Lots of warning messages related to OpenSSL in Postfix log after upgrade to 9.7

After the upgrade from RoL 9.6 to 9.7, warning messages started to appear in the Postfix log:

postfix/smtpd[727080]: warning: run-time library vs. compile-time header version mismatch: OpenSSL 3.5.0 may not be compatible with OpenSSL 3.2.0

Postfix works fine, but this message is logged on each connection. If this is expected behavior, is there a way to suppress these messages?

Googling this error message gives lots of hits on this problem. But nothing to worry about. And no, there doesn’t seem to be a way of suppressing it.

Assuming postfix daemon has already been restarted after the update, and the problem didn’t go away.

Actually, this means that postfix was not rebuilt against the newer openssl.

Explanation
OpenSSL provides TWO variants of getting the version:

  1. In the headers (client’s compile-time)
  2. By calling a function which returns the version at openssl’s own compile-time.

If they differ, the client-app (in this case: postfix) was not rebuilt against the newer libs that came in the 9.7 update.

The only way to get rid of this is to rebuild postfix.

Verifying that on a rocky9.6 system that was just upgraded to rocky9.7:
rpm -qi postfix reports:
Install Date: Fri Nov 22 17:03:26 2024 which is from before the 9.7 upgrade.

So:
Either RedHat forgot to rebuild postfix against the newer openssl or maybe not all packages are distributed on all mirrors yet.

Cheers
-Fritz

From the Google results I read, it isn’t a big problem, mainly because the most important part is the OpenSSL major version, so 3. So it doesn’t matter if it is 3.0, 3.1, 3.2 or 3.5. Sure, postfix complains about it, and yes, rebuilding will fix that. Other than the warning, there is no need to rebuild it since it still works.

Red Hat would have rebuilt it if postfix had completely stopped working, for example with OpenSSL 4 instead of OpenSSL 3. The minor point release isn’t a big problem. Unfortunately, the log entries cause a little bit of spam.

@felfert and @iwalker thank you guys for the explanation and your effort as well.

I’m having the same issue. However, in my case my Postfix stopped being able to connect to my external mail relay after the upgrade (running in FIPS mode). So, it may be more than just noise.

FYI, the fix for my issue is adding the following to /etc/postfix/main.cf:

tls_eecdh_auto_curves = prime256v1 secp521r1 secp384r1

Apparently there is some change in the latest OpenSSL that causes issues with TLS establishment, and restricting to the allowed curves fixes the problem.

I can confirm the issue with TLS with FIPS enabled, and I can also confirm that the fix is working for us. Thanks a lot for saving us time debugging this issue.

BTW, the real warning that points to the issue is:

warning: TLS library problem: error:0A000438:SSL routines::tlsv1 alert internal error:ssl/record/rec_layer_s3.c:916:SSL alert number 80:
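
Added example, not written by any participant in this thread: a small log triage script that separates the per-connection version-mismatch warning from the "TLS library problem" lines that indicate a real handshake failure, so the latter are not buried in the noise. The sample log is constructed from the two messages quoted above; timestamps, host name, PIDs, the client address and the daemon name on the TLS line are made up.

```python
import re
from collections import Counter

# Constructed sample log: the two warning texts are the ones quoted in the
# thread; everything else (timestamps, host, PIDs, client IP) is made up.
SAMPLE_LOG = """\
Dec  1 10:00:01 mx1 postfix/smtpd[727080]: warning: run-time library vs. compile-time header version mismatch: OpenSSL 3.5.0 may not be compatible with OpenSSL 3.2.0
Dec  1 10:00:01 mx1 postfix/smtpd[727080]: connect from unknown[192.0.2.10]
Dec  1 10:00:05 mx1 postfix/smtp[727091]: warning: run-time library vs. compile-time header version mismatch: OpenSSL 3.5.0 may not be compatible with OpenSSL 3.2.0
Dec  1 10:00:06 mx1 postfix/smtp[727091]: warning: TLS library problem: error:0A000438:SSL routines::tlsv1 alert internal error:ssl/record/rec_layer_s3.c:916:SSL alert number 80:
"""

# Assumption: the first version in the message is the run-time library and the
# second the compile-time header, following the message's own wording.
MISMATCH = re.compile(
    r"postfix/(?P<daemon>[\w/-]+)\[\d+\]: warning: run-time library vs\. compile-time "
    r"header version mismatch: OpenSSL (?P<runtime>[\d.]+\w*) may not be compatible "
    r"with OpenSSL (?P<header>[\d.]+\w*)")
TLS_ERROR = re.compile(
    r"postfix/(?P<daemon>[\w/-]+)\[\d+\]: warning: TLS library problem: "
    r"error:(?P<code>[0-9A-F]+):.*SSL alert number (?P<alert>\d+)")


def triage(log_text):
    """Split mismatch noise from real TLS failures in Postfix log text."""
    noise = Counter()      # (daemon, runtime, header) -> number of lines
    failures = []          # one dict per "TLS library problem" line
    for line in log_text.splitlines():
        m = MISMATCH.search(line)
        if m:
            noise[(m["daemon"], m["runtime"], m["header"])] += 1
            continue
        m = TLS_ERROR.search(line)
        if m:
            failures.append({"daemon": m["daemon"], "code": m["code"],
                             "alert": int(m["alert"])})
    return noise, failures


def same_major(runtime, header):
    """True when only minor/patch differ, the case described above as harmless."""
    return runtime.split(".")[0] == header.split(".")[0]


if __name__ == "__main__":
    noise, failures = triage(SAMPLE_LOG)
    for (daemon, runtime, header), n in noise.items():
        kind = "same major" if same_major(runtime, header) else "MAJOR DIFFERS"
        print(f"{n}x {daemon}: runtime {runtime} vs header {header} ({kind})")
    for f in failures:
        print(f"TLS failure in {f['daemon']}: error {f['code']}, alert {f['alert']}")
```

To run it against a real log, pass the file contents to `triage()` instead of `SAMPLE_LOG`; any entry in `failures` deserves attention regardless of how many mismatch lines surround it.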
