.google.com[209.85.167.45]: TLSv1.3 > >> with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 > >> server-signature ECDSA (prime256v1) server-digest SHA256 client-signature > >> RSA-PSS (2048 bits) client-digest SHA256 > >> > >> postfix/smtpd[7374]: warning: TLS library problem: error:0A000126:SSL > >> routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:308: > >> postfix/smtpd[7374]: lost connection after STARTTLS from > >> mail-lf1-f45.google.com[209.85.167.45] > >> postfix/smtpd[7374]: disconnect from mail-lf1-f45.google.com[209.85.167.45] > >> ehlo=1 starttls=1 commands=2 > >> > >> Before updating the package, I had postfix-3.8.20221007p11, and it had no > >> such problem. > > > > Why do you run such an outdated postfix snapshot? > > That is the latest version that is supported/available in packages-stable: > > https://cdn.openbsd.org/pub/OpenBSD/7.4/packages-stable/amd64/
Yeah, sadly! But no reason to install/run outdated and potentially vulnerable server software. :-) Postfix 3.8.20221007 is an old development snapshot (experimental!). It should be either updated or removed. Latest version as of today is postfix-3.9-20240129. There are also updates available for postfix35 (3.5.24) and postfix (3.7.10/3.8.5). -- Herbert
