Wietse Venema:
> Christian Roessner:
> > I double checked that cacert.org's cert is in that path as well
> > and that the c_hash exists, too. I did not find an answer and so
> > I only changed the log level of smtpd_tls_loglevel = 1 to 3. This
> > brought the segfault and this in the logs:
> >
> > Feb 6 19:11:54 mx postfix/master[14500]: warning: process
> > /usr/lib/postfix/smtpd pid 14526 killed by signal 11
> > Feb 6 19:13:15 mx postfix/master[14736]: warning: process
> > /usr/lib/postfix/smtpd pid 14784 killed by signal 11
> >
>
> That's easy enough to verify with default configuration and
>
> openssl s_client -starttls smtp -connect 127.0.0.1:25
>
> For now, just don't set smtpd_tls_loglevel >= 3.
Or apply the patch below (Postfix 2.8 and later).
Wietse
diff -cr /var/tmp/postfix-2.9-20110205/src/tls/tls_server.c src/tls/tls_server.c
*** /var/tmp/postfix-2.9-20110205/src/tls/tls_server.c Fri Dec 31 19:01:44 2010
--- src/tls/tls_server.c Mon Feb 7 09:35:39 2011
***************
*** 658,663 ****
--- 658,675 ----
SSL_set_accept_state(TLScontext->con);
/*
+ * Connect the SSL connection with the network socket.
+ */
+ if (SSL_set_fd(TLScontext->con, props->stream == 0 ? 0 :
+ vstream_fileno(props->stream)) != 1) {
+ msg_info("SSL_set_fd error to %s", props->namaddr);
+ tls_print_errors();
+ uncache_session(app_ctx->ssl_ctx, TLScontext);
+ tls_free_context(TLScontext);
+ return (0);
+ }
+
+ /*
* If the debug level selected is high enough, all of the data is dumped:
* 3 will dump the SSL negotiation, 4 will dump everything.
*
***************
*** 676,692 ****
return (TLScontext);
/*
- * Connect the SSL connection with the network socket.
- */
- if (SSL_set_fd(TLScontext->con, vstream_fileno(props->stream)) != 1) {
- msg_info("SSL_set_fd error to %s", props->namaddr);
- tls_print_errors();
- uncache_session(app_ctx->ssl_ctx, TLScontext);
- tls_free_context(TLScontext);
- return (0);
- }
-
- /*
* Turn on non-blocking I/O so that we can enforce timeouts on network
* I/O.
*/
--- 688,693 ----
