Michael Grimm
2020-Nov-22 13:37 UTC
12.2-STABLE: Commit 367740 breaks IMAP/SMTP server authentication
Hi,

I am running 12.2-STABLE and VNET jails, one of which hosts a recent Dovecot IMAP and a recent postfix SMTP server. Authentication is forced via TLS/SSL for both services (ports 587 and 993). Setup is as follows:

    extIF0/pf/NAT <-> epairXa (bridge0) epairXb <-> jail

A recent upgrade broke mailing of IMAP clients running at macOS 10.14.6 (Mojave) and AVM's push service (Fritzbox), but *not* for IMAP clients running at macOS 10.15.7 (Catalina). Strange.

Findings at macOS 10.14.6 (exemplified for IMAP):

1) mac$ nc -4vw 1 mail.xyz.zzz 993
    found 0 associations
    found 1 connections:
         1: flags=82<CONNECTED,PREFERRED>
            outif en0
            src 1.2.3.4 port 49583
            dst 11.22.33.44 port 993
            rank info not available
            TCP aux info available

    Connection to mail.xyz.zzz port 993 [tcp/imaps] succeeded!

2) mac$ openssl s_client -crlf -connect mail.xyz.zzz:993 -debug
    CONNECTED(00000005)
    write to 0x7fa32ef01ae0 [0x7fa33080a803] (200 bytes => 200 (0xC8))
    0000 - 16 03 01 00 c3 01 00 00-bf 03 03 32 f7 fe fa b4   ...........2....
    0010 - e8 9a 60 38 ef 34 99 70-84 ce dc 1a 08 b8 76 90   ..`8.4.p......v.
    0020 - 19 8c 81 f4 a6 37 19 37-09 70 6f 00 00 60 c0 30   .....7.7.po..`.0
    0030 - c0 2c c0 28 c0 24 c0 14-c0 0a 00 9f 00 6b 00 39   .,.(.$.......k.9
    0040 - cc a9 cc a8 cc aa ff 85-00 c4 00 88 00 81 00 9d   ................
    0050 - 00 3d 00 35 00 c0 00 84-c0 2f c0 2b c0 27 c0 23   .=.5...../.+.'.#
    0060 - c0 13 c0 09 00 9e 00 67-00 33 00 be 00 45 00 9c   .......g.3...E..
    0070 - 00 3c 00 2f 00 ba 00 41-c0 11 c0 07 00 05 00 04   .<./...A........
    0080 - c0 12 c0 08 00 16 00 0a-00 15 00 09 00 ff 01 00   ................
    0090 - 00 36 00 0b 00 02 01 00-00 0a 00 08 00 06 00 1d   .6..............
    00a0 - 00 17 00 18 00 23 00 00-00 0d 00 1c 00 1a 06 01   .....#..........
    00b0 - 06 03 ef ef 05 01 05 03-04 01 04 03 ee ee ed ed   ................
    00c0 - 03 01 03 03 02 01 02 03-                          ........

    hanging at that stage forever
    (and client complaining of its inability to authenticate and reports timeout after 60 seconds)

I did identify commit 367740 being responsible for that:

    mike> svn up -r 367740
    Updating '.':
    U    sys/netinet/ip_fastfwd.c
    U    sys/netinet/ip_input.c
    U    sys/netinet/ip_var.h
    U    .
    Updated to revision 367740.

Any ideas, especially why clients at different OS behave differently?

FYI: I do have no access to AVM's push service, and very limited access to the macOS 10.14.6 computer.

Thanks in advance and with kind regards,
Michael

P.S. How may I update a local svn copy and simultaneously omit commit 367740 from being applied, or how may I revert commit 367740, only?
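The 200 bytes in the `openssl s_client -debug` dump above can be decoded to see exactly what the client had sent when it stalled. This is an added example, not part of the original post; the function names are illustrative. It walks the TLS record and handshake headers and confirms that the write is one complete ClientHello, so the client is waiting for the server's first reply.

```python
import re
import struct

# Hex columns of the openssl -debug dump quoted in the message above.
DUMP = """\
0000 - 16 03 01 00 c3 01 00 00-bf 03 03 32 f7 fe fa b4
0010 - e8 9a 60 38 ef 34 99 70-84 ce dc 1a 08 b8 76 90
0020 - 19 8c 81 f4 a6 37 19 37-09 70 6f 00 00 60 c0 30
0030 - c0 2c c0 28 c0 24 c0 14-c0 0a 00 9f 00 6b 00 39
0040 - cc a9 cc a8 cc aa ff 85-00 c4 00 88 00 81 00 9d
0050 - 00 3d 00 35 00 c0 00 84-c0 2f c0 2b c0 27 c0 23
0060 - c0 13 c0 09 00 9e 00 67-00 33 00 be 00 45 00 9c
0070 - 00 3c 00 2f 00 ba 00 41-c0 11 c0 07 00 05 00 04
0080 - c0 12 c0 08 00 16 00 0a-00 15 00 09 00 ff 01 00
0090 - 00 36 00 0b 00 02 01 00-00 0a 00 08 00 06 00 1d
00a0 - 00 17 00 18 00 23 00 00-00 0d 00 1c 00 1a 06 01
00b0 - 06 03 ef ef 05 01 05 03-04 01 04 03 ee ee ed ed
00c0 - 03 01 03 03 02 01 02 03-
"""

def dump_to_bytes(dump):
    """Collect the hex columns of an openssl dump (offsets and ASCII ignored)."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"^[0-9a-f]{4} - (.*)$", line.strip())
        if m:  # the hex area is at most 16 bytes * 3 characters wide
            pairs = re.findall(r"\b[0-9a-f]{2}\b", m.group(1)[:48])
            out += bytes.fromhex("".join(pairs))
    return bytes(out)

def parse_client_hello(buf):
    """Walk record header, handshake header and ClientHello body lengths."""
    ctype, _rec_ver, rec_len = struct.unpack_from("!BHH", buf, 0)
    hs_type, hs_len = buf[5], int.from_bytes(buf[6:9], "big")
    hello_ver = struct.unpack_from("!H", buf, 9)[0]
    pos = 11 + 32                         # skip the 32-byte client random
    pos += 1 + buf[pos]                   # session id
    cs_len = struct.unpack_from("!H", buf, pos)[0]
    pos += 2 + cs_len                     # cipher suites
    pos += 1 + buf[pos]                   # compression methods
    ext_len = struct.unpack_from("!H", buf, pos)[0]
    pos += 2 + ext_len                    # extensions
    return {
        "record_len": rec_len, "handshake_type": hs_type,
        "client_version": hex(hello_ver), "cipher_suites": cs_len // 2,
        # complete = one handshake record, type ClientHello, no bytes missing
        "complete": ctype == 22 and hs_type == 1
                    and len(buf) == 5 + rec_len == 9 + hs_len == pos,
    }
```

`parse_client_hello(dump_to_bytes(DUMP))` reports a 195-byte record holding a TLS 1.2 ClientHello with 48 cipher suites, which together with the 5-byte record header accounts for all 200 bytes openssl wrote.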
Ronald Klop
2020-Nov-22 18:31 UTC
12.2-STABLE: Commit 367740 breaks IMAP/SMTP server authentication
On Sun, 22 Nov 2020 14:37:33 +0100, Michael Grimm <trashcan at ellael.org> wrote:

> P.S. How may I update a local svn copy and simultaneously omit commit
> 367740 from being applied, or how may I revert commit 367740, only?

From the top of my head you can do something like:

Assuming your svn checkout is in /usr/src:

    cd /usr/src
    svn up
    svn diff -c -367740 | patch

This will get the reverse of commit 367740 (because of the -) and patch the code with it.

Regards,
Ronald.
Michael Grimm
2020-Dec-01 13:07 UTC
[SOLVED] 12.2-STABLE: Commit 367740 breaks IMAP/SMTP server authentication
Hi,

I finally managed to solve this issue: the MTU of all bridged network interfaces had to be reduced from 1500 down to 1490. (The external interface was on 1490 already.)

I still don't understand why these patches of commit 367740 could cause this, and I do not have the knowledge to understand it.

Anyway, I just wanted to let you know.

Regards,
Michael
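The condition behind the fix reported above can be checked from `ifconfig` output: list every bridge and bridge member whose MTU is larger than that of the external interface. This is an added example, not code from the thread; the sample output is constructed, and the interface names (`em0`, `epair0a`, `epair1a`) and flag values are assumptions.

```python
import re

# Constructed FreeBSD-style `ifconfig` output modelled on the setup in this
# thread: external interface at 1490, bridged interfaces still at 1500.
SAMPLE = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1490
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tmember: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
\tmember: epair1a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
epair0a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
epair1a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
"""

def parse_ifconfig(text):
    """Return ({ifname: mtu}, {bridge: [member, ...]}) from ifconfig output."""
    mtu, members, current = {}, {}, None
    for line in text.splitlines():
        head = re.match(r"^(\S+): flags=.*\bmtu (\d+)", line)
        if head:
            current = head.group(1)
            mtu[current] = int(head.group(2))
            continue
        member = re.match(r"^\s+member: (\S+)", line)
        if member and current:
            members.setdefault(current, []).append(member.group(1))
    return mtu, members

def oversized_bridged(text, external):
    """Bridges and members whose MTU exceeds the external interface's MTU."""
    mtu, members = parse_ifconfig(text)
    limit = mtu[external]
    bad = {}
    for bridge, ports in members.items():
        for ifname in [bridge] + ports:
            if mtu.get(ifname, 0) > limit:
                bad[ifname] = mtu[ifname]
    return limit, bad
```

On the sample, `oversized_bridged(SAMPLE, "em0")` flags `bridge0` and both epair interfaces at 1500 against a limit of 1490; after the change described in the message the result is empty.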