2.8.0 smtpd killed while using TLS + SASL AUTH

D G Teed

Feb 22, 2011, 3:46:20 PM
Hi,

I have postfix-2.8-20101007 working fine for all features for some time.
The problem is specific to my 2.8.0 build.

This is on Debian.  I built 2.8.0 with:

make makefiles CCARGS='-DUSE_SASL_AUTH -DUSE_CYRUS_SASL -DUSE_TLS -I /usr/include/sasl -I /usr/include -DSNAPSHOT' \
AUXLIBS='-L/usr/local/lib -lsasl2 -lssl -lcrypto -L/usr/lib'

which seemed to be how I had built postfix-2.8-20101007 (on same machine
some months ago).

If I make upgrade from the 2.8.0, I get most features working, but
attempts to connect to secure SMTP fail with:

Feb 22 16:15:18 myserv postfix-internal/smtpd[18103]: initializing the server-side TLS engine
Feb 22 16:15:18 myserv postfix-internal/tlsmgr[18104]: open smtpd TLS cache btree:/var/lib/postfix-internal/smtpd_tls_session_cache
Feb 22 16:15:18 myserv postfix-internal/tlsmgr[18104]: tlsmgr_cache_run_event: start TLS smtpd session cache cleanup
Feb 22 16:15:18 myserv postfix-internal/smtpd[18103]: connect from client.example.com[xxx.yyy.137.93]
Feb 22 16:15:18 myserv postfix-internal/smtpd[18103]: setting up TLS connection from client.example.com[xxx.yyy.137.93]
Feb 22 16:15:18 myserv postfix-internal/smtpd[18103]: client.example.com[xxx.yyy.137.93]: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
Feb 22 16:15:18 myserv postfix-internal/master[18086]: warning: process /usr/libexec/postfix/smtpd pid 18103 killed by signal 11
Feb 22 16:15:18 myserv postfix-internal/master[18086]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling

I can immediately fix this by going back to my postfix-2.8-20101007
build area and running make upgrade to replace the binaries.
With 2.8-20101007 installed I can submit over secure ports.

The ldd links from both smtpd binaries are to the same library files.

I'm using TLS+SASL, set up within master.cf like so:

# Secure submission server on port 465 for Outlook Clients
131.162.201.5:465 inet n       -       n       -       -       smtpd
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_use_tls=yes
        -o smtpd_enforce_tls=yes
        -o smtpd_tls_wrappermode=yes
        -o smtpd_sasl_tls_security_options=noanonymous
        -o smtpd_sasl_security_options=noanonymous
#
# Secure submission server on port 587 for non-Outlook Clients
131.162.201.5:587 inet n       -       n       -       -       smtpd
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_use_tls=yes
        -o smtpd_enforce_tls=yes
        -o smtpd_tls_wrappermode=no
        -o smtpd_sasl_tls_security_options=noanonymous
        -o smtpd_sasl_security_options=noanonymous


Probably something small I'm overlooking again - most likely build related, but I can't spot it.

--Donald
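
Added example, not part of the original thread: a small Python log check that pairs each master "killed by signal" warning with the last line the crashed process logged, which is how the excerpt above points at TLS setup as the place smtpd died. The lines for pid 18103 come from the post's excerpt, the two lines for pid 18110 are constructed, and the name `find_crashes` is hypothetical.

```python
import re

# Log lines for pid 18103 are copied from the post's excerpt; the two lines for
# pid 18110 are constructed to show a healthy process that must not be reported.
SAMPLE = """\
Feb 22 16:15:18 myserv postfix-internal/smtpd[18103]: connect from client.example.com[xxx.yyy.137.93]
Feb 22 16:15:18 myserv postfix-internal/smtpd[18103]: setting up TLS connection from client.example.com[xxx.yyy.137.93]
Feb 22 16:15:18 myserv postfix-internal/smtpd[18103]: client.example.com[xxx.yyy.137.93]: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
Feb 22 16:15:18 myserv postfix-internal/smtpd[18110]: connect from client.example.com[xxx.yyy.137.93]
Feb 22 16:15:18 myserv postfix-internal/master[18086]: warning: process /usr/libexec/postfix/smtpd pid 18103 killed by signal 11
Feb 22 16:15:18 myserv postfix-internal/master[18086]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
Feb 22 16:15:19 myserv postfix-internal/smtpd[18110]: disconnect from client.example.com[xxx.yyy.137.93]
"""

# "<date> <host> <syslog_name>/<daemon>[<pid>]: <message>"
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) (\S+?)/(\w+)\[(\d+)\]: (.*)$")
KILLED = re.compile(r"warning: process (\S+) pid (\d+) killed by signal (\d+)")


def find_crashes(text):
    """Return one record per child that master reports as killed by a signal,
    with the last message that child logged before it died."""
    last = {}      # (syslog_name, pid) -> most recent message from that process
    crashes = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a Postfix syslog line in the expected shape
        ts, _host, name, daemon, pid, msg = m.groups()
        k = KILLED.search(msg) if daemon == "master" else None
        if k is None:
            last[(name, pid)] = msg
            continue
        program, child_pid, sig = k.groups()
        crashes.append({
            "time": ts, "instance": name, "program": program,
            "pid": int(child_pid), "signal": int(sig),
            "last_message": last.get((name, child_pid)),
        })
    return crashes


if __name__ == "__main__":
    for c in find_crashes(SAMPLE):
        print(f'{c["time"]} {c["program"]}[{c["pid"]}] signal {c["signal"]}; '
              f'last logged: {c["last_message"]}')
```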

Wietse Venema

Feb 22, 2011, 3:58:58 PM
D G Teed:

> Hi,
>
> I have postfix-2.8-20101007 working fine for all features for some time.
> The problem is specific to my 2.8.0 build.
>
> This is on Debian. I built 2.8.0 with:
>
> make makefiles CCARGS='-DUSE_SASL_AUTH -DUSE_CYRUS_SASL -DUSE_TLS -I
> /usr/include/sasl -I /usr/include -DSNAPSHOT' \
> AUXLIBS='-L/usr/local/lib -lsasl2 -lssl -lcrypto -L/usr/lib'

postfix-2.8.1-RC1 fixes a "signal 11" when you run with
smtpd_tls_loglevel=3 or higher.

Wietse

Victor Duchovni

Feb 22, 2011, 4:05:25 PM

By the way, the OP should NOT be compiling an official release with
"-DSNAPSHOT". If a snapshot is desired, download a snapshot release.

--
Viktor.

Steve Jenkins

Feb 22, 2011, 6:05:55 PM
On Tue, Feb 22, 2011 at 1:05 PM, Victor Duchovni
<Victor....@morganstanley.com> wrote:
> By the way, the OP should NOT be compiling an official release with
> "-DSNAPSHOT". If a snapshot is desired, download a snapshot release.

Googling "DSNAPSHOT" didn't answer the question for me, so please
allow a non-programmer to ask what this argument does when compiling
Postfix?

Thanks,

SteveJ

Victor Duchovni

Feb 22, 2011, 6:19:44 PM

Enables features that are only enabled in snapshot releases.

--
Viktor.

Wietse Venema

Feb 22, 2011, 7:31:27 PM
Steve Jenkins:

> On Tue, Feb 22, 2011 at 1:05 PM, Victor Duchovni
> <Victor....@morganstanley.com> wrote:
> > By the way, the OP should NOT be compiling an official release with
> > "-DSNAPSHOT". If a snapshot is desired, download a snapshot release.
>
> Googling "DSNAPSHOT" didn't answer the question for me, so please
> allow a non-programmer to ask what this argument does when compiling
> Postfix?

As with all non-documented Postfix features, you break the warranty
when you tweak it.

D G Teed

Feb 22, 2011, 9:43:36 PM


On Tue, Feb 22, 2011 at 4:58 PM, Wietse Venema <wie...@porcupine.org> wrote:
> D G Teed:
> > Hi,
> >
> > I have postfix-2.8-20101007 working fine for all features for some time.
> > The problem is specific to my 2.8.0 build.
> >
> > This is on Debian.  I built 2.8.0 with:
> >
> > make makefiles CCARGS='-DUSE_SASL_AUTH -DUSE_CYRUS_SASL -DUSE_TLS -I
> > /usr/include/sasl -I /usr/include -DSNAPSHOT' \
> > AUXLIBS='-L/usr/local/lib -lsasl2 -lssl -lcrypto -L/usr/lib'
>
> postfix-2.8.1-RC1 fixes a "signal 11" when you run with
> smtpd_tls_loglevel=3 or higher.


Tonight I noticed 2.8.1 is released as well.  Thanks.
I've compiled this.  It wasn't clear to
me at first, but I see 3 is a default log level
if we don't specify anything for smtpd_tls_loglevel.
I have verified TLS is working on 2.8.1.

I've also removed -DSNAPSHOT as suggested.

--Donald

Victor Duchovni

Feb 23, 2011, 11:21:03 AM
On Tue, Feb 22, 2011 at 10:43:36PM -0400, D G Teed wrote:

> Tonight I noticed 2.8.1 is released as well. Thanks.
> I've compiled this. It wasn't clear to
> me at first, but I see 3 is a default log level
> if we don't specify anything for smtpd_tls_loglevel.

No, the default loglevel is "0".

--
Viktor.
