[exim-dev] [Bug 2018] proxy protocol is not supported on smt…

Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 2018] proxy protocol is not supported on smtps (direct SSL/TLS) connections
https://bugs.exim.org/show_bug.cgi?id=2018

--- Comment #2 from Nenad Opsenica <nenad@???> ---
> What's the evidence for "proxy settings are not even checked"?
Excerpt from HAproxy log:

Jan 16 17:45:13 localhost haproxy[29817]: 10.9.27.240:57140 [16/Jan/2017:17:45:13.557] smtp bk_mail-starttls/mail2 6/0/12 0 SD 0/0/0/0/0 0/0


And debug information from exim when connection is being made to port 465 with
SSL/TLS:

17:45:14 11748 Connection request from 10.9.4.12 port 60468
17:45:14 11748 interface address=10.9.4.25 port=465
17:45:14 11748 search_tidyup called
17:45:14 11748 1 SMTP accept process running
17:45:14 11748 Listening...
17:45:14 11750 sender_fullhost = [10.9.4.12]
17:45:14 11750 sender_rcvhost = [10.9.4.12]
17:45:14 11750 Process 11750 is handling incoming connection from [10.9.4.12]
17:45:14 11750 host in host_lookup? yes (matched "*")
17:45:14 11750 looking up host name for 10.9.4.12
17:45:14 11750 DNS lookup of 12.4.9.10.in-addr.arpa (PTR) gave HOST_NOT_FOUND
17:45:14 11750 returning DNS_NOMATCH
17:45:14 11750 IP address lookup using gethostbyaddr()
17:45:14 11750 IP address lookup failed: h_errno=1
17:45:14 11750 LOG: host_lookup_failed MAIN
17:45:14 11750 no host name found for IP address 10.9.4.12
17:45:14 11750 sender_fullhost = [10.9.4.12]
17:45:14 11750 sender_rcvhost = [10.9.4.12]
17:45:14 11750 set_process_info: 11750 handling incoming connection from [10.9.4.12]
17:45:14 11750 openssl option, adding from 1100000: 1000000 (no_sslv2 +no_sslv3)
17:45:14 11750 openssl option, adding from 1100000: 2000000 (no_sslv3)
17:45:14 11750 setting SSL CTX options: 0x3100000
17:45:14 11750 Diffie-Hellman initialized from default with 2048-bit prime
17:45:14 11750 ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding "auto" with "prime256v1"
17:45:14 11750 ECDH: curve 'prime256v1'
17:45:14 11750 ECDH: enabled 'prime256v1' curve
17:45:14 11750 tls_certificate file /etc/pki/tls/certs/...DELETED_HERE.....
17:45:14 11750 tls_privatekey file /etc/pki/tls/certs/...DELETED_HERE.....
17:45:14 11750 Initialized TLS
17:45:14 11750 required ciphers: ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!MD5:!SRP:!PSK:!aDSS:!kECDH:!kDH:!SEED:!IDEA:!RC2:!RC4:!RC5:!CAMELLIA
17:45:14 11750 host in tls_verify_hosts? no (option unset)
17:45:14 11750 host in tls_try_verify_hosts? no (option unset)
17:45:14 11750 Calling SSL_accept
17:45:14 11750 SSL info: before/accept initialization
17:45:14 11750 SSL info: before/accept initialization
17:45:14 11750 SSL info: SSLv2/v3 read client hello A
17:45:14 11750 LOG: MAIN
17:45:14 11750 TLS error on connection from [10.9.4.12] (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
17:45:14 11750 LOG: MAIN
17:45:14 11750 TLS client disconnected cleanly (rejected our certificate?)
17:45:14 11750 search_tidyup called
17:45:14 11748 child 11750 ended: status=0x0
17:45:14 11748 normal exit, 0
17:45:14 11748 0 SMTP accept processes now running
17:45:14 11748 Listening...

The same setup works perfectly with StartTLS.

Function smtp_start_session() in smtp_in.c calls tls_server_start() before
checking with check_proxy_protocol_host() whether the proxy protocol is used.

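As an added illustration of the ordering problem described in this comment (example code written for this page, not Exim's or HAProxy's own): a minimal PROXY protocol v1 parser run over a constructed byte stream, showing that the same bytes fail a TLS-record check when TLS is started first but pass once the header has been consumed. The addresses and ports are taken from the logs above; the ClientHello bytes and the helper names are constructed for the example.

```python
import ipaddress

TLS_HANDSHAKE = 0x16  # content type of a TLS record carrying a ClientHello

def strip_proxy_v1(stream: bytes):
    """Consume a PROXY protocol v1 header if one is present.

    Returns (info, remaining). info is None when no header is present,
    otherwise a dict with the original client/server addresses and ports.
    Raises ValueError on a malformed header (a server should drop the
    connection in that case rather than guess).
    """
    if not stream.startswith(b"PROXY "):
        return None, stream
    end = stream.find(b"\r\n", 0, 108)  # v1 header is at most 107 bytes
    if end < 0:
        raise ValueError("malformed PROXY v1 header")
    fields = stream[:end].decode("ascii").split(" ")
    if fields[1:] == ["UNKNOWN"]:
        return {"proto": "UNKNOWN"}, stream[end + 2:]
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    _, proto, src, dst, sport, dport = fields
    sport, dport = int(sport), int(dport)
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range in PROXY v1 header")
    info = {"proto": proto, "src": str(ipaddress.ip_address(src)),
            "dst": str(ipaddress.ip_address(dst)),
            "sport": sport, "dport": dport}
    return info, stream[end + 2:]

def looks_like_tls_client_hello(data: bytes) -> bool:
    """True when the bytes start a TLS handshake record (0x16 0x03 ...)."""
    return len(data) >= 2 and data[0] == TLS_HANDSHAKE and data[1] == 0x03

# Constructed sample: HAProxy's header followed by the first bytes of a
# ClientHello, as the smtps listener would read them from the socket.
SAMPLE = (b"PROXY TCP4 10.9.27.240 10.9.4.25 57140 465\r\n"
          b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03")

def order_matters(stream: bytes):
    """Compare the two call orders on the same byte stream."""
    tls_first_ok = looks_like_tls_client_hello(stream)   # TLS before proxy check
    info, rest = strip_proxy_v1(stream)                   # proxy check before TLS
    return tls_first_ok, info, looks_like_tls_client_hello(rest)
```

With TLS started first, OpenSSL sees the ASCII "PROXY TCP4 ..." line as its first record, which is exactly the "unknown protocol" failure in the debug output above; consuming the header first leaves a clean ClientHello for SSL_accept.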