Postfix TLS crash on MacOS 10.13 (High Sierra)

Postfix TLS crash on MacOS 10.13 (High Sierra)

AnotherGuyFromAlberta
Hi,

I recently upgraded a Mac server to 10.13 (High Sierra).  This server
has been running for about 5 years and hosts Postfix.  After upgrading the
OS I upgraded:
1.  dovecot to 2.2.33.2
2.  openssl to 1.1.0g
3.  pcre to 8.41
4.  postfix to 3.2.4

Everything appears to compile and work except TLS on Postfix.  It crashes
with the same error
every few minutes.  Here's a snippet of the crash:

--------------
Process:               smtpd [36390]
Path:                  /usr/local/libexec/postfix/smtpd
Identifier:            smtpd
Version:               0
Code Type:             X86-64 (Native)
Parent Process:        master [35991]
Responsible:           smtpd [36390]
User ID:               27

Date/Time:             2017-11-20 20:19:18.120 -0700
OS Version:            Mac OS X 10.13.1 (17B48)
Report Version:        12
Anonymous UUID:        B1E6253F-2F8C-C8F2-A4D6-5C163ADD54DE


Time Awake Since Boot: 120000 seconds

System Integrity Protection: enabled

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_CRASH (SIGABRT)
Exception Codes:       0x0000000000000000, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Application Specific Information:
Assertion failed: (ctx->pctx == NULL || ctx->pctx_ops != NULL), function EVP_MD_CTX_cleanup, file /BuildRoot/Library/Caches/com.apple.xbs/Sources/boringssl/boringssl-109.20.5/crypto/digest/digest.c, line 98.
 

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib        0x00007fff6b710fce __pthread_kill + 10
1   libsystem_pthread.dylib       0x00007fff6b84e150 pthread_kill + 333
2   libsystem_c.dylib             0x00007fff6b66d30a abort + 127
3   libsystem_c.dylib             0x00007fff6b635360 __assert_rtn + 320
4   libboringssl.dylib            0x00007fff69583017 EVP_MD_CTX_cleanup + 97
5   libboringssl.dylib            0x00007fff695830ce EVP_MD_CTX_copy_ex + 104
6   libboringssl.dylib            0x00007fff6955bcbb HMAC_Init_ex + 88
7   smtpd                         0x0000000101650433 ticket_cb + 227 (tls_server.c:328)
8   libssl.1.1.dylib              0x0000000101748089 tls_construct_new_session_ticket + 441
9   libssl.1.1.dylib              0x000000010173db32 state_machine + 2034
10  smtpd                         0x000000010164dc2c tls_bio + 140 (tls_bio_ops.c:198)
11  smtpd                         0x0000000101650911 tls_server_start + 433 (tls_server.c:828)
12  smtpd                         0x00000001016376b9 smtpd_start_tls + 409 (smtpd.c:4557)
13  smtpd                         0x0000000101639da6 starttls_cmd + 630 (smtpd.c:4769)
14  smtpd                         0x000000010163709f smtpd_proto + 2335 (smtpd.c:5236)
15  smtpd                         0x0000000101635d83 smtpd_service + 435 (smtpd.c:5480)
16  smtpd                         0x000000010164ce6e single_server_wakeup + 238 (single_server.c:283)
17  smtpd                         0x000000010167bc72 event_loop + 914 (events.c:1176)
18  smtpd                         0x000000010164c7ed single_server_main + 2941
19  smtpd                         0x0000000101635bc7 main + 263 (smtpd.c:5976)
20  libdyld.dylib                 0x00007fff6b5c1145 start + 1
-------------

I'm wondering if anyone has run into this issue and perhaps has a solution?
The library that the error occurs in "libboringssl.dylib" isn't one I used
in compiling so I assume it's OS internal.  Perhaps a bug in the OS itself?

Thanks!



Re: Postfix TLS crash on MacOS 10.13 (High Sierra)

Viktor Dukhovni


> On Nov 20, 2017, at 10:46 PM, AnotherGuyFromAlberta <[hidden email]> wrote:
>
> I recently upgraded a Mac server to 10.13 (High Sierra).  This server
> has been running for about 5 years and hosts Postfix.  After upgrading the
> OS I upgraded:
> 1.  dovecot to 2.2.33.2
> 2.  openssl to 1.1.0g
> 3.  pcre to 8.41
> 4.  postfix to 3.2.4
>
> Everything appears to compile and work except TLS on Postfix.  It crashes
> with the same error
> every few minutes.  Here's a snippet of the crash:
>
> Assertion failed: (ctx->pctx == NULL || ctx->pctx_ops != NULL), function
> EVP_MD_CTX_cleanup, file
> /BuildRoot/Library/Caches/com.apple.xbs/Sources/boringssl/boringssl-109.20.5/crypto/digest/digest.c,
> line 98.

The "BoringSSL" library is derived from and conflicts with OpenSSL.
With some care in the compiler options you may be able to build
a version of Postfix that is using OpenSSL and not Boring SSL.

I have (my own build of) OpenSSL 1.1.0 installed in /opt/openssl/1.1.0
and after configuration makedefs.out has:

  CCARGS=-I/opt/openssl/1.1.0/include -DUSE_TLS -DHAS_PCRE -DHAS_CDB -I/usr/local/include
  AUXLIBS=-L/opt/openssl/1.1.0/lib -lssl -lcrypto -L/usr/local/lib -ldb
  AUXLIBS_PCRE=-L/usr/local/lib -lpcre
  AUXLIBS_CDB=-L/usr/local/lib -lcdb
  shared=yes
  dynamicmaps=yes

This appears to produce a working Postfix with TLS.

  $ otool -L .../libexec/smtpd
  .../libexec/smtpd:
        @rpath/libpostfix-master.dylib (compatibility version 0.0.0, current version 0.0.0)
        @rpath/libpostfix-tls.dylib (compatibility version 0.0.0, current version 0.0.0)
        @rpath/libpostfix-dns.dylib (compatibility version 0.0.0, current version 0.0.0)
        @rpath/libpostfix-global.dylib (compatibility version 0.0.0, current version 0.0.0)
        @rpath/libpostfix-util.dylib (compatibility version 0.0.0, current version 0.0.0)
        /opt/openssl/1.1.0/lib/libssl-opt.1.1.dylib (compatibility version 1.1.0, current version 1.1.0)
        /opt/openssl/1.1.0/lib/libcrypto-opt.1.1.dylib (compatibility version 1.1.0, current version 1.1.0)
        /usr/local/opt/berkeley-db/lib/libdb-6.2.dylib (compatibility version 0.0.0, current version 0.0.0)
        /usr/lib/libresolv.9.dylib (compatibility version 1.0.0, current version 1.0.0)
        /usr/local/opt/icu4c/lib/libicui18n.59.dylib (compatibility version 59.0.0, current version 59.1.0)
        /usr/local/opt/icu4c/lib/libicuuc.59.dylib (compatibility version 59.0.0, current version 59.1.0)
        /usr/local/opt/icu4c/lib/libicudata.59.1.dylib (compatibility version 59.0.0, current version 59.1.0)
        /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.0.0)

The "posttls-finger" command works, and connecting to a loopback server yields:

  $ posttls-finger -c -l may "[127.0.0.1]"
  posttls-finger: Anonymous TLS connection established to 127.0.0.1[127.0.0.1]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
  posttls-finger: Server is anonymous

That said, it has become increasingly difficult to support Postfix
on Apple's most recent operating systems.  I think you should either
run the Postfix supplied by Apple, or choose a different O/S (a BSD
or Linux) for your mail server.

--
        Viktor.
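
The two checks this reply relies on, scripted as an added example that is not part of the original post: one confirms from `otool -L` output that libssl and libcrypto both resolve under the intended OpenSSL prefix, the other flags a crash backtrace in which BoringSSL and OpenSSL frames share a thread. The function names `check_linkage` and `mixed_tls_stack` are hypothetical; the sample input is excerpted from the output quoted in this thread.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# check_linkage PREFIX   (stdin: `otool -L` output)
# Succeeds only if libssl and libcrypto are both listed and each entry
# starts with PREFIX, the OpenSSL build Postfix was meant to link against.
check_linkage() {
    awk -v prefix="$1" '
        $1 ~ "/lib(ssl|crypto)[^/]*\\.dylib$" {
            if ($1 ~ "/libssl[^/]*$") ssl = 1
            else crypto = 1
            if (index($1, prefix) != 1) bad = 1
        }
        END { exit !(ssl && crypto && !bad) }'
}

# mixed_tls_stack   (stdin: backtrace section of a macOS crash report)
# Succeeds when a single thread has frames from libboringssl and from
# OpenSSL's libssl/libcrypto, the signature of the crash reported above.
mixed_tls_stack() {
    awk '
        /^Thread [0-9]+/          { boring = 0; openssl = 0 }
        $2 ~ /^libboringssl/      { boring = 1 }
        $2 ~ /^lib(ssl|crypto)\./ { openssl = 1 }
        boring && openssl         { found = 1 }
        END { exit !found }'
}

# Sample input: lines excerpted from the otool output and the crash report
# quoted in this thread (wrapped frames re-joined).
GOOD_LINKAGE='.../libexec/smtpd:
        /opt/openssl/1.1.0/lib/libssl-opt.1.1.dylib (compatibility version 1.1.0, current version 1.1.0)
        /opt/openssl/1.1.0/lib/libcrypto-opt.1.1.dylib (compatibility version 1.1.0, current version 1.1.0)
        /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.0.0)'
CRASH_STACK='Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
4   libboringssl.dylib   0x00007fff69583017 EVP_MD_CTX_cleanup + 97
6   libboringssl.dylib   0x00007fff6955bcbb HMAC_Init_ex + 88
7   smtpd                0x0000000101650433 ticket_cb + 227 (tls_server.c:328)
8   libssl.1.1.dylib     0x0000000101748089 tls_construct_new_session_ticket + 441'

printf '%s\n' "$GOOD_LINKAGE" | check_linkage /opt/openssl/1.1.0/lib/ \
    && echo "linkage: libssl and libcrypto both come from the expected prefix"
printf '%s\n' "$CRASH_STACK" | mixed_tls_stack \
    && echo "crash: BoringSSL and OpenSSL frames in the same thread"
```

`otool -L` lists only a binary's direct dependencies, so the backtrace check is the one that catches a library pulled in indirectly at run time.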

Re: Postfix TLS crash on MacOS 10.13 (High Sierra)

AnotherGuyFromAlberta
Hi,

Thanks for the guidance Viktor.  I wanted to share what worked for me.  I was able to get Postfix compiling and working on High Sierra with the following command:

make -f Makefile.init makefiles \
CCARGS='-DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DDEF_COMMAND_DIR=\"/usr/local/sbin\" -DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" -DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" -DUSE_TLS -DHAS_PCRE -I/usr/local/include -DHAS_SSL -I/usr/local/include/openssl -DHAS_MYSQL -I/usr/local/mysql/include' \
AUXLIBS='-L/usr/local/lib -lssl -lcrypto -L/usr/local/mysql/lib -lmysqlclient -lz -lm' \
AUXLIBS_PCRE='-L/usr/local/lib -lpcre'

This configuration includes PCRE, MySQL, and OpenSSL for SASL and TLS.  I found that I had to be very careful with the line continuations.  Either bash on High Sierra is very picky or my formatting was poor but I had to play with running the command until I was sure all of my options were being read correctly.

Hopefully this helps someone else.  I’d love to hear if someone figured out how to get logging on MacOS back to normal.  It’s something I might investigate further.

