Date:      Thu, 27 Aug 2015 13:55:37 -0400
From:      Robert Sargent <robtsgt@sgt.com>
To:        freebsd-security@freebsd.org
Subject:   sendmail server sending milter data after latest FreeBSD upgrade
Message-ID:  <201508271755.t7RHtdjO009327@sgt.com>


Hi,

After rebuilding my systems after the latest openssl/iret handler I noticed some incoming email sessions were failing.  The failures were primarily from hotmail.com, outlook.com, google.com and me.com.  The SMTP server [sendmail v 8.15.2] logs contained lines like this:

Aug 27 14:41:22 tusk sm-mta[18366]: t7REfKQd018366: col004-omc4s12.hotmail.com [65.55.34.214] did not issue MAIL/EXPN/VRFY/ETRN during connection to IPv4

I captured some packets with tcpdump and read them with wireshark.  The failed session packets' contents indicated after the SYN, SYN, ACK 3-way handshake I would send out

Response: milter_negotiate(milter-regex): send: version 6, fflags 0x1ff, pflags 0x1fffff\n

I then rec'd an ACK from the client and then I would send out more milter data like:

Response: milter_negotiate(milter-regex): received: version 6, fflags 0x20, pflags 0x300\n
Response: milter_negotiate(opendkim): send: version 6, fflags 0x1ff, pflags 0x1fffff\n
Response: milter_negotiate(opendkim): received: version 6, fflags 0x111, pflags 0x100702\n
Response: milter_negotiate(smf-spf): send: version 6, fflags 0x1ff, pflags 0x1fffff\n
Response: milter_negotiate(smf-spf): received: version 6, fflags 0x1d, pflags 0x350\n
Response: milter_negotiate(greylist): send: version 6, fflags 0x1ff, pflags 0x1fffff\n
Response: milter_negotiate(greylist): received: version 6, fflags 0x13, pflags 0x100\n
Response: milter_negotiate(clmilter): send: version 6, fflags 0x1ff, pflags 0x1fffff\n
Response: milter_negotiate(clmilter): received: version 6, fflags 0x31, pflags 0x342\n

The client would then ACK and I would send out my normal SMTP greeting:

Response: 220 tusk.sgt.com ESMTP Sendmail 8.15.2/8.14.9; Thu, 27 Aug 2015 12:24:38 GMT\r\n

Then the client would send a FIN

-------------------

Needless to say I was concerned and tried restarting sendmail and associated milters, no change, I kept sending out milter data to the client.

I tried reinstalling sendmail from both pkgs and ports, no change.

I finally rebooted the system and the problem "went away".

There was no problem with incoming hotmail, google, apple emails prior to this latest OS upgrade.

uname -a:  FreeBSD tusk.sgt.com 9.3-RELEASE-p24 FreeBSD 9.3-RELEASE-p24 #10 r287147: Tue Aug 25 23:19:33 UTC 2015     root@tusk.sgt.com:/usr/obj/usr/src/sys/SGT93AMD64ZFS  amd64


Is this a known problem? Any ideas WTF is [was] going on?  Any suggestions on what to do next time it happens [short of rebooting]?

Please do not publicly release any of my site/domain specific data.

tcpdumpfile attached.

Thanks,
Rob
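
Added example, not part of the original message: a Python check over the server-to-client bytes of a captured SMTP session that reports anything sent before the first valid reply line and decodes the action flags in any milter_negotiate lines found there. The sample bytes are constructed from the line format shown in the message with a placeholder hostname, the function names are hypothetical, and the SMFIF_* bit names are those defined in libmilter's mfapi.h.

```python
import re

# RFC 5321 reply line: three-digit code, then space or hyphen and text.
SMTP_REPLY = re.compile(rb"[2-5][0-9]{2}(?:[ -].*)?")
MILTER_NEG = re.compile(
    rb"milter_negotiate\(([^)]+)\): (send|received): "
    rb"version (\d+), fflags (0x[0-9a-fA-F]+), pflags (0x[0-9a-fA-F]+)")
# Action flag bits as defined in libmilter's mfapi.h (SMFIF_*).
SMFIF = {0x001: "ADDHDRS", 0x002: "CHGBODY", 0x004: "ADDRCPT",
         0x008: "DELRCPT", 0x010: "CHGHDRS", 0x020: "QUARANTINE",
         0x040: "CHGFROM", 0x080: "ADDRCPT_PAR", 0x100: "SETSYMLIST"}

def decode_fflags(value):
    """Names of the SMFIF_* bits set in a milter action-flag word."""
    return [name for bit, name in SMFIF.items() if value & bit]

def audit_pre_greeting(stream):
    """Return (stray, greeting): what the server sent before its first valid reply."""
    stray, greeting = [], None
    for raw in stream.splitlines(keepends=True):
        line = raw.rstrip(b"\r\n")
        # A real SMTP reply is CRLF-terminated and starts with a reply code.
        if raw.endswith(b"\r\n") and SMTP_REPLY.fullmatch(line):
            greeting = line.decode("ascii", "replace")
            break
        entry = {"text": line.decode("ascii", "replace"), "milter": None}
        m = MILTER_NEG.search(line)
        if m:  # the stray line names an installed milter and its capabilities
            entry.update(milter=m.group(1).decode(), direction=m.group(2).decode(),
                         actions=decode_fflags(int(m.group(4), 16)))
        stray.append(entry)
    return stray, greeting

# Constructed sample: reassembled server-side bytes, placeholder hostname.
SAMPLE = (
    b"milter_negotiate(milter-regex): send: version 6, fflags 0x1ff, pflags 0x1fffff\n"
    b"milter_negotiate(milter-regex): received: version 6, fflags 0x20, pflags 0x300\n"
    b"220 mx.example.org ESMTP Sendmail 8.15.2/8.14.9; Thu, 27 Aug 2015 12:24:38 GMT\r\n"
)

if __name__ == "__main__":
    stray, greeting = audit_pre_greeting(SAMPLE)
    for e in stray:
        print("STRAY:", e["text"], "->", e["milter"], e.get("actions"))
    print("greeting:", greeting)
```

A non-empty `stray` list on a monitored listener is the condition to alert on: clients that expect a reply code as the first bytes may drop the session, and each stray line discloses part of the filter stack.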





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201508271755.t7RHtdjO009327>