This is a site-specific problem. I ran "openssl s_client" and "posttls-finger -w" against one of the affected servers, and reliably crashed their postscreen daemon. I've been doing similar tests against my own servers without any problems.
Unless proven otherwise, this is no longer a Postfix problem. I think that the problem is one or more of:

1 - Bad build, perhaps a compiler-from-hell optimized away some boundary check
2 - Postfix / library mismatch (include files and object library from different builds)
3 - Library / kernel mismatch (library expects kernel API X, but the kernel provides API Y, because the system was not rebooted after update)
4 - Antivirus DLL, or other run-time evil such as VM manipulation

[3] Could be the result of an incomplete update process.

[1-2] are non-trivial to reproduce for me, because the FreeBSD base system and ports evolve independently, and the affected system is updated every few weeks. There is no simple way to exactly reproduce the affected system locally.

The true cause is yet to be determined, and it may not be one of the above.

Wietse