Package: exim4
Version: 4.89-2+deb9u2
Severity: normal
Tags: upstream

Dear Maintainer,

This bug was discovered in a complex configuration. This configuration is an artificial simple configuration whose only purpose is to reproduce the bug.

The bug shows up when a message is sent to an address routed to an unreachable MTA (for instance a stopped one) and when, for the recipient domain, there exists an ACL with a verify recipient callout with a short timeout.

It is expected that the message will be queued. In fact, an error 421 is returned.

The interesting part of the debug output:

    ...
    end of ACL "acl_local_check_rcpt": ACCEPT
    SMTP>> 250 Accepted
    tls_do_write(0x5617a4424e90, 14)
    gnutls_record_send(SSL, 0x5617a4424e90, 14)
    outbytes=14
    DSN: orcpt: NULL flags: 0
    Calling gnutls_record_recv(0x5617a472e630, 0x5617a4b4ea00, 4096)
    Got tls read timeout
    SMTP>> 421 smtp-dev.unilim.fr lost input connection
    tls_do_write(0x5617a4424e90, 46)
    gnutls_record_send(SSL, 0x5617a4424e90, 46)
    outbytes=46
    LOG: lost_incoming_connection MAIN
      unexpected disconnection while reading SMTP command from dsiport-yl.unilim.fr (164.81.3.93) [164.81.3.93]
    SMTP>>(close on process exit)
    ...

The most significant lines are:

    Calling gnutls_record_recv(0x5617a472e630, 0x5617a4b4ea00, 4096)
    Got tls read timeout

Probable cause: It seems that the timeout of the callout is interfering with the timeout of the TLS incoming connection.

How to reproduce?

Detail of the procedure to reproduce the bug:

Working on a test server with a test configuration only made to reproduce the bug.

Add this ACL at the beginning of acl_check_rcpt:

    accept domains = <an existing domain - for instance gmail.com>
           verify = recipient/defer_ok/callout=1s,defer_ok

Add this router at the beginning of the router list:

    test_route:
      driver = manualroute
      domains = gmail.com
      transport = remote_smtp
      route_data = <stopped or unreachable server - This server has to resolve in dns>

Try to connect with SSL and send a message to "this-address.does-not-ex...@gmail.com".

You are expecting that your message will be queued. In fact it will produce the loss of the incoming connection. It is a very bad behaviour, especially with MUAs.

Command from a client workstation to reproduce the bug:

    $ openssl s_client -connect <your test server>:465 -quiet
    MAIL FROM: <postmaster@<your domain>>
    RCPT TO: <this-address.does-not-ex...@gmail.com>
    DATA

Here you are receiving an error indicating that the incoming connection is lost.

Example of the command with the responses:

    $ openssl s_client -connect smtp-dev.unilim.fr:465 -quiet
    depth=1 C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN = TERENA SSL CA 3
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    220 smtp-dev.unilim.fr ESMTP Exim 4.89 Tue, 10 Oct 2017 12:32:14 +0200
    MAIL FROM: <postmas...@unilim.fr>
    250 OK
    RCPT TO: <this-address.does-not-ex...@gmail.com>
    250 Accepted
    DATA
    421 smtp-dev.unilim.fr lost input connection
    read:errno=0

I am thinking that the timeout on the callout is interfering with the TLS timeout on the incoming connection.

Sincerely

-- Package-specific info:
Exim version 4.89 #1 built 28-Nov-2017 21:58:00
Copyright (c) University of Cambridge, 1995 - 2017
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2017
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS move_frozen_messages Content_Scanning DKIM DNSSEC Event OCSP PRDR PROXY SOCKS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa tls
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated

-- System Information:
Debian Release: 9.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages exim4 depends on:
ii  debconf [debconf-2.0]  1.5.61
ii  exim4-base             4.89-2+deb9u2
ii  exim4-daemon-heavy     4.89-2+deb9u2

exim4 recommends no packages.

exim4 suggests no packages.

-- debconf information:
  exim4/drec:
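
A triage aid for the debug output quoted in the report, added here as an example; it is not part of the original bug report and not Exim code. It scans `exim -d` output for the sequence the report shows: an accepted RCPT, then "Got tls read timeout", then a 421 "lost input connection" reply. The name `find_symptom`, the two sample lists and the constructed 354 line are assumptions of this example.

```python
import re
import sys

# Lines copied from the debug excerpt in the report above (shortened).
REPORT_DEBUG = [
    "SMTP>> 250 Accepted",
    "Calling gnutls_record_recv(0x5617a472e630, 0x5617a4b4ea00, 4096)",
    "Got tls read timeout",
    "SMTP>> 421 smtp-dev.unilim.fr lost input connection",
]
# Constructed sample of the expected behaviour: DATA is answered with 354.
HEALTHY_DEBUG = [
    "SMTP>> 250 Accepted",
    "Calling gnutls_record_recv(0x5617a472e630, 0x5617a4b4ea00, 4096)",
    'SMTP>> 354 Enter message, ending with "." on a line by itself',
]

RCPT_OK = re.compile(r"SMTP>> 250 Accepted")
TLS_TIMEOUT = re.compile(r"Got tls read timeout")
LOST_421 = re.compile(r"SMTP>> 421 \S+ lost input connection")
ANY_REPLY = re.compile(r"SMTP>> \d{3}")


def find_symptom(lines):
    """Return (rcpt_line, timeout_line, reply_line) for each accepted RCPT that is
    followed by a TLS read timeout and then a 421 'lost input connection' reply."""
    hits = []
    rcpt = timeout = None
    for no, line in enumerate(lines, 1):
        if RCPT_OK.search(line):
            rcpt, timeout = no, None           # start tracking from this RCPT
        elif timeout is not None and LOST_421.search(line):
            hits.append((rcpt, timeout, no))   # full sequence seen
            rcpt = timeout = None
        elif ANY_REPLY.search(line):
            rcpt = timeout = None              # any other reply: a command was read normally
        elif rcpt is not None and TLS_TIMEOUT.search(line):
            timeout = no
    return hits


if __name__ == "__main__":
    # Pass a file holding `exim -d` output, or run with no argument for the report's lines.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else REPORT_DEBUG
    for rcpt, timeout, reply in find_symptom(lines):
        print(f"RCPT accepted at line {rcpt}, TLS read timeout at {timeout}, 421 at {reply}")
```

A match only says the log contains the same sequence as the report; it does not by itself establish the cause.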