postfix/smtpd killed by signal 9, bad command startup

Peter Lindgren-2

Hi!

I build postfix 3.5.7 from source on OpenBSD 6.7. I seem to have a problem with the certificate I generated. They work fine with Dovecot, though.

In the moment postfix/master starts the smtpd and it's trying to do something with the certificate (on the smtp submission port 587), it crashes:

Sep 20 23:03:50 neptunus postfix/master[30686]: warning: process /usr/local/libexec/postfix/smtpd pid 84403 killed by signal 9
Sep 20 23:03:50 neptunus postfix/master[30686]: warning: /usr/local/libexec/postfix/smtpd: bad command startup -- throttling

I added a lot of debugging/logging code to find where it crashes, and for a moment I thought I had found it, line 522 in tls/tls_server.c. So I added -DOPENSSL_NO_TLSEXT and built again, but now it crashes further down, the call tls_set_my_certificate_key_info() on line 606 in tls/tls_server.c, function tls_server_init().

However, I take a step back and I assume there is something wrong with the certificate or my configuration? It's a self-signed certificate. Or am I on to some real bug here?

Here's my postconf -n output:

neptunus# postconf -n | sort
command_directory = /usr/local/sbin
compatibility_level = 2
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/postfix
debug_peer_level = 2
debug_peer_list = localhost
disable_vrfy_command = yes
home_mailbox = Maildir/
html_directory = /usr/local/share/doc/postfix/html
inet_protocols = all
mail_owner = _postfix
mail_spool_directory = /var/mail
mailbox_command = /usr/local/libexec/dovecot/deliver
mailbox_size_limit = 80000000
mailq_path = /usr/local/sbin/mailq
manpage_directory = /usr/local/man
message_size_limit = 80000000
meta_directory = /etc/postfix
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks_style = subnet
newaliases_path = /usr/local/sbin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix/readme
recipient_delimiter = +
relay_domains = $mydestination
relayhost = [in.mailjet.com]:587
sample_directory = /etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = _postdrop
shlib_directory = /usr/lib/postfix
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = no
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version $service_name)
smtpd_recipient_restrictions = permit_auth_destination, permit_sasl_authenticated, reject
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550

And the relevant part of master.cf:

submission inet  n       -       y       -       -       smtpd -v
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_tls_security_options=noanonymous
  -o smtpd_sasl_local_domain=$mydomain
  -o smtpd_tls_chain_files=/etc/ssl/private/dovecot-priv-key.pem,/etc/ssl/dovecot-pub-cert.pem
#  -o smtpd_tls_auth_only=yes
  -o smtpd_use_tls=yes
  -o smtpd_tls_loglevel=2
#kraschar:  -o smtpd_enforce_tls=yes
#kraschar:  -o smtpd_tls_security_level=encrypt
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=reject_non_fqdn_sender,reject_unknown_sender_domain,reject_sender_login_mismatch
#  -o smtpd_sender_login_maps=unix:passwd.byname
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,permit_sasl_authenticated,permit_auth_destination,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

Here's my 'make makefiles' command:

make makefiles shared=yes CCARGS='-DUSE_SASL_AUTH -DUSE_TLS -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DOPENSSL_NO_TLSEXT -I/usr/local/include/sasl' AUXLIBS="-lssl -lcrypto -L/usr/local/lib -lsasl2"

Thanks,
Peter

-- 
Peter Lindgren [hidden email]

Re: postfix/smtpd killed by signal 9, bad command startup

Viktor Dukhovni
On Mon, Sep 21, 2020 at 08:09:41PM +0200, Peter Lindgren wrote:

> I build postfix 3.5.7 from source on OpenBSD 6.7. I seem to have a problem
> with the certificate I generated. They work fine with Dovecot, though.

If you're linking against LibreSSL, and not OpenSSL, that's not
supported.

--
    Viktor.

Re: postfix/smtpd killed by signal 9, bad command startup

Wietse Venema
In reply to this post by Peter Lindgren-2
Peter Lindgren:

> Hi!
>
> I build postfix 3.5.7 from source on OpenBSD 6.7. I seem to have a problem
> with the certificate I generated. They work fine with Dovecot, though.
>
> In the moment postfix/master starts the smtpd and it's trying to do
> something with the certificate (on the smtp submission port 587), it
> crashes:
>
> Sep 20 23:03:50 neptunus postfix/master[30686]: warning: process
> /usr/local/libexec/postfix/smtpd pid 84403 killed by signal 9

This reminds me of GnuTLS library code that would send text to
stderr and terminate the process. That was a very unusual way to
report that the random number generator was unavailable.

Calling a library with a bad certificate should never cause
a process to terminate. Instead the library should return an
error code to Postfix.

Perhaps some OpenBSD code is sending a signal 9 (SIGKILL) when
it does not like what Postfix does? It would be a very unusual
way to report a problem.

Try this:

        postfix stop
        /path/to/master -d

This will leave stderr open and display any stderr output that
some non-Postfix library code might send.

        Wietse

> Sep 20 23:03:50 neptunus postfix/master[30686]: warning:
> /usr/local/libexec/postfix/smtpd: bad command startup -- throttling
>
> I added a lot of debugging/logging code to find where it crashes, and
> for a moment I thought I had found it, line 522 in tls/tls_server.c. So
> I added -DOPENSSL_NO_TLSEXT and built again, but now it crashes further
> down, the call tls_set_my_certificate_key_info() on line 606 in
> tls/tls_server.c, function tls_server_init().
>
> However, I take a step back and I assume there is something wrong with
> the certificate or my configuration? It's a self-signed certificate. Or
> am I on to some real bug here?
>
> Here's my postconf -n output:
>
> neptunus# postconf -n | sort
> command_directory = /usr/local/sbin
> compatibility_level = 2
> daemon_directory = /usr/local/libexec/postfix
> data_directory = /var/postfix
> debug_peer_level = 2
> debug_peer_list = localhost
> disable_vrfy_command = yes
> home_mailbox = Maildir/
> html_directory = /usr/local/share/doc/postfix/html
> inet_protocols = all
> mail_owner = _postfix
> mail_spool_directory = /var/mail
> mailbox_command = /usr/local/libexec/dovecot/deliver
> mailbox_size_limit = 80000000
> mailq_path = /usr/local/sbin/mailq
> manpage_directory = /usr/local/man
> message_size_limit = 80000000
> meta_directory = /etc/postfix
> mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
> mynetworks_style = subnet
> newaliases_path = /usr/local/sbin/newaliases
> queue_directory = /var/spool/postfix
> readme_directory = /usr/local/share/doc/postfix/readme
> recipient_delimiter = +
> relay_domains = $mydestination
> relayhost = [in.mailjet.com]:587
> sample_directory = /etc/postfix
> sendmail_path = /usr/local/sbin/sendmail
> setgid_group = _postdrop
> shlib_directory = /usr/lib/postfix
> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_sasl_security_options = noanonymous
> smtp_tls_security_level = encrypt
> smtp_tls_wrappermode = no
> smtpd_banner = $myhostname ESMTP $mail_name ($mail_version $service_name)
> smtpd_recipient_restrictions = permit_auth_destination, permit_sasl_authenticated, reject
> tls_random_source = dev:/dev/urandom
> unknown_local_recipient_reject_code = 550
>
> And the relevant part of master.cf:
>
> submission inet  n       -       y       -       -       smtpd -v
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_sasl_type=dovecot
>   -o smtpd_sasl_path=private/auth
>   -o smtpd_sasl_security_options=noanonymous
>   -o smtpd_sasl_tls_security_options=noanonymous
>   -o smtpd_sasl_local_domain=$mydomain
>   -o smtpd_tls_chain_files=/etc/ssl/private/dovecot-priv-key.pem,/etc/ssl/dovecot-pub-cert.pem
> #  -o smtpd_tls_auth_only=yes
>   -o smtpd_use_tls=yes
>   -o smtpd_tls_loglevel=2
> #kraschar:  -o smtpd_enforce_tls=yes
> #kraschar:  -o smtpd_tls_security_level=encrypt
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o smtpd_sender_restrictions=reject_non_fqdn_sender,reject_unknown_sender_domain,reject_sender_login_mismatch
> #  -o smtpd_sender_login_maps=unix:passwd.byname
>   -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,permit_sasl_authenticated,permit_auth_destination,reject
>   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>
> Here's my 'make makefiles' command:
>
> make makefiles shared=yes CCARGS='-DUSE_SASL_AUTH -DUSE_TLS -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DOPENSSL_NO_TLSEXT -I/usr/local/include/sasl' AUXLIBS="-lssl -lcrypto -L/usr/local/lib -lsasl2"
>
> Thanks,
> Peter
>
> --
> Peter Lindgren<[hidden email]>
>
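
Added example, not part of the thread and not Postfix code: a small Python triage pass over the master warnings quoted above. It pairs each "killed by signal" line with the "bad command startup" line for the same binary and flags signal 9 (SIGKILL), which the child cannot catch, so the cause has to be looked for on stderr (master -d) or in the system's own logs. The signal table, the function name and the last two sample lines are assumptions constructed for illustration.

```python
import re

# Signal numbers that are identical on OpenBSD and Linux (assumed subset).
SIGNALS = {6: "SIGABRT", 9: "SIGKILL", 11: "SIGSEGV"}

KILLED = re.compile(
    r"postfix/master\[\d+\]: warning: process (?P<path>\S+) "
    r"pid (?P<pid>\d+) killed by signal (?P<sig>\d+)")
THROTTLED = re.compile(
    r"postfix/master\[\d+\]: warning: (?P<path>\S+): "
    r"bad command startup -- throttling")

# Sample input: the first two lines are the thread's log excerpt,
# the last two are constructed to show a different signal and a normal line.
SAMPLE_LOG = """\
Sep 20 23:03:50 neptunus postfix/master[30686]: warning: process /usr/local/libexec/postfix/smtpd pid 84403 killed by signal 9
Sep 20 23:03:50 neptunus postfix/master[30686]: warning: /usr/local/libexec/postfix/smtpd: bad command startup -- throttling
Sep 20 23:10:02 neptunus postfix/master[30686]: warning: process /usr/local/libexec/postfix/cleanup pid 84999 killed by signal 11
Sep 20 23:10:05 neptunus postfix/smtpd[85001]: connect from localhost[127.0.0.1]
"""

def triage(log_text):
    """Return one record per child that master reports as killed by a signal."""
    events = []
    for line in log_text.splitlines():
        m = KILLED.search(line)
        if m:
            sig = int(m["sig"])
            events.append({
                "path": m["path"],
                "pid": int(m["pid"]),
                "signal": SIGNALS.get(sig, f"signal {sig}"),
                # SIGKILL cannot be caught or handled, so the child had no
                # chance to log why it died.
                "uncatchable": sig == 9,
                "throttled": False,
            })
            continue
        m = THROTTLED.search(line)
        if m:
            # Attach the throttling warning to the latest death of that binary.
            for ev in reversed(events):
                if ev["path"] == m["path"]:
                    ev["throttled"] = True
                    break
    return events

if __name__ == "__main__":
    for ev in triage(SAMPLE_LOG):
        print(ev)
```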

Re: postfix/smtpd killed by signal 9, bad command startup

Peter Lindgren-2
In reply to this post by Viktor Dukhovni
On 2020-09-21 20.39, Viktor Dukhovni wrote:
> On Mon, Sep 21, 2020 at 08:09:41PM +0200, Peter Lindgren wrote:
>
>> I build postfix 3.5.7 from source on OpenBSD 6.7. I seem to have a problem
>> with the certificate I generated. They work fine with Dovecot, though.
>
> If you're linking against LibreSSL, and not OpenSSL, that's not
> supported.

There was something fishy in my build, I installed a packaged release and it didn't have any SSL errors. I'll go with that release.

Thanks,
Peter

-- 
Peter Lindgren [hidden email]
+46 705 87 88 99