# Postfix and SSH broken



## xy16644 (Apr 21, 2012)

I just ran a full update on all the ports on my FreeBSD 8.2 server and I now have two problems:

1) When I receive an email from someone or I send myself a test email the subject line is blank and it says it is from "SpamAssasin user". The contents of the email are blank.

This is all I can see in the message header:


```
Return-Path: <xxxxx@googlemail.com>
X-Original-To: xxxx@xxxx.com
Delivered-To: xxxx@xxxx.com
Received: by mail.xxxx.com (Postfix, from userid 58)
	id 03562217168; Sat, 21 Apr 2012 22:26:22 +0100 (BST)
Message-Id: <20120421212622.03562217168@mail.xxxx.com>
Date: Sat, 21 Apr 2012 22:26:22 +0100 (BST)
From: xxxx@googlemail.com (SpamAssassin user)
X-Clamav-Status: No
```

In the maillog logfile:


```
Apr 21 22:28:51 alpha postfix/smtpd[80688]: 5BCBC216F4F: client=mail-ob0-f170.google.com[209.85.214.170]
Apr 21 22:28:51 alpha postfix/cleanup[80692]: 5BCBC216F4F: message-id=
 <CANf_VzpDkh5qwaJK3k5vTvxoDGEvEOUqjLs8vHSR9xqQjzjXdA@mail.gmail.com>
Apr 21 22:28:51 alpha postfix/qmgr[42825]: 5BCBC216F4F: from=<xxxx@googlemail.com>, size=1763, nrcpt=1 (queue active)
Apr 21 22:28:51 alpha postfix/pipe[80693]: 5BCBC216F4F: to=<admin@xxxxx.com>, relay=spamd, delay=0.47, delays=0.45/0.01/0/0.02,
 dsn=2.0.0, status=sent (delivered via spamd service)
Apr 21 22:28:51 alpha postfix/qmgr[42825]: 5BCBC216F4F: removed
Apr 21 22:28:51 alpha postfix/pickup[42826]: AAF39217168: uid=58 from=<xxxx@googlemail.com>
Apr 21 22:28:51 alpha postfix/cleanup[80692]: AAF39217168: message-id=<20120421212851.AAF39217168@mail.xxxx.com>
Apr 21 22:28:51 alpha postfix/qmgr[42825]: AAF39217168: from=<xxxx@googlemail.com>, size=270, nrcpt=1 (queue active)
Apr 21 22:28:51 alpha postfix/local[80698]: AAF39217168: to=<xxxx@xxxx.com>, orig_to=<xxxx@xxxx.com>, relay=local, delay=0.04,
 delays=0.01/0.01/0/0.02, dsn=2.0.0, status=sent (delivered to command: /usr/local/bin/procmail)
Apr 21 22:28:51 alpha postfix/qmgr[42825]: AAF39217168: removed
```

2) There must have been a major change in OpenSSH because when I run the following script to check the share libraries:


```
#!/bin/sh
localbase="/usr/local"
libdirs="/bin /sbin /libexec /lib /usr/bin /usr/sbin /usr/lib /usr/libexec \
  ${localbase}/bin ${localbase}/sbin ${localbase}/lib ${localbase}/libexec"

  echo "===> Checking for unresolvable libraries"

  for d in ${libdirs}; do
    echo "Checking ${d}..."
    for f in $(find ${d} -type f); do
      check=$(ldd "${f}" 2>&1 | grep -v "not a dynamic" | grep "found")
      if [ $? -eq 0 ]; then
        echo "Found a problem in ${f}"
        echo "${check}"
      fi
    done
  done
```

I now get the following results:


```
Found a problem in /usr/local/bin/ssh-add
        libcrypto.so.7 => not found (0x0)
Found a problem in /usr/local/bin/ssh-keygen
        libcrypto.so.7 => not found (0x0)
Found a problem in /usr/local/bin/ssh-keyscan
        libcrypto.so.7 => not found (0x0)
Found a problem in /usr/local/bin/spamc
        libssl.so.7 => not found (0x0)
        libcrypto.so.7 => not found (0x0)
Found a problem in /usr/local/bin/ssh-agent
        libcrypto.so.7 => not found (0x0)
Found a problem in /usr/local/bin/sftp
        libcrypto.so.7 => not found (0x0)
Found a problem in /usr/local/bin/ssh
        libcrypto.so.7 => not found (0x0)
Found a problem in /usr/local/bin/scp
        libcrypto.so.7 => not found (0x0)
Checking /usr/local/sbin...
Found a problem in /usr/local/sbin/sshd
        libcrypto.so.7 => not found (0x0)
Checking /usr/local/lib...
Found a problem in /usr/local/lib/libsslspamc.so.0
        libssl.so.7 => not found (0x0)
        libcrypto.so.7 => not found (0x0)
Checking /usr/local/libexec...
Found a problem in /usr/local/libexec/ssh-keysign
        libcrypto.so.7 => not found (0x0)
Found a problem in /usr/local/libexec/sftp-server
        libcrypto.so.7 => not found (0x0)
Found a problem in /usr/local/libexec/ssh-pkcs11-helper
        libcrypto.so.7 => not found (0x0)
```

Also, if I run */usr/local/sbin/sshd*, I get:

```
/libexec/ld-elf.so.1: Shared object "libcrypto.so.7" not found, required by "sshd"
```

Can someone please help me with my email and SSH issue :e I have tried going through the logs and restarted the services since they were updated but to no avail. I am now stumped.

Thanks for any help.


----------



## xy16644 (Apr 21, 2012)

When I try to restart SSH I get:

```
OpenSSL version mismatch. Built against 1000007f, you have 1000101f
/etc/rc.d/sshd: WARNING: failed to start sshd
```


----------



## wblock@ (Apr 21, 2012)

See entry 20120419 in /usr/ports/UPDATING.


----------



## xy16644 (Apr 21, 2012)

wblock@ said:
			
		

> See entry 20120419 in /usr/ports/UPDATING.



Mine only goes up to 20120418!


----------



## xy16644 (Apr 21, 2012)

Receiving email seems to be working now but I'm not sure what fixed it.

Do I just need to run:

```
portmaster -r openssl
```

and that will fix my SSH issue?


----------



## wblock@ (Apr 22, 2012)

That entry was added after OpenSSL was updated.  Update the ports tree now and it will be there.  But yes, portmaster -r openssl is what is advised there.


----------



## xy16644 (Apr 22, 2012)

If I uninstall OpenSSL and then reinstall the port will this also fix the problem I am experiencing?

I am busy running:

```
portmaster -r openssl
```
but it*'*s now given me a stop error saying that the make failed and that it is aborting the update. This occurs on the texinfo and krb5 port.


----------



## wblock@ (Apr 22, 2012)

xy16644 said:
			
		

> If I uninstall OpenSSL and then reinstall the port will this also fix the problem I am experiencing?



No, or probably not, depending on how you do it.  The problem is that after upgrading openssl, the applications that depend on it have to be rebuilt to use the new version.



> I am busy running:
> 
> ```
> portmaster -r openssl
> ...



I have neither of those, but again, make sure you have the latest ports tree.


----------



## xy16644 (Apr 22, 2012)

I do have the latest ports tree now but I still get those stop errors when running [cmd=]portmaster -r openssl[/cmd]

I'm not really sure what to do next.


----------



## wblock@ (Apr 22, 2012)

Capture the error output, including the lines where the error happened, not just the end, and post it.  If you are using some custom settings in /etc/make.conf like a newer version of gcc or custom CFLAGS, post those too.


----------



## xy16644 (Apr 22, 2012)

Normally I would but since I can't SSH into the server I can't copy and paste the error from Puttys screen into a post ;-)

Is there another way? The server doesn't run a GUI but I can physically get to it and logon at the console with a keyboard.


----------



## wblock@ (Apr 22, 2012)

Use script(1) to capture output.  Then use scp(1) to copy it to another machine.


----------



## xy16644 (May 4, 2012)

Thanks Wblock.

I have attached the output from using the script command you mentioned. I still can't get my SSH service to start again. I hope the log file helps *be*cause I am stumped!


----------



## wblock@ (May 4, 2012)

The build of kbr5 failed because it could not download a dependency, print/texinfo.


```
# cd /usr/ports/print/texinfo
# make distclean
# make fetch
```

Do that last step until it manages to download the file, then use the portmaster line shown in that capture file to continue.

If it was an emergency, you could try rebuilding security/openssh-portable by itself.


----------



## xy16644 (May 4, 2012)

Thank you! I will give this a try tomorrow. When I run the portmaster line in the capture file, do I run this *entire *command:

```
portmaster <flags> security/krb5 print/texinfo print/latex-cjk print/teTeX print/xdvik www/links1 

sysutils/munin-common security/p5-Net-SSLeay sysutils/munin-node shells/bash net/ntp mail/opendkim 

security/openssh-portable security/p5-Crypt-OpenSSL-Bignum security/p5-Crypt-OpenSSL-RSA security/p5-Crypt-

OpenSSL-Random security/p5-IO-Socket-SSL mail/p5-Mail-DKIM mail/p5-Mail-SpamAssassin www/p5-libwww net/p5-

Net-HTTP devel/pecl-intl ftp/php5-curl textproc/php5-dom graphics/php5-gd devel/php5-gettext security/php5-

hash converters/php5-iconv devel/php5-json converters/php5-mbstring security/php5-mcrypt databases/php5-mysqli 

security/php5-openssl databases/php5-pdo databases/php5-pdo_mysql databases/php5-pdo_sqlite textproc/php5-

pspell textproc/php5-simplexml databases/php5-sqlite devel/php5-tokenizer archivers/php5-zip ports-

mgmt/portupgrade databases/ruby-bdb lang/ruby18 mail/postfix mail/roundcube mail/squirrelmail sysutils/webmin 

www/wordpress chinese/docproj
```


----------



## wblock@ (May 4, 2012)

Yes, but take out the <flags>, or replace it with any portmaster flags you were using.


----------



## xy16644 (May 5, 2012)

Thanks wblock, SSH is now working!

I had to completely uninstall texinfo:

```
cd /usr/ports/print/texinfo
make [B]deinstall[/B]
```

and then I ran:
[cmd=]portmaster -r openssl[/cmd]

After doing this I was able to start SSH again. The only thing is when I did start the service it said:

```
error: Could not load host key: /usr/local/etc/ssh/ssh_host_ecdsa_key
```

Is this worth worrying about?

Also when I ran:
[cmd=]pkg_version -vIL=[/cmd]

I get this:

```
bn-freebsd-doc-20111014             <   needs updating (index has 20120308)
munin-main-1.2.6_1                  !   Comparison failed
pkg_version: corrupted record (pkgdep line without argument), ignoring
pkg_version: corrupted record (pkgdep line without argument), ignoring
pkg_version: corrupted record (pkgdep line without argument), ignoring
pkg_version: corrupted record (pkgdep line without argument), ignoring
```

Is there a way to sort out these errors?

Many thanks for your help. It*'*s nice to be able to SSH to my server again :e


----------



## wblock@ (May 5, 2012)

The missing key may or may not be a problem, depending on how the system is used.  Look up whatever caused you to install openssh-portable in the first place.

`# portmaster --check-depends`
will try to fix those corrupted records.  Or to just find which they are:
`% find /var/db/pkg -name "+CONTENTS" -exec egrep -B1 -H 'pkgdep $' {} \; | less`

Rebuilding them is probably the easiest way to fix them.


----------



## xy16644 (May 5, 2012)

wblock@ said:
			
		

> The missing key may or may not be a problem, depending on how the system is used.  Look up whatever caused you to install openssh-portable in the first place.
> 
> `# portmaster --check-depends`
> will try to fix those corrupted records.  Or to just find which they are:
> ...



I currently use an OpenPGP smart card to access my system via SSH. No password logons are allowed at all remotely. I can login with a password at the console though. SSH seems fine so far and I have had no issues logging in with the smart card.

I ran:
[cmd=]portmaster --check-depends[/cmd]

and I had several of these:

```
===>>> Checking zh-docproj-0.1.20060303_5
        ===>>> Updating zh-docproj-0.1.20060303_5/+REQUIRED_BY
        ===>>> Updating @pkgdep for x11-toolkits/libXaw
        ===>>> print/ghostscript8 is listed as a dependency
        ===>>> but there is no installed version

        ===>>> Delete this dependency data? y/n [n]

        ===>>> print/cmpsfont is listed as a dependency
        ===>>> but there is no installed version

        ===>>> Delete this dependency data? y/n [n]

        ===>>> print/amspsfnt is listed as a dependency
        ===>>> but there is no installed version

        ===>>> Delete this dependency data? y/n [n]
```

I said "no" to all these prompts as I wasn't sure what the consequences would be?

Running:
[cmd=]find /var/db/pkg -name "+CONTENTS" -exec egrep -B1 -H 'pkgdep $' {} \; | less[/cmd]

returned:

```
/var/db/pkg/peps-2.0_4/+CONTENTS-@comment DEPORIGIN:devel/gettext
/var/db/pkg/peps-2.0_4/+CONTENTS:@pkgdep
/var/db/pkg/zh-docproj-0.1.20060303_5/+CONTENTS-@comment DEPORIGIN:print/gsfonts
/var/db/pkg/zh-docproj-0.1.20060303_5/+CONTENTS:@pkgdep
--
/var/db/pkg/zh-docproj-0.1.20060303_5/+CONTENTS-@comment DEPORIGIN:print/cups-client
/var/db/pkg/zh-docproj-0.1.20060303_5/+CONTENTS:@pkgdep
/var/db/pkg/zh-docproj-0.1.20060303_5/+CONTENTS-@comment DEPORIGIN:print/cmpsfont
/var/db/pkg/zh-docproj-0.1.20060303_5/+CONTENTS:@pkgdep
/var/db/pkg/docproj-jadetex-1.17_4/+CONTENTS-@comment DEPORIGIN:print/gsfonts
/var/db/pkg/docproj-jadetex-1.17_4/+CONTENTS:@pkgdep
--
/var/db/pkg/docproj-jadetex-1.17_4/+CONTENTS-@comment DEPORIGIN:print/teTeX-texmf
/var/db/pkg/docproj-jadetex-1.17_4/+CONTENTS:@pkgdep
/var/db/pkg/docproj-jadetex-1.17_4/+CONTENTS-@comment DEPORIGIN:print/cmpsfont
/var/db/pkg/docproj-jadetex-1.17_4/+CONTENTS:@pkgdep
```


----------



## xy16644 (May 5, 2012)

I think it*'*s all working now as when I run [cmd=]portmanager -u[/cmd] it says that all the ports are up to date with no errors. I did also uninstall the bn-freebsd-doc and docproj-jadetex port manually. After that I ran [cmd=]portmaster --check-depends[/cmd] 
and that seems to have done the trick! Many thanks for all your help.


----------



## wblock@ (May 5, 2012)

xy16644 said:
			
		

> ```
> find /var/db/pkg -name "+CONTENTS" -exec egrep -B1 -H 'pkgdep $' {} \; | less
> ```
> 
> ...



The filename of the port with the problem is shown first.  The comment line above the missing pkgdep line shows what dependency is missing, possibly due to errors during rebuild.

Rebuilding graphics/peps should fix the first one, either just fixing the pkgdep line or installing print/gsfonts if it is really missing.

Likewise with misc/freebsd-doc-zh_cn (or _tw) and textproc/docproj-jadetext.  Those could be deinstalled if you don't use those local copies of the FreeBSD documentation.


----------

