Two odd problems with STABLE-10 r262921

Karl Denninger tickerguydenninger at gmail.com
Tue Mar 11 17:24:36 UTC 2014


Yeah, it hasn't changed... I turned on verbose logging and I'm not
getting anything in the logs on it -- what's even more odd is that I can
telnet to port 25 on the MX gateway and hand-feed an email in there, and it
works.  If I turn off the signatures, it ALSO works.

That makes no sense; STARTTLS starts up on port 25, so if I can telnet
there from a shell prompt how's this happening?  The only thing I can come
up with is that sendmail is (for an unknown reason) choosing to elect to
bind to an inappropriate address (this box has a number of addresses on the
interfaces and not all of them can get out!)

Check out the log here:

Mar 11 12:13:59 NewFS sm-mta[11023]: STARTTLS=client, relay=
gmail-smtp-in.l.google.com., version=TLSv1/SSLv3, verify=FAIL,
cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128
Mar 11 12:13:59 NewFS sm-mta[11023]: STARTTLS: write error=syscall error
(-1), errno=13, get_error=error:00000000:lib(0):func(0):reason(0),
retry=99, ssl_err=5
Mar 11 12:13:59 NewFS sm-mta[11023]: s2BGax4D095381: SYSERR(root): putbody:
write error: Permission denied
Mar 11 12:13:59 NewFS sm-mta[11023]: s2BGax4D095381: SYSERR(root): timeout
writing message to gmail-smtp-in.l.google.com.: Permission denied

This fails..... then I send another message, from the same email client,
with no signature less than a minute later and I get this:

Mar 11 12:14:38 NewFS sm-mta[11321]: STARTTLS=client, relay=
gmail-smtp-in.l.google.com., version=TLSv1/SSLv3, verify=FAIL,
cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128
Mar 11 12:14:39 NewFS sm-mta[11321]: s2BHEcNn011282: to=<
tickerguydenninger at gmail.com>, ctladdr=<karl at denninger.net> (1001/1001),
delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30766, relay=
gmail-smtp-in.l.google.com. [74.125.29.26], dsn=2.0.0, stat=Sent (OK
1394558079 v4si11548175qap.151 - gsmtp)

Huh?

The MX record only has one address too -- 74.125.29.26

Same cipher negotiated, same everything -- one fails with EPERM the other
succeeds, and the only difference between the two emails is the presence of
a MIME signature block.

I think it's safe to believe (given that I've got all "deny" lines marked
with the log key and nothing is showing up) this is not being blocked by
the firewall.

It's also new with 10.0; never happened with 9.2.....


On Tue, Mar 11, 2014 at 10:59 AM, John-Mark Gurney <jmg at funkthat.com> wrote:

> Karl Denninger wrote this message on Tue, Mar 11, 2014 at 08:29 -0500:
> > 1. I am getting errors coming from mail transmissions to certain MX relays
> > -- and only those relays.  One of them is (ironically) mx1.freebsd.org,
> > which precludes emailing the list from my primary email address!  The error
> > logs in the maillog file show:
> >
> > Mar 11 08:17:46 NewFS sm-mta[3605]: STARTTLS=client, relay=
> mx1.freebsd.org.,
> > version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384,
> > bits=256/256
> > Mar 11 08:17:46 NewFS sm-mta[3605]: STARTTLS: write error=syscall error
> > (-1), errno=13, get_error=error:00000000:lib(0):func(0):reason(0),
> > retry=99, ssl_err=5
> > Mar 11 08:17:46 NewFS sm-mta[3605]: s2AKht3B064414: SYSERR(root):
> putbody:
> > write error: Permission denied
> > Mar 11 08:17:46 NewFS sm-mta[3605]: s2AKht3B064414: SYSERR(root): timeout
> > writing message to mx1.freebsd.org.: Permission denied
> > Mar 11 08:17:46 NewFS sm-mta[3605]: s2AKht3B064414: to=<
> > freebsd-fs at freebsd.org>, ctladdr=<karl at denninger.net> (1001/1001),
> > delay=16:33:50, xdelay=00:00:05, mailer=esmtp, pri=4186247, relay=
> > mx1.freebsd.org. [8.8.178.115], dsn=4.0.0, stat=Deferred
> >
> > Permission denied -- on a socket?  As root?  What am I missing here?
> >
> > (Shutting off TLS does not resolve this.)  However, this is not universal;
> > it only impacts *some* emails....
> >
> >
> > Mar 11 08:20:37 NewFS sm-mta[5433]: s2BDKbF4005433: from=<
> > ticker at fs.denninger.net>, size=962, class=0, nrcpts=1, msgid=<
> > 201403111320.s2BDKTF3005412 at fs.denninger.net>, proto=ESMTP, daemon=IPv4,
> > relay=localhost [127.0.0.1]
> > Mar 11 08:20:37 NewFS sendmail[5412]: s2BDKTF3005412: to=
> xxxxxxxx at yahoo.com,
> > ctladdr=ticker (20098/20098), delay=00:00:08, xdelay=00:00:05,
> > mailer=relay, pri=3
> > 0494, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (Message
> accepted)
> > Mar 11 08:20:37 NewFS sm-mta[5461]: STARTTLS=client, relay=
> > mta5.am0.yahoodns.net., version=TLSv1/SSLv3, verify=FAIL,
> > cipher=DHE-RSA-CAMELLIA256-SHA, bits=256/256
> > Mar 11 08:20:39 NewFS sm-mta[5461]: s2BDKbF4005433: to=<
> xxxxxxx at yahoo.com>,
> > ctladdr=<ticker at fs.denninger.net> (20098/20098), delay=00:00:02,
> > xdelay=00:00:02,
> > mailer=esmtp, pri=30962, relay=mta5.am0.yahoodns.net. [66.196.118.35],
> > dsn=2.0.0, stat=Sent (ok dirdel)
> >
> > That one went through successfully....
> >
> > This is new; I didn't have any trouble on 9.2-STABLE at all.  Ideas?
>
> This is usually due to a firewall not allowing some packets out...
> Make sure that your firewall is properly configured, and disable it
> for testing to see if the errors go away...
>
> --
>   John-Mark Gurney                              Voice: +1 415 225 5579
>
>      "All that I will do, has been done, All that I have, has not."
>
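
The comparison made by hand in the message above (same relay, same cipher, one attempt failing after the handshake and one sent), as an added example that is not part of the original post. It assumes unwrapped syslog lines and one delivery attempt per sm-mta PID, as in the excerpts; the sample log, host names, PIDs and queue IDs are constructed.

```python
import errno
import re
from collections import defaultdict

# Constructed sample in the sm-mta syslog format quoted in the thread
# (one entry per line; hosts, PIDs and queue IDs are made up).
SAMPLE = """\
Mar 11 12:13:59 host sm-mta[100]: STARTTLS=client, relay=mx.example.net., version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128
Mar 11 12:13:59 host sm-mta[100]: STARTTLS: write error=syscall error (-1), errno=13, get_error=error:00000000:lib(0):func(0):reason(0), retry=99, ssl_err=5
Mar 11 12:13:59 host sm-mta[100]: s2BEXAMPLE01: SYSERR(root): putbody: write error: Permission denied
Mar 11 12:14:38 host sm-mta[200]: STARTTLS=client, relay=mx.example.net., version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128
Mar 11 12:14:39 host sm-mta[200]: s2BEXAMPLE02: to=<user@example.net>, delay=00:00:01, mailer=esmtp, relay=mx.example.net. [192.0.2.26], dsn=2.0.0, stat=Sent (OK)
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ sm-mta\[(\d+)\]: (.*)$")
HANDSHAKE = re.compile(r"^STARTTLS=client, relay=([^,\s]+),.*cipher=([^,\s]+)")
WRITE_ERR = re.compile(r"^STARTTLS: write error=.*?errno=(\d+)")
DELIVERY = re.compile(r"^(\w+): to=.*stat=(\w+)")


def sessions(log_text):
    """Group sm-mta entries by PID (assumed: one delivery attempt per PID)."""
    out = defaultdict(lambda: {"relay": None, "cipher": None,
                               "errno": None, "stat": None})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an sm-mta entry
        pid, msg = m.groups()
        s = out[pid]
        if h := HANDSHAKE.match(msg):
            s["relay"], s["cipher"] = h.groups()
        elif w := WRITE_ERR.match(msg):
            # Decode the numeric errno into its symbolic name (13 -> EACCES).
            s["errno"] = errno.errorcode.get(int(w.group(1)), w.group(1))
        elif d := DELIVERY.match(msg):
            s["stat"] = d.group(2)
    return dict(out)


def mixed_outcome_relays(log_text):
    """(relay, cipher) pairs that saw both a post-handshake write error and a Sent."""
    seen = defaultdict(set)
    for s in sessions(log_text).values():
        if s["relay"]:
            seen[(s["relay"], s["cipher"])].add(s["errno"] or s["stat"])
    return {k: v for k, v in seen.items() if "Sent" in v and len(v) > 1}
```

A relay returned by `mixed_outcome_relays` negotiated the same cipher in both a failed and a successful attempt, which points away from the TLS parameters and toward something that differs per message or per packet.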

