strange error

#1 Thu, 03/22/2018 - 14:05
dimitrist

yesterday i had a strange error for the 3rd time in the past 6 months or so. it looks like this : https://www.virtualmin.com/node/10374 but what happens is that main.cf in postfix loses 90 lines (from 60-150) of configuration from main.cf (!?) for example (main.cf.bkp is yesterday's corrupt main.cf) :

wc -l main.cf
239 main.cf

wc -l main.cf.bkp
149 main.cf.bkp

diff main.cf.bkp main.cf
51c51
< smtp_tls_security_level = dane
smtp_tls_security_level = may
58c58
< smtpd_tls_security_level = may
smtpd_tls_security_level = may
60a61,151
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers=high
smtpd_tls_mandatory_ciphers = high
smtpd_tls_exclude_ciphers=aNULL,aDH,MD5
smtpd_tls_mandatory_exclude_ciphers=aNULL,aDH,MD5
smtpd_tls_security_level = may

TLS policy map
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_fingerprint_digest = sha1
smtpd_tls_CApath = /etc/ssl/certs
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_exclude_ciphers = aNULL,aDH,MD5
smtp_tls_mandatory_exclude_ciphers = aNULL,aDH,MD5

Log TLS handling
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1

Enable elliptic curve cryptography, "ultra" needs more cpu time
smtpd_tls_eecdh_grade = strong

myhostname = $server
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

myorigin = /etc/mailname

mydestination = $server, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

Requirements for the HELO statement
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject,
check_helo_access pcre:/etc/postfix/helo_checks.pcre,
check_helo_access hash:/etc/postfix/access,
reject_invalid_hostname,
permit

Requirements for the sender details
smtpd_sender_restrictions = permit_mynetworks,
check_sender_access hash:/etc/postfix/sender_access,
reject_non_fqdn_sender,
reject_unauth_pipelining,
reject_unlisted_sender,
reject_unknown_sender_domain,
permit

smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_policy_service inet:127.0.0.1:12345

smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,
check_client_access hash:/etc/postfix/access,
reject_invalid_hostname,
reject_unauth_pipelining,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unknown_reverse_client_hostname,
reject_unknown_helo_hostname,
reject_unauth_destination,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.mailspike.net,
reject_rbl_client backscatter.spameatingmonkey.net,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client dnsbl.dronebl.org,
reject_rbl_client ix.dnsbl.manitu.net,
reject_rbl_client rbl.void.gr,
reject_rbl_client list.dsbl.org,
reject_rbl_client dul.dnsbl.sorbs.net,
reject_rhsbl_client blackhole.securitysage.com,
reject_rhsbl_client dsn.rfc-ignorant.org,
reject_rhsbl_sender blackhole.securitysage.com,
check_policy_service unix:/var/spool/postfix/postgrey/socket,
check_policy_service inet:127.0.0.1:12345,
permit

any relative log entries found :

miniserv.error :
restarting miniserv
[21/Mar/2018:13:06:34 +0200] Restarting
Pre-loaded virtual-server/virtual-server-lib-funcs.pl in virtual_server
Pre-loaded virtual-server/feature-unix.pl in virtual_server
Pre-loaded virtual-server/feature-dir.pl in virtual_server
Pre-loaded virtual-server/feature-dns.pl in virtual_server
Pre-loaded virtual-server/feature-mail.pl in virtual_server
Pre-loaded virtual-server/feature-web.pl in virtual_server
Pre-loaded virtual-server/feature-webalizer.pl in virtual_server
Pre-loaded virtual-server/feature-ssl.pl in virtual_server
Pre-loaded virtual-server/feature-logrotate.pl in virtual_server
Pre-loaded virtual-server/feature-mysql.pl in virtual_server
Pre-loaded virtual-server/feature-postgres.pl in virtual_server
Pre-loaded virtual-server/feature-ftp.pl in virtual_server
Pre-loaded virtual-server/feature-spam.pl in virtual_server
Pre-loaded virtual-server/feature-virus.pl in virtual_server
Pre-loaded virtual-server/feature-webmin.pl in virtual_server
Pre-loaded virtual-server/feature-virt.pl in virtual_server
Pre-loaded virtual-server/feature-virt6.pl in virtual_server
[21/Mar/2018:13:06:37 +0200] miniserv.pl started
[21/Mar/2018:13:06:37 +0200] Using MD5 module Digest::MD5
[21/Mar/2018:13:06:37 +0200] Using SHA512 module Crypt::SHA
[21/Mar/2018:13:06:37 +0200] PAM authentication enabled
deleting and
Use of uninitialized value $minsize in numeric lt (<) at /usr/share/webmin/acl/acl-lib.pl line 1764.
Use of uninitialized value in split at /usr/share/webmin/acl/acl-lib.pl line 1767.
Error: No virtual domains file (virtual_alias_maps) was found in your Postfix configuration!
Error: No virtual domains file (virtual_alias_maps) was found in your Postfix configuration!
[21/Mar/2018:14:31:32 +0200] Reloading configuration
Use of uninitialized value $minsize in numeric lt (<) at /usr/share/webmin/acl/acl-lib.pl line 1764.
Use of uninitialized value in split at /usr/share/webmin/acl/acl-lib.pl line 1767.

after that time (13:06), main.cf was missing its configuration and you can see the diff of the files above. until 14:31. at that point we restored an original main.cf from backup and reloaded postfix.

mail.err :
Mar 21 13:06:41 server dovecot: master: Fatal: Dovecot is already running with PID 1490 (read from /var/run/dovecot/master.pid)
Mar 21 13:07:28 server postfix/local[13682]: fatal: main.cf configuration error: mailbox_size_limit is smaller than message_size_limit
Mar 21 13:08:29 server postfix/local[13997]: fatal: main.cf configuration error: mailbox_size_limit is smaller than message_size_limit
Mar 21 13:09:30 server postfix/local[14522]: fatal: main.cf configuration error: mailbox_size_limit is smaller than message_size_limit
....
Mar 21 14:24:45 server postfix/local[6297]: fatal: main.cf configuration error: mailbox_size_limit is smaller than message_size_limit
Mar 21 14:25:46 server postfix/local[8188]: fatal: main.cf configuration error: mailbox_size_limit is smaller than message_size_limit
Mar 21 14:26:47 server postfix/local[8453]: fatal: main.cf configuration error: mailbox_size_limit is smaller than message_size_limit

mail.log entry :
Mar 21 13:06:50 server postfix/smtp[13189]: 582872A1A9AC: to=<user@domain>, relay=none, delay=0.18, delays=0.16/0/0.01/0, dsn=5.4.6, status=bounced (mail for domain loops back to myself)

using fully upgraded debian 9, latest webmin and virtualmin gpl. amd64 arch. any ideas on what could cause this?

thanks, (and sorry for the long post)

Fri, 07/20/2018 - 06:49
dimitrist

hit another time by this, yesterday, but i think this time i got a clue. just before the error, mail server certificate got renewed by lets encrypt. then postfix reload, and everything in postfix broken. (corrupt main.cf file exactly like previous example above). so i guess some virtualmin script that takes care of renewing ssl in postfix/apache/etc is responsible for main.cf corruption. can someone point me to any "suspicious" virtualmin scripts that handles that?

Fri, 07/20/2018 - 06:55
dimitrist

or should i just move ssl options in the end of main.cf file and see what happens next time? maybe "the virtualmin script" thinks those options should be last in the file?
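
An added example, not part of the original thread and not Virtualmin or Postfix code: a parameter-level comparison of main.cf against a known-good copy, which reports lost or changed settings (TLS levels, restriction lists, virtual_alias_maps, mailbox_size_limit) independently of line order or continuation-line layout. The names parse_main_cf and drift and both sample files are assumptions constructed from the values quoted in the first post.

```python
import re

def parse_main_cf(text):
    """Parse main.cf text into {parameter: value}.

    Blank lines and lines whose first non-blank character is '#' are skipped,
    a line starting with whitespace continues the previous parameter, and a
    later definition of the same parameter replaces an earlier one.
    """
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if current is not None:
                params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        current = name.strip() if sep else None
        if current:
            params[current] = value.strip()
    return {k: re.sub(r"\s+", " ", v) for k, v in params.items()}

def drift(baseline_text, current_text):
    """Return (missing parameter names, {name: (baseline, current)})."""
    base, cur = parse_main_cf(baseline_text), parse_main_cf(current_text)
    missing = sorted(set(base) - set(cur))
    changed = {k: (base[k], cur[k]) for k in sorted(base.keys() & cur.keys())
               if base[k] != cur[k]}
    return missing, changed

# Constructed samples, abbreviated from the values quoted in the post.
KNOWN_GOOD = """\
smtp_tls_security_level = may
smtpd_tls_security_level = may
# TLS policy map
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
mailbox_size_limit = 0
virtual_alias_maps = hash:/etc/postfix/virtual
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""
TRUNCATED = "smtp_tls_security_level = dane\nsmtpd_tls_security_level = may\n"

if __name__ == "__main__":
    missing, changed = drift(KNOWN_GOOD, TRUNCATED)
    for name in missing:
        print("MISSING", name)
    for name, (old, new) in changed.items():
        print("CHANGED", name, repr(old), "->", repr(new))
```

Run it against a saved known-good copy after any automated change to the mail configuration, such as the certificate renewal mentioned above, and before reloading Postfix.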
