[exim] Exim + grsecurity + ssl = dos

Author: Samuel
Date:  
To: exim-users
Subject: [exim] Exim + grsecurity + ssl = dos
Hi,

Last night, Exim stopped working for a few seconds (no response) and I saw
strange things in my logs:

/var/log/exim4/mainlog :

2016-05-31 05:55:44 TLS error on connection from
researchscan258.eecs.XXXX.edu (eecs.XXXX.edu) [1XX.212.XXX.3]
(gnutls_handshake): Could not negotiate a supported cipher suite.
2016-05-31 05:55:44 H=researchscan258.eecs.XXXX.edu (eecs.XXXX.edu)
[1XX.212.XXX.3] Warning: erreur : tls-failed


/var/log/syslog :

May 31 05:55:44 anemone-mailin-01 kernel: [4547900.677897] traps:
exim4[23055] general protection ip:6664ddc0bad6 sp:7483826d3710 error:0
in libc-2.19.so[6664ddba2000+1a2000]
May 31 05:55:44 anemone-mailin-01 kernel: [4547900.677923] grsec: From
141.212.122.3: Segmentation fault occurred at (nil) in
/usr/sbin/exim4[exim4:23055] uid/euid:104/104 gid/egid:109/109, parent
/usr/sbin/exim4[exim4:23754] uid/euid:104/104 gid/egid:109/109
May 31 05:55:44 anemone-mailin-01 kernel: [4547900.678012] grsec: From
141.212.122.3: bruteforce prevention initiated for the next 30 minutes
or until service restarted, stalling each fork 30 seconds. Please
investigate the crash report for /usr/sbin/exim4[exim4:23055]
uid/euid:104/104 gid/egid:109/109, parent /usr/sbin/exim4[exim4:23754]
uid/euid:104/104 gid/egid:109/109

So if I understand well, a specially crafted SSL request can cause a DoS on
Exim on a grsecurity kernel?

This is the first time I have seen these logs.

What can I do to stop this?

Thanks a lot.

Samuel.

Exim on Xen VM on Debian Jessie with grsecurity custom kernel

exim -d --version
Exim version 4.84_2 #1 built 13-Mar-2016 17:47:17
Copyright (c) University of Cambridge, 1995 - 2014
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 
- 2014
Berkeley DB: Berkeley DB 5.3.28: (September  9, 2013)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS 
move_frozen_messages Content_Scanning DKIM Old_Demime PRDR OCSP
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm 
dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql 
sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram 
redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Compiler: GCC [4.9.2]
Library version: GnuTLS: Compile: 3.3.8
                          Runtime: 3.3.8
Library version: Cyrus SASL: Compile: 2.1.26
                              Runtime: 2.1.26 [Cyrus SASL]
Library version: PCRE: Compile: 8.35
                        Runtime: 8.35 2014-04-04
Library version: MySQL: Compile: 5.5.47 [(Debian)]
                         Runtime: 5.5.49
Library version: SQLite: Compile: 3.8.7.1
                          Runtime: 3.8.7.1
WHITELIST_D_MACROS: "OUTGOING"
TRUSTED_CONFIG_LIST: "/etc/exim4/trusted_configs"
Exim version 4.84_2 uid=0 gid=0 pid=23974 D=fbb95cfd
changed uid/gid: forcing real = effective
   uid=0 gid=0 pid=23974
   auxiliary group list: <none>
seeking password data for user "uucp": cache not available
getpwnam() succeeded uid=10 gid=10
changed uid/gid: calling tls_validate_require_cipher
   uid=104 gid=109 pid=23975
   auxiliary group list: <none>
tls_validate_require_cipher child 23975 ended: status=0x0
configuration file is /var/lib/exim4/config.autogenerated
log selectors = 00000ffc 00632001
Starting Perl interpreter
cwd=/ 3 args: exim -d --version
trusted user
admin user
changed uid/gid: privilege not needed
   uid=104 gid=109 pid=23974
   auxiliary group list: 109 114
seeking password data for user "mail": cache not available
getpwnam() succeeded uid=8 gid=8
user name "root" extracted from gecos field "root"
originator: uid=0 gid=0 login=root name=root
sender address = root@???
Configuration file is /var/lib/exim4/config.autogenerated
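As an added example (not code from the post, from Exim or from grsecurity), the following Python parser pairs the grsec "Segmentation fault occurred" record with the "bruteforce prevention initiated" notice that follows it, so the fork stall, which is the actual denial-of-service condition described above, can be alerted on separately from an ordinary crash. The sample input is the post's own syslog excerpt with each record rejoined onto one line; the field names and the StallEvent type are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Regexes for the two grsecurity records the post shows: the segfault report and the
# brute-force prevention notice that follows it (the fork stall quoted in the log).
SEGV_RE = re.compile(
    r"grsec: From (?P<src>\S+): Segmentation fault occurred at (?P<addr>\S+) in "
    r"(?P<path>\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]")
BRUTE_RE = re.compile(
    r"grsec: From (?P<src>\S+): bruteforce prevention initiated for the next "
    r"(?P<minutes>\d+) minutes or until service restarted, stalling each fork "
    r"(?P<stall>\d+) seconds\. Please investigate the crash report for "
    r"(?P<path>\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]")

@dataclass
class StallEvent:  # example type, not a grsecurity or Exim structure
    source_ip: str
    binary: str
    pid: int
    stall_seconds: int
    window_minutes: int
    fault_addr: Optional[str]  # address from the matching segfault record, if seen

def find_stall_events(lines: List[str]) -> List[StallEvent]:
    """One event per brute-force stall notice. A stall means every new fork of the
    daemon is delayed, so a single crash has turned into a denial of service."""
    faults: Dict[int, str] = {}
    events: List[StallEvent] = []
    for line in lines:
        if (m := SEGV_RE.search(line)):
            faults[int(m.group("pid"))] = m.group("addr")
        elif (m := BRUTE_RE.search(line)):
            pid = int(m.group("pid"))
            events.append(StallEvent(m.group("src"), m.group("path"), pid,
                                     int(m.group("stall")), int(m.group("minutes")),
                                     faults.get(pid)))
    return events

# Sample input: the syslog excerpt from the post, each record rejoined onto one line.
SAMPLE_SYSLOG = [
    "May 31 05:55:44 anemone-mailin-01 kernel: [4547900.677897] traps: exim4[23055] general protection ip:6664ddc0bad6 sp:7483826d3710 error:0 in libc-2.19.so[6664ddba2000+1a2000]",
    "May 31 05:55:44 anemone-mailin-01 kernel: [4547900.677923] grsec: From 141.212.122.3: Segmentation fault occurred at (nil) in /usr/sbin/exim4[exim4:23055] uid/euid:104/104 gid/egid:109/109, parent /usr/sbin/exim4[exim4:23754] uid/euid:104/104 gid/egid:109/109",
    "May 31 05:55:44 anemone-mailin-01 kernel: [4547900.678012] grsec: From 141.212.122.3: bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for /usr/sbin/exim4[exim4:23055] uid/euid:104/104 gid/egid:109/109, parent /usr/sbin/exim4[exim4:23754] uid/euid:104/104 gid/egid:109/109",
]

if __name__ == "__main__":
    for ev in find_stall_events(SAMPLE_SYSLOG):
        print(f"{ev.binary}[{ev.pid}] stalled {ev.stall_seconds}s/fork for {ev.window_minutes} min, fault at {ev.fault_addr}, src {ev.source_ip}")
```

Feeding the journal or /var/log/syslog through find_stall_events and paging on any returned event flags the stall window as soon as it begins, rather than waiting for the mail backlog to show up.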