Re: OpenSMTPD on CentOS 8.

2020-03-07 Thread Reio Remma
On 7. Mar 2020, at 04:27, Ihor Antonov  wrote:
> 
> On 2020-03-07 02:30, Reio Remma wrote:
>> On 07.03.2020 0:41, Ihor Antonov wrote:
>>> On 2020-03-06 23:05, Reio Remma wrote:
>>>> Hello!
>>>>
>>>> I was forced to upgrade our mail server to CentOS 8 (thanks to hardware
>>>> failure on the old machine). I've successfully built an RPM of OpenSMTPD for
>>>> CentOS 8 and it's running nicely, however I've a problem with the global
>>>> crypto policies in CentOS 8.
>>>>
>>>> Namely the DEFAULT crypto policy disables TLSv1 for OpenSMTPD. Has anyone
>>>> got any experience on how to allow TLSv1 for OpenSMTPD without downgrading
>>>> the whole system from DEFAULT to LEGACY crypto policy?
>>> Just out of curiosity - why do you need TLSv1 on OpenSMTPD? (Especially
>>> since it is considered to be not safe)
>> 
>> Because my thinking is it's better than the plain text the clients fall back
>> to. Or is it not so?
> 
> Good question. Will other SMTP servers fall back to plaintext if
> TLSv1.1+ is not available? TLS 1.2 is about 10 years old.. I would not
> force TLSv1.3 yet, but I also really don't want to communicate with
> systems that are so outdated that they don't support TLSv1.2. But that is
> a matter of personal choice probably.

I did have an overly optimistic experiment some time ago where IIRC I
restricted smtpd to TLSv1.2. Unfortunately that resulted in several mails per
day from banks, government agencies, etc. being lost. Unfortunately there are a
lot of outdated set-and-forget servers out there (like our old qmail setup that
had TLSv1 as max).

Reio



Re: opensmtpd 6.6.4p1 crashes on netbsd 9.0

2020-03-07 Thread Andi Vajda



On Fri, 6 Mar 2020, Andi Vajda wrote:
> Hi,
>
> I've been running opensmtpd 6.6.4p1 on netbsd 7.2 just fine.
>
> I'm now upgrading to netbsd 9.0 and I'm seeing that opensmtpd 6.6.4p1 crashes
> when mail is submitted to it. The crash seems to happen right after 'message
> begin':
>
> --- snip ---
> smtp: 0x7ad646215000: fd 24 from queue
> smtp: 0x7ad646215000: message fd 24
> smtp: 0x7ad646215000: message begin
> debug: parent -> pony: pipe closed
> debug: control -> pony express: pipe closed
> debug: control agent exiting
> smtpd: process pony socket closed
> debug: ca -> pony express: pipe closed
> --- snip ---
>
> If I copy the smtpd binary built on netbsd 7.2 to netbsd 9.0 then smtpd works
> fine again:
> --- snip ---
> smtp: 0x76e3f19b8000: fd 24 from queue
> smtp: 0x76e3f19b8000: message fd 24
> smtp: 0x76e3f19b8000: message begin
> debug: 0x76e3f19b8000: end of message, error=0
> ad1ae4fedfe423f1 smtp message msgid=c931775c size=567 nrcpt=1 proto=ESMTP
> --- snip ---
> and mail is delivered as expected.
>
> There is an ldd difference between the two binaries:
>
> on netbsd 7.2:
>    -lz.1 => /usr/pkg/lib/libz.so.1
>    -lgcc_s.1 => /usr/lib/libgcc_s.so.1
>    -lc.12 => /usr/lib/libc.so.12
>    -lcrypto.1.1 => /usr/pkg/lib/libcrypto.so.1.1
>    -lpthread.1 => /usr/lib/libpthread.so.1
>    -lssl.1.1 => /usr/pkg/lib/libssl.so.1.1
>    -levent-2.1.7 => /usr/pkg/lib/libevent-2.1.so.7
>    -lasr.0 => /usr/pkg/lib/libasr.so.0
>    -lcrypt.1 => /usr/lib/libcrypt.so.1
>
> on netbsd 9.0:
>    -lz.1 => /usr/pkg/lib/libz.so.1
>    -lc.12 => /usr/lib/libc.so.12
>    -lcrypto.1.1 => /usr/pkg/lib/libcrypto.so.1.1
>    -lpthread.1 => /usr/lib/libpthread.so.1
>    -lssl.1.1 => /usr/pkg/lib/libssl.so.1.1
>    -levent-2.1.7 => /usr/pkg/lib/libevent-2.1.so.7
>    -lasr.0 => /usr/pkg/lib/libasr.so.0
>    -lcrypt.1 => /usr/lib/libcrypt.so.1
>
> The -lgcc_s.1 entry is not present on 9.0.
>
> The compiler used on netbsd 7.2: gcc (nb2 20150115) 4.8.5
> The compiler used on netbsd 9.0: gcc (nb3 20190319) 7.4.0
>
> I also tried building opensmtpd 6.6.2p1 on netbsd 9.0, with the same result.
>
> Is there something about netbsd 9.0 (and its gcc 7.4.0 system compiler) that
> is known to cause this? Is there some configure setting I need to change?
> (On both OSs I'm only changing paths, i.e. --prefix, --with-libssl,
> --with-libasr, --with-libevent, as I'm using the pkgsrc installations (also
> built from sources) of these libraries.)
>
> I'm going to try building opensmtpd with llvm next...

Compiling it with llvm/clang 9.0.1 didn't make a difference. Same crash.
Trying with libressl next...

Andi..

> Thank you for your insights!
>
> Andi..






Re: opensmtpd 6.6.4p1 crashes on netbsd 9.0

2020-03-07 Thread Andi Vajda



On Sat, 7 Mar 2020, Andi Vajda wrote:
> Compiling it with llvm/clang 9.0.1 didn't make a difference. Same crash.
> Trying with libressl next...

And, built with libressl 3.0.2 (and system gcc), it works fine, mail is
delivered, no crash!

Here is my new ldd output:
   -lz.1 => /usr/pkg/lib/libz.so.1
   -lc.12 => /usr/lib/libc.so.12
   -lssl.47 => /home/vajda/opensmtpd-6.6.4p1/local/lib/libssl.so.47
   -lcrypto.45 => /home/vajda/opensmtpd-6.6.4p1/local/lib/libcrypto.so.45
   -lpthread.1 => /usr/lib/libpthread.so.1
   -levent-2.1.7 => /usr/pkg/lib/libevent-2.1.so.7
   -lasr.0 => /usr/pkg/lib/libasr.so.0
   -lcrypt.1 => /usr/lib/libcrypt.so.1

Andi..
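The ldd listings in the messages above are worth diffing mechanically whenever a rebuild on a new OS or against a different TLS library changes behaviour. The following is an added example, not code from the thread or from OpenSMTPD: it parses the `-lname.ver => /path/libname.so.ver` line shape that NetBSD's ldd prints and reports libraries present on one side only or resolved to a different version or path. The embedded listings are abridged from the messages above.

```python
import os
import re

# Matches the "-lname.ver => /path/libname.so.ver" lines NetBSD's ldd prints.
LDD_LINE = re.compile(r"^\s*(?P<link>-l\S+)\s*=>\s*(?P<path>\S+)\s*$")


def parse_ldd(text: str) -> dict:
    """Map library base name (e.g. 'libssl') to (version, resolved path)."""
    libs = {}
    for line in text.splitlines():
        m = LDD_LINE.match(line)
        if not m:
            continue  # skips headers like "on netbsd 9.0:" and blank lines
        base = os.path.basename(m.group("path"))
        name, _, version = base.partition(".so.")  # libssl.so.47 -> libssl, 47
        libs[name] = (version, m.group("path"))
    return libs


def diff_ldd(first: str, second: str) -> dict:
    """Report libraries present on one side only or resolved differently."""
    a, b = parse_ldd(first), parse_ldd(second)
    return {
        "only_in_first": sorted(a.keys() - b.keys()),
        "only_in_second": sorted(b.keys() - a.keys()),
        "changed": {n: (a[n][0], b[n][0]) for n in sorted(a.keys() & b.keys())
                    if a[n] != b[n]},
    }


# Abridged copies of the ldd listings quoted in the thread.
NETBSD72 = """
   -lgcc_s.1 => /usr/lib/libgcc_s.so.1
   -lcrypto.1.1 => /usr/pkg/lib/libcrypto.so.1.1
   -lssl.1.1 => /usr/pkg/lib/libssl.so.1.1
   -levent-2.1.7 => /usr/pkg/lib/libevent-2.1.so.7
"""
NETBSD90_OPENSSL = """
   -lcrypto.1.1 => /usr/pkg/lib/libcrypto.so.1.1
   -lssl.1.1 => /usr/pkg/lib/libssl.so.1.1
   -levent-2.1.7 => /usr/pkg/lib/libevent-2.1.so.7
"""
NETBSD90_LIBRESSL = """
-lssl.47 => /home/vajda/opensmtpd-6.6.4p1/local/lib/libssl.so.47
-lcrypto.45 => /home/vajda/opensmtpd-6.6.4p1/local/lib/libcrypto.so.45
-levent-2.1.7 => /usr/pkg/lib/libevent-2.1.so.7
"""

if __name__ == "__main__":
    print(diff_ldd(NETBSD72, NETBSD90_OPENSSL))  # libgcc_s only on 7.2
    print(diff_ldd(NETBSD90_OPENSSL, NETBSD90_LIBRESSL))  # libssl/libcrypto changed
```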