Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[solved] update broke my mailserver/opendkim (local socket)
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Elleni
l33t
l33t


Joined: 23 May 2006
Posts: 883

PostPosted: Thu Apr 04, 2019 12:05 am    Post subject: [solved] update broke my mailserver/opendkim (local socket) Reply with quote

I use postfix/dovecot combo setup with the help of gentoo wiki, and it worked quite well - including spamassasin / clamav / opendkim.

After a recent update I cannot send mails anymore.

I still can login via roundcube and see my mailbox and can read or move mails.

Symptom: When trying to send an email following error occures as soon as I hit send button:

Error smtp error (451): sending adress "user@domain.com" could not be set (4.7.1 Service unavailable - try again later).

dmesg showing:

Code:
[81399.702137] unchecked MSR access error: WRMSR to 0x48 (tried to write 0x0000000000000004) at rIP: 0xffffffffa14218f3 (speculation_ctrl_update+0xe3/0x220)
[81399.702140] Call Trace:
[81399.702152]  speculation_ctrl_update_current+0x16/0x20
[81399.702158]  ssb_prctl_set.part.2+0x15/0x20
[81399.702164]  arch_seccomp_spec_mitigate+0x1d/0x40
[81399.702176]  do_seccomp+0x665/0x6b0
[81399.702192]  ? security_task_prctl+0x4d/0x80
[81399.702201]  SyS_prctl+0x2b2/0x450
[81399.702213]  ? __do_page_fault+0x1ff/0x430
[81399.702216]  do_syscall_64+0x5b/0xe0
[81399.702230]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[81399.702240] RIP: 0033:0x7f7add9086ba
[81399.702243] RSP: 002b:00007ffe431a7a68 EFLAGS: 00000246 ORIG_RAX: 000000000000009d
[81399.702259] RAX: ffffffffffffffda RBX: 00007ffe431a7a70 RCX: 00007f7add9086ba
[81399.702260] RDX: 0000562ee89c23f0 RSI: 0000000000000002 RDI: 0000000000000016
[81399.702262] RBP: 0000562eea4e6290 R08: 0000000000000000 R09: 00007ffe431a6bf0
[81399.702264] R10: 00007f7add9086ba R11: 0000000000000246 R12: 0000562eea4e70e0
[81399.702266] R13: 0000000000000000 R14: 0000000000000014 R15: 00007ffe431a7b10
[82665.598321] auth[21782]: segfault at 30f96200 ip 00007ff52fd08f9a sp 00007ffe464577a8 error 4 in libc-2.28.so[7ff52fc70000+1c3000]
[82677.046129] auth[21784]: segfault at ffffffff910e9200 ip 00007f868fe5bf9a sp 00007ffed1bb2d98 error 5 in libc-2.28.so[7f868fdc3000+1c3000]
[82685.091569] auth[21789]: segfault at ffffffffdb837200 ip 00007feada5a9f9a sp 00007fff6464b0e8 error 5 in libc-2.28.so[7feada511000+1c3000]
[82693.105566] auth[21792]: segfault at ffffffffc8bc8200 ip 00007f25c793af9a sp 00007ffe523dd348 error 5 in libc-2.28.so[7f25c78a2000+1c3000]
[82744.331336] kworker/dying (21667) used greatest stack depth: 12600 bytes left
[82858.072330] auth[21919]: segfault at ffffffffa2843200 ip 00007f1ba15b5f9a sp 00007ffcc6cc1ee8 error 5 in libc-2.28.so[7f1ba151d000+1c3000]
[82860.078997] auth[21926]: segfault at 3e16f200 ip 00007f803cee1f9a sp 00007ffef2562fc8 error 4 in libc-2.28.so[7f803ce49000+1c3000]
[82901.832575] auth[22028]: segfault at 118da200 ip 00007f761064cf9a sp 00007fff63708a38 error 4 in libc-2.28.so[7f76105b4000+1c3000]
[82903.839054] auth[22033]: segfault at ffffffffdf264200 ip 00007f09ddfd6f9a sp 00007ffdc8d146d8 error 5 in libc-2.28.so[7f09ddf3e000+1c3000]
[82933.213594] auth[22037]: segfault at 69f53200 ip 00007f8e68cc5f9a sp 00007ffd73715178 error 4 in libc-2.28.so[7f8e68c2d000+1c3000]
[82941.221981] auth[22056]: segfault at ffffffffcea63200 ip 00007f26cd7d5f9a sp 00007ffdf7936a78 error 5 in libc-2.28.so[7f26cd73d000+1c3000]
[82982.687656] auth[22134]: segfault at ffffffff91470200 ip 00007f16901e2f9a sp 00007ffe93282e98 error 5 in libc-2.28.so[7f169014a000+1c3000]
[83010.642303] auth[22151]: segfault at 3e45f200 ip 00007f953d1d1f9a sp 00007ffca15855c8 error 4 in libc-2.28.so[7f953d139000+1c3000]
[83066.441426] auth[22232]: segfault at ffffffff9a3f4200 ip 00007f1e99166f9a sp 00007ffd5721f338 error 5 in libc-2.28.so[7f1e990ce000+1c3000]
[83071.735551] auth[22234]: segfault at 6c5bc200 ip 00007fda6b32ef9a sp 00007ffd8f019cc8 error 4 in libc-2.28.so[7fda6b296000+1c3000]
[83075.747199] auth[22237]: segfault at ffffffff86dcf200 ip 00007fbf85b41f9a sp 00007ffee364f838 error 5 in libc-2.28.so[7fbf85aa9000+1c3000]
[83136.982125] auth[22246]: segfault at 42a35200 ip 00007f67417a7f9a sp 00007ffe581a6638 error 4 in libc-2.28.so[7f674170f000+1c3000]
[83198.106749] auth[22254]: segfault at 17fda200 ip 00007f5116d4cf9a sp 00007ffd1a27b478 error 4 in libc-2.28.so[7f5116cb4000+1c3000]
[83259.201523] auth[22260]: segfault at 28ae200 ip 00007f0401620f9a sp 00007ffe5bb16328 error 4 in libc-2.28.so[7f0401588000+1c3000]
[83320.277907] auth[22266]: segfault at ffffffff9adb8200 ip 00007f6a99b2af9a sp 00007ffcabe5b028 error 5 in libc-2.28.so[7f6a99a92000+1c3000]
[83381.371972] auth[22271]: segfault at fffffffff4fef200 ip 00007fb2f3d61f9a sp 00007ffdec9d7618 error 5 in libc-2.28.so[7fb2f3cc9000+1c3000]
[83442.470317] auth[22295]: segfault at 3842200 ip 00007f8f025b4f9a sp 00007ffe8a1b85b8 error 4 in libc-2.28.so[7f8f0251c000+1c3000]
[83503.565737] auth[22304]: segfault at ffffffffff004200 ip 00007f1efdd76f9a sp 00007ffdf0bd3d68 error 5 in libc-2.28.so[7f1efdcde000+1c3000]
[83563.589732] auth[22312]: segfault at 757ab200 ip 00007fe77451df9a sp 00007ffdc54d9648 error 4 in libc-2.28.so[7fe774485000+1c3000]
[83804.701669] auth[22357]: segfault at ffffffffe351d200 ip 00007f37e228ff9a sp 00007fff2146d058 error 5 in libc-2.28.so[7f37e21f7000+1c3000]
[83865.811025] auth[22363]: segfault at ffffffff98094200 ip 00007f6f96e06f9a sp 00007ffdc031a4c8 error 5 in libc-2.28.so[7f6f96d6e000+1c3000]
[83925.835593] auth[22369]: segfault at ffffffffd02de200 ip 00007f37cf050f9a sp 00007ffed26e5208 error 5 in libc-2.28.so[7f37cefb8000+1c3000]
[83985.847552] auth[22378]: segfault at fffffffff419a200 ip 00007f09f2f0cf9a sp 00007ffdbfec3708 error 5 in libc-2.28.so[7f09f2e74000+1c3000]
[84105.684175] auth[22408]: segfault at ffffffffabb5a200 ip 00007fc1aa8ccf9a sp 00007ffd5eed6a28 error 5 in libc-2.28.so[7fc1aa834000+1c3000]
[84165.701867] auth[22412]: segfault at ddfb200 ip 00007f760cb6df9a sp 00007ffc2bc1e768 error 4 in libc-2.28.so[7f760cad5000+1c3000]
[84225.737625] auth[22423]: segfault at 51c11200 ip 00007f1050983f9a sp 00007fffba189b98 error 4 in libc-2.28.so[7f10508eb000+1c3000]
[84285.767492] auth[22436]: segfault at ffffffffc9bc1200 ip 00007f02c8933f9a sp 00007ffe2335be08 error 5 in libc-2.28.so[7f02c889b000+1c3000]
[84345.798499] auth[22455]: segfault at 126d8200 ip 00007f961144af9a sp 00007ffea8ba7f48 error 4 in libc-2.28.so[7f96113b2000+1c3000]
[84401.787352] auth[22534]: segfault at ffffffff8724d200 ip 00007fbf85fbff9a sp 00007ffd73e3f508 error 5 in libc-2.28.so[7fbf85f27000+1c3000]
[84417.141870] auth[22544]: segfault at 11814200 ip 00007fef10586f9a sp 00007fff7dca3d78 error 4 in libc-2.28.so[7fef104ee000+1c3000]
[84478.497502] auth[22551]: segfault at 53e51200 ip 00007f5e52bc3f9a sp 00007ffe97daa1d8 error 4 in libc-2.28.so[7f5e52b2b000+1c3000]
[84496.056300] auth[22554]: segfault at 7f93d200 ip 00007fb97e6aff9a sp 00007ffcaea6a7a8 error 4 in libc-2.28.so[7fb97e617000+1c3000]
[84512.078328] auth[22559]: segfault at 5691c200 ip 00007f725568ef9a sp 00007fffd5aa7be8 error 4 in libc-2.28.so[7f72555f6000+1c3000]
[84544.085405] auth[22570]: segfault at 72875200 ip 00007fd4715e7f9a sp 00007fff5c6d3938 error 4 in libc-2.28.so[7fd47154f000+1c3000]
[84604.107142] auth[22612]: segfault at 4c7d0200 ip 00007f7f4b542f9a sp 00007ffd8f903fb8 error 4 in libc-2.28.so[7f7f4b4aa000+1c3000]
[84664.119304] auth[22687]: segfault at ffffffffffcfa200 ip 00007f2bfea6cf9a sp 00007ffe24900088 error 5 in libc-2.28.so[7f2bfe9d4000+1c3000]
[84724.127159] auth[22702]: segfault at 26498200 ip 00007eff2520af9a sp 00007ffd8b03b8f8 error 4 in libc-2.28.so[7eff25172000+1c3000]
[84784.162356] auth[22710]: segfault at ffffffffdbce0200 ip 00007f57daa52f9a sp 00007ffe3f9ba758 error 5 in libc-2.28.so[7f57da9ba000+1c3000]
[84844.192354] auth[22726]: segfault at ffffffff99d39200 ip 00007f9a98aabf9a sp 00007ffcc8f77a18 error 5 in libc-2.28.so[7f9a98a13000+1c3000]
[84904.206445] auth[22741]: segfault at ffffffffc1b87200 ip 00007f56c08f9f9a sp 00007ffd881eba98 error 5 in libc-2.28.so[7f56c0861000+1c3000]
[84965.213025] auth[22761]: segfault at ffffffffc0ccd200 ip 00007f18bfa3ff9a sp 00007fffb258b0b8 error 5 in libc-2.28.so[7f18bf9a7000+1c3000]
[85025.220668] auth[23166]: segfault at ffffffffa9930200 ip 00007fd0a86a2f9a sp 00007fff7d2666d8 error 5 in libc-2.28.so[7fd0a860a000+1c3000]
[85085.255462] auth[29988]: segfault at 6462f200 ip 00007f1e633a1f9a sp 00007ffc6580dc08 error 4 in libc-2.28.so[7f1e63309000+1c3000]
[85145.296637] auth[30632]: segfault at 1487200 ip 00007ffb001f9f9a sp 00007ffddebdc6f8 error 4 in libc-2.28.so[7ffb00161000+1c3000]
[85205.336703] auth[30643]: segfault at 34cd0200 ip 00007fc733a42f9a sp 00007ffcbd404f98 error 4 in libc-2.28.so[7fc7339aa000+1c3000]
[85337.399321] auth[30672]: segfault at 4addb200 ip 00007fc649b4df9a sp 00007ffccfb06aa8 error 4 in libc-2.28.so[7fc649ab5000+1c3000]
[85547.279025] auth[30737]: segfault at c1db200 ip 00007f6a0af4df9a sp 00007ffcd078a458 error 4 in libc-2.28.so[7f6a0aeb5000+1c3000]
[85602.620595] auth[30961]: segfault at fffffffff7c4e200 ip 00007f52f69c0f9a sp 00007ffe3608c948 error 5 in libc-2.28.so[7f52f6928000+1c3000]
[85617.070669] auth[30963]: segfault at 4c58f200 ip 00007f3f4b301f9a sp 00007ffd9916ed48 error 4 in libc-2.28.so[7f3f4b269000+1c3000]
[85632.106107] auth[30970]: segfault at ffffffffd80a2200 ip 00007f05d6e14f9a sp 00007ffe71fef028 error 5 in libc-2.28.so[7f05d6d7c000+1c3000]
[85663.722725] auth[30979]: segfault at ffffffff927eb200 ip 00007f319155df9a sp 00007ffe90e6eb28 error 5 in libc-2.28.so[7f31914c5000+1c3000]
[85724.833331] auth[30990]: segfault at 29f52200 ip 00007f8528cc4f9a sp 00007fff74390568 error 4 in libc-2.28.so[7f8528c2c000+1c3000]
[85785.943548] auth[30999]: segfault at 7da3b200 ip 00007fc97c7adf9a sp 00007ffebaf57068 error 4 in libc-2.28.so[7fc97c715000+1c3000]
[85846.649798] auth[31025]: segfault at ffffffffb5696200 ip 00007fdbb4408f9a sp 00007ffd8c250d88 error 5 in libc-2.28.so[7fdbb4370000+1c3000]
[85938.522756] auth[31033]: segfault at ffffffffc2cee200 ip 00007fdac1a60f9a sp 00007ffcc24eaa88 error 5 in libc-2.28.so[7fdac19c8000+1c3000]
[86274.772285] auth[31109]: segfault at ffffffff99db4200 ip 00007fa998b26f9a sp 00007ffce468c158 error 5 in libc-2.28.so[7fa998a8e000+1c3000]
[86334.805723] auth[31128]: segfault at ffffffffef130200 ip 00007fe3edea2f9a sp 00007ffe1de11af8 error 5 in libc-2.28.so[7fe3ede0a000+1c3000]
[86394.839576] auth[31142]: segfault at 40647200 ip 00007f4e3f3b9f9a sp 00007ffe16808ea8 error 4 in libc-2.28.so[7f4e3f321000+1c3000]
[86539.663695] auth[31182]: segfault at 9a44200 ip 00007f20087b6f9a sp 00007ffe075036f8 error 4 in libc-2.28.so[7f200871e000+1c3000]
[86622.653295] auth[31194]: segfault at ffffffffe8dcf200 ip 00007f94e7b41f9a sp 00007ffcfdbc5928 error 5 in libc-2.28.so[7f94e7aa9000+1c3000]
[86742.155296] auth[31213]: segfault at ffffffff8f96f200 ip 00007f7b8e6e1f9a sp 00007ffd147e3788 error 5 in libc-2.28.so[7f7b8e649000+1c3000]
[86935.910407] auth[31245]: segfault at ffffffffc7d3a200 ip 00007f88c6aacf9a sp 00007fffc22c3198 error 5 in libc-2.28.so[7f88c6a14000+1c3000]
[86995.944691] auth[31494]: segfault at ffffffff88904200 ip 00007f1a87676f9a sp 00007ffd18967408 error 5 in libc-2.28.so[7f1a875de000+1c3000]
[87056.010787] auth[698]: segfault at 72666200 ip 00007f2d713d8f9a sp 00007fff62b2eaf8 error 4 in libc-2.28.so[7f2d71340000+1c3000]
[87140.830963] auth[7533]: segfault at fffffffff78fa200 ip 00007ff8f666cf9a sp 00007ffc3409cb98 error 5 in libc-2.28.so[7ff8f65d4000+1c3000]
[87258.842257] auth[7767]: segfault at 7ae92200 ip 00007f2b79c04f9a sp 00007ffd014188d8 error 4 in libc-2.28.so[7f2b79b6c000+1c3000]
[87318.875808] auth[26371]: segfault at ffffffffbbe5e200 ip 00007f61babd0f9a sp 00007ffd334146e8 error 5 in libc-2.28.so[7f61bab38000+1c3000]


tail /var/log/messages
Code:
Apr  4 01:56:48 hostname postfix/smtpd[23852]: NOQUEUE: milter-reject: CONNECT from helo.competec.ch[91.213.100.36]: 451 4.7.1 Service unavailable - try again later; proto=SMTP
Apr  4 01:56:48 hostname postfix/smtpd[23852]: NOQUEUE: milter-reject: EHLO from helo.competec.ch[91.213.100.36]: 451 4.7.1 Service unavailable - try again later; proto=SMTP helo=<helo.competec.ch>
Apr  4 01:56:48 hostname postfix/smtpd[23852]: NOQUEUE: milter-reject: MAIL from helo.competec.ch[91.213.100.36]: 451 4.7.1 Service unavailable - try again later; from=<verkauf@brack.ch> proto=ESMTP helo=<helo.competec.ch>
Apr  4 01:56:48 hostname postfix/smtpd[23852]: disconnect from helo.competec.ch[91.213.100.36] ehlo=1 starttls=0/1 mail=0/1 rcpt=0/1 quit=1 commands=2/5
Apr  4 01:57:24 hostname postfix/pickup[13367]: warning: 4A35820288A: message has been queued for 1 days
Apr  4 01:57:24 hostname postfix/pickup[13367]: 4A35820288A: uid=0 from=<root>
Apr  4 01:57:24 hostname postfix/cleanup[13375]: warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock: No such file or directory
Apr  4 01:57:24 hostname postfix/cleanup[13375]: 4A35820288A: milter-reject: CONNECT from localhost[127.0.0.1]: 4.7.1 Service unavailable - try again later; from=<root@hostname>
Apr  4 01:57:24 hostname postfix/pickup[13367]: 4A97D20288A: uid=0 from=<root>
Apr  4 01:57:24 hostname postfix/cleanup[13375]: warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock: No such file or directory
Apr  4 01:57:24 hostname postfix/cleanup[13375]: 4A97D20288A: milter-reject: CONNECT from localhost[127.0.0.1]: 4.7.1 Service unavailable - try again later; from=<root@hostname>
Apr  4 01:57:24 hostname postfix/pickup[13367]: 4ADF020288A: uid=0 from=<root>
Apr  4 01:57:24 hostname postfix/cleanup[13375]: warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock: No such file or directory
Apr  4 01:57:24 hostname postfix/cleanup[13375]: 4ADF020288A: milter-reject: CONNECT from localhost[127.0.0.1]: 4.7.1 Service unavailable - try again later; from=<root@hostname>


As mailadmin noob I need help to re-establish email handling. I would be happy if anyone can help me solve this.


Last edited by Elleni on Fri Apr 05, 2019 8:14 pm; edited 4 times in total
Back to top
View user's profile Send private message
skunk
l33t
l33t


Joined: 28 May 2003
Posts: 646
Location: granada, spain

PostPosted: Thu Apr 04, 2019 11:38 am    Post subject: Reply with quote

with the information you've posted i can see three issues there:
Code:
Apr  4 01:57:24 hostname postfix/cleanup[13375]: warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock: No such file or directory
Apr  4 01:57:24 hostname postfix/cleanup[13375]: 4ADF020288A: milter-reject: CONNECT from localhost[127.0.0.1]: 4.7.1 Service unavailable - try again later; from=<root@hostname>

please check if opendkim is actually running as postfix is unable to connect to it thru the socket /var/run/opendkim/opendkim.sock and in the case that it's up and running, post /etc/opendkim/opendkim.conf and /etc/postfix/main.cf
Code:
[87318.875808] auth[26371]: segfault at ffffffffbbe5e200 ip 00007f61babd0f9a sp 00007ffd334146e8 error 5 in libc-2.28.so[7f61bab38000+1c3000]

/usr/libexec/dovecot/auth is segfaulting, try to recompile dovecot and if it doesn't solve the segfaults, please post the output of "emerge --info"
Code:
[81399.702137] unchecked MSR access error: WRMSR to 0x48 (tried to write 0x0000000000000004) at rIP: 0xffffffffa14218f3 (speculation_ctrl_update+0xe3/0x220)

upgrade your kernel
Back to top
View user's profile Send private message
Elleni
l33t
l33t


Joined: 23 May 2006
Posts: 883

PostPosted: Thu Apr 04, 2019 9:06 pm    Post subject: Reply with quote

Thanks for your post.

opendkim crashing. /var/log/messages showing:

Code:
opendkim[27548]: OpenDKIM Filter: Unable to bind to port local:/var/run/opendkim/opendkim.sock: Permission denied
opendkim[27548]: OpenDKIM Filter: Unable to create listening socket on conn local:/var/run/opendkim/opendkim.sock
opendkim[27548]: smfi_opensocket() failed
/etc/init.d/opendkim[28118]: status: crashed


I am compiling new kernel and dovecot and will report back.

opendkim.conf:
Code:
Syslog                  yes
SyslogSuccess           yes
Canonicalization        relaxed/simple
Domain                  /etc/opendkim/domains
Selector                mail
KeyFile                 /etc/opendkim/mail.private
Socket                  local:/var/run/opendkim/opendkim.sock
UMask                   002
ReportAddress           postmaster@domain.com
SendReports             yes
PidFile /var/run/opendkim/opendkim.pid
UserID milter
# Statistics /var/lib/opendkim/stats.dat
Back to top
View user's profile Send private message
Elleni
l33t
l33t


Joined: 23 May 2006
Posts: 883

PostPosted: Thu Apr 04, 2019 9:39 pm    Post subject: Reply with quote

As my vps provider states that virtuozzo 6 which apparently is being used @host does only support kernels until 4.14.X I masked kernels =>4.15; however - I come from re-trying to compile 5.0.6 kernel by removing the statement from package.mask and the same behaviour as seen here is still occuring with kernel 5.0.6.

https://forums.gentoo.org/viewtopic-t-1076592-highlight-elleni.html

I then rebooted 4.14.108 which was last known good kernel before the recent update of the system and opendkim did not crash but started successfully. Also the segfaults were gone.

So I thought let's reproduce the error by booting 4.14.109 but now even there opendkim service is successfully started and no segfault is seen in dmesg, which I dont really understand.

I am now compiling latest 4.14.110 to see if this one works too.

Thanks for your helpful post skunk, which I really appreciate :)


Last edited by Elleni on Thu Apr 04, 2019 10:59 pm; edited 1 time in total
Back to top
View user's profile Send private message
skunk
l33t
l33t


Joined: 28 May 2003
Posts: 646
Location: granada, spain

PostPosted: Thu Apr 04, 2019 9:52 pm    Post subject: Reply with quote

opendkim didn't start because you probably upgraded from a very old openrc which needed a reboot in order to mount /run as tmpfs and symlinking /var/run to it...
the kernel issue was completely unrelated with opendkim.
not sure about the segfaults though, probably they were solved by the reboot too...
Back to top
View user's profile Send private message
Elleni
l33t
l33t


Joined: 23 May 2006
Posts: 883

PostPosted: Thu Apr 04, 2019 10:02 pm    Post subject: Reply with quote

Edit - sent this not seeing your latest post. So I'll post back in case the segfault and/or opendkim crash comes back again to analyze further. Hm, I upgrade the server quite often including kernel upgrades and so a reboot is issued every now and then, so openrc should not be that old, but nevermind; I am happy that mailserver is up n running again :D

Does the above mean that this segfault could happen again because of:
Code:
[81399.702137] unchecked MSR access error: WRMSR to 0x48 (tried to write 0x0000000000000004) at rIP: 0xffffffffa14218f3 (speculation_ctrl_update+0xe3/0x220)


?

And if so - how could I avoid this, as going to a kernel above 4.14.X is not an option?

Another question related to my vps upgrade routine.

I used the following setup (dirty hack but it worked) in order to get an encrypted filesystem with keyfile to decrypt / in initramfs in order to not have to type password twice:
http://blog.guya.de/linux-gentoo-encrypted-boot-partition/

And my upgrade procedure was:

emerge gentoo-sources -v && cd /usr/src/linux && make menuconfig && make && make install && genkernel --luks initramfs && grub2-mkconfig -o /boot/grub/grub.cfg

followed by an emerge world -uDNav --with-bdeps=y && emerge --depclean && revdep-rebuild && etc-update && emerge @preserved-rebuild after having synced portage tree.

I then could not boot successfully anymore and found out that genkernel does not produce a suitable initramfs anymore.

So for now, I just copy and rename the initramfs file:

Code:
cp /boot/initramfs-genkernel-x86_64-4.14.103-gentoo /boot/initramfs-genkernel-x86_64-4.14.110-gentoo


Until recently (around kernel-4.14.103) it worked fine and created an initramfs including the needed keyfile to decrypt / but it does not anymore. I checked if everything is still in place according to mentioned link, and it is, so why genkernel does not produce a suitable initramfs anymore?

Edit to add: I only had checked the filestructure but by re-checking I see that INITRAMFS_OVERLAY=/key is not set anymore so this question is answered too :)


Last edited by Elleni on Thu Apr 04, 2019 10:56 pm; edited 1 time in total
Back to top
View user's profile Send private message
Elleni
l33t
l33t


Joined: 23 May 2006
Posts: 883

PostPosted: Thu Apr 04, 2019 10:52 pm    Post subject: Reply with quote

I think I understand now why opendkim crashed or at least why postfix could not connect to it anymore. As I had downgraded opendkim for troubleshooting, I now upgraded world again and thus compared opendkim.conf coming from fresh install with backuped file.

I overwrote opendkim.conf while upgrading to new version apparently.

Fortunatelly I had a backuped .conf file. Comparing them I found the differences like userid is milter where in new default file userid is opendkim. Also the selector was not set to mail, keyfile on another path, socket, unmask and pidfile and statistics lines were missing completely.

So I guess, this is solved.

Still unsure on the segfault though. I will monitor this and come back if auth will segfault again.

And is there a way to correct this with 4.14.X kernel? Or can I just ignore it?
Code:
[81399.702137] unchecked MSR access error: WRMSR to 0x48 (tried to write 0x0000000000000004) at rIP: 0xffffffffa14218f3 (speculation_ctrl_update+0xe3/0x220)
Back to top
View user's profile Send private message
skunk
l33t
l33t


Joined: 28 May 2003
Posts: 646
Location: granada, spain

PostPosted: Thu Apr 04, 2019 11:07 pm    Post subject: Reply with quote

if you can't appreciate any side effect, imho you might just ignore that kernel message, my suggestion to upgrade the kernel was just a random guess since googling the message pointed to several related patches...
Back to top
View user's profile Send private message
Elleni
l33t
l33t


Joined: 23 May 2006
Posts: 883

PostPosted: Thu Apr 04, 2019 11:14 pm    Post subject: Reply with quote

I see - thank you.

In the meantime I reproduced the error by compiling opendkim 2.10.3-r8 while keeping my old opendkim.conf

I am downgrading again in order to re-establish functioning emailserver.

opendkim-2.10.3-r3 with following config is functional:

Code:
Syslog                  yes
SyslogSuccess           yes
Canonicalization        relaxed/simple
Domain                  /etc/opendkim/domains
Selector                mail
KeyFile                 /etc/opendkim/mail.private
Socket                  local:/var/run/opendkim/opendkim.sock
UMask                   002
ReportAddress           postmaster@mydomain.ltd
SendReports             yes
PidFile /var/run/opendkim/opendkim.pid
UserID milter
Statistics /var/lib/opendkim/stats.dat


And this would be the default opendkim.conf of 2.10.3-r8
Code:
Syslog                  yes
SyslogSuccess           yes
Canonicalization        relaxed/simple
Domain                  example.com
Selector                default
KeyFile                 /var/lib/opendkim/example.com.private
ReportAddress           postmaster@example.com
SendReports             yes
# For use with unbound
#TrustAnchorFile /etc/dnssec/root-anchors.txt
UserID opendkim
Back to top
View user's profile Send private message
Elleni
l33t
l33t


Joined: 23 May 2006
Posts: 883

PostPosted: Fri Apr 05, 2019 12:13 am    Post subject: Reply with quote

I went through the trial/error approach, to find out which setting is preventing -r8 verson to create the socket, but none helped.

Tried:

Selector mail
Selector default
UserID milter
UserID opendkim (thus changing ownership to opendkim as without this opendkim would not start stating that user opendkim not owning the keyfile
Added those lines to create socket:
Socket local:/var/run/opendkim/opendkim.sock
UMask 002

Tried with/without PidFile line
Tried with/without Statistics line

Always the following in /var/log/messages:
Code:
postfix/smtpd[9817]: connect from localhost[127.0.0.1]
postfix/smtpd[9817]: warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock: No such file or directory
postfix/smtpd[9817]: NOQUEUE: milter-reject: CONNECT from localhost[127.0.0.1]: 451 4.7.1 Service unavailable - try again later; proto=SMTP
postfix/smtpd[9817]: NOQUEUE: milter-reject: EHLO from localhost[127.0.0.1]: 451 4.7.1 Service unavailable - try again later; proto=SMTP helo=<mail.mydomain.com>


Should I file a bug, as I cannot configure -r8 version to create this socket or what am I missing?
Back to top
View user's profile Send private message
skunk
l33t
l33t


Joined: 28 May 2003
Posts: 646
Location: granada, spain

PostPosted: Fri Apr 05, 2019 8:19 am    Post subject: Reply with quote

mail-filter/opendkim-2.10.3-r8 ebuild moved the socket configuration from opendkim's configuration file to the init script configuration, therefore there's a new /etc/conf.d/opendkim file that needs to be configured.
by default it's configured to listen on a network socket:
Code:
OPENDKIM_SOCKET="inet:8891@localhost"

either comment out this line and uncomment the line with:
Code:
OPENDKIM_SOCKET="local:/run/opendkim/opendkim.sock"

or configure postfix to connect to dkim thru the network socket:
Code:
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
Back to top
View user's profile Send private message
freke
Guru
Guru


Joined: 23 Jan 2003
Posts: 475
Location: Somewhere in Denmark

PostPosted: Fri Apr 05, 2019 2:37 pm    Post subject: Reply with quote

-r8 also changes the owner/does not use owner from /etc/opendkim/opendkim.conf on the created socket.

I, too decided to downgrade back to -r3 to establish a running server, might give -r8 a shot again this weekend.
Back to top
View user's profile Send private message
Elleni
l33t
l33t


Joined: 23 May 2006
Posts: 883

PostPosted: Fri Apr 05, 2019 7:42 pm    Post subject: Reply with quote

Thanks for your comments guys, I have done the following which seems to work, but I am not sure if its configured securely as the postemerge message mentions something about creating a new group and adding mta and opendkim as only members to it - but I did not understand how to modify access rights to the newly created group.

changed selector from default to mail as it was set in -r3
copied mail.private to mail2.private and on the ladder chowned to opendkim:opendkim (first key was owned by milter:milter)
left UserID as opendkim (milter on the ancient version)
Added UMask 0117 as seen here:
https://gitweb.gentoo.org/repo/gentoo.git/tree/mail-filter/opendkim/opendkim-2.10.3-r9.ebuild

changed conf.d config file as mentioned by skunk to listen to a local socket.

As I got permission denied for the socket on /var/log/messages I added postfix to opendkim group by editing /etc/group like this
opendkim:x:112:postfix

Now it works but is this ok?

And what about pid file setting, that now is not set? Is this needed for anything or can I skip that?


Last edited by Elleni on Fri Apr 05, 2019 8:40 pm; edited 1 time in total
Back to top
View user's profile Send private message
skunk
l33t
l33t


Joined: 28 May 2003
Posts: 646
Location: granada, spain

PostPosted: Fri Apr 05, 2019 8:31 pm    Post subject: Reply with quote

Elleni wrote:
Now it works but is this ok?

if you ask me, it's good enough...

Quote:
And what about pid file setting, that now is not set? Is this needed for anything or can I skip that?

it's hardcoded into the init script as:
Code:
pidfile="/run/${RC_SVCNAME}.pid
Back to top
View user's profile Send private message
Elleni
l33t
l33t


Joined: 23 May 2006
Posts: 883

PostPosted: Fri Apr 05, 2019 8:42 pm    Post subject: Reply with quote

Great, so once again - thanks for helping me bring up my little mailserver again - even with new opendkim configuration. -> solved
Back to top
View user's profile Send private message
padde
n00b
n00b


Joined: 19 Jan 2005
Posts: 52
Location: Germany

PostPosted: Wed Apr 10, 2019 5:36 pm    Post subject: Reply with quote

I ran into the same issue today. A news item or something would have made the migration more smoothly. :)

Luckily I found this post quickly.
Back to top
View user's profile Send private message
jhon987
Apprentice
Apprentice


Joined: 18 Nov 2013
Posts: 237

PostPosted: Sun May 05, 2019 12:32 pm    Post subject: Reply with quote

Just wanted to add that in my case, I needed to perform the following in order to solve the issue:
uncomment OPENDKIM_SOCKET="local:/run/opendkim/opendkim.sock"
and comment #OPENDKIM_SOCKET="inet:8891@localhost"
in /etc/conf.d/opendkim

then (in terminal): #mkdir /var/run/opendkim
#chown milter:milter /var/run/opendkim

then, I noticed that although i've chown milter:milter /var/run/opendkim, upon restarting opendkim the output of:
# ls -l /var/run/ | grep opendkim
was:
drwxrwxr-x 2 opendkim dkimsocket 60 May 5 15:16 opendkim

therefore I added milter to dkimsocket group (note, milter is my UserID in /etc/opendkim/opendkim.conf)

If dkimsocket group is missing, use this guide: https://wiki.gentoo.org/wiki/OpenDKIM
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum