Bug#934761: exim4: 2) Callout timeout in recipient verify can result in the lost of the TLS incoming connexion

Martin Duspiva martin.duspiva at aira.cz
Wed Aug 14 15:09:12 BST 2019


Package: exim4
Version: 4.92-8+deb10u1~bpo9+1
Severity: normal
Tags: upstream

Dear Maintainer,

I think that bug #887489, which is already archived, still persists.
I have Debian 9 with backported Exim4 ( 4.92-8+deb10u1~bpo9+1 ) and the callout function in the rcpt ACL has the same bad behavior as described in bug #887489.

My acl rule in acl_smtp_rcpt :

  accept hosts =  +relay_from_hosts
        !verify = recipient/defer_ok/callout=30s,defer_ok,use_sender
        ratelimit = NONEX_LIM / NONEX_PERIOD / per_rcpt / relayuser-$acl_m_user
        continue = ${run{SHELL -c "echo $acl_m_user \
           >>$spool_directory/blocked_relay_users; \
           \N{\N echo Subject: relay user $acl_m_user blocked; echo; echo \
           because has sent mail to NONEX_LIM invalid recipients during NONEX_PERIOD.; \
           \N}\N | NONEX_EXIMBINARY NONEX_WARNTO"}}
        control = freeze/no_tell
        control = submission/domain=
        add_header = X-Relayed-From: $acl_m_user

And relay hosts sometimes get the following 421 error when sending email:
"SMTP command timeout on TLS connection from of.aira.cz (remote.aira.cz) [84.242.100.166]"


This is in Exim's debug log:

 5272 tls_write(0x5639a0cfa550, 14)
 5272 gnutls_record_send(SSL, 0x5639a0cfa550, 14)
 5272 outbytes=14
 5272 DSN: orcpt: NULL  flags: 0
 5272 Calling gnutls_record_recv(0x5639a0d8d410, 0x5639a11560e0, 4096)
 5272 GnuTLS<3>: ASSERT: buffers.c[_gnutls_io_read_buffered]:587
 5272 GnuTLS<3>: ASSERT: record.c[_gnutls_recv_int]:1473
 5272 LOG: lost_incoming_connection MAIN
 5272   SMTP command timeout on TLS connection from of.aira.cz (remote.aira.cz) [84.242.100.166]
 5272 SMTP>> 421 holub.aira.cz: SMTP command timeout - closing connection

The ACL works well with the "callout" line commented out.




-- Package-specific info:
Exim version 4.92 #3 built 21-Jul-2019 09:43:55
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2018
Berkeley DB: Berkeley DB 5.3.28: (September  9, 2013)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS move_frozen_messages Content_Scanning DANE DKIM DNSSEC Event OCSP PRDR PROXY SOCKS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa tls
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Malware: f-protd f-prot6d drweb fsecure sophie clamd avast sock cmdline
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file search path is /etc/exim4/exim4.conf:/var/lib/exim4/config.autogenerated
Configuration file is /etc/exim4/exim4.conf
# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to generate
# exim configuration macros for the configuration file.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file

dc_eximconfig_configtype='local'
dc_other_hostnames='holub.aira.cz'
dc_local_interfaces='127.0.0.1 ; ::1'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname=''
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'
mailname:holub.aira.cz
# /etc/default/exim4
EX4DEF_VERSION=''

# 'combined' -	 one daemon running queue and listening on SMTP port
# 'no'       -	 no daemon running the queue
# 'separate' -	 two separate daemons
# 'ppp'      -   only run queue with /etc/ppp/ip-up.d/exim4.
# 'nodaemon' - no daemon is started at all.
# 'queueonly' - only a queue running daemon is started, no SMTP listener.
# setting this to 'no' will also disable queueruns from /etc/ppp/ip-up.d/exim4
QUEUERUNNER='combined'
# how often should we run the queue
QUEUEINTERVAL='10m'
# options common to quez-runner and listening daemon
COMMONOPTIONS=''
# more options for the daemon/process running the queue (applies to the one
# started in /etc/ppp/ip-up.d/exim4, too.
QUEUERUNNEROPTIONS=''
# special flags given to exim directly after the -q. See exim(8)
QFLAGS=''
# options for daemon listening on port 25
SMTPLISTENEROPTIONS=''

-- System Information:
Debian Release: 9.9
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-9-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages exim4 depends on:
ii  debconf [debconf-2.0]  1.5.61
ii  exim4-base             4.92-8+deb10u1~bpo9+1
ii  exim4-daemon-heavy     4.92-8+deb10u1~bpo9+1

exim4 recommends no packages.

exim4 suggests no packages.

-- debconf information:
  exim4/drec:
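
Added example, not part of the original report: a small Python tally of "SMTP command timeout" lines from an Exim main log, split by TLS and cleartext sessions per client IP, to show which relay hosts see the symptom quoted above. The sample log lines are constructed, and the timestamp prefix and the cleartext variant of the message are assumptions about the main log format.

```python
import re
from collections import Counter

# Matches the log text quoted in the report. The " TLS" token is assumed
# to be absent when the inbound session was not encrypted.
TIMEOUT_RE = re.compile(
    r"SMTP command timeout on( TLS)? connection from "
    r"(?P<host>.*?)\s*\[(?P<ip>[0-9A-Fa-f:.]+)\]"
)

# Constructed sample main-log lines (only the first message text is from the report).
SAMPLE_LOG = """\
2019-08-14 10:01:07 SMTP command timeout on TLS connection from of.aira.cz (remote.aira.cz) [84.242.100.166]
2019-08-14 10:05:44 SMTP command timeout on connection from (client.example) [192.0.2.10]
2019-08-14 10:17:31 SMTP command timeout on TLS connection from of.aira.cz (remote.aira.cz) [84.242.100.166]
2019-08-14 10:20:02 SMTP connection from [192.0.2.77] lost while reading message data
2019-08-14 10:31:19 SMTP command timeout on TLS connection from [198.51.100.5]
"""


def tally_timeouts(lines):
    """Return {ip: Counter(tls=n, plain=n)} for SMTP command timeouts."""
    counts = {}
    for line in lines:
        m = TIMEOUT_RE.search(line)
        if not m:
            continue  # unrelated log line
        kind = "tls" if m.group(1) else "plain"
        counts.setdefault(m.group("ip"), Counter())[kind] += 1
    return counts


def tls_only_hosts(counts, threshold=2):
    """IPs with at least `threshold` TLS timeouts and no cleartext ones."""
    return sorted(
        ip for ip, c in counts.items()
        if c["tls"] >= threshold and c["plain"] == 0
    )


if __name__ == "__main__":
    result = tally_timeouts(SAMPLE_LOG.splitlines())
    for ip, c in sorted(result.items()):
        print(f"{ip}: tls={c['tls']} plain={c['plain']}")
    print("repeated TLS-only timeouts:", tls_only_hosts(result))
```

A host that appears only in the TLS column and is also listed in relay_from_hosts is a candidate for the callout interaction described in the report; a host with cleartext timeouts as well more likely has an unrelated network problem.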


