[Bug 2886] Crashes in SMTP delivery attempt following a deferral
https://bugs.exim.org/show_bug.cgi?id=2886

--- Comment #26 from Gedalya <gedalya@gedalya.net> ---
Created attachment 1420
--> https://bugs.exim.org/attachment.cgi?id=1420&action=edit
gedalya.vanilla.3.debug_and_bt (no preloading)

remote_smtp:
driver = smtp
tls_try_verify_hosts = :
tls_verify_hosts = :
tls_verify_cert_hostnames = :
hosts_try_dane = :
hosts_request_ocsp = :
tls_verify_certificates = ${if bool {0} {} {system}}
.ifdef _HAVE_TLS_RESUME
tls_resumption_hosts = *
.endif

--
You are receiving this mail because:
You are on the CC list for the bug.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##

--- Comment #27 from Gedalya <gedalya@gedalya.net> ---
${if bool {0} {} {}} just yields the same crash in
gnutls_x509_trust_list_deinit

--- Comment #28 from Gedalya <gedalya@gedalya.net> ---
set ${if bool {0} {} {}} for both remote_smtp and smarthost_smtp

GnuTLS global init required
TLS: basic cred init, client
TLS: not preloading client certs, for transport 'remote_smtp'
TLS: not preloading CA bundle, for transport 'remote_smtp'
TLS: basic cred init, client
TLS: not preloading client certs, for transport 'smarthost_smtp'
TLS: not preloading CA bundle, for transport 'smarthost_smtp'

First conn:
TLS: tls_verify_certificates expanded empty, ignoring
TLS: server certificate verification not required
second conn:
TLS: tls_verify_certificates expanded empty, ignoring
TLS: server certificate verification not required

Crashes in gnutls_x509_trust_list_deinit

--- Comment #29 from Jeremy Harris <jgh146exb@wizmail.org> ---
About line 3781 in src/tls-gnu.c there is a call to
gnutls_certificate_free_credentials().

Please test with that commented out. I think that is freeing the shared
CA-bundle, which we then try to re-use in the second connection within
the same process. That would account for the with-preload crash, and
perhaps for the without-preload also.

--- Comment #30 from Gedalya <gedalya@gedalya.net> ---
That fixes all cases I've tested in the last 24 hours.
I'll confirm later with DKIM/ARC.

--- Comment #31 from Gedalya <gedalya@gedalya.net> ---
So, the ARC thing is different.

Line 3781 is commented out.

remote_smtp:
driver = smtp
.ifdef _HAVE_TLS_RESUME
tls_resumption_hosts = *
.endif
arc_sign = gedalya.net : rsa2 : /usr/exim/rsa2.key : timestamps
dkim_domain = gedalya.net
dkim_selector = rsa1
dkim_private_key = /usr/exim/rsa1.key
dkim_canon = relaxed
dkim_sign_headers = From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:=Resent-Date:=Resent-From:=Resent-Sender:=Resent-To:=Resent-Cc:=Resent-Message-ID:=In-Reply-To:=References:=List-Id:=List-Help:=List-Unsubscribe:=List-Subscribe:=List-Post:=List-Owner:=List-Archive

It crashes if all of the following conditions are met:

- TLS is used (no hosts_avoid_tls = *)
- First connection deferred
- DKIM signing is done
- ARC signing is done

Local/Makefile:

BIN_DIRECTORY=/usr/exim/bin
CONFIGURE_FILE=/usr/exim/configure
EXIM_USER=mail
SPOOL_DIRECTORY=/var/spool/exim
USE_GNUTLS=yes
USE_GNUTLS_PC=gnutls gnutls-dane
#USE_OPENSSL=yes
#USE_OPENSSL_PC=openssl
ROUTER_ACCEPT=yes
ROUTER_DNSLOOKUP=yes
ROUTER_IPLITERAL=yes
ROUTER_MANUALROUTE=yes
ROUTER_QUERYPROGRAM=yes
ROUTER_REDIRECT=yes
TRANSPORT_APPENDFILE=yes
TRANSPORT_AUTOREPLY=yes
TRANSPORT_PIPE=yes
TRANSPORT_SMTP=yes
LOOKUP_DBM=yes
LOOKUP_LSEARCH=yes
LOOKUP_DNSDB=yes
PCRE2_CONFIG=yes
SUPPORT_DANE=yes
DISABLE_MAL_AVE=yes
DISABLE_MAL_KAV=yes
DISABLE_MAL_MKS=yes
EXPERIMENTAL_ARC=yes
FIXED_NEVER_USERS=root
AUTH_CRAM_MD5=yes
HEADERS_CHARSET="ISO-8859-1"
SYSLOG_LOG_PID=yes
EXICYCLOG_MAX=10
COMPRESS_COMMAND=/usr/bin/gzip
COMPRESS_SUFFIX=gz
ZCAT_COMMAND=/usr/bin/zcat
SUPPORT_SPF=yes
LDFLAGS += -lspf2
SYSTEM_ALIASES_FILE=/etc/aliases
EXIM_TMPDIR="/tmp"

--- Comment #32 from Gedalya <gedalya@gedalya.net> ---
Created attachment 1421
--> https://bugs.exim.org/attachment.cgi?id=1421&action=edit
gedalya.vanilla.ARC.1.debug_and_bt

debug output and backtrace for ARC crash

--- Comment #33 from Gedalya <gedalya@gedalya.net> ---
Created attachment 1422
--> https://bugs.exim.org/attachment.cgi?id=1422&action=edit
gedalya.vanilla.ARC.2.debug_and_bt

ARC bug reproduced pretty much the same way when built with OpenSSL 3.0.3

--- Comment #34 from Jeremy Harris <jgh146exb@wizmail.org> ---
I still can't duplicate the ARC-case segv. However, I did identify a lack
of re-initialization that might be relevant. Please add, at about
"src/arc.c" line 1532 :-

headers_rlist = NULL;


(I've managed a testcase for the non-ARC case; it doesn't consistently segv
on my platform but does, before the fix, consistently have identifiably bad
behavior).

--- Comment #35 from Gedalya <gedalya@gedalya.net> ---
I guess you mean in function arc_sign_init(), added, it fixes the issue.

Git Commit <git@exim.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |git@exim.org

--- Comment #36 from Git Commit <git@exim.org> ---
Git commit:
https://git.exim.org/exim.git/commitdiff/8c74b00980bc7e3e479e8dfcd7c0008b2ac3f543

commit 8c74b00980bc7e3e479e8dfcd7c0008b2ac3f543
Author: Jeremy Harris <jgh146exb@wizmail.org>
AuthorDate: Thu May 19 14:23:02 2022 +0100
Commit: Jeremy Harris <jgh146exb@wizmail.org>
CommitDate: Thu May 19 14:23:02 2022 +0100

gnutls: do not free the cached creds on transport connection close. bug
2886
----
doc/doc-txt/ChangeLog | 4 +++
src/src/tls-gnu.c | 8 ++---
test/confs/2011 | 72 +++++++++++++++++++++++++++++++++++++++++++
test/log/2011 | 13 ++++++++
test/rejectlog/2011 | 3 ++
test/scripts/2000-GnuTLS/2011 | 20 ++++++++++++
6 files changed, 115 insertions(+), 5 deletions(-)

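The lifetime problem described in comment #29 and fixed by the commit in comment #36, as an added C model that is not Exim or GnuTLS code: credentials cached per transport are borrowed by each connection, and a close routine that frees them breaks the second connection in the same process. All type and function names are hypothetical, and a NULL marker stands in for the real dangling pointer so the model runs safely.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins: creds_t for the cached credentials,
   trust_list for the loaded CA bundle. */
typedef struct { char *trust_list; } creds_t;
typedef struct { creds_t cache; } transport_t;   /* owner of the cache */
typedef struct { creds_t *creds; } conn_t;       /* borrower of the cache */

enum close_policy { CLOSE_FREES_CREDS, CLOSE_KEEPS_CREDS };

static const char BUNDLE[] = "constructed-ca-bundle";  /* constructed sample */

static void creds_release(creds_t *c)
{
    free(c->trust_list);
    c->trust_list = NULL;   /* NULL marks "freed" so reuse can be detected */
}

/* Load the cache once per transport. */
static void transport_init(transport_t *t)
{
    t->cache.trust_list = malloc(sizeof BUNDLE);
    if (t->cache.trust_list)
        memcpy(t->cache.trust_list, BUNDLE, sizeof BUNDLE);
}

/* A connection borrows the cache; returns 0 if the cache is already gone. */
static int conn_open(transport_t *t, conn_t *c)
{
    c->creds = &t->cache;
    return c->creds->trust_list != NULL;
}

static void conn_close(conn_t *c, enum close_policy p)
{
    if (p == CLOSE_FREES_CREDS)     /* bug: frees what it only borrowed */
        creds_release(c->creds);
    c->creds = NULL;
}

/* Try each host in turn, as after a deferral by the first MX.
   Returns the 1-based index of the first connection that found stale
   credentials, or 0 if every connection saw a valid cache. */
int deliver(enum close_policy p, int n_hosts)
{
    transport_t t;
    conn_t c;
    int stale = 0;

    transport_init(&t);
    for (int i = 1; i <= n_hosts && !stale; i++) {
        if (!conn_open(&t, &c))
            stale = i;
        conn_close(&c, p);
    }
    creds_release(&t.cache);        /* the owner frees once, at the end */
    return stale;
}

int main(void)
{
    printf("close frees creds: stale at connection %d\n", deliver(CLOSE_FREES_CREDS, 2));
    printf("close keeps creds: stale at connection %d\n", deliver(CLOSE_KEEPS_CREDS, 2));
    return 0;
}
```

With a single host the freeing policy goes unnoticed, which is why the model only reports a stale cache once a second connection follows the first.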

--- Comment #37 from Git Commit <git@exim.org> ---
Git commit:
https://git.exim.org/exim.git/commitdiff/5a8015582376ff3cc0c0d034d9237008b10d2164

commit 5a8015582376ff3cc0c0d034d9237008b10d2164
Author: Jeremy Harris <jgh146exb@wizmail.org>
AuthorDate: Thu May 19 14:24:48 2022 +0100
Commit: Jeremy Harris <jgh146exb@wizmail.org>
CommitDate: Thu May 19 14:24:48 2022 +0100

ARC: reset headers before signing for secondary MX. Bug 2886
---
src/src/arc.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/src/src/arc.c b/src/src/arc.c
index 4b6256e..86688f6 100644
--- a/src/src/arc.c
+++ b/src/src/arc.c
@@ -1527,6 +1527,7 @@ void
arc_sign_init(void)
{
memset(&arc_sign_ctx, 0, sizeof(arc_sign_ctx));
+headers_rlist = NULL;
}
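
Review bot: the new headers_rlist = NULL; line in arc_sign_init() carries no comment saying why a variable outside arc_sign_ctx has to be reset here, so a later reader cannot tell it apart from a stray assignment. A short comment that the list must not carry over from an earlier signing pass in the same process (the secondary-MX case named in the commit message) would do; if headers_rlist is only used while signing, making it a member of arc_sign_ctx would let the existing memset() cover it. The diffstat also shows no testcase accompanying this one-line change.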

Jeremy Harris <jgh146exb@wizmail.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |WAIT_FIX_CONFIRMATION

--- Comment #38 from Gedalya <gedalya@gedalya.net> ---
Tested both issues with the latest commits, building with gnutls, working fine.

Jeremy Harris <jgh146exb@wizmail.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|WAIT_FIX_CONFIRMATION |RESOLVED

--- Comment #39 from Jeremy Harris <jgh146exb@wizmail.org> ---
Thanks for the confirm; closing.

--- Comment #40 from Andreas Metzler <eximusers@bebt.de> ---
Also works for me. Thank you.

Sergio Durigan Junior <sergio.durigan@canonical.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |sergio.durigan@canonical.com

--- Comment #41 from Sergio Durigan Junior <sergio.durigan@canonical.com> ---
Hi folks,

I'm working on backporting the patches that fix this issue into Ubuntu/Debian,
but I'm having trouble reproducing the bug locally.

I'm following the steps outlined on comment #16 (assuming that Gedalya's server
is still configured to defer the special email automatically), but I don't see
the segfault.

I'd like to know if you were able to reproduce this issue using
Debian's/Ubuntu's exim4 binary. Any suggestion is helpful.

Thanks.

--- Comment #42 from Gedalya <gedalya@gedalya.net> ---
(In reply to Sergio Durigan Junior from comment #41)
> Hi folks,
>
> I'm working on backporting the patches that fix this issue into
> Ubuntu/Debian, but I'm having trouble reproducing the bug locally.
>
> I'm following the steps outlined on comment #16 (assuming that Gedalya's
> server is still configured to defer the special email automatically), but I
> don't see the segfault.
>

My server is still doing that.

> I'd like to know if you were able to reproduce this issue using
> Debian's/Ubuntu's exim4 binary. Any suggestion is helpful.
>

Debian's exim4-daemon-light 4.95 has shown this behavior. 4.95-6 is already
patched.

--- Comment #43 from Gedalya <gedalya@gedalya.net> ---
(In reply to Sergio Durigan Junior from comment #41)
> I'm following the steps outlined on comment #16 (assuming that Gedalya's
> server is still configured to defer the special email automatically), but I
> don't see the segfault.

I'm not seeing your messages hitting my primary MX server (mail.gedalya.net)
which would be deferring. I do see two messages which hit mx2.gedalya.net,
apparently without going to the primary server first.

exim would crash on a second attempt if it gets deferred on the first attempt.

Wild guess, are you running this in an IPv6-only container? mail.gedalya.net is
IPv4-only, sorry :-)

--- Comment #44 from Sergio Durigan Junior <sergio.durigan@canonical.com> ---
(In reply to Gedalya from comment #43)
> (In reply to Sergio Durigan Junior from comment #41)
> > I'm following the steps outlined on comment #16 (assuming that Gedalya's
> > server is still configured to defer the special email automatically), but I
> > don't see the segfault.
>
> I'm not seeing your messages hitting my primary MX server (mail.gedalya.net)
> which would be deferring. I do see two messages which hit mx2.gedalya.net,
> apparently without going to the primary server first.
>
> exim would crash on a second attempt if it gets deferred on the first
> attempt.
>
> Wild guess, are you running this in an IPv6-only container? mail.gedalya.net
> is IPv4-only, sorry :-)

Thanks for the help.

I'm testing this using an Ubuntu Jammy container, which has exim4 4.95-4ubuntu2
and is not patched. There's in fact a downstream bug related to this problem;
this is why I'm trying to come up with a reproducer.

Thanks for also confirming that your server is still deferring emails. My
container did have IPv6 enabled, so I completely disabled it just in case.
Unfortunately, I'm still unable to reproduce the problem.

Here's what I'm doing:

- Launch container, disable IPv6 and also add "disable_ipv6" to exim4's config
file.

- Run "dpkg-reconfigure exim4-config" and make sure to configure the package as
an "internet site; mail is sent and received directly using SMTP". Other than
that, everything is left as is.

- Run:

# exim4 -odq -f deferme@example.com gedalya@gedalya.net < 1.msg
# exim4 -bp
0m 333 1nxCYB-0000At-E1 <deferme@example.com>
gedalya@gedalya.net
# exim4 -d+all -q 1nxCYB-0000At-E1 2>&1 | tee /tmp/exim.debug

I get the following output:

https://dpaste.com//AVEDX2WT4

It seems strange that the second connection (to mx2) didn't work either. I
don't see a segmentation fault anywhere, although the email isn't being sent
and keeps showing in "exim4 -bp".

--- Comment #45 from Gedalya <gedalya@gedalya.net> ---
(In reply to Sergio Durigan Junior from comment #44)
>
> Thanks for also confirming that your server is still deferring emails. My
> container did have IPv6 enabled, so I completely disabled it just in case.

You don't need to disable IPv6 as much as you need to enable IPv4.

> # exim4 -d+all -q 1nxCYB-0000At-E1 2>&1 | tee /tmp/exim.debug
>
> I get the following output:
>
> https://dpaste.com//AVEDX2WT4
>
> It seems strange that the second connection (to mx2) didn't work either.

It's not working for the same reason mail.gedalya.net isn't working. It works
for you via IPv6 but you can't reach my servers on IPv4.

> I don't see a segmentation fault anywhere, although the email isn't being sent
> and keeps showing in "exim4 -bp".

You need to successfully connect to the first server and receive a deferral
(4xx SMTP code).

Figure out why you can't reach my servers out of this container. Ordinary
network troubleshooting.

Note that some "cloud" providers block outbound TCP connections to destination
port 25, some block only for IPv6 but not for IPv4, maybe you have a reverse
case? But whatever, just do network troubleshooting, or set up a local
reproducer.

--- Comment #47 from Gedalya <gedalya@gedalya.net> ---
(In reply to Sergio Durigan Junior from comment #46)
>
> I tried something simpler here:
>
> $ telnet mail.gedalya.net 25
>
> It doesn't connect. I can connect to my personal email server via port 25,
> though, so I'm thinking that maybe my IP has been blocked on your side?

Not in any way that I can tell. Fail2ban chains are empty.

> Anyway, I was able to get ahold of another server (with another IP) and
> finally reproduced the bug.
>
> Are you OK with me writing a test case for
> https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1974214 using your
> server? Only a member of the Ubuntu SRU team will eventually check it, and
> the test case can be deleted afterwards if you'd like.

That's OK.

--- Comment #48 from Jeremy Harris <jgh146exb@wizmail.org> ---
The fix commit included a testcase.
