Bug#887489: exim4: callout timeout in recipient verify can result in the lost of the TLS incoming connexion
Yvon Lafaille
yvon.lafaille at unilim.fr
Wed Jan 17 10:11:51 UTC 2018
Package: exim4
Version: 4.89-2+deb9u2
Severity: normal
Tags: upstream
Dear Maintainer,
This bug was discoverd in a complex configuration.
This configuration is an artificial simple configuration which only purpose is to reproduce the bug.
The bug is showing when a message is sent to an address routed to an unreachable MTA (for instance a stopped one) and when, for the recipient domain, exists an ACL with a verify recipient callout with a short timeout.
It is expected that message will be queued
In fact, an error 421 is returned.
The interesting part of the debug output :
...
end of ACL "acl_local_check_rcpt": ACCEPT
SMTP>> 250 Accepted
tls_do_write(0x5617a4424e90, 14)
gnutls_record_send(SSL, 0x5617a4424e90, 14)
outbytes=14
DSN: orcpt: NULL flags: 0
Calling gnutls_record_recv(0x5617a472e630, 0x5617a4b4ea00, 4096)
Got tls read timeout
SMTP>> 421 smtp-dev.unilim.fr lost input connection
tls_do_write(0x5617a4424e90, 46)
gnutls_record_send(SSL, 0x5617a4424e90, 46)
outbytes=46
LOG: lost_incoming_connection MAIN
unexpected disconnection while reading SMTP command from dsiport-yl.unilim.fr (164.81.3.93) [164.81.3.93]
SMTP>>(close on process exit)
...
The most significant lines are :
Calling gnutls_record_recv(0x5617a472e630, 0x5617a4b4ea00, 4096)
Got tls read timeout
Probable cause :
Il seems that the timeout of the callout is interfering with the timeout of the TLS incoming connection.
How to reproduce ?
Detail of the procedure to reproduce the bug :
Working on a test server with a test configuration only made to reproduce the bug
Add this acl at the beginning of acl_check_rcpt
accept
domains = <an existing domain - for instance gmail.com>
verify = recipient/defer_ok/callout=1s,defer_ok
Add this router at the beginning of the router list
test_route:
driver = manualroute
domains = gmail.com
transport = remote_smtp
route_data = <stopped or unreacheable server - This server has to resolve in dns>
Try to connect whith SSL and send a message to "this-address.does-not-exist at gmail.com"
You are expecting that your message will be queued ,
In fact it will produce the lost of the incoming connection
Il is a very bad behaviour especially with MUA.
Command from a client workstation to reproduce the bug :
$ openssl s_client -connect <your test server>:465 -quiet
MAIL FROM: <postmaster@<your domain>>
RCPT TO: <this-address.does-not-exist at gmail.com>
DATA
Here your are receiving an error indicating that the incoming connection is lost
Example of the command with the responses :
$ openssl s_client -connect smtp-dev.unilim.fr:465 -quiet
depth=1 C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN = TERENA SSL CA 3
verify error:num=20:unable to get local issuer certificate
verify return:0
220 smtp-dev.unilim.fr ESMTP Exim 4.89 Tue, 10 Oct 2017 12:32:14 +0200
MAIL FROM: <postmaster at unilim.fr>
250 OK
RCPT TO: <this-address.does-not-exist at gmail.com>
250 Accepted
DATA
421 smtp-dev.unilim.fr lost input connection
read:errno=0
I am thinking that the timeout on the callout is interfering with the tls timeout on the incoming connection.
Sincerely
-- Package-specific info:
Exim version 4.89 #1 built 28-Nov-2017 21:58:00
Copyright (c) University of Cambridge, 1995 - 2017
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2017
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS move_frozen_messages Content_Scanning DKIM DNSSEC Event OCSP PRDR PROXY SOCKS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa tls
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated
-- System Information:
Debian Release: 9.3
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages exim4 depends on:
ii debconf [debconf-2.0] 1.5.61
ii exim4-base 4.89-2+deb9u2
ii exim4-daemon-heavy 4.89-2+deb9u2
exim4 recommends no packages.
exim4 suggests no packages.
-- debconf information:
exim4/drec:
More information about the Pkg-exim4-maintainers
mailing list