Am 03.11.2016 um 20:57 schrieb Viktor Dukhovni: Hello Viktor,
you are correct, it is compiled & install from the source, like I did the last
ten+? years on all of my machines. No issues on ubuntu 14.04, opensuse, or
others. Only on 16.04. it causes me a pain.
I installed postfix from scratch with the default packages that come with
16.04, then compiled the pf snapshot that was available at that time, with the
configure file I slightly modified to pay tribute to the new system.
See the attached configure.postfix file with the args.
>> Since there is no tlsproxy running at the moment (removed the modifications
>> from Wietse and restarted pf, let's wait...?) I can't provide that output
>> at the moment. Or do you have a suggestion how to get one up & running?
>
> You could go back to the previous configuration, but read on...
>
>> On the other hand, my pf is the snapshot from 1101 and not any longer the
>> default package that ubuntu delivered.
>>
>> root@blueberry:/var/lib/postfix# l /usr/sbin/post*
>> -rwxr-xr-x 1 root root 45160 Nov 1 22:04 /usr/sbin/postalias*
>> -rwxr-xr-x 1 root root 34216 Nov 1 22:04 /usr/sbin/postcat*
>> -rwxr-xr-x 1 root root 422752 Nov 1 22:04 /usr/sbin/postconf*
>> -rwxr-sr-x 1 root postdrop 34504 Nov 1 22:04 /usr/sbin/postdrop*
>> -rwxr-xr-x 1 root root 28960 Nov 1 22:04 /usr/sbin/postfix*
>> -rwxr-xr-x 1 root root 5017 Apr 13 2016 /usr/sbin/postfix-add-filter*
>> -rwxr-xr-x 1 root root 3923 Apr 13 2016 /usr/sbin/postfix-add-policy*
>> -rwxr-xr-x 1 root root 37856 Okt 26 2014 /usr/sbin/postgrey*
>> -rwxr-xr-x 1 root root 20696 Nov 1 22:04 /usr/sbin/postkick*
>> -rwxr-xr-x 1 root root 22608 Nov 1 22:04 /usr/sbin/postlock*
>> -rwxr-xr-x 1 root root 22384 Nov 1 22:04 /usr/sbin/postlog*
>> -rwxr-xr-x 1 root root 48512 Nov 1 22:04 /usr/sbin/postmap*
>> -rwxr-xr-x 1 root root 69928 Nov 1 22:04 /usr/sbin/postmulti*
>> -rwxr-sr-x 1 root postdrop 54304 Nov 1 22:04 /usr/sbin/postqueue*
>> -rwxr-xr-x 1 root root 60552 Nov 1 22:04 /usr/sbin/postsuper*
>> -rwxr-xr-x 1 root root 34768 Apr 13 2016 /usr/sbin/posttls-finger*
>
> Perhaps "posttls-finger" is left over from an earlier install? Did
> you build and install Postfix from source?
posttls-finger most probably is a relic of the default packages installation.
pf is installed from source.
> The OpenSSL version looks typical enough, is that "/usr/bin/openssl"
> or some other version? What does "ldd" show for this binary?
yes, it is that version.
root@blueberry:/home/software# ldd /usr/bin/openssl
linux-vdso.so.1 => (0x00007ffca5320000)
libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0
(0x00007fcc7780a000)
libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
(0x00007fcc773c6000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fcc76ffc000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fcc76df8000)
/lib64/ld-linux-x86-64.so.2 (0x00007fcc77a7d000)
> # openssl version -a
> OpenSSL 1.0.2g 1 Mar 2016
> built on: reproducible build, date unspecified
> platform: debian-amd64
> options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
> compiler: cc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS
> -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -g -O2
> -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time
> -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack
> -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT
> -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM
> -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM
> -DGHASH_ASM -DECP_NISTZ256_ASM
> OPENSSLDIR: "/usr/lib/ssl"
>
> Here we see that the same "unknown state" issue happens with Postfix
> out of the picture. Both for local connections and connections to
> Gmail. So this should be pursued on a suitable Ubuntu forum.
OK, I understand it then is more of an OS issue than a specific to pf. Correct?
> # (sleep 1; printf "quit\r\n") |
> openssl s_client -quiet -state -starttls smtp -connect localhost:25
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL_connect:unknown state
> depth=1 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing
> Authority, emailAddress = supp...@cacert.org
> verify return:1
> depth=0 CN = yabba.dadd-do.de
> verify return:1
> SSL_connect:unknown state
> SSL_connect:unknown state
> SSL_connect:unknown state
> SSL_connect:unknown state
> SSL_connect:unknown state
> SSL_connect:unknown state
> SSL_connect:unknown state
> SSL_connect:unknown state
> SSL_connect:unknown state
> SSL_connect:unknown state
> SSL_connect:unknown state
> 250 DSN
> 221 2.0.0 Bye
> SSL3 alert read:warning:close notify
> SSL3 alert write:warning:close notify
>
> # (sleep 1; printf "quit\r\n") |
> openssl s_client -quiet -state -starttls smtp -connect
> smtp.gmail.com:587
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL_connect:unknown state
> depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
> verify return:1
> depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
> verify return:1
> depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
> verify return:1
> depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN
> = smtp.gmail.com
> verify return:1
> SSL_connect:unknown state
> SSL_connect:unknown state
> SSL_connect:unknown state
> SSL_connect:unknown state
> SSL_connect:unknown state
> SSL_connect:unknown state
> SSL_connect:unknown state
> SSL_connect:unknown state
> SSL_connect:unknown state
> 250 SMTPUTF8
> 221 2.0.0 closing connection g9sm9596385wjk.25 - gsmtp
> read:errno=0
> SSL3 alert write:warning:close notify
>
>> postconf mail_version
>> -> mail_version = 3.2-20161101
>
> I very much doubt that Ubuntu shipped this Postfix version. Looks
> like you've built your own, and installed it on top of Ubuntu's
> package. That requires some care and skill. You're typically
> better off sticking with the bundled package or a "backport".
See above.
>> root@blueberry:/etc/postfix# posttls-finger
>> posttls-finger: symbol lookup error: posttls-finger: undefined symbol:
>> midna_domain_to_ascii
>
> Not surprising, that's left over from the Ubuntu package.
Yes.
--
Florian Piekert flo...@floppy.org
Spargelweg 5 Telephone+Fax: +49-700-00floppy
38179 Schwülper-Walle/Germany +49-179- 3928582
===========================================================================
Note: this message was send by me *only* if the eMail message contains a
correct pgp signature corresponding to my address at flo...@floppy.org. Do
you need my PGP public key? Check out http://www.floppy.org or send me an
email with the subject "send pgp public key" to this address of mine. Thx!
#!/bin/bash # sleep 1 # # export CCARGS="`pkg-config --cflags openssl libpcre libcdb` -DUSE_TLS -DHAS_PCRE -DHAS_CDB -DHAS_LDAP -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/include/sasl" \ export AUXLIBS="`pkg-config --libs openssl` -lnsl -L/usr/lib/x86_64-linux-gnu/sasl2 -lsasl2 -lcrypto" \ export AUXLIBS_CDB="`pkg-config --libs libcdb`" \ export AUXLIBS_PCRE="`pkg-config --libs libpcre`" \ export AUXLIBS_LDAP="-lldap -llber" \ make tidy make makefiles pie=yes shared=yes dynamicmaps=yes && # make # postfix stop rm -f /var/lib/postfix/master.lock PROC=`ps axw|grep postfix|grep master|cut -d "?" -f 1|tr -d [:space:]` if [ "$PROC" != "" ] ; then kill $PROC fi make upgrade postfix start
signature.asc
Description: OpenPGP digital signature
