Re: Postfix + Cyrus SASL + GSSAPI resulting in occasional signal 11 of smtpd

From: Banyan He (banyanrootong.com)
Date: Wed Oct 17 2007 - 19:34:51 CDT


Hi Justin,

I think auth.log and messages can help you track down the issue you are seeing.

Justin L Graham wrote:
> I have a system running Postfix 2.4.5 (Debian packages) with Cyrus
> SASL 2.1.22 configured for SASL authentication against my Kerberos 5
> realm. Sometimes when a user authenticates via GSSAPI the smtpd
> process segfaults right after calling "xsasl_cyrus_server_first:
> decoded initial response":
>
> postfix/smtpd[6251]: connect from client.fqdn[xxx.xxx.xxx.xxx]
> postfix/smtpd[6251]: match_list_match: client.fqdn: no match
> postfix/smtpd[6251]: match_list_match: xxx.xxx.xxx.xxx: no match
> postfix/smtpd[6251]: match_list_match: client.fqdn: no match
> postfix/smtpd[6251]: match_list_match: xxx.xxx.xxx.xxx: no match
> postfix/smtpd[6251]: match_hostname: client.fqdn ~?
> hash:/etc/postfix/debugpeers(0,lock|fold_fix)
> postfix/smtpd[6251]: match_hostname: lookup
> hash:/etc/postfix/debugpeers.db client.fqdn: notfound
> postfix/smtpd[6251]: match_hostname: lookup
> hash:/etc/postfix/debugpeers.db sub.domain.here: notfound
> postfix/smtpd[6251]: match_hostname: lookup
> hash:/etc/postfix/debugpeers.db domain.here: notfound
> postfix/smtpd[6251]: match_hostname: lookup
> hash:/etc/postfix/debugpeers.db here: notfound
> postfix/smtpd[6251]: match_hostaddr: xxx.xxx.xxx.xxx ~?
> hash:/etc/postfix/debugpeers(0,lock|fold_fix)
> postfix/smtpd[6251]: dict_lookup: xxx.xxx.xxx.xxx = (notfound)
> postfix/smtpd[6251]: match_list_match: client.fqdn: no match
> postfix/smtpd[6251]: match_list_match: xxx.xxx.xxx.xxx: no match
> postfix/smtpd[6251]: auto_clnt_open: connected to private/tlsmgr
> postfix/smtpd[6251]: send attr request = seed
> postfix/smtpd[6251]: send attr size = 32
> postfix/smtpd[6251]: private/tlsmgr: wanted attribute: status
> postfix/smtpd[6251]: input attribute name: status
> postfix/smtpd[6251]: input attribute value: 0
> postfix/smtpd[6251]: private/tlsmgr: wanted attribute: seed
> postfix/smtpd[6251]: input attribute name: seed
> postfix/smtpd[6251]: input attribute value:
> C5TNzm5fR3u2XJhL5pXFWwzN1kYRyutOstRp38WdQ4U=
> postfix/smtpd[6251]: private/tlsmgr: wanted attribute: (list terminator)
> postfix/smtpd[6251]: input attribute name: (end)
> postfix/smtpd[6251]: send attr request = update
> postfix/smtpd[6251]: send attr cache_type = smtpd
> postfix/smtpd[6251]: send attr cache_id =
> 9C892B591B553048D82D14CC6543B068381A11C8F4F65E50CDBBE46437AB0537&s=smtps
> postfix/smtpd[6251]: send attr session = [data 127 bytes]
> postfix/smtpd[6251]: private/tlsmgr: wanted attribute: status
> postfix/smtpd[6251]: input attribute name: status
> postfix/smtpd[6251]: input attribute value: 0
> postfix/smtpd[6251]: private/tlsmgr: wanted attribute: (list terminator)
> postfix/smtpd[6251]: input attribute name: (end)
> postfix/smtpd[6251]: match_hostname: client.fqdn ~? 127.0.0.0/8
> postfix/smtpd[6251]: match_hostaddr: xxx.xxx.xxx.xxx ~? 127.0.0.0/8
> postfix/smtpd[6251]: match_hostname: client.fqdn ~? xxx.xxx.xxx.xxx/yy
> postfix/smtpd[6251]: match_hostaddr: xxx.xxx.xxx.xxx ~?
> xxx.xxx.xxx.xxx/yy
> postfix/smtpd[6251]: > client.fqdn[xxx.xxx.xxx.xxx]: 220 server.fqdn
> ESMTP Postfix
> postfix/smtpd[6251]: watchdog_pat: 0x80a1dd8
> postfix/smtpd[6251]: < client.fqdn[xxx.xxx.xxx.xxx]: EHLO
> [xxx.xxx.xxx.xxx]
> postfix/smtpd[6251]: > client.fqdn[xxx.xxx.xxx.xxx]: 250-server.fqdn
> postfix/smtpd[6251]: > client.fqdn[xxx.xxx.xxx.xxx]: 250-PIPELINING
> postfix/smtpd[6251]: > client.fqdn[xxx.xxx.xxx.xxx]: 250-SIZE 10240000
> postfix/smtpd[6251]: > client.fqdn[xxx.xxx.xxx.xxx]: 250-VRFY
> postfix/smtpd[6251]: > client.fqdn[xxx.xxx.xxx.xxx]: 250-ETRN
> postfix/smtpd[6251]: > client.fqdn[xxx.xxx.xxx.xxx]: 250-AUTH PLAIN
> LOGIN GSSAPI
> postfix/smtpd[6251]: match_list_match: client.fqdn: no match
> postfix/smtpd[6251]: match_list_match: xxx.xxx.xxx.xxx: no match
> postfix/smtpd[6251]: > client.fqdn[xxx.xxx.xxx.xxx]: 250-AUTH=PLAIN
> LOGIN GSSAPI
> postfix/smtpd[6251]: > client.fqdn[xxx.xxx.xxx.xxx]:
> 250-ENHANCEDSTATUSCODES
> postfix/smtpd[6251]: > client.fqdn[xxx.xxx.xxx.xxx]: 250-8BITMIME
> postfix/smtpd[6251]: > client.fqdn[xxx.xxx.xxx.xxx]: 250 DSN
> postfix/smtpd[6251]: watchdog_pat: 0x80a1dd8
> postfix/smtpd[6251]: < client.fqdn[xxx.xxx.xxx.xxx]: AUTH GSSAPI
> [content removed]
> postfix/smtpd[6251]: xsasl_cyrus_server_first: sasl_method GSSAPI,
> init_response [content removed]
> postfix/smtpd[6251]: xsasl_cyrus_server_first: decoded initial
> response `??&??*?H???????
> postfix/master[4922]: warning: process /usr/lib/postfix/smtpd pid 6251
> killed by signal 11
>
>
> The issue does not appear with PLAIN or LOGIN (TLS or non).
>
> I've recompiled the sasl libs and postfix without luck.
>
> From master.cf:
>
> smtp      inet  n       -       n       -       5       smtpd
>     -o smtpd_sasl_auth_enable=yes
> smtps     inet  n       -       n       -       5       smtpd
>     -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
>
> SASL section from main.cf:
>
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_local_domain = KRB.REALM.NAME
> smtpd_sasl_application_name = smtpd
> broken_sasl_auth_clients = yes
>
>
> The SASL pwcheck_method is saslauthd. The test clients as well as
> Cyrus IMAP/POP (running on the same system) work just fine.
>
> All users are LDAP accounts, lookups are directly from Postfix,
> NSS-LDAP is not configured. Sometimes this issue seems to crop up in
> bunches, for instance postfix will start, accumulate 10 or so smtpd
> processes and then they all die. Other times the processes will die
> individually seemingly at random.
>
>
> Any help or suggestions would be greatly appreciated,
>
> Justin Graham
> Network Specialist
> Department of Mathematics
> University of Kansas
>

--
Banyan He
Mail&Web Security
Mobile: +86 13641777622
MSN: banyan.hehotmail.com
Skype: banyan.he
Email: banyanrootong.com
AntiSpam Test: antispammail.rootong.com
AntiVirus Test: antivirusmail.rootong.com
Webmaster Mail: webmastermail.rootong.com
Website: http://www.rootong.com
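Added example, not code from either message in this thread or from Postfix: the log triage that Banyan's reply points at, run over constructed sample lines modelled on Justin's excerpt (the pids, hostnames and addresses are placeholders). master(8) logs the "killed by signal 11" warning under its own pid, so the useful correlation is by the child pid named in that warning: for each one, the script reports the SASL mechanism the client last requested on that smtpd process and the last few verbose lines it logged before master noticed, then tallies crashes per mechanism. smtpd echoes the client's AUTH command only when run with -v, so on a non-verbose log the mechanism comes back as "none".

```python
"""Correlate Postfix master 'killed by signal' warnings with what the
crashed smtpd process was doing just before it died.

Added example for this thread; not code from the original post or from
Postfix.  SAMPLE_LOG is constructed to mirror the excerpt in Justin's
message (pids, names and addresses are placeholders).
"""
import re
from collections import Counter, defaultdict, deque

# Syslog shape: optional "Mon DD HH:MM:SS host " prefix, then
# "postfix/<daemon>[<pid>]: <message>".  The thread's excerpt has the
# prefix stripped, so it is optional here.
LINE_RE = re.compile(
    r"^(?:(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) )?"
    r"postfix/(?P<daemon>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# master(8) reports a child that died on a signal like this.
CRASH_RE = re.compile(
    r"warning: process (?P<path>\S+) pid (?P<pid>\d+) killed by signal (?P<sig>\d+)"
)
# smtpd(8) -v echoes the client command; the AUTH <mech> line is what matters here.
AUTH_RE = re.compile(r"^< \S+: AUTH (?P<mech>[A-Z0-9_-]+)")

SAMPLE_LOG = """\
Oct 17 19:30:01 mx postfix/smtpd[6251]: connect from client.fqdn[192.0.2.10]
Oct 17 19:30:01 mx postfix/smtpd[6251]: < client.fqdn[192.0.2.10]: EHLO [192.0.2.10]
Oct 17 19:30:01 mx postfix/smtpd[6251]: > client.fqdn[192.0.2.10]: 250-AUTH PLAIN LOGIN GSSAPI
Oct 17 19:30:02 mx postfix/smtpd[6251]: < client.fqdn[192.0.2.10]: AUTH GSSAPI [content removed]
Oct 17 19:30:02 mx postfix/smtpd[6251]: xsasl_cyrus_server_first: sasl_method GSSAPI, init_response [content removed]
Oct 17 19:30:02 mx postfix/smtpd[6251]: xsasl_cyrus_server_first: decoded initial response `??&??*?H???????
Oct 17 19:30:02 mx postfix/master[4922]: warning: process /usr/lib/postfix/smtpd pid 6251 killed by signal 11
Oct 17 19:31:10 mx postfix/smtpd[6252]: connect from other.fqdn[192.0.2.11]
Oct 17 19:31:10 mx postfix/smtpd[6252]: < other.fqdn[192.0.2.11]: AUTH PLAIN [content removed]
Oct 17 19:31:11 mx postfix/smtpd[6252]: disconnect from other.fqdn[192.0.2.11]
Oct 17 19:32:00 mx postfix/smtpd[6253]: connect from client.fqdn[192.0.2.10]
Oct 17 19:32:00 mx postfix/smtpd[6253]: < client.fqdn[192.0.2.10]: AUTH GSSAPI [content removed]
Oct 17 19:32:00 mx postfix/master[4922]: warning: process /usr/lib/postfix/smtpd pid 6253 killed by signal 11
"""


def find_smtpd_crashes(lines, tail=4):
    """One record per 'killed by signal' warning: the signal, the SASL
    mechanism the client last asked for on that pid (None if no AUTH was
    logged) and the last `tail` lines that pid logged before it died."""
    recent = defaultdict(lambda: deque(maxlen=tail))
    last_auth = {}
    crashes = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue
        daemon, pid, msg = m["daemon"], m["pid"], m["msg"]
        if daemon == "master":
            c = CRASH_RE.search(msg)
            if c:
                cpid = c["pid"]
                crashes.append({
                    "pid": cpid,
                    "signal": int(c["sig"]),
                    "process": c["path"],
                    "auth_mech": last_auth.get(cpid),
                    "tail": list(recent.get(cpid, ())),
                })
                # The pid is gone; drop its state so a reused pid starts clean.
                recent.pop(cpid, None)
                last_auth.pop(cpid, None)
            continue
        recent[pid].append(msg)
        a = AUTH_RE.match(msg)
        if a:
            last_auth[pid] = a["mech"]
    return crashes


def crashes_by_mechanism(crashes):
    """Count crashes per SASL mechanism ('none' when no AUTH was seen)."""
    return Counter(c["auth_mech"] or "none" for c in crashes)


if __name__ == "__main__":
    found = find_smtpd_crashes(SAMPLE_LOG.splitlines())
    for c in found:
        print(f"pid {c['pid']} died on signal {c['signal']} after AUTH {c['auth_mech']}:")
        for entry in c["tail"]:
            print("   ", entry)
    print(dict(crashes_by_mechanism(found)))
```

Point it at whichever syslog file receives Postfix's mail-facility messages; if master's warning lands in a different file than smtpd's verbose output, concatenate them in time order first, since the correlation is by pid, not by file.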
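A second added example, again not code from the thread, from Postfix or from Cyrus SASL, on what the "decoded initial response" line in Justin's trace is showing. Postfix prints the base64-decoded bytes of the client's AUTH GSSAPI argument as a C string with every non-printable byte replaced by "?". The bytes that do survive are consistent with a GSS-API InitialContextToken (RFC 2743 section 3.1): the leading backtick is the 0x60 [APPLICATION 0] tag, and "*" and "H" (0x2a, 0x48) are the first and third bytes of the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2. The krb5 inner token then starts with the TOK_ID 01 00 of a KRB_AP_REQ (RFC 4121 section 4.1), and that 0x00 terminates the C string, which is why the printed line stops where it does. That reading is my inference from the visible characters, not something the thread states; the token below is constructed, with an assumed total size of 0x0526 bytes and a zero-filled stand-in for the AP-REQ body. The practical point is that Postfix has decoded a well-formed Kerberos token and the next call in xsasl_cyrus_server_first is sasl_server_start(), so the crash sits in the Cyrus GSSAPI plugin or the Kerberos libraries it uses, a path that pwcheck_method = saslauthd never touches (saslauthd only serves PLAIN and LOGIN), which fits the observation that only GSSAPI crashes.

```python
"""Decode the head of a GSS-API InitialContextToken and render it the way a
verbose Postfix log line would.

Added example for this thread; not code from the original post, from
Postfix or from Cyrus SASL.  The sample token is constructed: its size is
an assumption and its AP-REQ body is zero-filled.
"""

# DER-encoded mechanism OIDs an InitialContextToken may carry (RFC 2743 s3.1).
MECHANISMS = {
    bytes.fromhex("2a864886f712010202"): "krb5",     # 1.2.840.113554.1.2.2 (RFC 4121)
    bytes.fromhex("2a864882f712010202"): "ms-krb5",  # 1.2.840.48018.1.2.2 (Microsoft)
    bytes.fromhex("2b0601050502"): "spnego",         # 1.3.6.1.5.5.2 (RFC 4178)
}
# RFC 4121 s4.1: the first two bytes of the krb5 inner token identify it.
KRB5_TOK_IDS = {b"\x01\x00": "KRB_AP_REQ", b"\x02\x00": "KRB_AP_REP", b"\x03\x00": "KRB_ERROR"}
KRB5_OID_DER = bytes.fromhex("2a864886f712010202")


def _der_length(buf, pos):
    """Read a DER length at buf[pos]; return (length, position after it)."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad long-form length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def decode_oid(raw):
    """Dotted form of a DER OID body (content octets only, no tag/length)."""
    if not raw:
        raise ValueError("empty OID")
    arcs = [raw[0] // 40, raw[0] % 40]
    val, pending = 0, False
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(val)
            val = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def parse_initial_context_token(tok):
    """Describe an InitialContextToken header.  Never raises: a malformed or
    truncated token yields {'ok': False, 'error': ...}, which is what you want
    when the bytes come from a crash log or a capture."""
    try:
        if len(tok) < 2 or tok[0] != 0x60:
            raise ValueError("missing [APPLICATION 0] tag 0x60")
        length, pos = _der_length(tok, 1)
        if pos + length != len(tok):
            raise ValueError(f"length {length} does not match {len(tok) - pos} remaining bytes")
        if tok[pos] != 0x06:
            raise ValueError("thisMech OID tag missing")
        oid_len, pos = _der_length(tok, pos + 1)
        oid = tok[pos:pos + oid_len]
        pos += oid_len
        inner = tok[pos:]
        info = {"ok": True, "oid": decode_oid(oid),
                "mech": MECHANISMS.get(oid, "unknown"), "inner_len": len(inner)}
        if info["mech"] in ("krb5", "ms-krb5"):
            info["tok_id"] = KRB5_TOK_IDS.get(inner[:2], "unknown")
        return info
    except (ValueError, IndexError) as e:
        return {"ok": False, "error": str(e)}


def postfix_printable(data):
    """Approximation of how a verbose Postfix log renders a binary buffer:
    the buffer is handled as a C string, so output ends at the first NUL, and
    every byte that is not printable ASCII is replaced by '?'."""
    data = data.split(b"\x00", 1)[0]
    return "".join(chr(b) if 0x20 <= b < 0x7F else "?" for b in data)


def build_sample_ap_req_token(ap_req_len=0x515):
    """Constructed Kerberos initial token: 0x60 header, krb5 OID, TOK_ID 01 00,
    then a zero-filled stand-in for the DER AP-REQ ([APPLICATION 14], 0x6e).
    The size is an assumption chosen so the rendering matches the thread."""
    inner = b"\x01\x00" + b"\x6e\x82" + ap_req_len.to_bytes(2, "big") + bytes(ap_req_len)
    body = b"\x06\x09" + KRB5_OID_DER + inner
    return b"\x60\x82" + len(body).to_bytes(2, "big") + body


if __name__ == "__main__":
    sample = build_sample_ap_req_token()
    print(parse_initial_context_token(sample))
    print("as Postfix would log it:", postfix_printable(sample))
```

With these sizes postfix_printable() on the sample token yields exactly the string in Justin's log line, backtick included; a token of any other plausible size changes only the two length characters after the backtick.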