Hi all,

I was working on the same case for a bug open in Ubuntu,
https://bugs.launchpad.net/debian/+source/postfix/+bug/1995312 (it was
reported to Debian also at
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011040 ), when using
Postfix with OpenSSL 3. I developed a solution similar to the one Viktor
proposed in this thread. Still, I doubted whether it affects only the
server side, the client side or both, although I would opt toward both, as
an abrupt disconnection can happen in both directions... but as I said, it
is a thing I want to share here for discussion and advice, also proposing
that you pick one of the proposed fixes in future patches or releases to
solve the bugs (as I didn't see it in the upcoming Postfix 3.8 either).

I put the setting of SSL_OP_IGNORE_UNEXPECTED_EOF in the function
tls_bug_bits() (src/tls/tls_misc.c), which is used by both client and
server connections:

--- a/src/tls/tls_misc.c
+++ b/src/tls/tls_misc.c
@@ -1355,6 +1355,9 @@ long    tls_bug_bits(void)
      * options just in case.
      */
     bits |= SSL_OP_SINGLE_ECDH_USE | SSL_OP_SINGLE_DH_USE;
+#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
+    bits |= SSL_OP_IGNORE_UNEXPECTED_EOF;
+#endif
     return (bits);
 }
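Review bot: the new bit is added with no comment saying why it is needed, while the only comment visible in this hunk ("options just in case") belongs to the SSL_OP_SINGLE_ECDH_USE | SSL_OP_SINGLE_DH_USE line above it, so a later reader of tls_bug_bits() cannot tell that SSL_OP_IGNORE_UNEXPECTED_EOF exists only to restore the pre-OpenSSL-3 handling of a peer that closes the TCP connection without sending close_notify. Suggest a short comment directly above the `#ifdef`, along the lines of `/* OpenSSL 3 reports a missing close_notify as an error; SMTP framing already detects a truncated transaction. */`. The `#ifdef` guard is the right way to stay buildable against OpenSSL 1.1.1, where the macro does not exist. Note also that, because tls_bug_bits() is shared by the client and server code (as the mail says), this hunk answers the open question in the message by applying the option to both sides; if only one side should get it, the bit has to move into that side's context setup rather than this shared function.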

I tested this fix in Ubuntu Jammy (postfix 3.6.4-1ubuntu1), Ubuntu Kinetic
(postfix 3.6.4-1ubuntu2) and also 23.04 (our in-development version,
postfix 3.7.3-4), and I'll document that in the Ubuntu bug.

I really appreciate any help you can provide and many thanks for
considering my request.


On Tue, Jun 14, 2022 at 5:17 PM Demi Marie Obenour <demioben...@gmail.com>
wrote:

> On 6/10/22 08:55, Gerben Wierda wrote:
> >
> >> On 10 Jun 2022, at 13:17, Wietse Venema <wie...@porcupine.org> wrote:
> >>
> >> Wietse Venema:
> >>> Gerben Wierda:
> >>>>
> >>>>> On 10 Jun 2022, at 02:30, Wietse Venema <wie...@porcupine.org>
> wrote:
> >>>>>
> >>>>> Gerben Wierda:
> >>>>>> What is happening here? (mail is delivered, I'm just curious)
> >>>>>>
> >>>>>> Jun 09 23:37:39 mail postfix/postscreen[4294]: CONNECT from
> [146.185.52.133]:10400 to [192.168.2.66]:25
> >>>>>> Jun 09 23:37:45 mail postfix/postscreen[4294]: PASS NEW
> [146.185.52.133]:10400
> >>>>>> Jun 09 23:37:45 mail smtp/smtpd[4296]: connect from
> ims-smtp133.persgroep-ops.net[146.185.52.133]
> >>>>>> Jun 09 23:37:46 mail smtp/smtpd[4296]: CC868E75AA1E: client=
> ims-smtp133.persgroep-ops.net[146.185.52.133]
> >>>>>> Jun 09 23:37:47 mail postfix/cleanup[4300]: CC868E75AA1E:
> message-id=<
> 220609233739.sim_40lt1wa1poje3tjw6hnmtvk29xxj_ghn7vvejgut3cs3hljfekzafd9hipabzz8ro0vetlr2qj0j2ddp9oie2u%2bfuro...@ims-smtp133.persgroep-ops.net
> >
> >>>>>> Jun 09 23:37:48 mail postfix/qmgr[8801]: CC868E75AA1E: from=<
> nore...@mail.trouw.nl>, size=34628, nrcpt=1 (queue active)
> >>>>>> Jun 09 23:37:48 mail smtp/smtpd[4296]: warning: TLS library
> problem: error:0A000126:SSL routines::unexpected eof while
> reading:ssl/record/rec_layer_s3.c:309:
> >>>>>> Jun 09 23:37:48 mail smtp/smtpd[4296]: disconnect from
> ims-smtp133.persgroep-ops.net[146.185.52.133] ehlo=2 starttls=1 mail=1
> rcpt=1 data=1 commands=6
> >>>>>>
> >>>>>
> >>>>> Did you look for 0A000126 with a web search engine?
> >>>>
> >>>> Yes. Searched on the entire error string as well.
> >>>>
> >>>> But that did not give me a clue.
> >>>
> >>> I got: OpenSSL 3 is more strict about clients that disconnect without
> >>> fully following the protocol.
> >>
> >> Specifically, google 0A000126, the first result is PHP issue 8369a
> >
> > Indeed. Interesting. I use duckduckgo (which relies on Bing afaik) and
> it doesn’t find that.
> >
> >> which links to https://github.com/openssl/openssl/issues/11378 <
> https://github.com/openssl/openssl/issues/11378>. The
> >> latter had a breaking fix, backed it out for OpenSSL 1.1.1, but
> >> kept it in the branch that become OpenSSL 3.
> >
> > So basically, the sender doesn’t properly close the SSL protocol, their
> MTA is using an SSL which isn’t properly implemented.
>
> My understanding is that a truncation attack is never a problem in
> SMTP, as a premature EOF is always an SMTP error.  If this is in
> fact the case, Postfix should set SSL_OP_IGNORE_UNEXPECTED_EOF to
> tell OpenSSL to not treat a missing close_notify as an error.
> --
> Sincerely,
> Demi Marie Obenour (she/her/hers)



-- 
Miriam España Acebal
Software Engineer II - Ubuntu PublicCloud/Server
Canonical Ltd.
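Decoding the error number in the quoted warning and correlating it with the smtpd disconnect line that follows it, as an added example (not Postfix code, and not from anyone in this thread). It assumes the OpenSSL 3 packing of error codes, (library << 23) | reason, with ERR_LIB_SSL = 20 and SSL_R_UNEXPECTED_EOF_WHILE_READING = 294, and Postfix's per-session command counts in the "disconnect from" line; the first two sample log lines are the ones quoted above, the remaining ones are constructed. It applies the argument made in the thread: once the disconnect line shows a message was accepted (data=1), the missing close_notify cannot have truncated that message, because the SMTP dialogue itself framed it.

```python
"""Classify OpenSSL 3 "unexpected eof while reading" warnings from Postfix
smtpd by the state of the SMTP session they belong to.

Added example, not Postfix code.  Constants below are taken from the
OpenSSL 3 headers (assumption stated in the lead-in)."""
import re

ERR_LIB_OFFSET = 23                          # OpenSSL 3: code = (lib << 23) | reason
ERR_REASON_MASK = (1 << ERR_LIB_OFFSET) - 1
ERR_LIB_SSL = 20                             # ERR_LIB_SSL, <openssl/err.h>
SSL_R_UNEXPECTED_EOF_WHILE_READING = 294     # <openssl/sslerr.h>

WARN_RE = re.compile(r"smtpd\[(\d+)\]: warning: TLS library problem: error:([0-9A-Fa-f]{8}):")
DISC_RE = re.compile(r"smtpd\[(\d+)\]: disconnect from (\S+) (.*)$")
COUNT_RE = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")   # e.g. rcpt=0/2 -> ok=0, total=2

# First two lines are the ones quoted in the thread; the rest are constructed.
SAMPLE_LOG = """\
Jun 09 23:37:48 mail smtp/smtpd[4296]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:309:
Jun 09 23:37:48 mail smtp/smtpd[4296]: disconnect from ims-smtp133.persgroep-ops.net[146.185.52.133] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 commands=6
Jun 09 23:40:02 mail smtp/smtpd[4310]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:309:
Jun 09 23:40:02 mail smtp/smtpd[4310]: disconnect from mx.example.net[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 commands=5
Jun 09 23:41:15 mail smtp/smtpd[4320]: disconnect from mx.example.org[192.0.2.11] ehlo=1 quit=1 commands=2
""".splitlines()


def decode_openssl_error(code_hex):
    """Split a packed OpenSSL 3 error number into (library, reason)."""
    code = int(code_hex, 16)
    return code >> ERR_LIB_OFFSET, code & ERR_REASON_MASK


def is_unexpected_eof(code_hex):
    """True when the code is SSL library / SSL_R_UNEXPECTED_EOF_WHILE_READING."""
    lib, reason = decode_openssl_error(code_hex)
    return lib == ERR_LIB_SSL and reason == SSL_R_UNEXPECTED_EOF_WHILE_READING


def parse_counts(text):
    """Turn 'mail=1 rcpt=0/2 data=1' into {'mail': (1, 1), 'rcpt': (0, 2), ...}."""
    counts = {}
    for name, ok, total in COUNT_RE.findall(text):
        counts[name] = (int(ok), int(total) if total else int(ok))
    return counts


def classify_sessions(lines):
    """Pair each unexpected-EOF warning with the disconnect line of the same
    smtpd process and say how far the SMTP session had got when the peer
    dropped the connection without close_notify."""
    pending = {}     # pid -> error code from a warning not yet matched
    results = []
    for line in lines:
        m = WARN_RE.search(line)
        if m:
            pending[m.group(1)] = m.group(2)
            continue
        m = DISC_RE.search(line)
        if not m:
            continue
        pid, client, rest = m.groups()
        code = pending.pop(pid, None)
        if code is None or not is_unexpected_eof(code):
            continue
        counts = parse_counts(rest)
        mail_ok = counts.get("mail", (0, 0))[0]
        data_ok = counts.get("data", (0, 0))[0]
        if data_ok > 0:
            # The message was framed and accepted at the SMTP level; the
            # missing TLS close_notify did not truncate anything.
            verdict = "benign: EOF after message accepted"
        elif mail_ok > 0:
            # MAIL was seen but no message completed: SMTP itself already
            # treats this as an aborted transaction, nothing was queued.
            verdict = "incomplete: EOF mid-transaction"
        else:
            verdict = "no transaction: EOF before MAIL"
        results.append({
            "pid": pid,
            "client": client,
            "openssl_error": code,
            "quit": counts.get("quit", (0, 0))[0] > 0,
            "verdict": verdict,
        })
    return results


if __name__ == "__main__":
    for r in classify_sessions(SAMPLE_LOG):
        print(r["pid"], r["client"], r["verdict"], "quit" if r["quit"] else "no QUIT")
```

Running it against the sample log reports the quoted session (pid 4296) as an EOF after an accepted message with no QUIT, which is exactly the case the `SSL_OP_IGNORE_UNEXPECTED_EOF` patch is meant to stop logging as a TLS library problem; the constructed pid 4310 session shows the contrast, a client that dropped after RCPT, where nothing was queued and the SMTP counters, not the TLS layer, are what tell you the transaction was incomplete.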
