On Tue, Feb 02, 2021 at 09:39:22AM -0800, Leo Bicknell wrote:

> I have found many opinions of the severity or urgency, but I have yet
> in any previous community had anyone argue that dropping the TLS
> connection was a good behavior.

Postfix is NOT dropping the TLS connection, it sends a close notify by calling SSL_shutdown(), it is just not waiting for an unnecessary confirmation that the peer has done likewise. This is in complete conformance with the TLS specification.

> I absolutely did not expect such a strong response suggesting this was
> good or even intentional. Perhaps I handled Viktor's response
> poorly as a result.

Sometimes an unexpected contrary response indicates that there's more one can learn about the topic at hand.

> I sought out
> the expertise of the OpenSSL developers (which I linked to).

Perhaps you don't know, but while I've recently scaled back my involvement in OpenSSL, for some years I've been one of said OpenSSL developers, cleaned up the protocol version negotiation code, fixed the hostname matching code, improved the X.509 verification code, contributed DANE support, ...

> While I freely admit I don't have deep experience with
> the Postfix source code, I find it sad that might be a reason people
> dismiss effort to alert this community to my findings.

Your findings are not news here, the SSL_shutdown() issues in Sendmail that you've run into were understood and handled in Postfix a long time ago. We've made careful decisions about how to handle TLS connection termination, and nothing in this thread updates the inputs to those decisions.

> One of the major positives of Open Source to me is that we can share
> knowledge and improvements across projects.

I am sorry for not having the cycles to keep Sendmail abreast of all the TLS developments in Postfix over the years. Perhaps the Sendmail issue you ran into could have been resolved some years back.

> I came here to make Postfix users/developers aware of this situation.
> That mission has been accomplished. Do with the information what you
> want.

By all means, sharing information is fine. But you should also be prepared, without indignation, to encounter and accept a different assessment of the information you're sharing.

-- 
    Viktor.
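
The one-way shutdown described in the reply above, as an added example that is not part of the original message and is not Postfix code: Python's `ssl` module (which calls OpenSSL's `SSL_shutdown()` from `unwrap()`) run over in-memory BIOs. The helper names and the anonymous cipher suite are assumptions made only so the demo needs no certificate.

```python
import ssl

def make_pair():
    """Handshake a client and a server SSLObject over in-memory BIOs."""
    ends = []
    for server_side in (False, True):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER if server_side
                             else ssl.PROTOCOL_TLS_CLIENT)
        if not server_side:
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        # Demo-only assumption: anonymous ECDH over TLS 1.2, so no cert is needed.
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        ctx.set_ciphers("AECDH-AES128-SHA:@SECLEVEL=0")
        inc, out = ssl.MemoryBIO(), ssl.MemoryBIO()
        obj = ctx.wrap_bio(inc, out, server_side=server_side)
        ends.append((obj, inc, out))
    done = [False, False]
    while not all(done):
        for i, (obj, _, out) in enumerate(ends):
            if not done[i]:
                try:
                    obj.do_handshake()
                    done[i] = True
                except ssl.SSLWantReadError:
                    pass  # needs the peer's next flight
            data = out.read()
            if data:
                ends[1 - i][1].write(data)  # "wire": our output -> peer input
    return ends

def one_way_close():
    """Client sends close_notify and stops; report what the server observes."""
    (client, _c_in, c_out), (server, s_in, _s_out) = make_pair()
    try:
        client.unwrap()  # SSL_shutdown(): queues our close_notify alert
    except ssl.SSLWantReadError:
        pass  # OpenSSL only reports the peer's alert is not here yet; we do not wait
    alert_record = c_out.read()  # encrypted close_notify, ready for the wire
    s_in.write(alert_record)
    try:
        clean_eof = server.read(1024) == b""  # orderly end of data
    except ssl.SSLZeroReturnError:
        clean_eof = True  # same meaning, surfaced as an exception
    return len(alert_record) > 0, clean_eof

if __name__ == "__main__":
    print(one_way_close())
```

The server sees an orderly end of stream even though the client never reads the server's own close_notify, which is the distinction the reply draws between a one-way shutdown and a dropped connection.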