[exim-dev] [Bug 3121] New: Add new option tls_ignore_missing…

Pàgina inicial
Delete this message
Reply to this message
Autor: Exim Bugzilla
Data:  
A: exim-dev
Assumptes nous: [exim-dev] [Bug 3121] Quieten transport logging of TLS close peer bugs, [exim-dev] [Bug 3121] Quieten transport logging of TLS close peer bugs, [exim-dev] [Bug 3121] Quieten transport logging of TLS close peer bugs
Assumpte: [exim-dev] [Bug 3121] New: Add new option tls_ignore_missing_close_notify
https://bugs.exim.org/show_bug.cgi?id=3121

            Bug ID: 3121
           Summary: Add new option tls_ignore_missing_close_notify
           Product: Exim
           Version: 4.97
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: wishlist
          Priority: medium
         Component: TLS
          Assignee: jgh146exb@???
          Reporter: divinity76@???
                CC: exim-dev@???


Created attachment 1498
--> https://bugs.exim.org/attachment.cgi?id=1498&action=edit
tls_ignore_missing_close_notify

- Introduced tls_ignore_missing_close_notify to handle servers that do not send
the TLS close_notify on connection close.
- This addresses a common issue with both Gmail and Yandex servers, which
intentionally omit close_notify to save a roundtrip, despite it being against
the TLS protocol.
- Without this option, every time an email is sent to gmail or Yandex, the
omission generates spurious errors in logs, such as: "2024-10-13 14:06:53
1szzFE-00000004UoN-2uxk H=gmail-smtp-in.l.google.com [108.177.127.26] TLS error
on connection (recv): The TLS connection was non-properly terminated.
2024-10-13 14:06:53 1szzFE-00000004UoN-2uxk H=gmail-smtp-in.l.google.com
[108.177.127.26] TLS error on connection (recv): The specified session has been
invalidated for some reason."
- The new option allows treating this as a normal EOF

quoting https://github.com/php/php-src/issues/8369

> OpenSSL became more strict about unexpected EOF (not sending close notify) in 1.1.1e but reverted that change in 1.1.1f due to the huge amount of non-compliant servers. With the new major release 3.0.0 it came back. See openssl/openssl#11378 for more details.


It's the same issue here, turns out that gmail and yandex is among the "huge
amount of non-compliant servers".

The issue is so common that:

- postfix ignores it.
- OpenSSL < 1.1.1e always ignored it
- OpenSSL >=1.1.1f decided to ignore it again
- OpenSSL >=3.0 made ignoring it optional, configurable with
SSL_OP_IGNORE_UNEXPECTED_EOF
- but GnuTLS (which Debian and Ubuntu's exim4 links to) does not have a setting
to ignore it. Still, ignoring it "manually" is easy.

--
You are receiving this mail because:
You are on the CC list for the bug.

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-dev.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-dev-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/