
Postfix and SSH broken

Discussion in 'Web and Network Services' started by xy16644, Apr 21, 2012.

  1. xy16644

    xy16644 New Member

    Messages:
    830
    Thanks Received:
    8
    I just ran a full update on all the ports on my FreeBSD 8.2 server and I now have two problems:

    1) When I receive an email from someone or I send myself a test email, the subject line is blank and it says it is from "SpamAssassin user". The contents of the email are blank.

    This is all I can see in the message header:

    Code:
    
    Return-Path: <xxxxx@googlemail.com>
    X-Original-To: xxxx@xxxx.com
    Delivered-To: xxxx@xxxx.com
    Received: by mail.xxxx.com (Postfix, from userid 58)
    	id 03562217168; Sat, 21 Apr 2012 22:26:22 +0100 (BST)
    Message-Id: <20120421212622.03562217168@mail.xxxx.com>
    Date: Sat, 21 Apr 2012 22:26:22 +0100 (BST)
    From: xxxx@googlemail.com (SpamAssassin user)
    X-Clamav-Status: No
    
    


    In the maillog logfile:

    Code:
    
    Apr 21 22:28:51 alpha postfix/smtpd[80688]: 5BCBC216F4F: client=mail-ob0-f170.google.com[209.85.214.170]
    Apr 21 22:28:51 alpha postfix/cleanup[80692]: 5BCBC216F4F: message-id=<CANf_VzpDkh5qwaJK3k5vTvxoDGEvEOUqjLs8vHSR9xqQjzjXdA@mail.gmail.com>
    Apr 21 22:28:51 alpha postfix/qmgr[42825]: 5BCBC216F4F: from=<xxxx@googlemail.com>, size=1763, nrcpt=1 (queue active)
    Apr 21 22:28:51 alpha postfix/pipe[80693]: 5BCBC216F4F: to=<admin@xxxxx.com>, relay=spamd, delay=0.47, delays=0.45/0.01/0/0.02, dsn=2.0.0, status=sent (delivered via spamd service)
    Apr 21 22:28:51 alpha postfix/qmgr[42825]: 5BCBC216F4F: removed
    Apr 21 22:28:51 alpha postfix/pickup[42826]: AAF39217168: uid=58 from=<xxxx@googlemail.com>
    Apr 21 22:28:51 alpha postfix/cleanup[80692]: AAF39217168: message-id=<20120421212851.AAF39217168@mail.xxxx.com>
    Apr 21 22:28:51 alpha postfix/qmgr[42825]: AAF39217168: from=<xxxx@googlemail.com>, size=270, nrcpt=1 (queue active)
    Apr 21 22:28:51 alpha postfix/local[80698]: AAF39217168: to=<xxxx@xxxx.com>, orig_to=<xxxx@xxxx.com>, relay=local, delay=0.04, delays=0.01/0.01/0/0.02, dsn=2.0.0, status=sent (delivered to command: /usr/local/bin/procmail)
    Apr 21 22:28:51 alpha postfix/qmgr[42825]: AAF39217168: removed
    
    


    2) There must have been a major change in OpenSSH because when I run the following script to check the shared libraries:

    Code:
    #!/bin/sh
    # Report binaries and libraries whose shared-library dependencies cannot be resolved.
    localbase="/usr/local"
    libdirs="/bin /sbin /libexec /lib /usr/bin /usr/sbin /usr/lib /usr/libexec \
      ${localbase}/bin ${localbase}/sbin ${localbase}/lib ${localbase}/libexec"

    echo "===> Checking for unresolvable libraries"

    for d in ${libdirs}; do
      echo "Checking ${d}..."
      # Read one path per line so file names containing spaces are handled.
      find "${d}" -type f | while IFS= read -r f; do
        # ldd prints "not found" for every library it cannot resolve.
        check=$(ldd "${f}" 2>&1 | grep "not found")
        if [ $? -eq 0 ]; then
          echo "Found a problem in ${f}"
          echo "${check}"
        fi
      done
    done
    
    


    I now get the following results:

    Code:
    
    Found a problem in /usr/local/bin/ssh-add
            libcrypto.so.7 => not found (0x0)
    Found a problem in /usr/local/bin/ssh-keygen
            libcrypto.so.7 => not found (0x0)
    Found a problem in /usr/local/bin/ssh-keyscan
            libcrypto.so.7 => not found (0x0)
    Found a problem in /usr/local/bin/spamc
            libssl.so.7 => not found (0x0)
            libcrypto.so.7 => not found (0x0)
    Found a problem in /usr/local/bin/ssh-agent
            libcrypto.so.7 => not found (0x0)
    Found a problem in /usr/local/bin/sftp
            libcrypto.so.7 => not found (0x0)
    Found a problem in /usr/local/bin/ssh
            libcrypto.so.7 => not found (0x0)
    Found a problem in /usr/local/bin/scp
            libcrypto.so.7 => not found (0x0)
    Checking /usr/local/sbin...
    Found a problem in /usr/local/sbin/sshd
            libcrypto.so.7 => not found (0x0)
    Checking /usr/local/lib...
    Found a problem in /usr/local/lib/libsslspamc.so.0
            libssl.so.7 => not found (0x0)
            libcrypto.so.7 => not found (0x0)
    Checking /usr/local/libexec...
    Found a problem in /usr/local/libexec/ssh-keysign
            libcrypto.so.7 => not found (0x0)
    Found a problem in /usr/local/libexec/sftp-server
            libcrypto.so.7 => not found (0x0)
    Found a problem in /usr/local/libexec/ssh-pkcs11-helper
            libcrypto.so.7 => not found (0x0)
    
    


    Also, if I run /usr/local/sbin/sshd, I get:
    Code:
    /libexec/ld-elf.so.1: Shared object "libcrypto.so.7" not found, required by "sshd"
    


    Can someone please help me with my email and SSH issue? :e I have tried going through the logs and restarted the services since they were updated but to no avail. I am now stumped.

    Thanks for any help.
     
  2. xy16644

    When I try to restart SSH I get:
    Code:
    OpenSSL version mismatch. Built against 1000007f, you have 1000101f
    /etc/rc.d/sshd: WARNING: failed to start sshd
    
     
  3. wblock@

    wblock@ Administrator Staff Member Administrator Moderator Developer

    Messages:
    11,507
    Thanks Received:
    2,212
    See entry 20120419 in /usr/ports/UPDATING.
     
  4. xy16644

    Mine only goes up to 20120418!
     
  5. xy16644

    Receiving email seems to be working now but I'm not sure what fixed it.

    Do I just need to run:
    Code:
    portmaster -r openssl
    


    and that will fix my SSH issue?
     
  6. wblock@

    That entry was added after OpenSSL was updated. Update the ports tree now and it will be there. But yes, portmaster -r openssl is what is advised there.
     
  7. xy16644

    If I uninstall OpenSSL and then reinstall the port will this also fix the problem I am experiencing?

    I am busy running:
    Code:
    portmaster -r openssl 
    

    but it's now given me a stop error saying that the make failed and that it is aborting the update. This occurs on the texinfo and krb5 ports.
     
  8. wblock@

    No, or probably not, depending on how you do it. The problem is that after upgrading openssl, the applications that depend on it have to be rebuilt to use the new version.

    I have neither of those, but again, make sure you have the latest ports tree.
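
An added example, not part of any post in this thread: it decodes the two hex values in the "OpenSSL version mismatch" message quoted earlier in the thread, which shows why the binaries built against the old library had to be rebuilt. It assumes the pre-3.0 OpenSSL version-number layout 0xMNNFFPPS; the function names and the same-branch rule are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the pre-3.0 OpenSSL
# version-number layout 0xMNNFFPPS (major, minor, fix, patch, status).

# Print a readable version such as "1.0.0g" for eight hex digits.
decode_openssl_version() {
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{8}$' || return 1
    v=$((0x$1))
    major=$(( (v >> 28) & 0xf ))
    minor=$(( (v >> 20) & 0xff ))
    fix=$((   (v >> 12) & 0xff ))
    patch=$(( (v >> 4)  & 0xff ))
    status=$(( v & 0xf ))
    letter=""
    if [ "$patch" -ge 1 ] && [ "$patch" -le 26 ]; then
        letter=$(printf 'abcdefghijklmnopqrstuvwxyz' | cut -c "$patch")
    elif [ "$patch" -gt 26 ]; then
        letter="+p${patch}"        # beyond "z": show the raw patch count
    fi
    case "$status" in
        0)  suffix="-dev" ;;
        15) suffix="" ;;           # 0xf marks a release build
        *)  suffix="-beta${status}" ;;
    esac
    printf '%s.%s.%s%s%s\n' "$major" "$minor" "$fix" "$letter" "$suffix"
}

# Succeed only when both numbers share the major, minor and fix fields.
# This compatibility rule is an assumption of the example.
same_openssl_branch() {
    [ $(( 0x$1 >> 12 )) -eq $(( 0x$2 >> 12 )) ]
}

# Turn sshd's mismatch line into a verdict about the binary.
explain_mismatch() {
    built=$(printf '%s\n' "$1" | sed -n 's/.*Built against \([0-9A-Fa-f]*\),.*/\1/p')
    have=$(printf '%s\n' "$1" | sed -n 's/.*you have \([0-9A-Fa-f]*\).*/\1/p')
    b=$(decode_openssl_version "$built") || return 1
    h=$(decode_openssl_version "$have") || return 1
    if same_openssl_branch "$built" "$have"; then
        echo "built=$b runtime=$h: same branch"
    else
        echo "built=$b runtime=$h: rebuild against the installed OpenSSL"
    fi
}

# Message quoted from the thread:
explain_mismatch "OpenSSL version mismatch. Built against 1000007f, you have 1000101f"
```

For the message in this thread the values decode to 1.0.0g (build time) and 1.0.1a (installed), so the fix field differs and the binary needs a rebuild.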
     
  9. xy16644

    I do have the latest ports tree now but I still get those stop errors when running portmaster -r openssl.

    I'm not really sure what to do next.
     
  10. wblock@

    Capture the error output, including the lines where the error happened, not just the end, and post it. If you are using some custom settings in /etc/make.conf like a newer version of gcc or custom CFLAGS, post those too.
     
  11. xy16644

    Normally I would, but since I can't SSH into the server I can't copy and paste the error from PuTTY's screen into a post ;-)

    Is there another way? The server doesn't run a GUI but I can physically get to it and logon at the console with a keyboard.
     
  12. wblock@

  13. xy16644

    Thanks Wblock.

    I have attached the output from using the script command you mentioned. I still can't get my SSH service to start again. I hope the log file helps because I am stumped!
     


  14. wblock@

    The build of krb5 failed because it could not download a dependency, print/texinfo.

    Code:
    # cd /usr/ports/print/texinfo
    # make distclean
    # make fetch
    


    Do that last step until it manages to download the file, then use the portmaster line shown in that capture file to continue.

    If it was an emergency, you could try rebuilding security/openssh-portable by itself.
     
  15. xy16644

    Thank you! I will give this a try tomorrow. When I run the portmaster line in the capture file, do I run this entire command:
    Code:
    portmaster <flags> security/krb5 print/texinfo print/latex-cjk print/teTeX print/xdvik www/links1 \
      sysutils/munin-common security/p5-Net-SSLeay sysutils/munin-node shells/bash net/ntp mail/opendkim \
      security/openssh-portable security/p5-Crypt-OpenSSL-Bignum security/p5-Crypt-OpenSSL-RSA \
      security/p5-Crypt-OpenSSL-Random security/p5-IO-Socket-SSL mail/p5-Mail-DKIM mail/p5-Mail-SpamAssassin \
      www/p5-libwww net/p5-Net-HTTP devel/pecl-intl ftp/php5-curl textproc/php5-dom graphics/php5-gd \
      devel/php5-gettext security/php5-hash converters/php5-iconv devel/php5-json converters/php5-mbstring \
      security/php5-mcrypt databases/php5-mysqli security/php5-openssl databases/php5-pdo \
      databases/php5-pdo_mysql databases/php5-pdo_sqlite textproc/php5-pspell textproc/php5-simplexml \
      databases/php5-sqlite devel/php5-tokenizer archivers/php5-zip ports-mgmt/portupgrade \
      databases/ruby-bdb lang/ruby18 mail/postfix mail/roundcube mail/squirrelmail sysutils/webmin \
      www/wordpress chinese/docproj
    
    
     
  16. wblock@

    Yes, but take out the <flags>, or replace it with any portmaster flags you were using.
     
  17. xy16644

    Thanks wblock, SSH is now working!

    I had to completely uninstall texinfo:
    Code:
    cd /usr/ports/print/texinfo
    make deinstall
    


    and then I ran:
    portmaster -r openssl

    After doing this I was able to start SSH again. The only thing is when I did start the service it said:
    Code:
    error: Could not load host key: /usr/local/etc/ssh/ssh_host_ecdsa_key
    


    Is this worth worrying about?

    Also when I ran:
    pkg_version -vIL=

    I get this:
    Code:
    bn-freebsd-doc-20111014             <   needs updating (index has 20120308)
    munin-main-1.2.6_1                  !   Comparison failed
    pkg_version: corrupted record (pkgdep line without argument), ignoring
    pkg_version: corrupted record (pkgdep line without argument), ignoring
    pkg_version: corrupted record (pkgdep line without argument), ignoring
    pkg_version: corrupted record (pkgdep line without argument), ignoring
    


    Is there a way to sort out these errors?

    Many thanks for your help. It's nice to be able to SSH to my server again :e
     
  18. wblock@

    The missing key may or may not be a problem, depending on how the system is used. Look up whatever caused you to install openssh-portable in the first place.

    # portmaster --check-depends
    will try to fix those corrupted records. Or to just find which they are:
    % find /var/db/pkg -name "+CONTENTS" -exec egrep -B1 -H 'pkgdep $' {} \; | less

    Rebuilding them is probably the easiest way to fix them.
     
  19. xy16644

    I currently use an OpenPGP smart card to access my system via SSH. No password logons are allowed at all remotely. I can login with a password at the console though. SSH seems fine so far and I have had no issues logging in with the smart card.

    I ran:
    portmaster --check-depends

    and I had several of these:
    Code:
    ===>>> Checking zh-docproj-0.1.20060303_5
            ===>>> Updating zh-docproj-0.1.20060303_5/+REQUIRED_BY
            ===>>> Updating @pkgdep for x11-toolkits/libXaw
            ===>>> print/ghostscript8 is listed as a dependency
            ===>>> but there is no installed version
    
            ===>>> Delete this dependency data? y/n [n]
    
            ===>>> print/cmpsfont is listed as a dependency
            ===>>> but there is no installed version
    
            ===>>> Delete this dependency data? y/n [n]
    
            ===>>> print/amspsfnt is listed as a dependency
            ===>>> but there is no installed version
    
            ===>>> Delete this dependency data? y/n [n]
    


    I said "no" to all these prompts as I wasn't sure what the consequences would be.

    Running:
    find /var/db/pkg -name "+CONTENTS" -exec egrep -B1 -H 'pkgdep $' {} \; | less

    returned:
    Code:
    /var/db/pkg/peps-2.0_4/+CONTENTS-@comment DEPORIGIN:devel/gettext
    /var/db/pkg/peps-2.0_4/+CONTENTS:@pkgdep
    /var/db/pkg/zh-docproj-0.1.20060303_5/+CONTENTS-@comment DEPORIGIN:print/gsfonts
    /var/db/pkg/zh-docproj-0.1.20060303_5/+CONTENTS:@pkgdep
    --
    /var/db/pkg/zh-docproj-0.1.20060303_5/+CONTENTS-@comment DEPORIGIN:print/cups-client
    /var/db/pkg/zh-docproj-0.1.20060303_5/+CONTENTS:@pkgdep
    /var/db/pkg/zh-docproj-0.1.20060303_5/+CONTENTS-@comment DEPORIGIN:print/cmpsfont
    /var/db/pkg/zh-docproj-0.1.20060303_5/+CONTENTS:@pkgdep
    /var/db/pkg/docproj-jadetex-1.17_4/+CONTENTS-@comment DEPORIGIN:print/gsfonts
    /var/db/pkg/docproj-jadetex-1.17_4/+CONTENTS:@pkgdep
    --
    /var/db/pkg/docproj-jadetex-1.17_4/+CONTENTS-@comment DEPORIGIN:print/teTeX-texmf
    /var/db/pkg/docproj-jadetex-1.17_4/+CONTENTS:@pkgdep
    /var/db/pkg/docproj-jadetex-1.17_4/+CONTENTS-@comment DEPORIGIN:print/cmpsfont
    /var/db/pkg/docproj-jadetex-1.17_4/+CONTENTS:@pkgdep
    
     
  20. xy16644

    I think it's all working now as when I run portmanager -u it says that all the ports are up to date with no errors. I did also uninstall the bn-freebsd-doc and docproj-jadetex ports manually. After that I ran portmaster --check-depends and that seems to have done the trick! Many thanks for all your help.
     
  21. wblock@

    The filename of the port with the problem is shown first. The comment line above the missing pkgdep line shows what dependency is missing, possibly due to errors during rebuild.

    Rebuilding graphics/peps should fix the first one, either just fixing the pkgdep line or installing print/gsfonts if it is really missing.

    Likewise with misc/freebsd-doc-zh_cn (or _tw) and textproc/docproj-jadetex. Those could be deinstalled if you don't use those local copies of the FreeBSD documentation.