On 03.11.2016 at 20:57, Viktor Dukhovni wrote:

Hello Viktor,

you are correct, it is compiled & installed from the source, like I did
the last ten+? years on all of my machines. No issues on ubuntu 14.04,
opensuse, or others. Only on 16.04 it causes me a pain. I installed
postfix from scratch with the default packages that come with 16.04, then
compiled the pf snapshot that was available at that time, with the
configure file I slightly modified to pay tribute to the new system. See
the attached configure.postfix file with the args.

>> Since there is no tlsproxy running at the moment (removed the modifications
>> from Wietse and restarted pf, let's wait...?) I can't provide that output
>> at the moment. Or do you have a suggestion how to get one up & running?
>
> You could go back to the previous configuration, but read on...
>
>> On the other hand, my pf is the snapshot from 1101 and not any longer the
>> default package that ubuntu delivered.
>>
>> root@blueberry:/var/lib/postfix# l /usr/sbin/post*
>> -rwxr-xr-x 1 root root 45160 Nov 1 22:04 /usr/sbin/postalias*
>> -rwxr-xr-x 1 root root 34216 Nov 1 22:04 /usr/sbin/postcat*
>> -rwxr-xr-x 1 root root 422752 Nov 1 22:04 /usr/sbin/postconf*
>> -rwxr-sr-x 1 root postdrop 34504 Nov 1 22:04 /usr/sbin/postdrop*
>> -rwxr-xr-x 1 root root 28960 Nov 1 22:04 /usr/sbin/postfix*
>> -rwxr-xr-x 1 root root 5017 Apr 13 2016 /usr/sbin/postfix-add-filter*
>> -rwxr-xr-x 1 root root 3923 Apr 13 2016 /usr/sbin/postfix-add-policy*
>> -rwxr-xr-x 1 root root 37856 Okt 26 2014 /usr/sbin/postgrey*
>> -rwxr-xr-x 1 root root 20696 Nov 1 22:04 /usr/sbin/postkick*
>> -rwxr-xr-x 1 root root 22608 Nov 1 22:04 /usr/sbin/postlock*
>> -rwxr-xr-x 1 root root 22384 Nov 1 22:04 /usr/sbin/postlog*
>> -rwxr-xr-x 1 root root 48512 Nov 1 22:04 /usr/sbin/postmap*
>> -rwxr-xr-x 1 root root 69928 Nov 1 22:04 /usr/sbin/postmulti*
>> -rwxr-sr-x 1 root postdrop 54304 Nov 1 22:04 /usr/sbin/postqueue*
>> -rwxr-xr-x 1 root root 60552 Nov 1 22:04 /usr/sbin/postsuper*
>> -rwxr-xr-x 1 root root 34768 Apr 13 2016 /usr/sbin/posttls-finger*
>
> Perhaps "posttls-finger" is left over from an earlier install? Did
> you build and install Postfix from source?

posttls-finger most probably is a relic of the default packages
installation. pf is installed from source.

> The OpenSSL version looks typical enough, is that "/usr/bin/openssl"
> or some other version? What does "ldd" show for this binary?

yes, it is that version.

root@blueberry:/home/software# ldd /usr/bin/openssl
        linux-vdso.so.1 => (0x00007ffca5320000)
        libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fcc7780a000)
        libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007fcc773c6000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fcc76ffc000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fcc76df8000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fcc77a7d000)

> # openssl version -a
> OpenSSL 1.0.2g 1 Mar 2016
> built on: reproducible build, date unspecified
> platform: debian-amd64
> options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
> compiler: cc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS
> -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -g -O2
> -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time
> -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack
> -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT
> -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM
> -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM
> -DGHASH_ASM -DECP_NISTZ256_ASM
> OPENSSLDIR: "/usr/lib/ssl"
>
> Here we see that the same "unknown state" issue happens with Postfix
> out of the picture. Both for local connections and connections to
> Gmail. So this should be pursued on a suitable Ubuntu forum.

OK, I understand it then is more of an OS issue than one specific to pf.
Correct?

> # (sleep 1; printf "quit\r\n") |
> openssl s_client -quiet -state -starttls smtp -connect localhost:25
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL_connect:unknown state
> depth=1 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing
> Authority, emailAddress = supp...@cacert.org
> verify return:1
> depth=0 CN = yabba.dadd-do.de
> verify return:1
> SSL_connect:unknown state
> SSL_connect:unknown state
> SSL_connect:unknown state
> SSL_connect:unknown state
> SSL_connect:unknown state
> SSL_connect:unknown state
> SSL_connect:unknown state
> SSL_connect:unknown state
> SSL_connect:unknown state
> SSL_connect:unknown state
> SSL_connect:unknown state
> 250 DSN
> 221 2.0.0 Bye
> SSL3 alert read:warning:close notify
> SSL3 alert write:warning:close notify
>
> # (sleep 1; printf "quit\r\n") |
> openssl s_client -quiet -state -starttls smtp -connect
> smtp.gmail.com:587
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL_connect:unknown state
> depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
> verify return:1
> depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
> verify return:1
> depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
> verify return:1
> depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN
> = smtp.gmail.com
> verify return:1
> SSL_connect:unknown state
> SSL_connect:unknown state
> SSL_connect:unknown state
> SSL_connect:unknown state
> SSL_connect:unknown state
> SSL_connect:unknown state
> SSL_connect:unknown state
> SSL_connect:unknown state
> SSL_connect:unknown state
> 250 SMTPUTF8
> 221 2.0.0 closing connection g9sm9596385wjk.25 - gsmtp
> read:errno=0
> SSL3 alert write:warning:close notify
>
>> postconf mail_version
>> -> mail_version = 3.2-20161101
>
> I very much doubt that Ubuntu shipped this Postfix version. Looks
> like you've built your own, and installed it on top of Ubuntu's
> package. That requires some care and skill. You're typically
> better off sticking with the bundled package or a "backport".

See above.

>> root@blueberry:/etc/postfix# posttls-finger
>> posttls-finger: symbol lookup error: posttls-finger: undefined symbol:
>> midna_domain_to_ascii
>
> Not surprising, that's left over from the Ubuntu package.

Yes.

-- 
Florian Piekert                              flo...@floppy.org
Spargelweg 5                    Telephone+Fax: +49-700-00floppy
38179 Schwülper-Walle/Germany                 +49-179- 3928582
===========================================================================
Note: this message was sent by me *only* if the eMail message contains a
correct pgp signature corresponding to my address at flo...@floppy.org.
Do you need my PGP public key? Check out http://www.floppy.org or send me
an email with the subject "send pgp public key" to this address of mine. Thx!

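#!/bin/bash
#
sleep 1
#
# Build settings read by "make makefiles". One export per line, so that
# "make tidy" below runs as its own command.
export CCARGS="$(pkg-config --cflags openssl libpcre libcdb) -DUSE_TLS -DHAS_PCRE -DHAS_CDB -DHAS_LDAP -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/include/sasl"
export AUXLIBS="$(pkg-config --libs openssl) -lnsl -L/usr/lib/x86_64-linux-gnu/sasl2 -lsasl2 -lcrypto"
export AUXLIBS_CDB="$(pkg-config --libs libcdb)"
export AUXLIBS_PCRE="$(pkg-config --libs libpcre)"
export AUXLIBS_LDAP="-lldap -llber"
# Clean the source tree, then generate the makefiles and build.
make tidy
make makefiles pie=yes shared=yes dynamicmaps=yes &&
#
make
#
# Stop the running instance and clear its lock before upgrading.
postfix stop
rm -f /var/lib/postfix/master.lock
# Kill a master process that survived "postfix stop".
PROC=$(ps axw | grep postfix | grep master | cut -d "?" -f 1 | tr -d '[:space:]')
if [ "$PROC" != "" ] ; then
    kill "$PROC"
fi
# Install the new build over the existing one and start it.
make upgrade
postfix start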
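
Added example, not part of the original message or its attachment: the listing above shows package leftovers (Apr 13 2016) next to binaries from the source install (Nov 1), and posttls-finger fails on an undefined symbol. This sketch flags both conditions; the function names are hypothetical, GNU stat is assumed, and the sample directory and linker output are constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, GNU stat is assumed.

# stale_binaries DIR REF [WINDOW]: print DIR/post* files whose mtime is more
# than WINDOW seconds (default 3600) older than REF, a binary that the source
# install is known to have replaced.
stale_binaries() {
    dir=$1; ref=$2; window=${3:-3600}
    ref_ts=$(stat -c %Y "$ref") || return 2
    for f in "$dir"/post*; do
        [ -f "$f" ] || continue
        ts=$(stat -c %Y "$f")
        if [ $((ref_ts - ts)) -gt "$window" ]; then basename "$f"; fi
    done
}

# undefined_symbols: read dynamic linker messages on stdin (for example the
# output of `ldd -r BINARY 2>&1`) and print each unresolved symbol once.
undefined_symbols() {
    sed -n 's/.*undefined symbol: \([^[:space:]]*\).*/\1/p' | sort -u
}

# make_sample DIR: constructed stand-in for /usr/sbin, using the two install
# dates that appear in the listing above.
make_sample() {
    for b in postconf postfix postmap; do
        : > "$1/$b"; touch -t 201611012204 "$1/$b"
    done
    for b in postfix-add-filter posttls-finger; do
        : > "$1/$b"; touch -t 201604130000 "$1/$b"
    done
}

# sample_ldd: constructed linker output, modelled on the error quoted above.
sample_ldd() {
    printf '\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000000000)\n'
    printf 'undefined symbol: midna_domain_to_ascii\t(/usr/sbin/posttls-finger)\n'
    printf 'posttls-finger: symbol lookup error: posttls-finger: undefined symbol: midna_domain_to_ascii\n'
}

tmp=$(mktemp -d)
make_sample "$tmp"
echo "not refreshed by the source install:"
stale_binaries "$tmp" "$tmp/postconf"
echo "unresolved symbols:"
sample_ldd | undefined_symbols
rm -rf "$tmp"
```

On a real system, pipe `ldd -r /usr/sbin/posttls-finger 2>&1` into `undefined_symbols`, and confirm which package owns a flagged file with `dpkg -S` before removing it.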