Hi, yesterday I encountered a problem. I already sent it to Wietse, and he in turn suggests contacting this list and asking whether somebody else out there can reproduce this bug.
Here is the mail I sent to him:
----
Hi,
for some reason I encountered a segfault in smtpd - Postfix 2.8.0.
[1584207.718333] smtpd[14526]: segfault at 8 ip 00007fe896496620 sp 00007fff8baaff88 error 6 in libcrypto.so.0.9.8[7fe8963d6000+168000]
[1584287.876688] smtpd[14784]: segfault at 8 ip 00007fc43532b620 sp 00007fffaef24198 error 6 in libcrypto.so.0.9.8[7fc43526b000+168000]
Before I start enabling gdb in debugging_command, can you tell me whether this is
libcrypto-related or Postfix? Or, if this is impossible to say, what
information could help you?
What happened:
smtpd_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_loglevel = 1
tls_append_default_CA = no
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_cert_file = ${config_directory}/ssl/mx_deltaweb_de.crt
smtpd_tls_key_file = ${config_directory}/ssl/mx_deltaweb_de.key
smtpd_tls_session_cache_database = sdbm:${data_directory}/smtpd_session_cache
smtpd_sasl_tls_security_options = noanonymous
smtpd is running chrooted. I copied /etc/ssl/certs/* to the chroot environment.
Because under Debian/Ubuntu these files are just symlinks, I also copied the
corresponding folder /usr/share/ca-certificates into the jail.
I saw in postconf(5) that it is required to concatenate the client cert with
the CA file if a remote MTA shall be able to verify the cert. So I did that on my
server, which is another machine. From there I sent a test mail to the MTA I
just described above. In the logs, it always told me "Untrusted":
Feb 6 19:10:44 mx postfix/smtpd[14222]: mx0.roessner-net.de[78.46.253.227]: Untrusted: subject_CN=mx0.roessner-net.de, issuer=CA Cert Signing Authority, fingerprint=F3:2D:15:E3:08:93:53:12:A2:93:3D:CC:AA:B8:AF:26
Feb 6 19:10:44 mx postfix/smtpd[14222]: Untrusted TLS connection established from mx0.roessner-net.de[78.46.253.227]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
I double-checked that cacert.org's cert is in that path as well and that the
c_hash exists, too. I did not find an answer, so I only changed
smtpd_tls_loglevel from 1 to 3. This brought the segfault and this in the
logs:
Feb 6 19:11:54 mx postfix/master[14500]: warning: process /usr/lib/postfix/smtpd pid 14526 killed by signal 11
Feb 6 19:13:15 mx postfix/master[14736]: warning: process /usr/lib/postfix/smtpd pid 14784 killed by signal 11
Turning the loglevel back, everything works as before.
So I thought, you might be interested in that report.
----
Tonight I am going to turn on GDB and try to get a backtrace. But maybe someone
else might confirm this in the meantime.
Best wishes
Christian
---
Roessner-Network-Solutions
Bachelor of Science in Computer Science
Nahrungsberg 81, 35390 Gießen
F: +49 641 5879091, M: +49 176 93118939
VAT ID: DE225643613
http://www.roessner-network-solutions.com
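Added example, not part of the original message: a Python check for the chroot setup described above, listing the CApath entries whose symlink chains do not resolve once every path is interpreted relative to the jail root. The function names, the demo jail layout and the hash-style file names are constructed for illustration.

```python
import os
import posixpath
import tempfile

def _parts(path):
    return [p for p in path.split("/") if p not in ("", ".")]

def resolve_in_jail(jail, path, max_links=40):
    """Resolve an absolute path as a process chrooted into `jail` sees it; None if absent."""
    todo, cur, links = _parts(path), "/", 0
    while todo:
        part = todo.pop(0)
        real = jail + posixpath.join(cur, part)   # host-side location
        if part == "..":
            cur = posixpath.dirname(cur)          # ".." at the jail root stays there
        elif os.path.islink(real):
            links += 1
            if links > max_links:
                return None                       # symlink loop
            target = os.readlink(real)
            if target.startswith("/"):
                cur = "/"                         # absolute target: restart at jail root
            todo = _parts(target) + todo
        elif os.path.lexists(real):
            cur = posixpath.join(cur, part)
        else:
            return None
    return cur

def audit_capath(jail, capath="/etc/ssl/certs"):
    """Return the sorted CApath entries that cannot be read inside the jail."""
    jail = jail.rstrip("/")
    base = resolve_in_jail(jail, capath)
    if base is None:
        return [capath]
    return [n for n in sorted(os.listdir(jail + base))
            if resolve_in_jail(jail, posixpath.join(base, n)) is None]

def build_demo_jail():
    """Constructed sample jail: one CA file copied in, one left outside."""
    jail, ca = tempfile.mkdtemp(), "/usr/share/ca-certificates/demo"
    os.makedirs(jail + "/etc/ssl/certs")
    os.makedirs(jail + ca)
    open(jail + ca + "/copied.crt", "w").close()
    links = {"copied.pem": ca + "/copied.crt", "0123abcd.0": "copied.pem",
             "missing.pem": ca + "/missing.crt", "89abcdef.0": "missing.pem"}
    for name, target in links.items():          # hash-style names are constructed
        os.symlink(target, jail + "/etc/ssl/certs/" + name)
    return jail
```

Running `audit_capath()` against the real jail directory (an empty result means every entry resolves) separates a broken copy from a genuine trust-chain problem before raising the TLS log level.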
