Add new option tls_ignore_missing_close_notify #94
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Introduced tls_ignore_missing_close_notify to handle servers that do not send the TLS close_notify alert on shutdown. - This addresses a common issue with both Gmail and Yandex servers, which intentionally omit close_notify to save a roundtrip, despite it being against the TLS protocol. - Without this option, the omission generates spurious errors in logs, such as: "2024-10-12 09:22:27 1szVWE-0071qn-2C H=gmail-smtp-in.l.google.com [142.250.102.27] TLS error on connection (recv_tls_read): The TLS connection was non-properly terminated." - The new option allows treating this as a normal EOF, equivalent to OpenSSL's SSL_OP_IGNORE_UNEXPECTED_EOF.
ametzler
reviewed
Oct 12, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
quoting php/php-src#8369
It's the same issue here, turns out that gmail and yandex is among the
huge amount of non-compliant servers, and it's triggering GnuTLS.The issue is so common that:
SSL_OP_IGNORE_UNEXPECTED_EOFbut GnuTLS (which Debian and Ubuntu's exim4 links to) does not have a setting to ignore it (or didn't last time I checked.. wouldn't surprise me if future versions of GnuTLS adds it)
The Exim Project does not use GitHub Issues
Hey, we want your input, but we want to make sure that we actually see it and
that your help is not wasted, so please read this.
The GitHub repo exists for convenience for some folks, and to host our Wiki.
The Git repo is an automated clone of our real repo over at
https://git.exim.org/exim.git.
Sometimes a maintainer will take a look at GitHub pull requests, just because
we care about the software and want to know about issues, but expect long
delays. It's not a really supported workflow.
Our bug-tracker takes code-patches and is the place to go:
https://bugs.exim.org/
If you've found a security bug, then please email [email protected].
All Exim Maintainers can and do use PGP.
Keyring: https://ftp.exim.org/pub/exim/Exim-Maintainers-Keyring.asc
We don't have a re-encrypting mailer, just encrypt to all of them please.
If this is too much hassle ...
We do periodically get around to checking GitHub Pull Requests.
It just won't be fast.
Patches should update the documentation,
doc/doc-docbook/spec.xfpt; if youlike, just provide the plaintext which should go in there and we can mark it
up.
If it's a whole new feature, then please guard it with a build
option
EXPERIMENTAL_FOO; docs are in plaintext indoc/doc-txt/experimental-spec.txt.If you're feeling particularly thorough, these files get updated too:
doc/doc-txt/ChangeLog: all changes; workflow pre-dates Gitdoc/doc-txt/NewStuff: if it's a change in intended behavior which postmasters should readdoc/doc-txt/OptionLists.txt: (we usually defer this until cutting a release)src/README.UPDATING: if you're breaking backwards compatibilityThanks!