Date: Fri, 22 Jul 2016 14:24:36 +0300
From: Александр Н. Лунев <lan@zato.ru>
To: freebsd-questions@freebsd.org
Subject: exim error SSL_write: (from <unknown>) syscall: Permission denied after upgrade 9.1 -> 10.3
Message-ID: <f96fdd10-79ea-b2bc-4728-3fe2024d644e@zato.ru>

Hello everyone.

After upgrading FreeBSD 9.1 to 10.3 with appropriate upgrading of packages a mysterious error started to show. (exim-4.87 was rebuilt and reinstalled from ports, because the prebuilt package doesn't include LDAP, which is used in our system.)

FreeBSD sends periodic(8) mail to root@, and all root@ mail (by aliases file) is going to my @gmail.com account. And in the morning I see in my @gmail.com account mail from mailer-daemon@, for example: "Warning: message 1bPLy3-000C8V-O5 delayed 24 hours".

On the server I see this:

# mailq
26h 6.5M 1bPLy3-000C8V-O5 <root@domain.ru>
        root@domain.ru

If I try to force exim to deliver the message, it shows this:

# exim -v -M 1bPLy3-000C8V-O5
...skip...
SMTP>> STARTTLS
SMTP<< 220 2.0.0 Ready to start TLS
...skip...
SMTP<< 354 Go ahead 77si558883lfu.292 - gsmtp
SMTP>> writing message and terminating "."
LOG: MAIN
  SSL_write: (from <unknown>) syscall: Permission denied
LOG: MAIN
  H=gmail-smtp-in.l.google.com [108.177.14.26]: gmail-smtp-in.l.google.com [108.177.14.26]: Permission denied

But if I try to send mail from root@ to @gmail.com from the command line (and also from lan@ via thunderbird), it will be sent right away:

2016-07-20 08:34:40 1bPk9Y-000NP6-6u <= root@domain.ru U=root P=local S=695
2016-07-20 08:34:41 1bPk9Y-000NP6-6u => myaccountongmail@gmail.com R=dnslookup T=remote_smtp H=gmail-smtp-in.l.google.com [64.233.163.26] X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK 1468992881 m4si562022lfd.328 - gsmtp"
2016-07-20 08:34:41 1bPk9Y-000NP6-6u Completed

If I try to send the night mail from the queue, it is always the SSL_write: error.

I've already tried to rebuild exim, to remove the old spool dir, to use gnutls instead of openssl, to no avail - night mail from the queue is not sent, SSL_write error, but I can send mail via exim right now. Also, some emails give me this error every time, i.e. I couldn't send email to the exim-users@ list from this server, because of the SSL_write error.

exim is:

# exim -d
Exim version 4.87 (FreeBSD 10.3) uid=0 gid=0 pid=90040 D=fbb95cfd
Support for: crypteq iconv() IPv6 use_setclassresources PAM Perl Expand_dlfunc OpenSSL Content_Scanning Old_Demime DKIM DNSSEC PRDR Experimental_SPF
...skip...
Library version: OpenSSL: Compile: OpenSSL 1.0.2h 3 May 2016
                          Runtime: OpenSSL 1.0.2h 3 May 2016
                                 : built on: reproducible build, date unspecified
...skip...
changed uid/gid: forcing real = effective
  uid=0 gid=0 pid=90040
  auxiliary group list: 0
...skip...
changed uid/gid: calling tls_validate_require_cipher
  uid=26 gid=6 pid=90041
  auxiliary group list: 6
tls_validate_require_cipher child 90041 ended: status=0x0
openssl option, adding from 1100000: 1000000 (no_sslv2 +no_sslv3)
openssl option, adding from 1100000: 2000000 (no_sslv3)

I wrote this question to the exim-users mailing list (using another mail server) and received this answer:

=================================================================
> SSL_write: (from <unknown>) syscall: Permission denied

Some form of permissions or security-enforcement issue with the build you did. You may get better help from a FreeBSD mailing list or forum than here; this looks like a pretty low-level problem between the exim user process and the kernel.
=================================================================

I have these IPFW rules in the firewall:

# ipfw show
00050 10935146 1162976580 fwd 127.0.0.1,3129 tcp from 192.168.75.0/24 to any dst-port 80,8080,8000 in recv bge0
00100 494798 869115690 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 deny ip from any to ::1
00500 0 0 deny ip from ::1 to any
00600 3 244 allow ipv6-icmp from :: to ff02::/16
00700 0 0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 2 172 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 0 0 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 0 0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01100 3322447 1364993954 allow ip from 192.168.75.0/24 to 192.168.75.0/24
01200 2584569 197934553 nat 122 ip from any to 10.88.1.0/24
01300 2182578 174237565 nat 121 ip from any to 10.90.90.0/24
01400 0 0 nat 120 ip from any to 10.44.44.0/24
01500 63842 3235008 nat 119 ip from 192.168.75.0/24 to 10.60.60.0/24
01600 0 0 nat 119 ip from 10.60.60.0/24 to 10.60.60.127
01700 0 0 nat 118 ip from 192.168.75.0/24 to 10.3.3.0/24
01800 0 0 nat 118 ip from 10.3.3.0/24 to 10.3.3.2
01900 2087132 194863649 nat 123 ip from 192.168.75.50 to any out xmit bge1.5
02000 49098822 4894965993 nat 123 tcp from any to any dst-port 2222,8888,20,21,7071,110,25,465,995,143,993,443,5223,222,22 out xmit bge1.5
02100 1141 521449 nat 123 udp from any to any dst-port 1194-1196 out xmit bge1.5
02200 339310 19901782 nat 123 icmp from any to any out xmit bge1.5
02300 124574754 152157798928 nat 123 ip from any to me in recv bge1.5
02400 0 0 deny ip from any to table(2)
02500 0 0 allow tcp from any to me dst-port 222,80,25,1194
02600 0 0 allow tcp from 192.168.75.0/24 to me dst-port 3128
02700 243411 14335521 allow tcp from 192.168.75.0/24 to me
02800 0 0 deny log ip from table(1) to me
02900 0 0 deny log ip from table(2) to me
03000 179641895 173847999372 allow tcp from any to any established
03100 4948751 849323309 allow ip from me to any
03200 0 0 allow ip from any to me
03300 2153299 275535558 allow ip from 192.168.75.0/24 to any
03400 180977 56263582 allow ip from any to 192.168.75.0/24
03500 0 0 allow ip from 10.60.60.0/24 to any
03600 0 0 allow ip from any to 10.60.60.0/24
03700 0 0 allow ip from 10.19.0.0/24 to any
03800 0 0 allow ip from any to 10.19.0.0/24
03900 0 0 deny ip from 10.88.1.0/24 to any
04000 0 0 deny log ip from not 192.168.75.0/24 to me
65000 48716 6677994 deny log ip from any to any
65535 23 1486 deny ip from any to any

In the security log there is nothing about SSL or mail ports.

At the maximum level of exim debug I see this:

SMTP>> DATA
tls_do_write(0xbfbfa43c, 76)
SSL_write(SSL, 0xbfbfa43c, 76)
outbytes=76 error=0
Calling SSL_read(0x291ef200, 0xbfbfb43c, 4096)
read response data: size=42
SMTP<< 250 2.1.0 OK a78si15464344pfj.35 - gsmtp
Calling SSL_read(0x291ef200, 0xbfbfb43c, 4096)
read response data: size=42
SMTP<< 250 2.1.5 OK a78si15464344pfj.35 - gsmtp
Calling SSL_read(0x291ef200, 0xbfbfb43c, 4096)
read response data: size=43
SMTP<< 354 Go ahead a78si15464344pfj.35 - gsmtp
SMTP>> writing message and terminating "."
writing data block fd=7 size=8189 timeout=300
tls_do_write(0x29058000, 8189)
SSL_write(SSL, 0x29058000, 8189)
outbytes=-1 error=5
LOG: MAIN
  SSL_write: (from <unknown>) syscall: Permission denied
writing error 13: Permission denied
ok=0 send_quit=0 send_rset=1 continue_more=0 yield=1 first_address is NULL
tls_close(): shutting down SSL
LOG: MAIN
  H=alt1.gmail-smtp-in.l.google.com [64.233.189.26]: alt1.gmail-smtp-in.l.google.com [64.233.189.26]: Permission denied

-- 
Best regards
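
Added example, not part of the original message and not Exim code: a small Python parser that pairs each SSL_write call in `exim -d` output with its result, so the failing write size, the OpenSSL error code (5 is SSL_ERROR_SYSCALL, meaning the underlying socket write failed) and the errno appear together. The sample is an excerpt of the debug output quoted in the message; the function names `triage` and `failed_writes` are assumptions of this example.

```python
import errno
import re

# SSL_get_error() result codes, values as defined in openssl/ssl.h.
SSL_ERRORS = {0: "SSL_ERROR_NONE", 1: "SSL_ERROR_SSL", 2: "SSL_ERROR_WANT_READ",
              3: "SSL_ERROR_WANT_WRITE", 5: "SSL_ERROR_SYSCALL",
              6: "SSL_ERROR_ZERO_RETURN"}

# One alternative per debug event, so parsing works whether or not a call
# and its result ended up on the same line of the captured output.
EVENT_RE = re.compile(
    r"SSL_write\(SSL, 0x[0-9a-f]+, (?P<size>\d+)\)"
    r"|outbytes=(?P<out>-?\d+) error=(?P<err>\d+)"
    r"|writing error (?P<errno>\d+):")

# Excerpt of the debug output quoted in the message.
SAMPLE = """\
SSL_write(SSL, 0xbfbfa43c, 76)
outbytes=76 error=0
writing data block fd=7 size=8189 timeout=300
SSL_write(SSL, 0x29058000, 8189)
outbytes=-1 error=5
LOG: MAIN
  SSL_write: (from <unknown>) syscall: Permission denied
writing error 13: Permission denied
"""

def triage(debug_text):
    """Return one record per SSL_write call: size asked, result, error names."""
    writes, pending = [], None
    for m in EVENT_RE.finditer(debug_text):
        if m.group("size") is not None:
            pending = {"requested": int(m.group("size"))}
        elif m.group("out") is not None and pending is not None:
            code = int(m.group("err"))
            pending.update(written=int(m.group("out")),
                           ssl_error=SSL_ERRORS.get(code, "unknown(%d)" % code))
            writes.append(pending)
            pending = None
        elif m.group("errno") is not None and writes:
            # Names come from the host running this script; 13 is EACCES
            # on both FreeBSD and Linux.
            num = int(m.group("errno"))
            writes[-1]["errno"] = errno.errorcode.get(num, str(num))
    return writes

def failed_writes(debug_text):
    """Only the writes where SSL_write returned a negative byte count."""
    return [w for w in triage(debug_text) if w["written"] < 0]

if __name__ == "__main__":
    print(failed_writes(SAMPLE))
```

On the excerpt, the 76-byte write is reported as successful and the 8189-byte write as SSL_ERROR_SYSCALL with EACCES.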