On 6/10/22 08:55, Gerben Wierda wrote:
>
>> On 10 Jun 2022, at 13:17, Wietse Venema <wie...@porcupine.org> wrote:
>>
>> Wietse Venema:
>>> Gerben Wierda:
>>>>
>>>>> On 10 Jun 2022, at 02:30, Wietse Venema <wie...@porcupine.org> wrote:
>>>>>
>>>>> Gerben Wierda:
>>>>>> What is happening here? (mail is delivered, I'm just curious)
>>>>>>
>>>>>> Jun 09 23:37:39 mail postfix/postscreen[4294]: CONNECT from [146.185.52.133]:10400 to [192.168.2.66]:25
>>>>>> Jun 09 23:37:45 mail postfix/postscreen[4294]: PASS NEW [146.185.52.133]:10400
>>>>>> Jun 09 23:37:45 mail smtp/smtpd[4296]: connect from ims-smtp133.persgroep-ops.net[146.185.52.133]
>>>>>> Jun 09 23:37:46 mail smtp/smtpd[4296]: CC868E75AA1E: client=ims-smtp133.persgroep-ops.net[146.185.52.133]
>>>>>> Jun 09 23:37:47 mail postfix/cleanup[4300]: CC868E75AA1E: message-id=<220609233739.sim_40lt1wa1poje3tjw6hnmtvk29xxj_ghn7vvejgut3cs3hljfekzafd9hipabzz8ro0vetlr2qj0j2ddp9oie2u%2bfuro...@ims-smtp133.persgroep-ops.net>
>>>>>> Jun 09 23:37:48 mail postfix/qmgr[8801]: CC868E75AA1E: from=<nore...@mail.trouw.nl>, size=34628, nrcpt=1 (queue active)
>>>>>> Jun 09 23:37:48 mail smtp/smtpd[4296]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:309:
>>>>>> Jun 09 23:37:48 mail smtp/smtpd[4296]: disconnect from ims-smtp133.persgroep-ops.net[146.185.52.133] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 commands=6
>>>>>>
>>>>>
>>>>> Did you look for 0A000126 with a web search engine?
>>>>
>>>> Yes. Searched on the entire error string as well.
>>>>
>>>> But that did not give me a clue.
>>>
>>> I got: OpenSSL 3 is more strict about clients that disconnect without fully following the protocol.
>>
>> Specifically, google 0A000126, the first result is PHP issue 8369a
>
> Indeed. Interesting. I use duckduckgo (which relies on Bing afaik) and it doesn't find that.
>
>> which links to https://github.com/openssl/openssl/issues/11378. The latter had a breaking fix, backed it out for OpenSSL 1.1.1, but kept it in the branch that became OpenSSL 3.
>
> So basically, the sender doesn't properly close the SSL protocol, their MTA is using an SSL which isn't properly implemented.
My understanding is that a truncation attack is never a problem in SMTP, as a premature EOF is always an SMTP error. If this is in fact the case, Postfix should set SSL_OP_IGNORE_UNEXPECTED_EOF to tell OpenSSL to not treat a missing close_notify as an error.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
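A defender-side check that follows from the reasoning in the thread, added here as an example (it is not Postfix code and comes from nobody in the thread): pair each `error:0A000126` warning with the `disconnect from` summary of the same smtpd process and read the command counters. When every counter is a plain count and DATA was accepted, as in the quoted session, the EOF arrived after the SMTP transaction was complete; a counter in `ok/total` form means the connection dropped mid-dialogue, which Postfix already reports as an SMTP failure. The first session in the sample reproduces the thread's lines; the second (pid 4310, client 192.0.2.10) is constructed.

```python
import re

# Constructed sample log: the first session reproduces the lines quoted in the
# thread; the second (pid 4310, client 192.0.2.10) is invented to show a
# connection that dropped before the DATA phase completed.
SAMPLE_LOG = """\
Jun 09 23:37:45 mail smtp/smtpd[4296]: connect from ims-smtp133.persgroep-ops.net[146.185.52.133]
Jun 09 23:37:48 mail smtp/smtpd[4296]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:309:
Jun 09 23:37:48 mail smtp/smtpd[4296]: disconnect from ims-smtp133.persgroep-ops.net[146.185.52.133] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 commands=6
Jun 09 23:40:02 mail smtp/smtpd[4310]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:309:
Jun 09 23:40:02 mail smtp/smtpd[4310]: disconnect from unknown[192.0.2.10] ehlo=1 starttls=1 mail=1 rcpt=1 data=0/1 commands=4/5
"""

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ \S+/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
EOF_RE = re.compile(r"TLS library problem: error:0A000126:.*unexpected eof")
DISC_RE = re.compile(r"^disconnect from (?P<client>\S+) (?P<counters>.*)$")

def transaction_completed(counters):
    """True when every counted command succeeded (no 'ok/total' form) and at
    least one DATA phase was accepted, i.e. the EOF came after the transaction."""
    all_ok = all("/" not in value for value in counters.values())
    data_ok = int(counters.get("data", "0").split("/")[0]) >= 1
    return all_ok and data_ok

def audit_tls_eof(log_text):
    """Pair each 0A000126 warning with the disconnect summary of the same smtpd
    process and report whether that session had already completed."""
    pending = set()
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if EOF_RE.search(msg):
            pending.add(pid)
            continue
        d = DISC_RE.match(msg)
        if d and pid in pending:
            pending.discard(pid)
            counters = dict(tok.split("=", 1) for tok in d.group("counters").split())
            verdict = "benign" if transaction_completed(counters) else "premature"
            findings.append({"pid": pid, "client": d.group("client"), "verdict": verdict})
    return findings

if __name__ == "__main__":
    for f in audit_tls_eof(SAMPLE_LOG):
        print(f"{f['pid']} {f['client']}: TLS EOF {f['verdict']}")
```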