From: Karl Denninger
To: Karl Denninger, freebsd-stable@freebsd.org
Date: Tue, 11 Mar 2014 12:24:35 -0500
Subject: Re: Two odd problems with STABLE-10 r262921
In-Reply-To: <20140311155948.GR32089@funkthat.com>
References: <20140311155948.GR32089@funkthat.com>

Yeah it hasn't changed......

I turned on verbose logging and I'm not getting anything in the logs on it -- what's even more-odd is that I can telnet to port 25 on the MX gateway and hand-feed an email in there, and it works. If I turn off the signatures, it ALSO works.

That makes no sense; STARTTLS starts up on port 25, so if I can telnet there from a shell prompt how's this happening?

The only thing I can come up with is that sendmail is (for an unknown reason) choosing to elect to bind to an inappropriate address (this box has a number of addresses on the interfaces and not all of them can get out!)

Check out the log here:

Mar 11 12:13:59 NewFS sm-mta[11023]: STARTTLS=client, relay=gmail-smtp-in.l.google.com., version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128
Mar 11 12:13:59 NewFS sm-mta[11023]: STARTTLS: write error=syscall error (-1), errno=13, get_error=error:00000000:lib(0):func(0):reason(0), retry=99, ssl_err=5
Mar 11 12:13:59 NewFS sm-mta[11023]: s2BGax4D095381: SYSERR(root): putbody: write error: Permission denied
Mar 11 12:13:59 NewFS sm-mta[11023]: s2BGax4D095381: SYSERR(root): timeout writing message to gmail-smtp-in.l.google.com.: Permission denied

This fails..... then I send another message, from the same email client, with no signature less than a minute later and I get this:

Mar 11 12:14:38 NewFS sm-mta[11321]: STARTTLS=client, relay=gmail-smtp-in.l.google.com., version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128
Mar 11 12:14:39 NewFS sm-mta[11321]: s2BHEcNn011282: to=<tickerguydenninger@gmail.com>, ctladdr= (1001/1001), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30766, relay=gmail-smtp-in.l.google.com. [74.125.29.26], dsn=2.0.0, stat=Sent (OK 1394558079 v4si11548175qap.151 - gsmtp)

Huh? The MX record only has one address too -- 74.125.29.26

Same cipher negotiated, same everything -- one fails with EPERM the other succeeds, and the only difference between the two emails is the presence of a MIME signature block.

I think it's safe to believe (given that I've got all "deny" lines marked with the log key and nothing is showing up) this is not being blocked by the firewall. It's also new with 10.0; never happened with 9.2.....

On Tue, Mar 11, 2014 at 10:59 AM, John-Mark Gurney wrote:

> Karl Denninger wrote this message on Tue, Mar 11, 2014 at 08:29 -0500:
> > 1. I am getting errors coming from mail transmissions to certain MX relays
> > -- and only those relays. One of them is (ironically) mx1.freebsd.org,
> > which precludes emailing the list from my primary email address! The error
> > logs in the maillog file show:
> >
> > Mar 11 08:17:46 NewFS sm-mta[3605]: STARTTLS=client, relay=mx1.freebsd.org., version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
> > Mar 11 08:17:46 NewFS sm-mta[3605]: STARTTLS: write error=syscall error (-1), errno=13, get_error=error:00000000:lib(0):func(0):reason(0), retry=99, ssl_err=5
> > Mar 11 08:17:46 NewFS sm-mta[3605]: s2AKht3B064414: SYSERR(root): putbody: write error: Permission denied
> > Mar 11 08:17:46 NewFS sm-mta[3605]: s2AKht3B064414: SYSERR(root): timeout writing message to mx1.freebsd.org.: Permission denied
> > Mar 11 08:17:46 NewFS sm-mta[3605]: s2AKht3B064414: to=<freebsd-fs@freebsd.org>, ctladdr= (1001/1001), delay=16:33:50, xdelay=00:00:05, mailer=esmtp, pri=4186247, relay=mx1.freebsd.org. [8.8.178.115], dsn=4.0.0, stat=Deferred
> >
> > Permission denied -- on a socket? As root? What am I missing here?
> >
> > (Shutting off TLS does not resolve this.) However, this is not universal;
> > it only impacts *some* emails....
> >
> >
> > Mar 11 08:20:37 NewFS sm-mta[5433]: s2BDKbF4005433: from=<ticker@fs.denninger.net>, size=962, class=0, nrcpts=1, msgid=<201403111320.s2BDKTF3005412@fs.denninger.net>, proto=ESMTP, daemon=IPv4, relay=localhost [127.0.0.1]
> > Mar 11 08:20:37 NewFS sendmail[5412]: s2BDKTF3005412: to=xxxxxxxx@yahoo.com, ctladdr=ticker (20098/20098), delay=00:00:08, xdelay=00:00:05, mailer=relay, pri=30494, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (Message accepted)
> > Mar 11 08:20:37 NewFS sm-mta[5461]: STARTTLS=client, relay=mta5.am0.yahoodns.net., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-CAMELLIA256-SHA, bits=256/256
> > Mar 11 08:20:39 NewFS sm-mta[5461]: s2BDKbF4005433: to=<xxxxxxx@yahoo.com>, ctladdr= (20098/20098), delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=30962, relay=mta5.am0.yahoodns.net. [66.196.118.35], dsn=2.0.0, stat=Sent (ok dirdel)
> >
> > That one went through successfully....
> >
> > This is new; I didn't have any trouble on 9.2-STABLE at all. Ideas?
>
> This is usually due to a firewall not allowing some packets out...
> Make sure that your firewall is properly configured, and disable it
> for testing to see if the errors go away...
>
> --
> John-Mark Gurney Voice: +1 415 225 5579
>
> "All that I will do, has been done, All that I have, has not."
>
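
The log comparison made in this message, as an added example that is not part of the original thread: a Python script that groups sm-mta entries by process id and flags attempts where the TLS handshake was logged and a later write failed with errno 13 (EACCES, the "Permission denied" in the log), then lists relays that show both outcomes. The function names are hypothetical, and the sample lines are abridged from the logs above with the archive's line-wrap spaces removed.

```python
import errno
import re
from collections import defaultdict

# Sample input: sm-mta entries abridged from the logs quoted in the message.
SAMPLE = """\
Mar 11 12:13:59 NewFS sm-mta[11023]: STARTTLS=client, relay=gmail-smtp-in.l.google.com., version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128
Mar 11 12:13:59 NewFS sm-mta[11023]: STARTTLS: write error=syscall error (-1), errno=13, get_error=error:00000000:lib(0):func(0):reason(0), retry=99, ssl_err=5
Mar 11 12:13:59 NewFS sm-mta[11023]: s2BGax4D095381: SYSERR(root): putbody: write error: Permission denied
Mar 11 12:14:38 NewFS sm-mta[11321]: STARTTLS=client, relay=gmail-smtp-in.l.google.com., version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128
Mar 11 12:14:39 NewFS sm-mta[11321]: s2BHEcNn011282: mailer=esmtp, relay=gmail-smtp-in.l.google.com. [74.125.29.26], dsn=2.0.0, stat=Sent (OK)
"""

ENTRY = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ sm-mta\[(?P<pid>\d+)\]: (?P<msg>.*)$")
DENIED, DELIVERED = "write-denied-after-tls", "delivered"

def triage(log_text):
    """Return {pid: (relay, verdict)} for each sm-mta delivery attempt."""
    sessions = defaultdict(lambda: {"relay": None, "tls": False, "errno": None, "stat": None})
    for raw in log_text.splitlines():
        m = ENTRY.match(raw)
        if not m:
            continue
        s, msg = sessions[m["pid"]], m["msg"]
        if msg.startswith("STARTTLS=client"):
            # Logged once the handshake has completed; tolerate a wrap space after "relay=".
            s["tls"] = True
            s["relay"] = re.search(r"relay=\s*([^,\s]+)", msg).group(1).rstrip(".")
        elif (e := re.search(r"write error=.*?errno=(\d+)", msg)):
            s["errno"] = int(e.group(1))
        elif (st := re.search(r"stat=(\w+)", msg)):
            s["stat"] = st.group(1)
    report = {}
    for pid, s in sessions.items():
        if s["tls"] and s["errno"] == errno.EACCES:  # errno 13, "Permission denied"
            verdict = DENIED
        else:
            verdict = DELIVERED if s["stat"] == "Sent" else "other"
        report[pid] = (s["relay"], verdict)
    return report

def inconsistent_relays(report):
    """Relays that show both a denied write and a successful delivery."""
    seen = defaultdict(set)
    for relay, verdict in report.values():
        seen[relay].add(verdict)
    return sorted(r for r, v in seen.items() if {DENIED, DELIVERED} <= v)
```

A relay returned by `inconsistent_relays` accepted one message and had another cut off by a local write error, which is the case to compare against packet-filter rules and logs.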