Solved Sendmail process crash as soon as STARTTLS is received after FreeBSD upgrade

FKEinternet

Member

Thanks: 5
Messages: 65

#1
I just upgraded my server from FreeBSD 10.3 to 11.1. It's now running Sendmail 8.15.2 and OpenSSL 1.0.2k-freebsd 26 Jan 2017.

Since the upgrade, sending mail to my server is failing: Every time a remote MTA sends a STARTTLS command, the current sendmail instance crashes. I temporarily stopped the server and cranked up the log level to show all incoming and outgoing SMTP commands using /usr/sbin/sendmail -d95.99 -bD -X /tmp/test.log. A typical incoming connection looks like this:
Code:
34431 >>> 220 localhost.FKEinternet.net ESMTP Sendmail 8.15.2/8.15.2; Thu, 8 Mar 2018 11:35:32 -0500 (EST)
34431 <<< EHLO [192.168.14.73]
34431 >>> 250-localhost.FKEinternet.net Hello rrcs-184-74-100-26.nys.biz.rr.com [184.74.100.26], pleased to meet you
34431 >>> 250-ENHANCEDSTATUSCODES
34431 >>> 250-PIPELINING
34431 >>> 250-8BITMIME
34431 >>> 250-SIZE
34431 >>> 250-DSN
34431 >>> 250-ETRN
34431 >>> 250-STARTTLS
34431 >>> 250-DELIVERBY
34431 >>> 250 HELP
34431 <<< STARTTLS
and in /var/log/messages I find a corresponding
Code:
Mar  8 11:35:32 Dreamer kernel: pid 34431 (sendmail), uid 0: exited on signal 11

I ran find / -name "*.core" -ls to search for core dumps when there wasn't one in /usr/sbin where sendmail is launched from. The search turned up three files created during the upgrade - /usr/ports/distfiles/sh.core, /root/pkg-static.core and /root/pkg.core. All of the ten other core dumps on the system are more than a year old - so none of them are relevant to the current problem where a sendmail process is crashing over a hundred times an hour.

Since my /etc/sysctl.conf is empty, I don't see anything in this answer that would prevent sendmail from creating core dumps.
  1. What would be likely to prevent the .core files from being created?
  2. Is there a crash log somewhere I can look at to figure out what's going on?
  3. What else can I do to debug this problem?
  4. or, better yet, How can I stop sendmail from crashing when a STARTTLS command is received?
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 6,526
Messages: 27,977

#2
Not sure if it's the cause but did you create a /etc/mail/certs/dh.param file?

openssl dhparam -out /etc/mail/certs/dh.param 4096
 
OP
OP
FKEinternet

FKEinternet

Member

Thanks: 5
Messages: 65

#3
I re-created the mail-cert.pem yesterday, but the dh.param timestamp is nearly two years ago. I can try regenerating it...
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 6,526
Messages: 27,977

#4
but the dh.param timestamp is nearly two years ago.
It might be the old 1024 bits one, try recreating it with at least 2048 bits. If I recall correctly the minimum changed some time ago.
 
OP
OP
FKEinternet

FKEinternet

Member

Thanks: 5
Messages: 65

#5
Rebuilding dh.param didn't make a difference.

I'm rather puzzled by there not being any crash dumps resulting from the signal 11 process deaths.
 
OP
OP
FKEinternet

FKEinternet

Member

Thanks: 5
Messages: 65

#6
I got it working, I found the answer in DutchDaemon's Dec 12, 2017 reply in the [sendmail] Lots of "did not issue MAIL/EXPN/VRFY/ETRN" logs thread:

A standard install will put something like this in your .mc file:
Code:
dnl Enable STARTTLS for receiving email.
define(`CERT_DIR', `/etc/mail/certs')dnl
define(`confSERVER_CERT', `CERT_DIR/host.cert')dnl
define(`confSERVER_KEY', `CERT_DIR/host.key')dnl
define(`confCLIENT_CERT', `CERT_DIR/host.cert')dnl
define(`confCLIENT_KEY', `CERT_DIR/host.key')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confDH_PARAMETERS', `CERT_DIR/dh.param')dnl
I compared that code block with what was in my server's .mc file, and found it was missing the define(`confDH_PARAMETERS', `CERT_DIR/dh.param')dnl line. I added that, restarted sendmail, and it's working now.

I would still like to know why there were never any .core files generated...
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 6,526
Messages: 27,977

#7
Good find! Odd that it actually crashed though, I would have expected it to produce a failure message and refuse to run, not start and segfault when you try to use it.
 
Top