Your message dated Fri, 06 Nov 2020 07:48:45 +1100 with message-id <87h7q3fs2a....@canidae.wired.pri> has caused the report #973654, regarding "TLS: start_SSL fails to set SSL_verifycn_name", to be marked as having been forwarded to the upstream software author(s).

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
973654: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=973654
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Hello,

I received this bug report against amavisd-new in Debian. For full details please see http://bugs.debian.org/

Thanks

Martina Ferrari <t...@debian.org> writes:

> Package: amavisd-new
> Version: 1:2.11.0-6.1
> Severity: important
>
> Hi,
>
> As part of a new server setup, I have installed amavisd-new. Since it is
> running on a different host than the MX, I have set up TLS between every
> part of the system, but amavis fails to connect back to the MX, with the
> following error:
>
> (!!)Upgrading socket to TLS failed (in ssl_upgrade): hostname verification failed\n
>
> After some investigation, I found that amavis is not using the
> IO::Socket::SSL library correctly. The default (and reasonable) SSL
> parameters for the client TLS connection are:
>
> %smtp_tls_client_options = (
>   SSL_verifycn_scheme => 'smtp',
> );
>
> When the `$tls_security_level_out` variable is set to 'may' or 'encrypt',
> the socket is upgraded to TLS using the `start_SSL` method and the options
> set by the user, but without any way for the library to determine the
> hostname of the server, and therefore its identity can't be verified.
>
> The documentation for the `SSL_verifycn_name` option of the `start_SSL`
> method states (https://metacpan.org/pod/IO::Socket::SSL#SSL_verifycn_name):
>
>     SSL_verifycn_name
>
>     Set the name which is used in verification of hostname. If
>     SSL_verifycn_scheme is set and no SSL_verifycn_name is given it will
>     try to use SSL_hostname or PeerHost and PeerAddr settings and fail if
>     no name can be determined. If SSL_verifycn_scheme is not set it will
>     use a default scheme and warn if it cannot determine a hostname, but
>     it will not fail.
>
>     Using PeerHost or PeerAddr works only if you create the connection
>     directly with IO::Socket::SSL->new, if an IO::Socket::INET object is
>     upgraded with start_SSL the name has to be given in SSL_verifycn_name
>     or SSL_hostname.
>
> The solution for this is pretty simple: `SSL_verifycn_name` has to be set
> by the calling function using the same hostname used to connect the TCP
> socket in the first place. A workaround is to pass this option manually
> in the configuration, but that fails to work if there is more than one
> SSL target (for example, different hostnames for `notify_method` and
> `forward_method`).
>
> -- System Information:
> Debian Release: 10.6
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.19.0-9-amd64 (SMP w/1 CPU core)
> Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE=en_IE:en (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages amavisd-new depends on:
> ii  adduser                               3.118
> ii  debconf [debconf-2.0]                 1.5.71
> ii  file                                  1:5.35-4+deb10u1
> ii  init-system-helpers                   1.56+nmu1
> ii  libarchive-zip-perl                   1.64-1
> ii  libberkeleydb-perl                    0.55-2
> ii  libconvert-tnef-perl                  0.18-1
> ii  libconvert-uulib-perl                 1:1.5~dfsg-1+b1
> pn  libdigest-md5-perl                    <none>
> ii  libio-stringy-perl                    2.111-3
> ii  libmail-dkim-perl                     0.54-1
> ii  libmailtools-perl                     2.18-1
> pn  libmime-base64-perl                   <none>
> ii  libmime-tools-perl                    5.509-1
> ii  libnet-libidn-perl                    0.12.ds-3+b1
> ii  libnet-server-perl                    2.009-1
> ii  libunix-syslog-perl                   1.1-3+b1
> ii  lsb-base                              10.2019051400
> ii  pax                                   1:20190224-1
> ii  perl [libtime-hires-perl]             5.28.1-6+deb10u1
> ii  perl-modules-5.24 [libarchive-tar-perl]  5.24.1-3+deb9u6
>
> Versions of packages amavisd-new recommends:
> pn  altermime                             <none>
> ii  libnet-patricia-perl                  1.22-1+b5
> ii  ripole                                0.2.0+20081101.0215-3
>
> Versions of packages amavisd-new suggests:
> ii  apt-listchanges                       3.19
> ii  arj                                   3.10.22-18
> ii  cabextract                            1.9-1
> pn  clamav                                <none>
> ii  clamav-daemon                         0.102.4+dfsg-0+deb10u1
> ii  cpio                                  2.12+dfsg-9
> pn  dspam                                 <none>
> ii  lhasa                                 0.3.1-3
> pn  libauthen-sasl-perl                   <none>
> ii  libdbi-perl                           1.642-1+deb10u1
> ii  libmail-dkim-perl                     0.54-1
> pn  libnet-ldap-perl                      <none>
> pn  libsnmp-perl                          <none>
> pn  libzeromq-perl                        <none>
> ii  lzop                                  1.03-4+b1
> ii  nomarch                               1.4-3+b2
> ii  p7zip                                 16.02+dfsg-6
> pn  rpm                                   <none>
> ii  spamassassin                          3.4.2-1+deb10u2
> ii  unrar                                 1:5.6.6-1
>
> -- Configuration Files:
> /etc/amavis/conf.d/05-node_id changed [not included]
> /etc/amavis/conf.d/15-content_filter_mode changed [not included]
> /etc/amavis/conf.d/50-user changed [not included]
> /etc/init.d/amavis changed [not included]
>
> -- no debconf information

--
Brian May <br...@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
--- End Message ---
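The upgrade path the report describes, as an added Perl example that is not part of the bug report and not amavisd-new's own code. It shows the option set that reproduces the failure (a verification scheme with no name to verify against) beside the fixed one, where the name used for the TCP connect is carried into `SSL_verifycn_name` and `SSL_hostname` unless the administrator already set them. The helper names (`broken_upgrade_options`, `tls_upgrade_options`, `connect_and_upgrade`) are hypothetical; the command-line demo assumes a listener that speaks TLS from the first byte (such as SMTPS on 465), because the EHLO/STARTTLS dialogue amavis performs before upgrading is outside the scope of this example.

```perl
#!/usr/bin/perl
# Added example (not amavisd-new code): upgrade an existing TCP socket to
# TLS with IO::Socket::SSL->start_SSL while keeping hostname verification
# intact.  Helper names are hypothetical and chosen for this example.
use strict;
use warnings;
use IO::Socket::INET;
use IO::Socket::SSL;

# The shape of the problem from the bug report: a verification scheme is
# set, but start_SSL has no name to compare the certificate against, so
# the upgrade fails with "hostname verification failed".
sub broken_upgrade_options {
    my ($user_opts) = @_;
    return { SSL_verifycn_scheme => 'smtp', %{ $user_opts || {} } };
}

# The fix: merge the administrator's %smtp_tls_client_options with the
# peer name that was used for the TCP connect.  SSL_verifycn_name (what
# the certificate is checked against) and SSL_hostname (what is sent as
# SNI) are filled in only when not set explicitly, so a manual override
# in the configuration still wins.
sub tls_upgrade_options {
    my ($peer_host, $user_opts) = @_;
    my %opts = ( SSL_verifycn_scheme => 'smtp', %{ $user_opts || {} } );
    $opts{SSL_verifycn_name} //= $peer_host;
    $opts{SSL_hostname}      //= $peer_host;
    return \%opts;
}

# $peer_host is the single source of truth for both the connect and the
# verification name, which is what lets several targets (for example
# notify_method and forward_method on different hosts) each verify
# against their own name instead of one value hard-coded in the config.
sub connect_and_upgrade {
    my ($peer_host, $peer_port, $user_opts) = @_;
    my $sock = IO::Socket::INET->new(
        PeerHost => $peer_host,
        PeerPort => $peer_port,
        Proto    => 'tcp',
        Timeout  => 10,
    ) or die "TCP connect to $peer_host:$peer_port failed: $!\n";

    # On port 25/587 the EHLO/STARTTLS exchange would happen here; this
    # example assumes a port that speaks TLS immediately.
    my $opts = tls_upgrade_options($peer_host, $user_opts);
    IO::Socket::SSL->start_SSL($sock, %$opts)
        or die "Upgrading socket to TLS failed: $IO::Socket::SSL::SSL_ERROR\n";
    return $sock;
}

unless (caller) {
    my ($host, $port) = @ARGV;
    die "usage: $0 <host> <port>   (e.g. an SMTPS listener on 465)\n"
        unless defined $host && defined $port;

    # Compare the two option sets before touching the network.
    my $broken = broken_upgrade_options();
    my $fixed  = tls_upgrade_options($host);
    printf "without fix: SSL_verifycn_name=%s\n",
        $broken->{SSL_verifycn_name} // '(unset: start_SSL will fail)';
    printf "with fix:    SSL_verifycn_name=%s SSL_hostname=%s\n",
        $fixed->{SSL_verifycn_name}, $fixed->{SSL_hostname};

    my $tls = connect_and_upgrade($host, $port);
    printf "TLS established, peer certificate subject: %s\n",
        $tls->peer_certificate('subject') // '(none)';
    $tls->close(SSL_ctx_free => 1);
}

1;
```

Run it as `perl example.pl mx.example.invalid 465` (constructed host name) against a host whose certificate matches the name given on the command line; connecting by IP address instead of by name will be rejected by the `smtp` scheme unless the certificate carries that address, which is the correct outcome rather than a defect of the helper.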