Fix for Postfix crash in 9.0.0p13 FIPS mode

Ask questions about your setup or get help installing ZCS server (ZD section below).
Post Reply
rjeth0
Posts: 3
Joined: Sun Sep 01, 2019 8:44 pm

Fix for Postfix crash in 9.0.0p13 FIPS mode

Post by rjeth0 »

Just thought I'd report a problem we had, and found a solution for. We updated from 9.0.0p12 to 9.0.0p13 on a CentOS 8 FIPS-mode system, and followed the instructions at https://wiki.zimbra.com/wiki/Zimbra_Rel ... PS_Support

In particular, the instructions have you do

Code: Select all

$ zmlocalconfig -e ldap_starttls_supported=0
$ postconf -e "lmtp_tls_fingerprint_digest = sha256"
After the update, outbound e-mail was getting queued (with a transport failure) and not delivered. Looking at zimbra.log, the Postfix smtp process was crashing with signal 11 (SIGSEGV) whenever it tried to deliver an outgoing message.

It turns out you also have to do:

Code: Select all

$ postconf -e "smtp_tls_fingerprint_digest = sha256"
on installing 9.0.0p13 if you're on a FIPS system. (Note "smtp" in addition to "lmtp".) Then it worked fine. Looks like the release notes need updating...
User avatar
L. Mark Stone
Ambassador
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition
Contact:

Re: Fix for Postfix crash in 9.0.0p13 FIPS mode

Post by L. Mark Stone »

This is important; have you opened a Support Case with Zimbra to get the Release Notes updated?
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
rjeth0
Posts: 3
Joined: Sun Sep 01, 2019 8:44 pm

Re: Fix for Postfix crash in 9.0.0p13 FIPS mode

Post by rjeth0 »

Yes, I did just now.
User avatar
L. Mark Stone
Ambassador
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition
Contact:

Re: Fix for Postfix crash in 9.0.0p13 FIPS mode

Post by L. Mark Stone »

Terrific, thank you. I also apprised Support unofficially, pointing them to this thread, but a real Support Case is what's needed to get the issue looked at formally.

Thanks again,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
sb0373
Posts: 19
Joined: Tue Sep 15, 2015 9:59 am

Re: Fix for Postfix crash in 9.0.0p13 FIPS mode

Post by sb0373 »

@rjeth0, you saved me on this one. I just hit it updating the system to fips.

Can you please tell me how you managed to identify the root cause? I only found the

Code: Select all

smtp[71426]: segfault at 0 ip           (null) sp 00007ffe6f939918 error 14 in smtp[400000+88000]
and couldn't really do too much with that information.
User avatar
jholder
Ambassador
Ambassador
Posts: 4824
Joined: Fri Sep 12, 2014 10:00 pm

Re: Fix for Postfix crash in 9.0.0p13 FIPS mode

Post by jholder »

sb0373 wrote:@rjeth0, you saved me on this one. I just hit it updating the system to fips.

Can you please tell me how you managed to identify the root cause? I only found the

Code: Select all

smtp[71426]: segfault at 0 ip           (null) sp 00007ffe6f939918 error 14 in smtp[400000+88000]
and couldn't really do too much with that information.
This was a headache, and we're sorry about that.

The underlying cause has to do with libraries we shipped with Zimbra. When certain programs used 1 version of the library, it would crash things.
This has since been resolved, make sure you update Zimbra and apt.
Post Reply