Bug 712943 - After upgrade from Fedora 14 to 15, sendmail segfaults.
Summary: After upgrade from Fedora 14 to 15, sendmail segfaults.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: sendmail
Version: 15
Hardware: Unspecified
OS: Unspecified
urgent
high
Target Milestone: ---
Assignee: Jaroslav Škarvada
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 729250
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-06-13 17:05 UTC by Gwyn Ciesla
Modified: 2011-09-29 06:38 UTC (History)
9 users (show)

Fixed In Version: cyrus-sasl-2.1.23-18.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-08-19 21:56:27 UTC
Type: ---


Attachments (Terms of Use)
Patch for db5 support (954 bytes, patch)
2011-07-25 13:49 UTC, Paul Howarth
no flags Details | Diff

Description Gwyn Ciesla 2011-06-13 17:05:19 UTC
Description of problem:
Mail delivery is working, as is most sending, but if I try to send with cyrus-sasl auth, my client says the connection is refused, and a segfault shows for each attempt:

[231613.694695] sendmail[5058]: segfault at 1c ip 00615b43 sp bfc6c6a0 error 4 in libdb-5.1.so[533000+18a000]
[231653.545135] sendmail[5086]: segfault at 1c ip 00615b43 sp bfc6c6a0 error 4 in libdb-5.1.so[533000+18a000]
[231755.643687] sendmail[5120]: segfault at 1c ip 00615b43 sp bfc6c6a0 error 4 in libdb-5.1.so[533000+18a000]
[231791.518525] sendmail[5180]: segfault at 1c ip 00f20b43 sp bfe418b0 error 4 in libdb-5.1.so[e3e000+18a000]
[231874.324730] sendmail[5237]: segfault at 1c ip 00f20b43 sp bfe418b0 error 4 in libdb-5.1.so[e3e000+18a000]
[233061.774386] sendmail[5751]: segfault at 1c ip 00248b43 sp bfa8ccf0 error 4 in libdb-5.1.so[166000+18a000]
[233383.756731] sendmail[6032]: segfault at 1c ip 004e5b43 sp bfe342d0 error 4 in libdb-5.1.so[403000+18a000]
[233433.263226] sendmail[6041]: segfault at 1c ip 004e5b43 sp bfe342d0 error 4 in libdb-5.1.so[403000+18a000]
[234150.190451] sendmail[6192]: segfault at 1c ip 004e5b43 sp bfe342d0 error 4 in libdb-5.1.so[403000+18a000]
[234169.565366] sendmail[6195]: segfault at 1c ip 004e5b43 sp bfe342d0 error 4 in libdb-5.1.so[403000+18a000]
[234885.665150] sendmail[6347]: segfault at 1c ip 004e5b43 sp bfe342d0 error 4 in libdb-5.1.so[403000+18a000]
[235008.577229] sendmail[6441]: segfault at 1c ip 00df1b43 sp bff4e210 error 4 in libdb-5.1.so[d0f000+18a000]
[235159.386229] sendmail[6534]: segfault at 1c ip 00df1b43 sp bff4e210 error 4 in libdb-5.1.so[d0f000+18a000]
[235178.202398] sendmail[6596]: segfault at 1c ip 00ba9b43 sp bfd5d8a0 error 4 in libdb-5.1.so[ac7000+18a000]
[235246.287472] sendmail[6727]: segfault at 1c ip 00399b43 sp bfbcb880 error 4 in libdb-5.1.so[2b7000+18a000]
[235279.593133] sendmail[6728]: segfault at 1c ip 00399b43 sp bfbcb880 error 4 in libdb-5.1.so[2b7000+18a000]
[235436.736968] sendmail[6811]: segfault at 1c ip 0054db43 sp bfc68d70 error 4 in libdb-5.1.so[46b000+18a000]
[235477.386954] sendmail[6871]: segfault at 1c ip 004efb43 sp bfa10100 error 4 in libdb-5.1.so[40d000+18a000]
[235731.998769] sendmail[6887]: segfault at 1c ip 004efb43 sp bfa10100 error 4 in libdb-5.1.so[40d000+18a000]
[236322.669429] sendmail[7191]: segfault at 1c ip 00d52b43 sp bfcaae20 error 4 in libdb-5.1.so[c70000+18a000]
[237261.128441] sendmail[7436]: segfault at 1c ip 00589b43 sp bfb900c0 error 4 in libdb-5.1.so[4a7000+18a000]
[237348.276893] sendmail[7503]: segfault at 1c ip 00e3fb43 sp bf991f80 error 4 in libdb-5.1.so[d5d000+18a000]
[237371.995631] sendmail[7505]: segfault at 1c ip 00e3fb43 sp bf991f80 error 4 in libdb-5.1.so[d5d000+18a000]
[237512.210943] sendmail[7635]: segfault at 1c ip 00249b43 sp bfeaf180 error 4 in libdb-5.1.so[167000+18a000]
[237925.662261] sendmail[7896]: segfault at 1c ip 0042ab43 sp bfc1c8f0 error 4 in libdb-5.1.so[348000+18a000]
[238037.834516] sendmail[7910]: segfault at 1c ip 0042ab43 sp bfc1c8f0 error 4 in libdb-5.1.so[348000+18a000]
[238189.446294] sendmail[8006]: segfault at 1c ip 00c97b43 sp bfb0d280 error 4 in libdb-5.1.so[bb5000+18a000]
[238224.892964] sendmail[8090]: segfault at 1c ip 00b90b43 sp bf9b5f90 error 4 in libdb-5.1.so[aae000+18a000]
[238394.424505] sendmail[8134]: segfault at 1c ip 00b90b43 sp bf9b5f90 error 4 in libdb-5.1.so[aae000+18a000]
[238403.338477] sendmail[8135]: segfault at 1c ip 00b90b43 sp bf9b5f90 error 4 in libdb-5.1.so[aae000+18a000]


Version-Release number of selected component (if applicable):

Tried updating sendmail and cyrus-sasl to more recent versions, still occurs after moving to 8.14.5-1 and 2.1.23-22.  

Starting over with fresh sendmail.mc doesn't help.


Additional info:

I am using LDAP auth, thought the LDAP server is on this system.  Was running greylist-milter and clamav, but removed those from config, still occurs.  Still running spamassassin 3.3.2-0.5.svn1071394.

See also this forum post, by another user:

http://forums.fedoraforum.org/showthread.php?p=1484476#post1484476

So it's not just me. :)

Comment 1 Gwyn Ciesla 2011-06-27 19:57:19 UTC
Anyone have a chance to look at this?  I've updated everything in stable updates for f15 and it still happens.  The only way I can send mail is to turn off smtp auth, which restricts sending to webmail and my local subnet, which is less than ideal.

Comment 2 Matt Olson 2011-07-05 21:07:05 UTC
FWIW, I can confirm this is a problem.  

kernel: [ 4172.223753] sendmail[10991]: segfault at 1c ip 00557b43 sp bfa804b0 error 4 in libdb-5.1.so[475000+18a000]

Name        : libdb
Arch        : i686
Version     : 5.1.25
Release     : 2.fc15

Comment 3 Matt Olson 2011-07-05 23:02:07 UTC
As a test, I rebuild and re-installed (my version of) libdb 5.1.25-2.fc15 on a current FC15 system; the idea being that maybe there was a fix in one of the build libraries.  No dice, same error.

Comment 4 Matt Olson 2011-07-06 15:40:21 UTC
Hey Jon, I figured out what the problem is, at least on my system.  

/etc/mail/sendmail.mc contains:

define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl

This is (presumably) a Berkley DB.  My guess is that this is to allow sendmail to define it's own user auth database.  The thing is, I haven't created that database on my system.  I think the sigfault is due to the fact that sendmail was configured to use a non-existent database.  

I just commented the line as such:

dnl define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl

ran make and restarted sendmail and now smtp auth works without the segfault error.

Comment 5 Gwyn Ciesla 2011-07-06 16:06:44 UTC
Interesting.  I don't have that DB either, but I also already had that line dnl'd.  Reran make, restarted sendmail, still have the segfault when attempting SMTP auth.

Comment 6 Matt Olson 2011-07-06 17:13:17 UTC
Look for any other Berkeley DB references in sendmail.mc that don't map to databases stored in /etc/mail.  

I would check the configuration files of the following db files:

dbs:
access.db
domaintable.db
mailertable.db
virtusertable.db

i.e.:
access
domaintable
mailertable
virtusertable

for any configuration errors.  

Also, I have:  

/etc/sasl2/Sendmail.conf:

pwcheck_method:saslauthd
mech_list: login plain

/etc/pam.d/smtp:

#%PAM-1.0
auth       include      system-auth
account    include      system-auth

Those are the other relevant settings I can think of.  

The important point, using my case as an example, is that in the end it is likely related to a configuration problem, albeit a difficult one to troubleshoot.  

There probably is some sort of problem with the libdb library.  One would at least expect an error instead of a segmentation fault.

Comment 7 Gwyn Ciesla 2011-07-07 12:16:41 UTC
I tried moving my db files aside and regenerating, no luck.  I checked the corresponding configs, all were fine.  Then I checked my /etc/sasl2/Sendmail.conf, and I had the pwcheck_method line, but not the mech_list line.  I added it, restarted saslauthd and sendmail and it worked!  Thank you!!!!

So it looks like a config handling change in cyrus-sasl, and then, yes, some variety of libdb issue.

Comment 8 Timothy Sink 2011-07-08 16:08:05 UTC
I have the same issue that I'm having trouble with. my configuration of cyrus-sasl and sendmail is a little different. I've tried regenerating all the /etc/sendmail/*.db files also my sendmail.cf.

sendmail.cf (Replaced [my domain name] with 'my'):

divert(0)dnl
VERSIONID(`$Id: sendmail.mc,v 8.1 2010/03/25 22:48:05 gshapiro Exp $')
OSTYPE(linux)dnl
DOMAIN(my.com)dnl
define(`confDEF_USER_ID',``8:12'')dnl
define(`confTRUSTED_USER', `cyrus')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`UUCP_MAILER_MAX', `200000000')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A,p,y')dnl
TRUST_AUTH_MECH(`EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confCACERT_PATH',`/etc/pki/tls/certs')
define(`confCACERT',`/etc/pki/tls/certs/ca-bundle.crt')
define(`confSERVER_CERT',`/etc/pki/tls/certs/mail.my-email-cert.pem')
define(`confSERVER_KEY',`/etc/pki/tls/private/mail.my-email-key.pem')
define(`confCLIENT_CERT',`/etc/pki/tls/certs/mail.my-email-cert.pem')dnl
define(`confCLIENT_KEY',`/etc/pki/tls/private/mail.my-email-key.pem')dnl
define(`confTLS_SRV_OPTIONS',`V')dnl
define(`confTO_IDENT', `0')dnl
define(`confLOCAL_MAILER', `cyrusv2')dnl
define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
FEATURE(`accept_unresolvable_domains')dnl
LOCAL_DOMAIN(`localhost.localdomain')dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(cyrusv2)dnl
MAILER(procmail)dnl
LOCAL_CONFIG
CPprocmail
LOCAL_RULESETS
LOCAL_RULE_0
R$* < @ $=w > $*    	$#procmail $@ /etc/procmailrc $: $1<@$2.procmail.>$3
R$* < @ $=w. > $*   	$#procmail $@ /etc/procmailrc $: $1<@$2.procmail.>$3
R$* < @$* .procmail. > $*  	$1<@$2.>$3 	Already filtered, map to original address


/etc/sasl2/Sendmail.conf:

pwcheck_method: auxprop saslauthd
auxprop_plugin: sasldb
auto_transition: true
mech_list: LOGIN PLAIN CRAM-MD5 DIGEST-MD5


/etc/sysconfig/saslauthd:

SOCKETDIR=/var/run/saslauthd
START=yes
MECH=pam
FLAGS=

/etc/pam.d/smtp:

#%PAM-1.0
auth       include      password-auth
account    include      password-auth

Comment 9 Jose Zapater 2011-07-11 15:54:26 UTC
I just upgrade from fc14 to fc15 and have the same problem.

kernel: [16277.660063] sendmail[12880]: segfault at 30 ip 00007f329afe4fc8 sp 00007fff5c231660 error 4 in libdb-5.1.so[7f329af07000+179000]

I probe all above and nothing.

Comment 10 Jaroslav Škarvada 2011-07-22 16:57:45 UTC
Could you try the following test build?
http://koji.fedoraproject.org/koji/taskinfo?taskID=3215805

Comment 11 Paul Howarth 2011-07-22 17:43:16 UTC
Looks like a vanilla 8.14.5 build? I've already tried a rebuild of 8.14.5 from Rawhide and it didn't help. Next on my to-do list will be to see if libdb-5.2 is similarly affected.

Comment 12 Harm Elzinga 2011-07-24 19:27:21 UTC
We got the same problem.
I tried the test build, and still have this issue.

Our situation:
sendmail / cyrus-imapd with virtual domains.
cyrus authenticates with sasldb2 database (/etc/sasldb2 ) which works fine.
sendmail works fine except when trying to relay with TLS and plain passwords using the same /etc/sasldb2 authentication.

This problem occurred since upgrading to FC15.
Same configuration with sendmail 8.14.4 worked fine.

Comment 13 Harm Elzinga 2011-07-25 05:42:50 UTC
After downgrading to sendmail 8.14.4-20 we still got the same problem. So maybe it's a problem in the libdb-5.1 package?

Comment 14 Harm Elzinga 2011-07-25 09:58:57 UTC
Also tried the .i686 versions, which has the sane problem for us.

Comment 15 Harm Elzinga 2011-07-25 11:53:51 UTC
Not a fix, but maybe someone else is in need of a quick way to get sendmail TLS auth working. with sasldb2.

Found a work-around. Instead of using the sasldb2 directly from sendmail, change the /usr/lib/sasl2/Sendmail.conf (or /usr/lib64.... or on some systems /etc/...)

to

pwcheck_method: saslauthd
mech_list: LOGIN PLAIN

configure /etc/sysconfig/saslauthd as follows:
MECH=rimap
DAEMONOPTS=--user saslauth
FLAGS="-O localhost -r"

This requires the cyrus-imapd to run (we use this anyway)
start the saslauthd
restart sendmail

sendmail will authenticate to the saslauthd instead of the sasldb2
saslauthd authenticates to your local imapd (cyrus) which authenticates to the /etc/sasldb2

For me this worked, not the perfect way, but useable for a temporarily solution.

Comment 16 Paul Howarth 2011-07-25 12:10:32 UTC
I believe I have found the problem. In Fedora 15, cyrus-sasl is still linked against libdb-4.8.so, whereas sendmail is linked against libdb-5.1.so. So confusion ensues when both libraries are needed in the same process.

I have rebuilt cyrus-sasl with libdb-5.1, updated my system with the new cyrus-sasl* packages, restarted sendmail and the problem went away.

Anyone wanting to try this can find a scratch build here:

http://koji.fedoraproject.org/koji/taskinfo?taskID=3227292

Comment 17 Jaroslav Škarvada 2011-07-25 12:40:02 UTC
Paul thanks, it is working for me.

Comment 18 Jaroslav Škarvada 2011-07-25 13:23:54 UTC
Jan, could you rebuilt cyrus-sasl with libdb-5.1?

Comment 19 Paul Howarth 2011-07-25 13:49:56 UTC
Created attachment 515054 [details]
Patch for db5 support

(In reply to comment #18)
> Jan, could you rebuilt cyrus-sasl with libdb-5.1?

It'll need this patch (which I took from debian), and changing the buildreq db4-devel to libdb-devel.

Comment 20 Paul Howarth 2011-07-25 13:50:54 UTC
It'll also need updating in Rawhide, which has libdb-5.2.

Comment 21 Fedora Update System 2011-07-25 18:03:27 UTC
cyrus-sasl-2.1.23-17.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/cyrus-sasl-2.1.23-17.fc15

Comment 22 Paul Howarth 2011-07-25 20:52:53 UTC
(In reply to comment #21)
> cyrus-sasl-2.1.23-17.fc15 has been submitted as an update for Fedora 15.
> https://admin.fedoraproject.org/updates/cyrus-sasl-2.1.23-17.fc15

Unfortunately this build doesn't help as the db4-devel buildreq wasn't changed to libdb-devel and so it's still built against libdb-4.8.so.

Comment 23 Fedora Update System 2011-07-26 03:31:20 UTC
Package cyrus-sasl-2.1.23-17.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing cyrus-sasl-2.1.23-17.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/cyrus-sasl-2.1.23-17.fc15
then log in and leave karma (feedback).

Comment 24 Fedora Update System 2011-07-26 09:03:06 UTC
cyrus-sasl-2.1.23-18.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/cyrus-sasl-2.1.23-18.fc15

Comment 25 Fedora Update System 2011-08-19 21:56:20 UTC
cyrus-sasl-2.1.23-18.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 26 Harm Elzinga 2011-08-20 07:13:20 UTC
I've tried the new package.

Have not tried the old bug because I ran up to a new problem immediately.
After updating cyrus-imapd and cyrus-sasld did not want to read my sasldb2 file anymore.
Probably because of the new linkage to a new version of libdb?

imaps[4495]: unable to open Berkeley db /etc/sasldb2: Invalid argument

This is a big issue for us, and had to rollback to the old version.
I could not find any easy solution to "convert" the sasldb2 file, and it almost impossible for us to recreate a version.

Comment 27 Jaroslav Škarvada 2011-08-20 11:30:57 UTC
(In reply to comment #26)
I am unable to reproduce. But in case of trouble the db dump/re-create could help, e.g. something like:

# db_dump -p /etc/sasldb2 > dump  # before update
# rm /etc/sasldb2
# db_load /etc/sasldb2 < dump # after update

Comment 28 Paul Howarth 2011-08-20 12:18:36 UTC
I thought of something like that but unfortunately libdb-utils (which contains the DB5 db_load) appears to be uninstallable as it conflicts with db4-utils and that package can't be removed as it's required by rpm itself.

Comment 29 Timothy Sink 2011-08-20 13:39:48 UTC
I had the same issue. The way i fixed it was

i submited 
https://bugzilla.redhat.com/show_bug.cgi?id=729767

cleaned up db4:

rpm -e --nodeps db4-utils

installed libdb

yum install libdb-utils 

then installed the testing version of cyrus-imapd with the libdb.5.1 build support.

Everything works fine now with mine.

Comment 30 Jaroslav Škarvada 2011-08-20 14:14:13 UTC
To be safe and not to mod your stable system, you can go through chroot, e.g. use mock:
# yum install mock
Add yourself to mock group
$ mock -r fedora-15-x86_64 --init
$ mock -r fedora-15-x86_64 --chroot 'rpm -e --nodeps db4-utils'
$ mock -r fedora-15-x86_64 --install libdb-utils
# db_dump -p /etc/sasldb2 > /tmp/dump
$ mock -r fedora-15-x86_64 --copyin /tmp/dump /tmp
$ mock -r fedora-15-x86_64 --chroot '/usr/bin/db_load /etc/sasldb2 < /tmp/dump'
$ mock -r fedora-15-x86_64 --copyout /etc/sasldb2 /tmp
$ mock -r fedora-15-x86_64 --clean
# mv /tmp/sasldb2 /etc/

Comment 31 Harm Elzinga 2011-09-29 06:33:36 UTC
Didn't have time to test it before.

First I tried the mock solution.

The result sasldb2 file is exactly the same size as the original, but that could be coincidence.
After updating to the latest cyrus-sasl packages, I still got the errors:

imaps[23111]: badlogin: some.host.com [1.2.3.4] PLAIN [SASL(-13): user not found: Password verification failed]

So I tried the solution from Tomothy Sink
db4-utils is used by cyrus-imapd and the yum rpm's, but tried it anyways...

Then I get like hundreds of these errors:

Sep 29 07:59:57 merel pop3[1386]: DBERROR db4: PANIC: fatal region error detected; run recovery
Sep 29 07:59:57 merel imap[1384]: DBERROR: critical database situation
Sep 29 07:59:57 merel imap[1395]: DBERROR db4: PANIC: fatal region error detected; run recovery
Sep 29 07:59:57 merel pop3[1386]: DBERROR: critical database situation
Sep 29 07:59:57 merel pop3s[1387]: DBERROR db4: PANIC: fatal region error detected; run recovery

Probably because the cyrus-imapd is still linked with the db4-utils library.

Then I noticed the summited bug from Timothy, and read that tread carefully and installed the updated cyrus-imapd from the testing repository. Bingo! It worked.

Thanks!


Note You need to log in before you can comment on or make changes to this bug.