From: "Ronald Klop"
To: freebsd-net@freebsd.org, "FreeBSD-STABLE Mailing List", "Michael Grimm"
Cc: gnn@freebsd.org
Subject: Re: 12.2-STABLE: Commit 367740 breaks IMAP/SMTP server authentication
Date: Sun, 22 Nov 2020 19:31:41 +0100

On Sun, 22 Nov 2020 14:37:33 +0100, Michael Grimm wrote:

> Hi,
>
> I am running 12.2-STABLE and VNET jails, one of which hosts a recent
> Dovecot IMAP and a recent postfix SMTP server. Authentication is forced
> via TLS/SSL for both services (ports 587 and 993). Setup is as follows:
>
>     extIF0/pf/NAT <--> epairXa (bridge0) epairXb <-> jail
>
> A recent upgrade broke mailing of IMAP clients running on macOS 10.14.6
> (Mojave) and AVM's push service (Fritzbox), but *not* for IMAP clients
> running on macOS 10.15.7 (Catalina). Strange.
>
> Findings on macOS 10.14.6 (exemplified for IMAP):
>
> 1) mac$ nc -4vw 1 mail.xyz.zzz 993
>    found 0 associations
>    found 1 connections:
>         1: flags=82
>            outif en0
>            src 1.2.3.4 port 49583
>            dst 11.22.33.44 port 993
>            rank info not available
>            TCP aux info available
>
>    Connection to mail.xyz.zzz port 993 [tcp/imaps] succeeded!
>
> 2) mac$ openssl s_client -crlf -connect mail.xyz.zzz:993 -debug
>    CONNECTED(00000005)
>    write to 0x7fa32ef01ae0 [0x7fa33080a803] (200 bytes => 200 (0xC8))
>
>    hanging at that stage forever
>    (and client complaining of its inability to authenticate and reports
>    timeout after 60 seconds)
>
>
> I did identify commit 367740 being responsible for that:
>
>     mike> svn up -r 367740
>     Updating '.':
>     U    sys/netinet/ip_fastfwd.c
>     U    sys/netinet/ip_input.c
>     U    sys/netinet/ip_var.h
>     U   .
>     Updated to revision 367740.
>
>
> Any ideas, especially why clients on different OSes behave differently?
>
> FYI: I have no access to AVM's push service, and very limited access
> to the macOS 10.14.6 computer.
>
> Thanks in advance and with kind regards,
> Michael
>
> P.S. How may I update a local svn copy and simultaneously omit commit
> 367740 from being applied, or how may I revert commit 367740, only?

From the top of my head you can do something like:

Assuming your svn checkout is in /usr/src:

    cd /usr/src
    svn up
    svn diff -c -367740 | patch

This will get the reverse of commit 367740 (because of the -) and patch
the code with it.

Regards,
Ronald.