[exim] Re: exim don't speak to google any more!

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Viktor Dukhovni via Exim-users
Dátum:  
Címzett: exim-users
Tárgy: [exim] Re: exim don't speak to google any more!
On Sun, Jul 28, 2024 at 05:56:33PM +0100, Jeremy Harris via Exim-users wrote:

> > BUT in the log, I get the following message:
> >
> >  H=gmail-smtp-in.l.google.com [142.251.16.26] TLS error on
> > connection (recv): The TLS connection was non-properly terminated.
>
> Google is violating standards, according to the OpenSSL library.


No, rather the Google MTA is not wasting valuable resources doing
unnecessary TLS-layer framing to avoid truncation attacks that
don't apply to SMTP, which does application-layer framing.

> Complain to them (and you'll be ignoredr, like the rest of us).


Exim really should be updated to ignore OpenSSL's truncation detection,
I don't recall whether that even already happened and the OP is running
an older version?

All it takes is including `SSL_OP_IGNORE_UNEXPECTED_EOF` in a call
to `SSL_CTX_set_options()`.

For comparison, the associated delta in Postfix below.

-- 
    Viktor.

commit 6876e420275bb44e98827c76306f7ff5481eb192
Author: Wietse Venema <wietse@???>
Date:   Sat Jan 21 00:00:00 2023 -0500

    postfix-3.8-20230121

--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -26779 +26779,10 @@ Apologies for any names omitted.
     warning message tls.tls_dh.c.
+
+20230115
+    Workaround for a breaking change in OpenSSL 3: always turn
+    on SSL_OP_IGNORE_UNEXPECTED_EOF, to avoid warning messages
+    and missed opportunities for TLS session reuse. This is
+    safe because the SMTP protocol implements application-level
+    framing, and is therefore not affected by TLS truncation
+    attacks. Fix by Viktor Dukhovni. Files: tls/tls.h, tls_client.c,
+    tls/tls_server.c.
--- a/postfix/src/tls/tls.h
+++ b/postfix/src/tls/tls.h
@@ -389,2 +389,9 @@ extern void tls_param_init(void);
 
+/*
+ * Always used when defined, SMTP has no truncation attacks.
+ */
+#ifndef SSL_OP_IGNORE_UNEXPECTED_EOF
+#define SSL_OP_IGNORE_UNEXPECTED_EOF    0L
+#endif
+
 #define TLS_KNOWN_PROTOCOLS \
@@ -405,3 +412,4 @@ extern void tls_param_init(void);
 #define TLS_SSL_OP_MANAGED_BITS \
-    (SSL_OP_CIPHER_SERVER_PREFERENCE | TLS_SSL_OP_PROTOMASK(~0))
+    (SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_IGNORE_UNEXPECTED_EOF | \
+     TLS_SSL_OP_PROTOMASK(~0))
 
--- a/postfix/src/tls/tls_client.c
+++ b/postfix/src/tls/tls_client.c
@@ -715,2 +715,11 @@ TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *props)
 
+    /*
+     * Presently we use TLS only with SMTP where truncation attacks are not
+     * possible as a result of application framing.  If we ever use TLS in
+     * some other application protocol where truncation could be relevant,
+     * we'd need to disable truncation detection conditionally, or explicitly
+     * clear the option in that code path.
+     */
+    off |= SSL_OP_IGNORE_UNEXPECTED_EOF;
+
     /*
diff --git a/postfix/src/tls/tls_server.c b/postfix/src/tls/tls_server.c
index 6caf3ab54..b76cfbc70 100644
--- a/postfix/src/tls/tls_server.c
+++ b/postfix/src/tls/tls_server.c
@@ -514,2 +514,11 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
 
+    /*
+     * Presently we use TLS only with SMTP where truncation attacks are not
+     * possible as a result of application framing.  If we ever use TLS in
+     * some other application protocol where truncation could be relevant,
+     * we'd need to disable truncation detection conditionally, or explicitly
+     * clear the option in that code path.
+     */
+    off |= SSL_OP_IGNORE_UNEXPECTED_EOF;
+
     /*


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/