On Fri, May 23, 2014 at 12:21:38PM -0500, Jeff Larsen wrote:

> Ubuntu 14.04 64-bit, using packages from distro.

So to confirm, Postfix, OpenSSL and OpenLDAP are all from Ubuntu
14.04 packages?  Does cleanup run in a chroot jail (report master.cf
entry)?  If so, have you tried disabling chroot:

    cleanup    unix  n       -       n       -       0       cleanup

> virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf
> 
> /etc/postfix/ldap-aliases.cf
> 
> server_host = ldaps://dc.domain.com:636
> search_base = OU=Mail Aliases,OU=XYZ,DC=domain,DC=com
> version = 3
> query_filter = (&(objectclass=group)(name=%s))
> special_result_attribute = member
> result_attribute = mail
> bind = yes
> bind_dn = CN=<removed>
> bind_pw = <removed>
> tls_ca_cert_file = /etc/ssl/certs/myca.crt

Looks fine, the "tls_ca_cert_file" is not needed, but should be
harmless.

> Manual lookup via "postmap -q al...@domain.com
> ldap:/etc/postfix/ldap-aliases.cf" works without issue

The only obvious difference is that cleanup drops privs to run as
the "postfix" user (after reading the table .cf file) and may run
chrooted.

> But we get this in the logs when any message is received by postfix
> (not just aliases)

Virtual alias lookups apply to all addresses.

> May 23 12:07:57 postfix/pickup[15854]: warning: maildrop/D5CDC22C:
> error writing 5CD3DAE7: queue file write error
> May 23 12:07:57 postfix/master[15356]: warning: process
> /usr/lib/postfix/cleanup pid 15907 killed by signal 11

Get a stack trace:

    http://www.postfix.org/DEBUG_README.html#auto_trace
    http://www.postfix.org/DEBUG_README.html#screen
    http://www.postfix.org/DEBUG_README.html#gdb

> If we change the server_host to just "ldap://dc.domain.com"; (no SSL)
> then all is well.

OpenLDAP is handling the TLS logistics in this case, so the difference
between the two is not even in Postfix code.  Seems likely that the
issue is in Ubuntu's OpenLDAP library.

> I can't tell if something is misconfigured, a library is missing, or
> if this is just a bug in the Ubuntu build.

The stack trace may help.  Plus a test without chroot if chroot is
enabled by default (typical in Debian/Ubuntu).  Still the signal 11
should not happen even if OpenLDAP is operating in a chroot jail.

-- 
        Viktor.
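An added example, not part of Viktor's reply or of Postfix itself: a small POSIX shell helper that reports the chroot column of every master.cf service and prints the non-chrooted replacement line for cleanup, which is the check the reply asks for. The master.cf content below is constructed for the example and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample master.cf in the Debian/Ubuntu layout (not a real
# file from the thread). Column 5 is the chroot flag: y, n or "-", where
# "-" means the built-in default, which was "y" before Postfix 3.0.
MASTER_CF=$(mktemp)
trap 'rm -f "$MASTER_CF"' EXIT
cat > "$MASTER_CF" <<'EOF'
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       -       -       -       smtpd
pickup    unix  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
  -o receive_override_options=no_header_body_checks
qmgr      unix  n       -       n       300     1       qmgr
EOF

# Print "service/type chroot-flag" for every service entry. Comment lines
# and indented "-o" continuation lines (fewer than 8 fields) are skipped.
master_chroot_report() {
    awk '!/^[[:space:]]*#/ && NF >= 8 { print $1 "/" $2, $5 }' "$1"
}

# Print the chroot flag of one service, e.g. master_chroot_flag FILE cleanup unix
master_chroot_flag() {
    awk -v svc="$2" -v typ="$3" \
        '!/^[[:space:]]*#/ && NF >= 8 && $1 == svc && $2 == typ { print $5; exit }' "$1"
}

# Print the same entry with the chroot column forced to "n" (the line the
# reply suggests trying), without modifying the file itself.
master_unchroot_line() {
    awk -v svc="$2" -v typ="$3" \
        '!/^[[:space:]]*#/ && NF >= 8 && $1 == svc && $2 == typ { $5 = "n"; print; exit }' "$1"
}

# Stand-alone usage: list the flags, then show the unchrooted cleanup line.
master_chroot_report "$MASTER_CF"
master_unchroot_line "$MASTER_CF" cleanup unix
```

On a live system, point the functions at /etc/postfix/master.cf and compare the cleanup flag with what `postconf -M cleanup/unix` reports.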
