
tlsproxy failed / flooded log

Hello,

Today I enabled smtp_tls_connection_reuse on some production servers.
After approx. an hour and ~70 reused SMTP connections, tlsproxy on two
machines logged this:

...
Sep 6 09:03:52 idvmailout03 postfix/tlsproxy[18637]: DISCONNECT
[213.23.92.204]:25
Sep 6 09:03:59 idvmailout03 postfix/tlsproxy[18637]: warning: TLS
library problem: error:1409F07F:SSL routines:ssl3_write_pending:bad
write retry:ssl/record/rec_layer_s3.c:1131:
Sep 6 09:03:59 idvmailout03 postfix/tlsproxy[18637]: warning: TLS
library problem: error:140E0197:SSL routines:SSL_shutdown:shutdown
while in init:ssl/ssl_lib.c:2077:
Sep 6 09:03:59 idvmailout03 postfix/tlsproxy[18637]: warning: TLS
library problem: error:140E0197:SSL routines:SSL_shutdown:shutdown
while in init:ssl/ssl_lib.c:2077:
Sep 6 09:03:59 idvmailout03 postfix/tlsproxy[18637]: warning: TLS
library problem: error:140E0197:SSL routines:SSL_shutdown:shutdown
while in init:ssl/ssl_lib.c:2077:
...

...
Sep 6 09:03:47 idvmailout04 postfix/tlsproxy[22852]: DISCONNECT
[77.75.78.42]:25
Sep 6 09:03:49 idvmailout04 postfix/tlsproxy[22852]: warning: TLS
library problem: error:1409F07F:SSL routines:ssl3_write_pending:bad
write retry:ssl/record/rec_layer_s3.c:1131:
Sep 6 09:03:49 idvmailout04 postfix/tlsproxy[22852]: warning: TLS
library problem: error:140E0197:SSL routines:SSL_shutdown:shutdown
while in init:ssl/ssl_lib.c:2077:
Sep 6 09:03:49 idvmailout04 postfix/tlsproxy[22852]: warning: TLS
library problem: error:140E0197:SSL routines:SSL_shutdown:shutdown
while in init:ssl/ssl_lib.c:2077:
Sep 6 09:03:49 idvmailout04 postfix/tlsproxy[22852]: warning: TLS
library problem: error:140E0197:SSL routines:SSL_shutdown:shutdown
while in init:ssl/ssl_lib.c:2077:
...

This continued until the logfile occupied all disk space, with up to 15k
lines per second.

After I enabled smtp_tls_connection_reuse, there was only one tlsproxy process:

Sep 6 08:26:21 idvmailout04 postfix/tlsproxy[21687]: CONNECT to
[80.67.18.126]:25
Sep 6 08:28:19 idvmailout04 postfix/tlsproxy[21687]: DISCONNECT
[193.158.9.202]:25

Sep 6 08:28:25 idvmailout04 postfix/tlsproxy[21832]: CONNECT to
[176.9.125.207]:25
Sep 6 08:31:19 idvmailout04 postfix/tlsproxy[21832]: DISCONNECT
[64.233.166.27]:25

but very quickly postfix began to spawn two overlapping instances:

Sep 6 08:30:43 idvmailout04 postfix/tlsproxy[21961]: CONNECT to
[104.47.4.36]:25
Sep 6 08:32:05 idvmailout04 postfix/tlsproxy[21961]: DISCONNECT
[193.143.77.14]:25

Sep 6 08:31:25 idvmailout04 postfix/tlsproxy[22024]: CONNECT to
[194.8.120.225]:25
Sep 6 08:32:48 idvmailout04 postfix/tlsproxy[22024]: DISCONNECT
[185.15.192.56]:25

Sep 6 08:32:55 idvmailout04 postfix/tlsproxy[22075]: CONNECT to
[95.130.253.60]:25
Sep 6 08:36:18 idvmailout04 postfix/tlsproxy[22075]: DISCONNECT
[91.220.42.201]:25

These are the non-default options for tlsproxy:
tls_high_cipherlist =
HIGH:+aRSA:+SHA384:+SHA256:+DH:+SHA:+kRSA:!eNULL:!aNULL:!PSK:!SRP:!AESCCM:!DSS:!ARIA
tls_medium_cipherlist = aNULL:-aNULL:CHACHA20:HIGH:MEDIUM:+RC4:@STRENGTH
tls_preempt_cipherlist = yes

Interesting:
# postconf tls_fast_shutdown_enable
postconf: warning: tls_fast_shutdown_enable: unknown parameter

http://www.postfix.org/postconf.5.html#tls_fast_shutdown_enable says
nothing about a specific postfix version number being required for this
parameter,
but http://www.postfix.org/tlsproxy.8.html does say
tls_fast_shutdown_enable is available in 3.4.6.
Also, it's a very new feature:
http://www.postfix.org/announcements/postfix-3.4.6.html

# postconf mail_version
mail_version = 3.4.6

A grep in the source also found "tls_fast_shutdown" without "_enable"

# postconf tls_fast_shutdown
tls_fast_shutdown = yes

Looks like the documentation is incorrect. But may that be related to
the problem?
postconf -Mf and postconf -f attached.
Just disabled smtp_tls_connection_reuse again...

Andreas
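As an added example (not code from the post or from Postfix), here is a small log check that would have caught the flood described above before it filled the disk: it parses tlsproxy syslog lines, extracts the OpenSSL error code from each "TLS library problem" warning, and flags any tlsproxy PID that repeats the same error more than a threshold number of times within a single second. The sample lines are constructed to mirror the excerpt in the post; the line format and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the post's excerpt (not a real capture).
SAMPLE_LOG = """\
Sep 6 09:03:52 idvmailout03 postfix/tlsproxy[18637]: DISCONNECT [213.23.92.204]:25
Sep 6 09:03:59 idvmailout03 postfix/tlsproxy[18637]: warning: TLS library problem: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry:ssl/record/rec_layer_s3.c:1131:
Sep 6 09:03:59 idvmailout03 postfix/tlsproxy[18637]: warning: TLS library problem: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init:ssl/ssl_lib.c:2077:
Sep 6 09:03:59 idvmailout03 postfix/tlsproxy[18637]: warning: TLS library problem: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init:ssl/ssl_lib.c:2077:
Sep 6 09:03:59 idvmailout03 postfix/tlsproxy[18637]: warning: TLS library problem: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init:ssl/ssl_lib.c:2077:
Sep 6 09:04:00 idvmailout04 postfix/tlsproxy[22852]: CONNECT to [77.75.78.42]:25
"""

# Assumed syslog layout: "<Mon> <day> <HH:MM:SS> <host> postfix/tlsproxy[<pid>]: <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/tlsproxy\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# OpenSSL error string: error:<8 hex digits>:SSL routines:<function>:<reason>:<file>:<line>:
ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-F]{8}):SSL routines:(?P<func>[^:]+):(?P<reason>[^:]+)"
)


def parse(log_text):
    """Yield (timestamp, host, pid, error) per tlsproxy line; error is
    (code, function, reason) or None when the line carries no OpenSSL error."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = ERR_RE.search(m["msg"])
        err = (e["code"], e["func"], e["reason"]) if e else None
        yield m["ts"], m["host"], m["pid"], err


def find_flooding_pids(log_text, threshold=3):
    """Return {(host, pid): (second, count, error)} for every tlsproxy process
    that logs the same OpenSSL error at least `threshold` times in one second.
    A healthy proxy logs each TLS failure once; a tight repeat is the spin that
    filled the disk in the post."""
    counts = Counter()
    for ts, host, pid, err in parse(log_text):
        if err:
            counts[(host, pid, ts, err)] += 1
    flooding = {}
    for (host, pid, ts, err), n in counts.items():
        worst = flooding.get((host, pid), (None, 0, None))[1]
        if n >= threshold and n > worst:
            flooding[(host, pid)] = (ts, n, err)
    return flooding
```

Run against the live log (e.g. piped from the mail log) and alert on a non-empty result; the error tuple tells you which OpenSSL path is looping.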