Viktor Dukhovni:
> On Thu, May 17, 2012 at 12:50:16AM +0200, Patrick Ben Koetter wrote:
>
> > > maillog: http://pastebin.com/k1EzFFY9
> > > postconf: http://pastebin.com/AjMGykjV
> >
> > You tell Postfix to keep the session cache databases in the queue_directory,
> > but that is owned by root (on my systems):
> >
> > smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
> > smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
> >
> > Use $data_directory instead.
>
> That's likely not the direct cause of the problem, rather the
> existing cache likely contains entries from different OpenSSL
> version, and OpenSSL segfaults when one imports a cached session
> from an older (different) OpenSSL library.
>
> The cache lookup keys are by transport+destination, so sending mail
> to an address in the cache, causes an incompatible session to be
> loaded even if it is from a different library version. So we should
> probably add the library version to the lookup key.
Something along this line should do the job:
#define GEN_CACHE_ID(buf, id, len, service) \
do { \
buf = vstring_alloc(2 * (len) + 1 + strlen(service) + 3); \
hex_encode(buf, (char *) (id), (len)); \
vstring_sprintf_append(buf, "&s=%s", (service)); \
+ vstring_sprintf_append(buf, "&l=%ld", (long) OPENSSL_VERSION_NUMBER); \
} while (0)
This macro transforms the shared SSL/TLS session ID into a local
Postfix cache lookup key. If the OpenSSL library version changes,
then the Postfix lookup key will not match sessions that were stored
while Postfix was linked with a different OpenSSL library version.
Security analysis: the Postfix cache lookup key is never shared
with remote peers, so it is safe to include the local OpenSSL library
version number.
Wietse
