Mailing List Archive

missing logline, as if the delivery crashed
Exim:    4.94.2   Fedora 33
OpenSSL: 1.1.1k-1

Hi,

Problem 1:

Since an OS upgrade of Fedora, where the security policy changed, this
happens to some connections:

2021-06-02 07:02:58 1loJ1s-006Qmo-BG <= user@senderdomain.de H=nx222.node01.secure-mailgate.com [89.22.108.222] P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no K S=19127 id=504f250e-1b94-40f6-3d26-2011d5f54bca@senderdomain.de
2021-06-02 07:02:58 1loJ1s-006Qmo-BG Completed

You will notice that the delivery line is missing.

There is no error, no warning, no nothing that explains what happens.

As this server had run this exact Exim version from the Fedora 33 packages
(due to 21Nails) before the OS update without such problems, and those
packages actually did not update at all, I think the OS security policy of
Fedora 33 is causing this, but I can't prove it.

As I can't reproduce it with any of our other Exims as source, how can
we find out what happened to these mails?
Which log option needs to be enabled to get more info here?

Problem 2:

This may be strong evidence for the policy change:

TLS session: (SSL_connect): error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

It also happens since the OS upgrade. It is an indicator that the
remote SMTP server does not have its setup straight (DH key size = 0
according to Debian).

I checked it by lowering the policy back to Fedora 32, and now the server
can send mails to the previously erroring servers again.


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: UPDATE: missing logline, as if the delivery crashed
On 02.06.21 at 08:49, Cyborg via Exim-users wrote:
>
> Exim:      4.94.2   Fedora 33
> Openssl: 1.1.1k-1
>
> Hi,
>
> Problem 1:
>
> Since an OS upgrade of Fedora, where the security policy changed, this
> happens to some connections:
>
> 2021-06-02 07:02:58 1loJ1s-006Qmo-BG <= user@senderdomain.de
> H=nx222.node01.secure-mailgate.com [89.22.108.222] P=esmtps
> X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no K S=19127
> id=504f250e-1b94-40f6-3d26-2011d5f54bca@senderdomain.de
> 2021-06-02 07:02:58 1loJ1s-006Qmo-BG Completed
>
> You will notice that the delivery line is missing.
>

UPDATE:

After lowering the security policy back to Fedora 32, the sending
mailserver does not cause this bug anymore, which it did reliably before.

The missing error logline, for whatever happened inside Exim, still
remains and needs investigation.


WORKAROUND:

@Anyone having the same problems:

update-crypto-policies --set DEFAULT:FEDORA32;systemctl restart exim


best regards,
Marius

Re: missing logline, as if the delivery crashed
On 02/06/2021 07:49, Cyborg via Exim-users wrote:
> Since an OS upgrade of Fedora, where the security policy changed, this happens to some connections:
>
> 2021-06-02 07:02:58 1loJ1s-006Qmo-BG <= user@senderdomain.de H=nx222.node01.secure-mailgate.com [89.22.108.222] P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no K S=19127 id=504f250e-1b94-40f6-3d26-2011d5f54bca@senderdomain.de
> 2021-06-02 07:02:58 1loJ1s-006Qmo-BG Completed
>
> You will notice that the delivery line is missing.

You're not showing a connection there; either of reception or of delivery.
How were those lines extracted from the log?
Do you log connection arrivals, incoming connection terminations,
delivery connection attempts or terminations?
--
Cheers,
Jeremy

Re: missing logline, as if the delivery crashed
On 02.06.21 at 10:23, Jeremy Harris via Exim-users wrote:
> On 02/06/2021 07:49, Cyborg via Exim-users wrote:
>> Since an OS upgrade of Fedora, where the security policy changed,
>> this happens to some connections:
>>
>> 2021-06-02 07:02:58 1loJ1s-006Qmo-BG <= user@senderdomain.de
>> H=nx222.node01.secure-mailgate.com [89.22.108.222] P=esmtps
>> X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no K S=19127
>> id=504f250e-1b94-40f6-3d26-2011d5f54bca@senderdomain.de
>> 2021-06-02 07:02:58 1loJ1s-006Qmo-BG Completed
>>
>> You will notice that the delivery line is missing.
>
> You're not showing a connection there; either of reception or of
> delivery.

That the delivery "=>" line is missing is exactly the problem here.

All other valid attempts in and out have that delivery line, but this ->
failed <- message does not have one. I have never seen this happen
in 15 years of Exim services.

It's reliably happening if a specific server

> How were those lines extracted from the log?

Manually, copy and paste. I searched for error lines between "<=" and
"Completed", but there are none. The "=>" is not printed to the log at all,
and there is no other error.

> Do you log connection arrivals, incoming connection terminations,

Standard logs are active, so we get "<=", "=>", "**" and "Completed", and
some internal warnings used for in-case debugging of antispam problems.

Here is a typical, randomly chosen, working log:

2021-06-02 10:51:44 1loMbI-00794v-6n H=mta-174-90-195.senderdomain.de.sparkpostmail.com [192.174.90.195] Warning: processing file "" for "To: "XXXXX XXXXXXX" <info@domain.tld> -> From: "YYYYYYYYYYYYYYY" <noreply@senderdomain.de> / R="YYYYYYYYYYYYYYY" <noreply@senderdomain.de>"
2021-06-02 10:51:44 1loMbI-00794v-6n H=mta-174-90-195.senderdomain.de.sparkpostmail.com [192.174.90.195] Warning: send for "XXXXX XXXXXXXXXX" <info@domain.de>
2021-06-02 10:51:48 1loMbI-00794v-6n <= msprvs1=18787dju2Uvig=bounces-23261@bounces.senderdomain.de H=mta-174-90-195.senderdomain.de.sparkpostmail.com [192.174.90.195] P=esmtps X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no S=76268 id=DD.F8.45130.C9647B06@ai.mta1vrest.cc.prd.sparkpost
2021-06-02 10:51:48 1loMbI-00794v-6n => /STORAGE/Maildir/ (info@domain.tld) <info@domain.tld> R=virtual_user T=address_directory
2021-06-02 10:51:48 1loMbI-00794v-6n Completed

The messages in question have normal entries in those warnings we
additionally create, so I left them out, as they are not relevant and
contain personal information.

> delivery connection attempts or terminations?

Normally everything is logged; that's exactly the point.

NOW, AFTER I downgraded the crypto-policy of Fedora back to F32, the
deliveries of these messages from the named server are processed and fully
logged again.

My guess is that we just found a bug in the processing of the DH KEY TOO
SMALL error that OpenSSL throws on incoming connections, where the error
avoids getting logged.

We are talking about a mail cluster with thousands of mailboxes, which
had no problems with >99% of all incoming/outgoing mails when the new
crypto-policy was active. That <1% of mail servers "seem" to have the same
DHE problem.

After I switched back to the F32 policy and restarted Exim, those remote
mail servers with the "DH key too small" error (problem 2) did use DHE
ciphers. I'm pretty sure the original problem is a config error, either
in Fedora's OpenSSL default config (never changed it manually) or the
remote servers' DHE exchange is misconfigured.

If someone knows how to tell openssl s_client to simulate or detect
this zero-sized DH key, I can run tests on those servers to find out more.

best regards,
Marius


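An added example for the s_client question above (editor's code, not from the thread, from Exim or from OpenSSL): the probe restricts openssl s_client to DHE cipher suites and TLS 1.2 so the server has to send its DH parameters, then reads the "Server Temp Key: DH, N bits" line that s_client prints and compares it with a minimum. The 2048-bit floor is an assumption chosen to match OpenSSL security level 2, which is what the Fedora 33 DEFAULT crypto policy selects; the host name and the s_client outputs in the block are constructed, not captured from the servers discussed in the thread.

```python
"""Probe an SMTP server's ephemeral DH key size with openssl s_client and
judge it against a minimum, i.e. the check behind "dh key too small"."""
import re
import subprocess
import sys

# Assumption: 2048 bits is the floor. OpenSSL security level 2 (what the
# Fedora 33 DEFAULT crypto policy selects) rejects DH parameters below it.
MIN_DH_BITS = 2048

# s_client prints the ephemeral key after the handshake, for example
#   Server Temp Key: DH, 1024 bits
#   Server Temp Key: ECDH, P-256, 256 bits
#   Server Temp Key: X25519, 253 bits
TEMP_KEY_RE = re.compile(r"^Server Temp Key: (?P<desc>.+?), (?P<bits>\d+) bits", re.M)


def s_client_command(host, port=25):
    """Build the probe: STARTTLS on the SMTP port, DHE cipher suites only so
    the server cannot fall back to ECDHE, and TLS 1.2 only (under TLS 1.3 the
    DHE cipher string does not apply; the server would just pick a group)."""
    return ["openssl", "s_client", "-connect", f"{host}:{port}",
            "-starttls", "smtp", "-cipher", "DHE", "-tls1_2"]


def judge(stdout, stderr, min_bits=MIN_DH_BITS):
    """Classify one probe from s_client's stdout and stderr.
    Returns (verdict, bits) with bits None when no key size was printed."""
    if "dh key too small" in stderr:
        # The probing host's own policy refused the key before the size was
        # printed; this is what the upgraded Fedora 33 machine itself reports.
        return "rejected_by_client", None
    m = TEMP_KEY_RE.search(stdout)
    if not m:
        return "no_handshake", None        # no DHE suite offered, or TLS failed
    kind = m.group("desc").split(",")[0]
    bits = int(m.group("bits"))
    if kind != "DH":
        return "not_dhe", bits             # server chose ECDH/X25519 after all
    return ("ok" if bits >= min_bits else "too_small"), bits


def probe(host, port=25, min_bits=MIN_DH_BITS, timeout=20):
    """Run the probe against a live server (needs network access).
    QUIT is sent after the handshake so the server closes the session."""
    proc = subprocess.run(s_client_command(host, port), input=b"QUIT\r\n",
                          capture_output=True, timeout=timeout)
    return judge(proc.stdout.decode(errors="replace"),
                 proc.stderr.decode(errors="replace"), min_bits)


# Constructed sample outputs (not captured from the servers in the thread).
SAMPLE_OK = "---\nServer Temp Key: DH, 2048 bits\n---\n"
SAMPLE_SMALL = "---\nServer Temp Key: DH, 1024 bits\n---\n"
SAMPLE_ECDH = "---\nServer Temp Key: ECDH, P-256, 256 bits\n---\n"
SAMPLE_REJECTED_STDERR = ("error:141A318A:SSL routines:tls_process_ske_dhe:"
                          "dh key too small\n")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))          # e.g. python3 dhprobe.py mx.example.invalid
    else:
        for name, out, err in [("ok", SAMPLE_OK, ""), ("small", SAMPLE_SMALL, ""),
                               ("ecdh", SAMPLE_ECDH, ""),
                               ("rejected", "", SAMPLE_REJECTED_STDERR)]:
            print(name, judge(out, err))
```

Run it from a host whose policy still accepts small keys: on the upgraded Fedora 33 machine itself the probe hits the same "dh key too small" error before the key size is printed, which the block reports as rejected_by_client. Pointing OPENSSL_CONF at a configuration file that does not include the crypto-policy should get past that (assumption, not verified here). To simulate the failing side, openssl s_server with a 1024-bit -dhparam file and -cipher DHE serves a deliberately small key; s_server has no STARTTLS emulation, so drop -starttls smtp when probing it.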
Re: missing logline, as if the delivery crashed
Hi,

Cyborg via Exim-users <exim-users@exim.org> (Wed 02 Jun 2021 08:49:21 CEST):
>
> Exim:      4.94.2   Fedora 33
> Openssl: 1.1.1k-1
>
> Hi,
>
> Problem 1:
>
> Since an OS upgrade of Fedora, where the security policy changed, this
> happens to some connections:
>
> 2021-06-02 07:02:58 1loJ1s-006Qmo-BG <= user@senderdomain.de
> H=nx222.node01.secure-mailgate.com [89.22.108.222] P=esmtps
> X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no K S=19127
> id=504f250e-1b94-40f6-3d26-2011d5f54bca@senderdomain.de
> 2021-06-02 07:02:58 1loJ1s-006Qmo-BG Completed

- What's your log_file_path?
- Can you extract all lines containing the Message-ID?
- An early version of the "taintwarn" patches had issues with lost log
lines (for local deliveries, though), maybe we've a re-incarnation of
this bug?

> You will notice that the delivery line is missing.

If I remember well, it is the delivery process which is accessing the
log, and this process isn't privileged, it runs as the Exim runtime user.
For writing to the log no extra privilege is needed, but who knows…

> There is no error, no warning, no nothing that explains what happens.

Try adding syslog to your log file path, and see if the line you're missing
appears there.

> As I can't reproduce it with any of our other Exims as source, how can we
> find out what happened to these mails?
> Which log option needs to be enabled to get more info here?

So you *can* reproduce it on F33 with the Exim package F provides?

> Problem 2:
>
> This may be strong evidence for the policy change: TLS session:
> (SSL_connect): error:141A318A:SSL routines:tls_process_ske_dhe:dh key too
> small

I think, this isn't related to Exim directly, as we do not require
special key sizes in the default configuration. So maybe library
defaults changed?

Again: I'm not an expert at all, so all my assumptions are only this:
assumptions.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
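Heiko's two asks above, every line for one message id and a check for the missing outcome line, as an added example (editor's code, not from the thread and not from Exim). The log sample is constructed from the broken record and the working record posted earlier in the thread plus an invented failed delivery, so it runs offline; the outcome flags ("=>", "->", ">>", "*>", "**", "==") and the 6-6-2 message-id shape are as documented in the Exim specification, and the wider id widths in the pattern are an assumption to cover newer Exim releases.

```python
"""Group Exim mainlog lines by message id and find messages that were
received ("<=") and "Completed" with no delivery outcome logged between."""
import re
from collections import defaultdict

# One mainlog line: timestamp (zone suffix only when log_timezone is set),
# optional "[pid]" (log_selector +pid), optional message id, then the rest.
# Ids on this page are the 16-char 6-6-2 form; the wider ranges are an
# assumption so that the longer ids of newer Exim releases also match.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?: [+-]\d{4})?)"
    r"(?: \[\d+\])?"
    r"(?: (?P<id>[A-Za-z0-9]{6}-[A-Za-z0-9]{6,11}-[A-Za-z0-9]{2,4}))?"
    r"(?: (?P<rest>.*))?$"
)

RECEIVED = {"<="}
# Delivery outcomes: delivered, additional address on the same delivery,
# cutthrough, suppressed (-N), failed, deferred. Any of them means Exim
# recorded what it did with the message.
OUTCOMES = {"=>", "->", ">>", "*>", "**", "=="}


def parse_log(text):
    """{message id: [(first token after the id, full line), ...]}."""
    records = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("id"):
            continue                     # e.g. "SMTP connection from ..." lines
        rest = m.group("rest") or ""
        flag = rest.split(" ", 1)[0]
        records[m.group("id")].append((flag, line))
    return dict(records)


def lines_for(text, msgid):
    """Every mainlog line carrying one message id (Heiko's first request)."""
    return [line for _, line in parse_log(text).get(msgid, [])]


def silent_completions(text):
    """Message ids with '<=' and 'Completed' but no outcome line at all."""
    found = []
    for msgid, entries in parse_log(text).items():
        flags = {flag for flag, _ in entries}
        if flags & RECEIVED and "Completed" in flags and not flags & OUTCOMES:
            found.append(msgid)
    return found


# Constructed sample: the broken and the working records from the thread
# (re-joined into one line each), a connection line without a message id,
# and an invented failed delivery ("**") that must not be flagged.
SAMPLE_LOG = """\
2021-06-02 07:02:50 SMTP connection from nx222.node01.secure-mailgate.com [89.22.108.222]
2021-06-02 07:02:58 1loJ1s-006Qmo-BG <= user@senderdomain.de H=nx222.node01.secure-mailgate.com [89.22.108.222] P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no K S=19127 id=504f250e-1b94-40f6-3d26-2011d5f54bca@senderdomain.de
2021-06-02 07:02:58 1loJ1s-006Qmo-BG Completed
2021-06-02 10:51:48 1loMbI-00794v-6n <= msprvs1=18787dju2Uvig=bounces-23261@bounces.senderdomain.de H=mta-174-90-195.senderdomain.de.sparkpostmail.com [192.174.90.195] P=esmtps X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no S=76268 id=DD.F8.45130.C9647B06@ai.mta1vrest.cc.prd.sparkpost
2021-06-02 10:51:48 1loMbI-00794v-6n => /STORAGE/Maildir/ (info@domain.tld) <info@domain.tld> R=virtual_user T=address_directory
2021-06-02 10:51:48 1loMbI-00794v-6n Completed
2021-06-02 11:00:00 1loMjF-0000Ab-Cd <= bob@example.invalid H=mx.example.invalid [192.0.2.10] P=esmtps X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no S=1234
2021-06-02 11:00:01 1loMjF-0000Ab-Cd ** nobody@domain.tld R=virtual_user: Unrouteable address
2021-06-02 11:00:01 1loMjF-0000Ab-Cd Completed
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for msgid in silent_completions(text):
        print(f"{msgid}: Completed without a delivery outcome line")
        for line in lines_for(text, msgid):
            print("   ", line)
```

Run it over exim_mainlog, or over the syslog stream if log_file_path is extended with syslog as suggested above; with log_selector = +smtp_connection the connection arrival and close lines Jeremy asked about appear as well, though they carry no message id and are skipped by the grouping here.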