These are warning messages from postfix which makes it a little less bad - is that proper English?
loocek wrote: ↑Thu Jan 09, 2025 9:39 pm
And emails are being successfully sent anyway so... But I don't like these lots of errors in log. Today about 4000.
Code: Select all
postfix/smtps/smtpd[19907]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:304:
I used Vince's search term and this thread came up and seems to be exactly what you are seeing: https://www.mail-archive.com/postfix-us ... 95796.html because the OP also saw client disconnects abruptly without sending QUIT.
If I understand that thread, a lot of applications using openssl 1.1.1 and earlier were not calling SSL_shutdown(). The TLS error 0A000126 is the important message because when they don't shut down correctly (thinking SSL_shutdown() calls close_notify()), the logic is to print out this 0A000126 message indicating unexpected EOF. At some point, the developers of openssl wanted developers to terminate correctly as there was an attack against this shutdown behavior in some instances. SMTP doesn't appear to be one of them.
When Zimbra moved to openssl 3.0, you got the "benefit" of this notification alert. Postfix used the "SSL_OP_IGNORE_UNEXPECTED_EOF" option to silence these notifications when an older client doesn't issue an SSL_shutdown(). Unfortunately, that resolution in postfix is in a newer version which you are not running.
Further background on this close_notify() and 0A000126:
Ref: https://www.ibm.com/docs/en/datapower-g ... tification
For a postfix server this is probably not going to be a problem because SMTP has its own message framing and is somewhat resilient against any message truncation at the connection close, which also explains why everything continues to work.
As for the extra noise, there are ways to filter this out with rsyslog. When we moved to RHEL8 from RHEL6 with systemd, I had a fit with all the extra "help" in the logs which you probably can relate to. So you could come up with a custom rule to not log this information. Here is an example if you are not familiar with the syntax.
Code: Select all
% cat /etc/rsyslog.d/mydomain-rsyslog.conf
# systemd: drop routine session and slice start/stop messages
if $programname == "systemd" and
   ($msg contains "Starting Session" or
    $msg contains "Started Session" or
    $msg contains "Created slice" or
    $msg contains "Starting user-" or
    $msg contains "Starting User Slice of" or
    $msg contains "Removed session" or
    $msg contains "Removed slice User Slice of" or
    $msg contains "Stopping User Slice of") then stop
Jim
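An added example, not part of the post above: the same rsyslog technique applied to the Postfix warning quoted at the top of the thread, matched narrowly on the 0A000126 error code so that other "TLS library problem" warnings still reach the mail log. The file name and the side-log path are assumptions, and the file has to be included before the rule that writes the mail log.

```rsyslog
# Assumed file name: /etc/rsyslog.d/postfix-tls-eof.conf (example only)
#
# Too broad, shown for contrast: this would also hide handshake failures,
# protocol or cipher mismatches and certificate errors that Postfix reports
# under the same "TLS library problem" prefix.
#
#   if $msg contains "TLS library problem" then stop
#
# Narrow rule: only messages tagged postfix/... that carry the OpenSSL 3
# "unexpected eof while reading" code from the quoted log line.
# $syslogtag is used instead of $programname because rsyslog normally cuts
# programname at the first "/" (it would be just "postfix"), and that
# behaviour changes if parser.permitSlashInProgramName is turned on.
if ($syslogtag startswith "postfix/") and
   ($msg contains "TLS library problem: error:0A000126:") then {
    # Keep a copy in a side file (assumed path) so the volume can still be
    # reviewed, then stop processing so it never reaches the main mail log.
    action(type="omfile" file="/var/log/postfix-tls-eof.log")
    stop
}
```

Validate the syntax with `rsyslogd -N1` before restarting rsyslog, and add the side file to log rotation if you keep it.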