Peter Lindgren:
> Hi!
>
> I build postfix 3.5.7 from source on OpenBSD 6.7. I seem to have a problem
> with the certificate I generated. They work fine with Dovecot, though.
>
> In the moment postfix/master starts the smtpd and it's trying to do
> something with the certificate (on the smtp submission port 587), it
> crashes:
>
> Sep 20 23:03:50 neptunus postfix/master[30686]: warning: process /usr/local/libexec/postfix/smtpd pid 84403 killed by signal 9

This reminds me of GnuTLS library code that would send text to stderr
and terminate the process. That was a very unusual way to report
that the random number generator was unavailable.

Calling a library with a bad certificate should never cause a process
to terminate. Instead the library should return an error code to
Postfix.

Perhaps some OpenBSD code is sending a signal 9 (SIGKILL) when it
does not like what Postfix does? It would be a very unusual way to
report a problem.

Try this:

    postfix stop
    /path/to/master -d

This will leave stderr open and display any stderr output that some
non-Postfix library code might send.

        Wietse

> Sep 20 23:03:50 neptunus postfix/master[30686]: warning: /usr/local/libexec/postfix/smtpd: bad command startup -- throttling
>
> I added a lot of debugging/logging code to find where it crashes, and
> for a moment I thought I had found it, line 522 in tls/tls_server.c. So
> I added -DOPENSSL_NO_TLSEXT and built again, but now it crashes further
> down, the call tls_set_my_certificate_key_info() on line 606 in
> tls/tls_server.c, function tls_server_init().
>
> However, I take a step back and I assume there is something wrong with
> the certificate or my configuration? It's a self-signed certificate. Or
> am I on to some real bug here?
>
> Here's my postconf -n output:
>
> neptunus# postconf -n | sort
> command_directory = /usr/local/sbin
> compatibility_level = 2
> daemon_directory = /usr/local/libexec/postfix
> data_directory = /var/postfix
> debug_peer_level = 2
> debug_peer_list = localhost
> disable_vrfy_command = yes
> home_mailbox = Maildir/
> html_directory = /usr/local/share/doc/postfix/html
> inet_protocols = all
> mail_owner = _postfix
> mail_spool_directory = /var/mail
> mailbox_command = /usr/local/libexec/dovecot/deliver
> mailbox_size_limit = 80000000
> mailq_path = /usr/local/sbin/mailq
> manpage_directory = /usr/local/man
> message_size_limit = 80000000
> meta_directory = /etc/postfix
> mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
> mynetworks_style = subnet
> newaliases_path = /usr/local/sbin/newaliases
> queue_directory = /var/spool/postfix
> readme_directory = /usr/local/share/doc/postfix/readme
> recipient_delimiter = +
> relay_domains = $mydestination
> relayhost = [in.mailjet.com]:587
> sample_directory = /etc/postfix
> sendmail_path = /usr/local/sbin/sendmail
> setgid_group = _postdrop
> shlib_directory = /usr/lib/postfix
> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_sasl_security_options = noanonymous
> smtp_tls_security_level = encrypt
> smtp_tls_wrappermode = no
> smtpd_banner = $myhostname ESMTP $mail_name ($mail_version $service_name)
> smtpd_recipient_restrictions = permit_auth_destination, permit_sasl_authenticated, reject
> tls_random_source = dev:/dev/urandom
> unknown_local_recipient_reject_code = 550
>
> And the relevant part of master.cf:
>
> submission inet  n       -       y       -       -       smtpd -v
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_sasl_type=dovecot
>   -o smtpd_sasl_path=private/auth
>   -o smtpd_sasl_security_options=noanonymous
>   -o smtpd_sasl_tls_security_options=noanonymous
>   -o smtpd_sasl_local_domain=$mydomain
>   -o smtpd_tls_chain_files=/etc/ssl/private/dovecot-priv-key.pem,/etc/ssl/dovecot-pub-cert.pem
> #  -o smtpd_tls_auth_only=yes
>   -o smtpd_use_tls=yes
>   -o smtpd_tls_loglevel=2
> #crashes:  -o smtpd_enforce_tls=yes
> #crashes:  -o smtpd_tls_security_level=encrypt
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o smtpd_sender_restrictions=reject_non_fqdn_sender,reject_unknown_sender_domain,reject_sender_login_mismatch
> #  -o smtpd_sender_login_maps=unix:passwd.byname
>   -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,permit_sasl_authenticated,permit_auth_destination,reject
>   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>
> Here's my 'make makefiles' command:
>
> make makefiles shared=yes CCARGS='-DUSE_SASL_AUTH -DUSE_TLS -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DOPENSSL_NO_TLSEXT -I/usr/local/include/sasl' AUXLIBS="-lssl -lcrypto -L/usr/local/lib -lsasl2"
>
> Thanks,
> Peter
>
> --
> Peter Lindgren<pe...@norrskenkonsult.com>
>
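
Added example, not part of the original message and not Postfix code: a shell check that the key and certificate named in smtpd_tls_chain_files above both parse and belong together, run outside Postfix so that a bad file shows up as an exit code rather than inside smtpd. The function name check_chain_files and its exit codes are assumptions made for this illustration; the paths are supplied by the caller.

```shell
#!/bin/sh
# Added illustration; check_chain_files and its exit codes are hypothetical.
# Usage: check_chain_files KEY.pem CERT.pem
#   (key first, then certificate, the order used in the
#    smtpd_tls_chain_files setting quoted above)
# Exit codes:
#   0  both files parse and the certificate carries the key's public half
#   1  private key missing, unparsable, or passphrase-protected
#   2  certificate missing or unparsable
#   3  both parse, but the certificate belongs to a different key
check_chain_files() {
    key_file=$1
    cert_file=$2

    # An empty -passin makes an encrypted key fail instead of prompting.
    key_pub=$(openssl pkey -in "$key_file" -passin pass: -pubout 2>/dev/null) || return 1

    # Public key embedded in the certificate, printed in the same PEM form.
    cert_pub=$(openssl x509 -in "$cert_file" -noout -pubkey 2>/dev/null) || return 2

    # Identical PEM text means the certificate was issued for this key.
    [ "$key_pub" = "$cert_pub" ] || return 3
    return 0
}

# When called with two paths, report the verdict in words.
if [ "$#" -eq 2 ]; then
    rc=0
    check_chain_files "$1" "$2" || rc=$?
    case $rc in
        0) echo "ok: key and certificate parse and match" ;;
        1) echo "private key could not be loaded: $1" ;;
        2) echo "certificate could not be loaded: $2" ;;
        3) echo "certificate does not match private key" ;;
    esac
    exit "$rc"
fi
```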