Viktor Dukhovni:
> On Wed, Oct 15, 2014 at 11:08:19AM +0200, Ralf Hildebrandt wrote:
> 
> > * Ralf Hildebrandt <r...@sys4.de>:
> > > Since my upgrade to 2.12-20141013, I'm getting an unusual amount of those 
> > > in my mailq output:
> > 
> > With 2.12-20141001 (same config!)
> > 
> > Oct 15 11:05:34 mail2 postfix/smtp[5903]: Host offered STARTTLS: [smtp.entelnet.bo]
> 
> This is only logged when TLS is disabled for the destination or
> TLS is disabled due to a configuration problem or lookup error.
> 
>     if ((session->features & SMTP_FEATURE_STARTTLS) &&
>       var_smtp_tls_note_starttls_offer &&
>       session->tls_level <= TLS_LEV_NONE)
>       msg_info("Host offered STARTTLS: [%s]", session->host);
> 
> What earlier warnings do you have for "smtp[5903]" that are not
> part of some other delivery?
> 
> > Oct 15 11:05:35 mail2 postfix/smtp[5903]: 3jHGY70x2gzBs34: to=<cbsx...@entelnet.bo>, relay=smtp.entelnet.bo[200.87.100.30]:25, delay=73556, delays=73555/0.03/0.68/0.72, dsn=2.0.0, status=sent (250 22006251 message accepted for delivery)
> > 
> > > 3jHGY70x2gzBs34       3230 Tue Oct 14 14:39:39 sen...@charite.de
> > >                                             (TLS is required, but unavailable)
> > >                                                cbsx...@entelnet.bo
> > 
> > So what changed between 2.12-20141001 and 2.12-20141013?
> > When I have more time I can test other versions in between.
> 
> The code path for detecting/reporting TLS session errors.
> 
> I don't get "TLS is required, but unavailable":

This means the host announced STARTTLS, smtp_tls_ctx was non-null, and 
the TLS level was "none".

        Wietse

        if ((session->features & SMTP_FEATURE_STARTTLS) != 0
            && smtp_tls_ctx != 0 && session->tls->level >= TLS_LEV_MAY) {
            ...
        } else {
            ...
            if (smtp_tls_trouble(state, STARTTLS_FEATURE_FALLBACK)) {
                if (!(session->features & SMTP_FEATURE_STARTTLS)) {
                    return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
                                           SMTP_RESP_FAKE(&fake, "4.7.4"),
                          "TLS is required, but was not offered by host %s",
                                           session->namaddr));
                } else if (smtp_tls_ctx == 0) {
                    return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
                                           SMTP_RESP_FAKE(&fake, "4.7.5"),
                     "TLS is required, but our TLS engine is unavailable"));
                } else {
                    msg_warn("%s: TLS is required but unavailable, don't know why",
                             myname);
                    return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
                                           SMTP_RESP_FAKE(&fake, "4.7.0"),
                                       "TLS is required, but unavailable"));
                }
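
For operators who want to find affected deliveries in their own logs, the following is an added example (not part of the thread and not Postfix code): it pairs each "Host offered STARTTLS" note with the next delivery line from the same smtp process to the same host. It assumes `smtp_tls_note_starttls_offer` is enabled and that the host name in the note matches the name in `relay=`; the log lines are constructed samples.

```python
import re

# Constructed sample lines in the syslog format quoted in this thread
# (hosts, queue IDs and addresses are made up).
SAMPLE_LOG = """\
Oct 15 11:05:34 mx1 postfix/smtp[5903]: Host offered STARTTLS: [mail.example.net]
Oct 15 11:05:35 mx1 postfix/smtp[5903]: 3jHGY70x2gzAAAA: to=<user@example.net>, relay=mail.example.net[192.0.2.10]:25, delay=1.4, delays=0.1/0.03/0.68/0.72, dsn=2.0.0, status=sent (250 ok)
Oct 15 11:06:01 mx1 postfix/smtp[5910]: 3jHGY70x2gzBBBB: to=<user@example.org>, relay=mx.example.org[192.0.2.20]:25, delay=0.9, delays=0.1/0.02/0.4/0.38, dsn=2.0.0, status=sent (250 ok)
Oct 15 11:07:12 mx1 postfix/smtp[5903]: Host offered STARTTLS: [mail.example.com]
Oct 15 11:07:13 mx1 postfix/smtp[5903]: 3jHGY70x2gzCCCC: to=<user@example.com>, relay=mail.example.com[192.0.2.30]:25, delay=73556, delays=73555/0.03/0.68/0.72, dsn=4.7.0, status=deferred (TLS is required, but unavailable)
"""

# The offer note is logged only when TLS is off for the session
# (see the condition quoted in the thread).
OFFER = re.compile(r"postfix/smtp\[(\d+)\]: Host offered STARTTLS: \[([^\]]+)\]")
DELIVERY = re.compile(
    r"postfix/smtp\[(\d+)\]: ([0-9A-Za-z]+): to=<[^>]*>, "
    r"relay=([^\[,]+)\[[^\]]*\](?::\d+)?,.*?dsn=([\d.]+), status=(\w+)"
)


def tls_skipped_deliveries(lines):
    """Return delivery attempts logged by an smtp process after it noted a
    STARTTLS offer from the same host: TLS was offered but not used."""
    pending = set()      # (pid, host) pairs with an unconsumed offer note
    findings = []
    for line in lines:
        offer = OFFER.search(line)
        if offer:
            pending.add(offer.groups())
            continue
        delivery = DELIVERY.search(line)
        if not delivery:
            continue
        pid, queue_id, host, dsn, status = delivery.groups()
        if (pid, host) in pending:
            pending.discard((pid, host))
            findings.append(
                {"queue_id": queue_id, "host": host, "dsn": dsn, "status": status}
            )
    return findings


if __name__ == "__main__":
    for finding in tls_skipped_deliveries(SAMPLE_LOG.splitlines()):
        print(finding)
```

A `status=sent` finding means the message left in cleartext; a `status=deferred` finding with `dsn=4.7.0` corresponds to the "TLS is required, but unavailable" branch quoted above.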
