On 8/20/2020 2:38 PM, Wietse Venema wrote:
> Thorsten Habich:
>> On 8/19/2020 4:31 PM, Viktor Dukhovni wrote:
>>> Do *resumed* sessions always fail to validate? Or is that intermittent?
>> As far as I could see resumed sessions that failed keep failing
> That's not what he asked.
>
> What he asked is:
>
> - Do FAILURES happen ONLY after a session is RESUMED.
>
> Wietse
Sorry, no. The first connection decides whether the problem occurs or not. If the session is resumed, the error only occurs *if the first connection failed*. If the first connection was successful, the error will not appear.

The status then seems to change in case of a restart (which, as clarified by Viktor, clears the session cache) or, I assume, after tlsproxy_tls_session_cache_timeout (default: 3600). In the examples I found in our logs, after a failed connection the first successful delivery without a restart was made after 1h + x minutes.

For sessions which do not get resumed at all, the error occurs frequently, too.

If I remember correctly, the certificate verification with connection reuse (so the tlsproxy gets involved) was fixed with:

    20200620
    Bugfix (introduced: Postfix 3.4): SMTP over TLS connection reuse was broken for configurations that use explicit trust anchors. Reported by Thorsten Habich. Fixed by calling DANE initialization unconditionally (WTF). File: tlsproxy/tlsproxy.c.

Might there still be a problem?