• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Solved Sendmail process crash as soon as STARTTLS is received after FreeBSD upgrade

FKEinternet

Member

Thanks: 5
Messages: 65

#1
I just upgraded my server from FreeBSD 10.3 to 11.1. It's now running Sendmail 8.15.2 and OpenSSL 1.0.2k-freebsd 26 Jan 2017.

Since the upgrade, sending mail to my server is failing: Every time a remote MTA sends a STARTTLS command, the current sendmail instance crashes. I temporarily stopped the server and cranked up the log level to show all incoming and outgoing SMTP commands using /usr/sbin/sendmail -d95.99 -bD -X /tmp/test.log. A typical incoming connection looks like this:
Code:
34431 >>> 220 localhost.FKEinternet.net ESMTP Sendmail 8.15.2/8.15.2; Thu, 8 Mar 2018 11:35:32 -0500 (EST)
34431 <<< EHLO [192.168.14.73]
34431 >>> 250-localhost.FKEinternet.net Hello rrcs-184-74-100-26.nys.biz.rr.com [184.74.100.26], pleased to meet you
34431 >>> 250-ENHANCEDSTATUSCODES
34431 >>> 250-PIPELINING
34431 >>> 250-8BITMIME
34431 >>> 250-SIZE
34431 >>> 250-DSN
34431 >>> 250-ETRN
34431 >>> 250-STARTTLS
34431 >>> 250-DELIVERBY
34431 >>> 250 HELP
34431 <<< STARTTLS
and in /var/log/messages I find a corresponding
Code:
Mar  8 11:35:32 Dreamer kernel: pid 34431 (sendmail), uid 0: exited on signal 11

I ran find / -name "*.core" -ls to search for core dumps when there wasn't one in /usr/sbin where sendmail is launched from. The search turned up three files created during the upgrade - /usr/ports/distfiles/sh.core, /root/pkg-static.core and /root/pkg.core. All of the ten other core dumps on the system are more than a year old - so none of them are relevant to the current problem where a sendmail process is crashing over a hundred times an hour.

Since my /etc/sysctl.conf is empty, I don't see anything in this answer that would prevent sendmail from creating core dumps.
  1. What would be likely to prevent the .core files from being created?
  2. Is there a crash log somewhere I can look at to figure out what's going on?
  3. What else can I do to debug this problem?
  4. or, better yet, How can I stop sendmail from crashing when a STARTTLS command is received?
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 5,998
Best answers: 11
Messages: 26,762

#2
Not sure if it's the cause but did you create a /etc/mail/certs/dh.param file?

openssl dhparam -out /etc/mail/certs/dh.param 4096
 

FKEinternet

Member

Thanks: 5
Messages: 65

#3
I re-created the mail-cert.pem yesterday, but the dh.param timestamp is nearly two years ago. I can try regenerating it...
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 5,998
Best answers: 11
Messages: 26,762

#4
but the dh.param timestamp is nearly two years ago.
It might be the old 1024 bits one, try recreating it with at least 2048 bits. If I recall correctly the minimum changed some time ago.
 

FKEinternet

Member

Thanks: 5
Messages: 65

#5
Rebuilding dh.param didn't make a difference.

I'm rather puzzled by there not being any crash dumps resulting from the signal 11 process deaths.
 

FKEinternet

Member

Thanks: 5
Messages: 65

#6
I got it working, I found the answer in DutchDaemon's Dec 12, 2017 reply in the [sendmail] Lots of "did not issue MAIL/EXPN/VRFY/ETRN" logs thread:

A standard install will put something like this in your .mc file:
Code:
dnl Enable STARTTLS for receiving email.
define(`CERT_DIR', `/etc/mail/certs')dnl
define(`confSERVER_CERT', `CERT_DIR/host.cert')dnl
define(`confSERVER_KEY', `CERT_DIR/host.key')dnl
define(`confCLIENT_CERT', `CERT_DIR/host.cert')dnl
define(`confCLIENT_KEY', `CERT_DIR/host.key')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confDH_PARAMETERS', `CERT_DIR/dh.param')dnl
I compared that code block with what was in my server's .mc file, and found it was missing the define(`confDH_PARAMETERS', `CERT_DIR/dh.param')dnl line. I added that, restarted sendmail, and it's working now.

I would still like to know why there were never any .core files generated...
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 5,998
Best answers: 11
Messages: 26,762

#7
Good find! Odd that it actually crashed though, I would have expected it to produce a failure message and refuse to run, not start and segfault when you try to use it.
 
Top