On 03.11.2016 at 20:57, Viktor Dukhovni wrote:

Hello Viktor,

you are correct, it is compiled & installed from source, like I did the last 
ten+? years on all of my machines. No issues on ubuntu 14.04, opensuse, or 
others. Only on 16.04 it causes me pain.

I installed postfix from scratch with the default packages that come with 
16.04, then compiled the pf snapshot that was available at that time, with the 
configure file I slightly modified to pay tribute to the new system.

See the attached configure.postfix file with the args.

>> Since there is no tlsproxy running at the moment (removed the modifications
>> from Wietse and restarted pf, let's wait...?) I can't provide that output
>> at the moment. Or do you have a suggestion how to get one up & running?
> 
> You could go back to the previous configuration, but read on...
> 
>> On the other hand, my pf is the snapshot from 1101 and not any longer the 
>> default package that ubuntu delivered.
>>
>> root@blueberry:/var/lib/postfix# l /usr/sbin/post*
>> -rwxr-xr-x 1 root root      45160 Nov  1 22:04 /usr/sbin/postalias*
>> -rwxr-xr-x 1 root root      34216 Nov  1 22:04 /usr/sbin/postcat*
>> -rwxr-xr-x 1 root root     422752 Nov  1 22:04 /usr/sbin/postconf*
>> -rwxr-sr-x 1 root postdrop  34504 Nov  1 22:04 /usr/sbin/postdrop*
>> -rwxr-xr-x 1 root root      28960 Nov  1 22:04 /usr/sbin/postfix*
>> -rwxr-xr-x 1 root root       5017 Apr 13  2016 /usr/sbin/postfix-add-filter*
>> -rwxr-xr-x 1 root root       3923 Apr 13  2016 /usr/sbin/postfix-add-policy*
>> -rwxr-xr-x 1 root root      37856 Okt 26  2014 /usr/sbin/postgrey*
>> -rwxr-xr-x 1 root root      20696 Nov  1 22:04 /usr/sbin/postkick*
>> -rwxr-xr-x 1 root root      22608 Nov  1 22:04 /usr/sbin/postlock*
>> -rwxr-xr-x 1 root root      22384 Nov  1 22:04 /usr/sbin/postlog*
>> -rwxr-xr-x 1 root root      48512 Nov  1 22:04 /usr/sbin/postmap*
>> -rwxr-xr-x 1 root root      69928 Nov  1 22:04 /usr/sbin/postmulti*
>> -rwxr-sr-x 1 root postdrop  54304 Nov  1 22:04 /usr/sbin/postqueue*
>> -rwxr-xr-x 1 root root      60552 Nov  1 22:04 /usr/sbin/postsuper*
>> -rwxr-xr-x 1 root root      34768 Apr 13  2016 /usr/sbin/posttls-finger*
> 
> Perhaps "posttls-finger" is left over from an earlier install? Did
> you build and install Postfix from source?

posttls-finger most probably is a relic of the default packages installation. 
pf is installed from source.

 
> The OpenSSL version looks typical enough, is that "/usr/bin/openssl"
> or some other version?  What does "ldd" show for this binary?

yes, it is that version.
root@blueberry:/home/software# ldd /usr/bin/openssl
        linux-vdso.so.1 =>  (0x00007ffca5320000)
        libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fcc7780a000)
        libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007fcc773c6000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fcc76ffc000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fcc76df8000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fcc77a7d000)


>     # openssl version -a
>     OpenSSL 1.0.2g  1 Mar 2016
>     built on: reproducible build, date unspecified
>     platform: debian-amd64
>     options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx) 
>     compiler: cc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS 
> -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -g -O2 
> -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time 
> -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack 
> -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT 
> -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM 
> -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM 
> -DGHASH_ASM -DECP_NISTZ256_ASM
>     OPENSSLDIR: "/usr/lib/ssl"
> 
> Here we see that the same "unknown state" issue happens with Postfix
> out of the picture.  Both for local connections and connections to
> Gmail. So this should be pursued on a suitable Ubuntu forum.

OK, I understand it then is more of an OS issue than specific to pf. Correct?

>     # (sleep 1; printf "quit\r\n") |
>       openssl s_client -quiet -state -starttls smtp -connect localhost:25
>       SSL_connect:before/connect initialization
>       SSL_connect:SSLv2/v3 write client hello A
>       SSL_connect:unknown state
>       depth=1 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority, emailAddress = supp...@cacert.org
>       verify return:1
>       depth=0 CN = yabba.dadd-do.de
>       verify return:1
>       SSL_connect:unknown state
>       SSL_connect:unknown state
>       SSL_connect:unknown state
>       SSL_connect:unknown state
>       SSL_connect:unknown state
>       SSL_connect:unknown state
>       SSL_connect:unknown state
>       SSL_connect:unknown state
>       SSL_connect:unknown state
>       SSL_connect:unknown state
>       SSL_connect:unknown state
>       250 DSN
>       221 2.0.0 Bye
>       SSL3 alert read:warning:close notify
>       SSL3 alert write:warning:close notify
> 
>     # (sleep 1; printf "quit\r\n") |
>        openssl s_client -quiet -state -starttls smtp -connect smtp.gmail.com:587
>       SSL_connect:before/connect initialization
>       SSL_connect:SSLv2/v3 write client hello A
>       SSL_connect:unknown state
>       depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
>       verify return:1
>       depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
>       verify return:1
>       depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
>       verify return:1
>       depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = smtp.gmail.com
>       verify return:1
>       SSL_connect:unknown state
>       SSL_connect:unknown state
>       SSL_connect:unknown state
>       SSL_connect:unknown state
>       SSL_connect:unknown state
>       SSL_connect:unknown state
>       SSL_connect:unknown state
>       SSL_connect:unknown state
>       SSL_connect:unknown state
>       250 SMTPUTF8
>       221 2.0.0 closing connection g9sm9596385wjk.25 - gsmtp
>       read:errno=0
>       SSL3 alert write:warning:close notify
>   
>> postconf mail_version
>> -> mail_version = 3.2-20161101
> 
> I very much doubt that Ubuntu shipped this Postfix version.  Looks
> like you've built your own, and installed it on top of Ubuntu's
> package.  That requires some care and skill.  You're typically
> better off sticking with the bundled package or a "backport".

See above.
 
>> root@blueberry:/etc/postfix# posttls-finger 
>> posttls-finger: symbol lookup error: posttls-finger: undefined symbol: 
>> midna_domain_to_ascii
> 
> Not surprising, that's left over from the Ubuntu package.

Yes.


-- 

Florian Piekert                                           flo...@floppy.org

Spargelweg 5                                Telephone+Fax: +49-700-00floppy
38179 Schwülper-Walle/Germany                              +49-179- 3928582
===========================================================================
Note:  this message was  sent by me *only* if the  eMail message contains a
correct pgp signature corresponding to my address at  flo...@floppy.org. Do
you need my  PGP  public key? Check out http://www.floppy.org or send me an
email with  the subject "send pgp public key" to this address of mine. Thx!
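#!/bin/bash
#
# configure.postfix: build Postfix from source and upgrade the running install.
sleep 1
#
# Build options. Each export is its own command (no trailing backslash),
# so that "make tidy" below is actually run.
export CCARGS="$(pkg-config --cflags openssl libpcre libcdb) -DUSE_TLS -DHAS_PCRE -DHAS_CDB -DHAS_LDAP -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/include/sasl"
export AUXLIBS="$(pkg-config --libs openssl) -lnsl -L/usr/lib/x86_64-linux-gnu/sasl2 -lsasl2 -lcrypto"
export AUXLIBS_CDB="$(pkg-config --libs libcdb)"
export AUXLIBS_PCRE="$(pkg-config --libs libpcre)"
export AUXLIBS_LDAP="-lldap -llber"
make tidy
# Stop here if the build fails, before touching the running installation.
make makefiles pie=yes shared=yes dynamicmaps=yes &&
make || exit 1
#
postfix stop
rm -f /var/lib/postfix/master.lock
# Kill a master process that survived "postfix stop", if any.
PROC=$(ps axw | grep postfix | grep master | cut -d "?" -f 1 | tr -d '[:space:]')
if [ "$PROC" != "" ] ; then
   kill "$PROC"
fi

make upgrade
postfix start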
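
Added example, not part of the original message or of Postfix: a check for the situation discussed in the thread, where a source build installed over the distribution package leaves older programs such as posttls-finger behind. It lists post* programs whose modification time is far from that of a reference binary written by the last "make upgrade"; the function name, the one-hour default window and the use of GNU stat (as on Ubuntu) are assumptions of this example.

```shell
#!/bin/sh
# Added example: find post* programs that were not written by the same
# install run as a reference binary (postconf in the thread's listing).
# Assumes GNU stat; stale_postfix_bins is a name chosen for this example.

# usage: stale_postfix_bins DIR REFERENCE [WINDOW_SECONDS]
# Prints one path per line; returns 2 if the reference binary is missing.
stale_postfix_bins() {
    dir=$1
    ref=$2
    window=${3:-3600}   # tolerate a long-running install by default

    ref_mtime=$(stat -c %Y "$dir/$ref") || return 2

    for f in "$dir"/post*; do
        [ -f "$f" ] || continue
        mtime=$(stat -c %Y "$f") || continue

        # Absolute distance between this file's mtime and the reference's.
        delta=$((ref_mtime - mtime))
        if [ "$delta" -lt 0 ]; then
            delta=$((-delta))
        fi

        if [ "$delta" -gt "$window" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# On the system from the thread this would be run as
#   stale_postfix_bins /usr/sbin postconf
# A hit is only a candidate: a separately packaged tool such as postgrey
# is also reported. Follow up on each path with
#   dpkg -S PATH    (which package, if any, owns the file)
#   ldd -r PATH     (reports unresolved symbols in the binary)
```

A binary that the source build no longer installs but the package left in place is the kind that fails with a symbol lookup error, as posttls-finger does in the quoted output.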
