On Mon, Apr 07, 2008 at 05:44:51PM -0000, Launchpad Bug Tracker wrote:

> When trying to get SSL and postfix and ldap going I stumbled across the 
> following:
> postfix-ldap is linked against gnu TLS and this breaks SSL and LDAP.
> postfix itself /is/ linked against openSSL.

> postmap works, but postfix will complain about 'bad search filter'

> See: 
> http://archives.neohapsis.com/archives/postfix/2007-01/1351.html

> for the discussion.

This thread points to /usr/share/doc/postfix/TLS_README.gz, which
claims:

 NOTE: Do not use Gnu TLS. It will spontaneously terminate a Postfix daemon
 process with exit status code 2, instead of allowing Postfix to 1) report
 the error to the maillog file, and to 2) provide plaintext service where
 this is appropriate.

But that is the extent of the explanation.  This doesn't explain why postfix
(but no other ldap-using apps) manages to trigger this issue with GnuTLS.

I find three locations in the libgcrypt11 source where exit(2) is invoked.
Two of them are related to a failure to allocate secure memory.  The third
is when an internal logging function is called with GCRY_LOG_FATAL.  For the
most part, this seems to be called in the case of memory corruption errors,
or when keys that have just been generated fail to pass a self-test, or upon
failing to initialize a mutex, etc; while it's always unfriendly for a
library to ever call exit() directly, these are at least cases where the
library is in such an inconsistent state that it's probably dangerous to
continue, and if postfix is triggering any of these it's almost certainly a
bug in postfix that needs to be fixed.

The other case where I see log_fatal() being called that may be problematic
is when libgcrypt can't get any entropy.  This could point to a real problem
of interactions between libgcrypt and libcrypto (GnuTLS/OpenSSL).

It would be helpful to capture the stderr output from this process before it
dies, since libgcrypt appears to log all fatal errors to stderr; that will
help narrow this down to a GnuTLS vs. Postfix bug.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[EMAIL PROTECTED]                                     [EMAIL PROTECTED]

-- 
postfix-ldap is linked against gnuTLS
https://bugs.launchpad.net/bugs/81242
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to postfix in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
