exim4 GnuTLS breakage with outgoing TLS 1.3 "Resource temporarily unavailable"

Bug #1971489 reported by Kamal Mostafa
This bug affects 3 people
Affects         Status        Importance  Assigned to       Milestone
exim            Fix Released  Unknown
exim4 (Ubuntu)  Fix Released  High        Unassigned
  Trusty        Won't Fix     Undecided   Unassigned
  Xenial        Won't Fix     Undecided   Unassigned
  Bionic        Incomplete    Undecided   Bryce Harrington

Bug Description

Very recently, my (unchanged for years) bionic exim4 flow (outgoing SMTP -> smtp.canonical.com) abruptly stopped working, with exim4 log as follows:

  SMTP<< 220 smtp-relay-canonical-1.canonical.com ESMTP Postfix (Ubuntu)
  SMTP>> EHLO myhostname
  SMTP<< 250-smtp-relay-canonical-1.canonical.com
         250-PIPELINING
         250-SIZE 61440000
         250-VRFY
         250-ETRN
         250-STARTTLS
         250-ENHANCEDSTATUSCODES
         250-8BITMIME
         250-DSN
         250-SMTPUTF8
         250 CHUNKING
  SMTP>> STARTTLS
  SMTP<< 220 2.0.0 Ready to start TLS
  SMTP>> EHLO myhostname
  H=smtp.canonical.com [185.125.188.121] TLS error on connection (recv): Resource temporarily unavailable, try again.
  SMTP(close)>>
  H=smtp.canonical.com [185.125.188.121]: Remote host closed connection in response to EHLO myhostname

This appears to be a manifestation of this exim4 bug which was fixed in exim4 (4.92): https://bugs.exim.org/show_bug.cgi?id=2359
See also: https://<email address hidden>/msg53121.html

I found and installed a PPA version of exim4 (4.94) for bionic, which did fix the problem for me.

I believe that all Ubuntu versions which supply exim4 < 4.92 {Bionic, Xenial, Trusty} are affected by this bug, which leaves exim4 mysteriously broken when the server side happens to move to TLS 1.3.

I suggest updating exim4 on the affected Ubuntu versions.


Revision history for this message
In , Jgh146exb (jgh146exb) wrote :

[jgh: edited to hide identifying info]

Created attachment 1160 [details]
First shot at a fix.

Hello,

exim (4.92 rc2) built against gnutls >= 3.6.5 supports TLS 1.3. However, while incoming connections seem to work, outgoing TLS 1.3 is totally broken; mails are stuck in the queue.
----------------------
16:09:51 23494 cipher: TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256
16:09:51 23494 Have channel bindings cached for possible auth usage.
16:09:51 23494 SMTP>> EHLO <elided>
16:09:51 23494 cmd buf flush 22 bytes
16:09:51 23494 tls_write(0x7ffe02af0cd0, 22)
16:09:51 23494 gnutls_record_send(SSL, 0x7ffe02af0cd0, 22)
16:09:51 23494 outbytes=22
16:09:51 23494 Calling gnutls_record_recv(0x559451c5fe30, 0x7ffe02aefcd0, 4096)
16:09:51 23494 GnuTLS<3>: ASSERT: ../../lib/buffers.c[get_last_packet]:1171
16:09:51 23494 GnuTLS<3>: ASSERT: ../../lib/buffers.c[_gnutls_handshake_io_recv_int]:1431
16:09:51 23494 GnuTLS<3>: ASSERT: ../../lib/record.c[_gnutls_recv_in_buffers]:1560
16:09:51 23494 GnuTLS<3>: ASSERT: ../../lib/record.c[_gnutls_recv_int]:1759
16:09:51 23494 tls_read: err from gnutls_record_recv(
16:09:51 23494 LOG: MAIN
16:09:51 23494 H=<elided> [<elided>] TLS error on connection (recv): Resource temporarily unavailable, try again.
16:09:51 23494 SMTP(No such file or directory)<<
16:09:51 23494 tls_close(): shutting down TLS
16:09:51 23494 GnuTLS<3>: ASSERT: ../../lib/buffers.c[_gnutls_io_write_flush]:696
16:09:51 23494 SMTP(close)>>
16:09:51 23494 LOG: MAIN
----------------------

(Thanks, Jeremy Harris, for help with this and providing a test server to connect to.)

The error seems to be caused by exim regarding gnutls_record_recv() returning a value <0 as a fatal error, while GNUTLS_E_AGAIN will happen in a normal TLS1.3 connection, due to the changed handshake.
See https://gitlab.com/gnutls/gnutls/issues/644#note_123363338

Attached patch seems to work for me; Jeremy said he had tested something similar, so we'd better use his version.

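The retry behaviour described in the comment above, as an added example (my own code, not exim's tls-gnu.c and not the attached patch): a scripted stand-in replaces gnutls_record_recv() so it runs without a TLS stack, and the 152-byte reply size, the FAKE_FATAL_ERROR code and the retry cap are constructed assumptions; the two GnuTLS error values are the library's real ones.

```c
#include <string.h>

/* Error codes as defined in GnuTLS's public header gnutls/gnutls.h. */
#define GNUTLS_E_AGAIN       (-28)
#define GNUTLS_E_INTERRUPTED (-52)
#define FAKE_FATAL_ERROR     (-999)  /* constructed stand-in for any other error */

/* Scripted stand-in for gnutls_record_recv() (>0 bytes, <0 GnuTLS error, 0 peer
   closed): a constructed sequence so the example runs without a TLS stack. */
typedef struct { const int *seq; size_t n, pos; } recv_script;

static int scripted_recv(recv_script *s, char *buf, size_t len) {
    if (s->pos >= s->n) return 0;
    int rc = s->seq[s->pos++];
    if (rc > 0) { if ((size_t)rc > len) rc = (int)len; memset(buf, 'x', (size_t)rc); }
    return rc;
}

/* Pre-fix logic (Exim < 4.92): any negative return is fatal, which under TLS 1.3
   trips on the GNUTLS_E_AGAIN GnuTLS reports after absorbing the session ticket. */
static int tls_read_old(recv_script *s, char *buf, size_t len) {
    int rc = scripted_recv(s, buf, len);
    return rc < 0 ? -1 : rc;
}

/* Fixed logic: retry only on the two "try again" codes, fail on anything else.
   The retry cap is an added safeguard, not part of the upstream patch. */
static int tls_read_fixed(recv_script *s, char *buf, size_t len) {
    int rc, tries = 0;
    do rc = scripted_recv(s, buf, len);
    while ((rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED) && ++tries < 64);
    return rc < 0 ? -1 : rc;
}

/* EHLO-after-STARTTLS as in the log: one GNUTLS_E_AGAIN, then a 152-byte reply
   (constructed size). Returns bytes read, or -1 if the reader gave up. */
int ehlo_reply_bytes(int with_fix) {
    static const int seq[] = { GNUTLS_E_AGAIN, 152 };
    recv_script s = { seq, 2, 0 };
    char buf[4096];
    return with_fix ? tls_read_fixed(&s, buf, sizeof buf) : tls_read_old(&s, buf, sizeof buf);
}

/* A genuine error after an interrupted read must still surface as -1. */
int genuine_error_result(void) {
    static const int seq[] = { GNUTLS_E_INTERRUPTED, FAKE_FATAL_ERROR, 10 };
    recv_script s = { seq, 3, 0 };
    char buf[64];
    return tls_read_fixed(&s, buf, sizeof buf);
}
```

The old reader returns -1 (connection torn down) on the same byte sequence the fixed reader handles, while a real error still fails.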
In , Git-p (git-p) wrote :

Git commit: https://git.exim.org/exim.git/commitdiff/518b70e9d6f6e221e08aebd117bf85745f52c06d

commit 518b70e9d6f6e221e08aebd117bf85745f52c06d
Author: Heiko Schlittermann (HS12-RIPE) <email address hidden>
AuthorDate: Wed Dec 26 12:04:29 2018 +0100
Commit: Heiko Schlittermann (HS12-RIPE) <email address hidden>
CommitDate: Thu Dec 27 14:36:19 2018 +0100

    Update Changelog for GnuTLS and TLS 1.3 Bug 2359

    Fix is in 4896a3192ffac48885347460377edcd893eb9600
---
 doc/doc-txt/ChangeLog | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index ec7c8ac..806081b 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -5,13 +5,6 @@ affect Exim's operation, with an unchanged configuration file. For new
 options, and new features, see the NewStuff file next to this ChangeLog.

-Exim version 4.93
------------------
-
-JH/01 GnuTLS: repeat lowlevel read and write operations while they return error
- codes indicating retry. Under TLS1.3 this becomes required.
-
-
 Exim version 4.92
 -----------------

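Review bot: Removing the `-Exim version 4.93` header and its `------------------` underline together with the JH/01 entry leaves the ChangeLog with no 4.93 section at all, so the next 4.93 change will have to recreate it; if the intent is only to move the entry into the 4.92 section (as the second hunk does), keep the header and its trailing blank line and delete just the two entry lines.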
@@ -187,6 +180,9 @@ JH/39 OpenSSL: clear the error stack after an SSL_accept(). With anon-auth
       accept; this results in impossible error messages when a later operation
       actually does fail.

+AM/01 Bug 2359: GnuTLS: repeat lowlevel read and write operations while they return error
+ codes indicating retry. Under TLS1.3 this becomes required.
+

 Exim version 4.91
 -----------------

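Review bot: The continuation line `+ codes indicating retry. Under TLS1.3 this becomes required.` is indented by one space, whereas the surrounding entries (e.g. `      accept; this results in impossible error messages when a later operation`) indent continuations by six, and the first line at roughly 90 columns runs past the wrap width the rest of the file uses. Suggest re-wrapping as `AM/01 Bug 2359: GnuTLS: repeat lowlevel read and write operations while` / `      they return error codes indicating retry. Under TLS1.3 this becomes` / `      required.`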
In , Git-p (git-p) wrote :

Git commit: https://git.exim.org/exim.git/commitdiff/2cf48743cc4bf8b99b4db880fa06a4768222d257

commit 2cf48743cc4bf8b99b4db880fa06a4768222d257
Author: Heiko Schlittermann (HS12-RIPE) <email address hidden>
AuthorDate: Thu Dec 27 14:34:56 2018 +0100
Commit: Heiko Schlittermann (HS12-RIPE) <email address hidden>
CommitDate: Thu Dec 27 14:34:56 2018 +0100

    Update Changelog for GnuTLS 1.3 related fix Bug 2359

    Fix is in 06faf21f3a84a3ac4aa4f7b1512087423d8c8541
---
 doc/doc-txt/ChangeLog | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index db6df25..f78b200 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -8,7 +8,7 @@ options, and new features, see the NewStuff file next to this ChangeLog.
 Exim version 4.93
 -----------------

-JH/01 GnuTLS: repeat lowlevel read and write operations while they return error
+AM/01 Bug 2359: GnuTLS: repeat lowlevel read and write operations while they return error
       codes indicating retry. Under TLS1.3 this becomes required.

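Review bot: The rewritten line `+AM/01 Bug 2359: GnuTLS: repeat lowlevel read and write operations while they return error` is now about 95 columns, beyond the wrap width of the entries around it, while its continuation `       codes indicating retry. Under TLS1.3 this becomes required.` is still wrapped for the old length; reflow both lines together rather than only prefixing the first. Separately, this commit message names the fix as 06faf21f3a84a3ac4aa4f7b1512087423d8c8541 while commit 518b70e9 for the same Bug 2359 names 4896a3192ffac48885347460377edcd893eb9600; one of the two references should be corrected so the ChangeLog entry can be traced to the right code change.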
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in exim4 (Ubuntu Bionic):
status: New → Confirmed
Changed in exim4 (Ubuntu Trusty):
status: New → Confirmed
Changed in exim4 (Ubuntu Xenial):
status: New → Confirmed
Changed in exim4 (Ubuntu):
status: New → Confirmed
Athos Ribeiro (athos-ribeiro) wrote :

This is the patch for the bug referenced by the reporter:

https://git.exim.org/exim.git/commitdiff/06faf21f3a84a3ac4aa4f7b1512087423d8c8541

Next steps would be to verify whether the patch applies cleanly and to find a minimal reproducer to ensure it does fix the issue.

Kamal, would you be able to come up with such a reproducer?

Changed in exim4 (Ubuntu Trusty):
status: Confirmed → Won't Fix
Changed in exim4 (Ubuntu Xenial):
status: Confirmed → Won't Fix
Changed in exim4 (Ubuntu Bionic):
status: Confirmed → Triaged
Athos Ribeiro (athos-ribeiro) wrote :

Note that Xenial and Trusty are no longer under standard support.

Kamal Mostafa (kamalmostafa) wrote :

| Kamal, would you be able to come up with such reproducer?

No, but I would be happy to attempt repro'ing it with the old package and the same environment, and then try a test fix .deb package ... if someone wants to construct one.

Lena Voytek (lvoytek) wrote :

Hello Kamal,

I added the patch Athos provided to bionic in the ppa located here:

https://launchpad.net/~lvoytek/+archive/ubuntu/exim4-fix-gnutls-retry-rw

If this fixes the issue for you then we can confirm that the patch provided is correct.

Thanks!

Kamal Mostafa (kamalmostafa) wrote :

@lvoytek, Yes, I confirm that your patched PPA build does fix the problem for me. Thanks!

Received: from kamal by ascalon with local (Exim 4.90_1) (envelope-from <kamal@ascalon>) id 1noVcW-0000Xb-Rp for <email address hidden>; Tue, 10 May 2022 12:34:08 -0700
From: Kamal Mostafa <email address hidden>
To: <email address hidden>
Subject: does this PPA version work?
Date: Tue, 10 May 2022 12:34:04 -0700
Message-Id: <email address hidden>
X-Mailer: git-send-email 2.17.1

exim4:
  Installed: 4.90.1-1ubuntu1.9~ppa1
  Candidate: 4.90.1-1ubuntu1.9~ppa1
  Version table:
 *** 4.90.1-1ubuntu1.9~ppa1 500
        500 http://ppa.launchpad.net/lvoytek/exim4-fix-gnutls-retry-rw/ubuntu bionic/main amd64 Packages
        500 http://ppa.launchpad.net/lvoytek/exim4-fix-gnutls-retry-rw/ubuntu bionic/main i386 Packages
        100 /var/lib/dpkg/status

tags: added: server-todo
Sergio Durigan Junior (sergiodj) wrote :

Thanks for taking the time to test the patch, Kamal :-).

As Athos already mentioned above, we will need a reproducer in order to move forward with the SRU. Unfortunately this means that the bug will be put in our queue until someone has the time to work more on it and come up with a way to reproduce the problem.

As a side note: because Kinetic is not affected by the bug, I've marked its task as "Fix Released".

Thanks.

Changed in exim4 (Ubuntu):
status: Confirmed → Fix Released
Changed in exim4 (Ubuntu Bionic):
assignee: nobody → Bryce Harrington (bryce)
Bryce Harrington (bryce) wrote :

I reviewed the upstream mailing list discussion, and tried some of the example commands they discussed but was not able to reproduce the issue.

I'm guessing this could be constructed by setting up a bionic LXC container with exim4 installed, then attempting to send email to a gmail host?

    $ sudo apt-get install exim4
    $ sudo exim4 -d-all+tls <...something...> <gmail host>

And then observe log output such as in the original bug description.

Advice on how to set up a reproducer would be appreciated.

Changed in exim4 (Ubuntu Bionic):
status: Triaged → Incomplete
Changed in exim:
status: Unknown → Fix Released
tags: removed: server-todo
Bryce Harrington (bryce)
Changed in exim4 (Ubuntu Bionic):
status: Incomplete → New
status: New → Incomplete