From: Todd L. <tl...@iv...> - 2007-11-14 17:50:34
|
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 An email from work to home mail server (home mail server log snippet) that is successful with Beta3: Nov 14 09:27:26 mail dkim-filter[19065]: lAEHRPg9019079 DKIM verification successful Nov 14 09:27:26 mail imapd-ssl: Connection, ip=[::ffff:72.67.15.92] Nov 14 09:27:26 mail sm-mta[19079]: lAEHRPg9019079: Milter insert (1): header: Authentication-Results: mail.mrball.net; dkim=pass (1024-bit key) header.i=@ivenue.com Nov 14 09:27:26 mail sm-mta[19079]: lAEHRPg9019079: Milter insert (1): header: X-DKIM: Sendmail DKIM Filter v2.4.0.Beta3 mail.mrball.net lAEHRPg9019079 An email from work to home mail server that fails with Beta7, including lines logging startup: Nov 14 09:25:01 mail dkim-filter[18710]: Sendmail DKIM Filter v2.4.0.Beta7 starting (args: -x /etc/mail/dkim-milter-sign.conf) Nov 14 09:25:01 mail dkim-filter[18725]: Sendmail DKIM Filter v2.4.0.Beta7 starting (args: -x /etc/mail/dkim-milter-verify.conf) Nov 14 09:25:22 mail dkim-filter[18725]: Sendmail DKIM Filter: st_optionneg[-1222263920]: xxfi_negotiate returned 1 (protocol options=0x1fffff, actions=0xff) Nov 14 09:25:22 mail dkim-filter[18710]: Sendmail DKIM Filter: st_optionneg[-1222235248]: xxfi_negotiate returned 1 (protocol options=0x1fffff, actions=0xff) Nov 14 09:25:22 mail sm-mta[18744]: lAEHPMY0018744: milter_sys_read(dkim-milter-verify): cmd read returned 0, expecting 5 Nov 14 09:25:22 mail sm-mta[18744]: lAEHPMY0018744: Milter (dkim-milter-verify): to error state Nov 14 09:25:22 mail sm-mta[18744]: lAEHPMY0018744: Milter (dkim-milter-verify): init failed to open Nov 14 09:25:22 mail sm-mta[18744]: lAEHPMY0018744: Milter (dkim-milter-verify): to error state Nov 14 09:25:22 mail sm-mta[18744]: lAEHPMY0018744: milter_sys_read(dkim-milter-sign): cmd read returned 0, expecting 5 Nov 14 09:25:22 mail sm-mta[18744]: lAEHPMY0018744: Milter (dkim-milter-sign): to error state Nov 14 09:25:22 mail sm-mta[18744]: lAEHPMY0018744: Milter (dkim-milter-sign): init failed to open Nov 14 09:25:22 mail sm-mta[18744]: lAEHPMY0018744: Milter (dkim-milter-sign): to error state I have not tried Betas between 3 and 7. I can do so if you request to see when the issue started appearing. This is on a Gentoo box, running: Sendmail 8.14.0/8.14.0 compiled via Gentoo ebuild dkim-milter-2.4.0.Beta{3,7} compiled from source OpenSSL 0.9.8g 19 Oct 2007 compiled via Gentoo ebuild site.config.m4: APPENDDEF(`confINCDIRS', `-I/usr/include/tre ') APPENDDEF(`confLIBS', `-ltre ') APPENDDEF(`confENVDEF', `-D_FFR_CAPTURE_UNKNOWN_ERRORS ') APPENDDEF(`confENVDEF', `-D_FFR_DIFFHEADERS ') APPENDDEF(`confENVDEF', `-D_FFR_PARSE_TIME ') APPENDDEF(`confENVDEF', `-D_FFR_REPLACE_RULES ') APPENDDEF(`confENVDEF', `-D_FFR_REQUIRED_HEADERS ') APPENDDEF(`confENVDEF', `-D_FFR_SELECT_CANONICALIZATION ') APPENDDEF(`confENVDEF', `-D_FFR_SELECTOR_HEADER ') APPENDDEF(`confENVDEF', `-D_FFR_STATS ') APPENDDEF(`confENVDEF', `-D_FFR_ZTAGS ') I can post my sign and verify configs if that is necessary. - -- Regards... Todd They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. --Benjamin Franklin Linux kernel 2.6.22.9-desktop-1mdv 2 users, load average: 0.20, 0.22, 0.21 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFHOzVoY2VBGxIDMLwRAiiJAJ4+ikyJhZa3XNASL3K/0cB+w56XIQCfb72Q noiVzVF3y0+e5G8UUnqmcDQ= =Ibv0 -----END PGP SIGNATURE----- |
From: Murray S. K. <ms...@se...> - 2007-11-14 18:06:51
|
The only difference between Beta3 and Beta7 in the mlfi_negotiate() function that could cause a rejection there is the fact that the filter now requests the SMFIF_SETSYMLIST action (which it should have been doing in the first place). According to the logs you're citing, sendmail is offering that among its available actions, so this test: if ((f0 & actions) != actions) return SMFIS_REJECT; ...should fail (i.e. the function should continue rather than returning SMFIS_REJECT). Does your configuration request any MTA macros (i.e. "-M" on the command line or "MacroList" in the configuration file)? Perhaps the actual call that requests the macro list be changed is failing. That would also result in and error being logged ("smfi_setsymlist() failed"). Do you see that in your logs? This isn't failing in my own sendmail 8.14.2 environment so I'm kind of stuck without more data. So I'll make the same request I made of Tonni yesterday: Can you step through mlfi_negotiate() in the debugger on some live/test e-mail and see what's going on in there? |
From: Todd L. <tl...@iv...> - 2007-11-14 20:19:43
|
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, Nov 14, 2007 at 10:06:47AM -0800, Murray S. Kucherawy wrote: >The only difference between Beta3 and Beta7 in the mlfi_negotiate() >function that could cause a rejection there is the fact that the filter >now requests the SMFIF_SETSYMLIST action (which it should have been doing >in the first place). > >Does your configuration request any MTA macros (i.e. "-M" on the command >line or "MacroList" in the configuration file)? Perhaps the actual call No MacroList settings in either config: # cat dkim-milter-sign.conf Background Yes Canonicalization simple Domain /etc/mail/dkim-milter.domains DNSTimeout 60 InternalHosts /etc/mail/dkim-milter.internalhosts KeyFile /etc/mail/domainkeys/test.pem Mode s MTA MSA OmitHeaders Subject,X-Greylist,X-Virus-Scanned,X-Virus-Status,X-Spam-Status,X-Spam-Report,X-Spam-Checker-Version On-BadSignature accept On-DNSError accept On-InternalError accept On-NoSignature accept On-SignatureMissing accept PIDFile /var/run/dkim/dkim-milter-sign.pid Selector test Socket inet:10037@localhost #Statistics /var/lib/dkim/test.db Syslog Yes UserID smmsp:smmsp X-Header Yes # cat dkim-milter-verify.conf Background Yes Canonicalization simple Domain /etc/mail/dkim-milter.domains DNSTimeout 60 InternalHosts /etc/mail/dkim-milter.internalhosts #KeyFile /etc/mail/domainkeys/test.pem Mode v MTA MSA On-BadSignature accept On-DNSError accept On-InternalError accept On-NoSignature accept On-SignatureMissing accept PIDFile /var/run/dkim/dkim-milter-verify.pid Selector test SendReports Yes Socket inet:10036@localhost Statistics /var/lib/dkim/test.db Syslog Yes SyslogSuccess Yes UserID smmsp:smmsp X-Header Yes >that requests the macro list be changed is failing. That would also >result in and error being logged ("smfi_setsymlist() failed"). Do you see >that in your logs? No, I pasted everything that the daemon spit out into the log file. >This isn't failing in my own sendmail 8.14.2 environment so I'm kind of Updated to sendmail-8.14.2. Beta3 was still working properly. Now Beta7 works properly. * I did competely rebuild Beta7 after the sendmail compile/install. That includes deleting the obj* directory, so that all the Makefiles get rebuilt. sh Build clean doesn't remove it, nor does sh Build fresh. Is there some other standard or preferred way other than rm -rf obj* to get rid of it? >stuck without more data. So I'll make the same request I made of Tonni >yesterday: Can you step through mlfi_negotiate() in the debugger on some >live/test e-mail and see what's going on in there? I still want to do this. gdb on a live program is new territory for me. I'll look up that email to Tonni and figure out the steps I need to do to get at the info you requested (for my own education, I won't bother you with that info). - -- Regards... Todd Exponential problems need logarithmic solutions. --Eddy Dreger Linux kernel 2.6.22.9-desktop-1mdv 2 users, load average: 0.08, 0.14, 0.10 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFHO1hTY2VBGxIDMLwRAr0KAJ9NSbpl0x+a4VAvOQT9//eZBjxXygCfResb ZrPTwY9fRapohoJYZg9gQR4= =RESn -----END PGP SIGNATURE----- |
From: Murray S. K. <ms...@se...> - 2007-11-14 20:31:20
|
On Wed, 14 Nov 2007, Todd Lyons wrote: > * I did competely rebuild Beta7 after the sendmail compile/install. That > includes deleting the obj* directory, so that all the Makefiles get > rebuilt. sh Build clean doesn't remove it, nor does sh Build fresh. > Is there some other standard or preferred way other than rm -rf obj* to > get rid of it? Try "sh Build -c". I'm fairly sure that blows away the obj.* tree. "sh Build clean" just passes "clean" to the "make" command which has sa different effect. > I still want to do this. gdb on a live program is new territory for me. > I'll look up that email to Tonni and figure out the steps I need to do > to get at the info you requested (for my own education, I won't bother > you with that info). % ps guaxww | fgrep dkim-filter % gdb <path-to-dkim-filter> (gdb) break mlfi_negotiate (gdb) attach <pid-of-dkim-filter> (gdb) cont [wait for breakpoint to trip] (gdb) next [hit RETURN repeatedly until you see it hit a "return" line (SMFIS_CONTINUE or SMFIS_REJECT)] (gdb) quit Send me the output of the entire gdb session. Note that there's a timeout between the filter and the MTA which defaults to about 10 seconds. You have about that long between the breakpoint being hit and the MTA giving up on you, which could cause a false failure of the smfi_setsymlist() call. You can either increase the milter timeouts (see libmilter/README) or try to contain the operations to within the current timeout. If you're feeling particularly quick or you do increase the timeouts, then these extra commands inside gdb might prove even more useful: - at line 1762: (gdb) print f0 (gdb) print actions - at line 1817: (gdb) print macrolist -MSK |
From: Daniel B. <dan...@in...> - 2007-11-15 10:31:50
|
> % ps guaxww | fgrep dkim-filter > > % gdb <path-to-dkim-filter> > > (gdb) break mlfi_negotiate > > (gdb) attach <pid-of-dkim-filter> > > (gdb) cont > > [wait for breakpoint to trip] > > (gdb) next > > [hit RETURN repeatedly until you see it hit a "return" line > (SMFIS_CONTINUE or SMFIS_REJECT)] > > (gdb) quit > > Send me the output of the entire gdb session. > > Note that there's a timeout between the filter and the MTA which defaults > to about 10 seconds. You have about that long between the breakpoint > being hit and the MTA giving up on you, which could cause a false failure > of the smfi_setsymlist() call. You can either increase the milter > timeouts (see libmilter/README) or try to contain the operations to within > the current timeout. > > If you're feeling particularly quick or you do increase the timeouts, then > these extra commands inside gdb might prove even more useful: > > - at line 1762: > (gdb) print f0 > (gdb) print actions > > - at line 1817: > (gdb) print macrolist > > -MSK >(gdb) run Not sure if you were still after these: Starting=20 program: /home/dan/software_projects/dkim-milter-2.4.0.Beta8/obj.Linux.2.6.= 22-gentoo-r9-grsec2.1.11-vs2.2.0.4.x86_64/dkim-filter/dkim-filter -f -x /et= c/mail/dkim-filter/dkim-filter.conf [New LWP 6760] [Switching to LWP 6760] Breakpoint 1, mlfi_negotiate (ctx=3D0x66c490, f0=3D63, f1=3D1044735, f2=3D0= , f3=3D0,=20 pf0=3D0x41001048, pf1=3D0x41001040, pf2=3D0x41001038, pf3=3D0x41001030) at dkim-filter.c:1773 1773 *pf1 =3D (protosteps & f1); (gdb) print f0 $7 =3D 63 (gdb) p wantactions $8 =3D 0 (gdb) p reqactions $9 =3D 17 (gdb) s 1777 if ((f1 & SMFIP_HDR_LEADSPC) !=3D 0) (gdb) s 1791 *pf2 =3D 0; (gdb) s 1792 *pf3 =3D 0; (gdb) s 1795 if (macros !=3D NULL && (wantactions & SMFIF_SETSYMLIST) != =3D 0) (gdb) seems as though macroslist is never defined as the last condition is false Breakpoint 2, mlfi_negotiate (ctx=3D0x66c490, f0=3D63, f1=3D1044735, f2=3D0= , f3=3D0,=20 pf0=3D0x41001048, pf1=3D0x41001040, pf2=3D0x41001038, pf3=3D0x41001030) at dkim-filter.c:1836 1836 if ((f1 & SMFIP_SKIP) !=3D 0) (gdb) 1839 return SMFIS_CONTINUE; (gdb) 1840 } (gdb) 0x0000000000413dee in st_optionneg () (gdb) c Continuing. [LWP 6760 exited] > ------------------------------------------------------------------------- > This SF.net email is sponsored by: Splunk Inc. > Still grepping through log files to find problems? Stop. > Now Search log events and configuration files using AJAX and a browser. > Download your FREE copy of Splunk now >> http://get.splunk.com/ > _______________________________________________ > dkim-milter-beta mailing list > dki...@li... > https://lists.sourceforge.net/lists/listinfo/dkim-milter-beta =2D-=20 Daniel Black =2D- Proudly a Gentoo Linux User. Gnu-PG/PGP signed and encrypted email preferred http://pgp.mit.edu:11371/pks/lookup?op=3Dget&search=3D0x76677097 GPG Signature D934 5397 A84A 6366 9687 9EB2 861A 4ABA 7667 7097 |
From: Daniel B. <dan...@in...> - 2007-11-15 11:24:31
|
er - clarifing - I ment postfix 2.4.5 not 2.4.6 =2D-=20 Daniel Black =2D- Proudly a Gentoo Linux User. Gnu-PG/PGP signed and encrypted email preferred http://pgp.mit.edu:11371/pks/lookup?op=3Dget&search=3D0x76677097 GPG Signature D934 5397 A84A 6366 9687 9EB2 861A 4ABA 7667 7097 |
From: Murray S. K. <ms...@se...> - 2007-11-15 19:04:50
|
On Thu, 15 Nov 2007, Daniel Black wrote: > Breakpoint 1, mlfi_negotiate (ctx=0x66c490, f0=63, f1=1044735, f2=0, f3=0, > pf0=0x41001048, pf1=0x41001040, > pf2=0x41001038, pf3=0x41001030) at dkim-filter.c:1773 > 1773 *pf1 = (protosteps & f1); > (gdb) print f0 > $7 = 63 > (gdb) p wantactions > $8 = 0 OK, so postfix is offering flags 0x3f, which includes SMFIF_QUARANTINE, SMFIF_CHGHDRS, SMFIF_DELRCPT, SMFIF_ADDRCPT, SMFIF_CHGBODY and SMFIF_ADDHDRS. It doesn't include SMFIF_SETSYMLIST (which makes wanactions 0). The patch to Beta8 handled this correctly. Previous versions assumed that SMFIF_SETSYMLIST was available on any system where mlfi_negotiate() was supported. > (gdb) p reqactions > $9 = 17 That's 0x11 which is SMFIF_CHGHDRS and SMFIF_ADDHDRS, which are offered, so we're okay there. > (gdb) s > 1777 if ((f1 & SMFIP_HDR_LEADSPC) != 0) > (gdb) s > 1791 *pf2 = 0; > (gdb) s > 1792 *pf3 = 0; > (gdb) s > 1795 if (macros != NULL && (wantactions & SMFIF_SETSYMLIST) != 0) > (gdb) > > seems as though macroslist is never defined as the last condition is false Right. For previous Betas I was assuming that all milter v2 implementations supported SMFIF_SETSYMLIST, which is perhaps why there were problems with postfix. However I think the original report for the problem was from someone that wasn't using MacroList (or the command line equivalent) so I'm not sure why there was a problem. |