https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8382

Dan Mahoney <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #1 from Dan Mahoney <[email protected]> ---
Wanted to paste the debugs from a previous mail exchange:

Basically, if you specify any of the --ssl-options, it forces all ports to be
SSLified, and in some cases will disable the original port.  Have some -D
output, and do feel free to replicate on your system (but you will need to put
certs in the place spamd expects to find them, since specifying a cert on the
command line also causes the breakage):

Look for the --> arrows pointing at the listening ports that are created.

root@post:~dmahoney # spamd -D --port 11783 --ssl-port 11784
Apr  4 16:07:52.844 [15635] dbg: logger: adding facilities: all
Apr  4 16:07:52.844 [15635] dbg: logger: logging level is DBG
Apr  4 16:07:52.850 [15635] dbg: logger: calling setlogsock(unix)
Apr  4 16:07:52.850 [15635] dbg: logger: opening syslog with unix socket
Apr  4 16:07:52.850 [15635] dbg: logger: successfully connected to syslog/unix
Apr  4 16:07:52.850 [15635] dbg: logger: successfully added syslog method
Apr  4 16:07:52.850 [15635] dbg: spamd: will perform setuids? 1
Apr  4 16:07:52.851 [15635] dbg: spamd: socket module of choice: IO::Socket::IP
0.43, Socket 2.038, have PF_INET, have PF_INET6, using Socket::getaddrinfo,
AI_ADDRCONFIG is supported
Apr  4 16:07:52.851 [15635] dbg: spamd: ssl socket specification: "localhost",
IP address: localhost, port: 11784
Apr  4 16:07:52.851 [15635] dbg: spamd: attempting to listen on IP addresses:
::1, 127.0.0.1, port 11784
-->Apr  4 16:07:52.878 [15635] dbg: spamd: creating IO::Socket::SSL socket:
Listen: 128, LocalAddr: ::1, LocalPort: 11784, Proto: tcp, ReuseAddr: 1,
SSL_cert_file: /usr/local/etc/mail/spamassassin/certs/server-cert.pem,
SSL_key_file: /usr/local/etc/mail/spamassassin/certs/server-key.pem,
SSL_on_peer_shutdown: CODE(0x3d37e31580a8), SSL_server: 1, SSL_verify_mode: 2,
Type: 1, V6Only: 1
Apr  4 16:07:52.880 [15635] dbg: spamd: created IO::Socket::SSL socket on
[::1]:11784
-->Apr  4 16:07:52.880 [15635] dbg: spamd: creating IO::Socket::SSL socket:
Listen: 128, LocalAddr: 127.0.0.1, LocalPort: 11784, Proto: tcp, ReuseAddr: 1,
SSL_cert_file: /usr/local/etc/mail/spamassassin/certs/server-cert.pem,
SSL_key_file:
/usr/local/etc/mail/spamassassin/certs/server-key.pem, SSL_on_peer_shutdown:
CODE(0x3d37e31580a8), SSL_server: 1, SSL_verify_mode: 2, Type: 1, V6Only: 1
Apr  4 16:07:52.882 [15635] dbg: spamd: created IO::Socket::SSL socket on
[127.0.0.1]:11784
Apr  4 16:07:52.882 [15635] dbg: spamd: server listen sockets fd bit field:
00000110

(Whoops, where did 11783 go?)

The kinda-sorta workaround there is to specify your "listen" specs with -i
instead of using the --ssl-* options.  You get two IO::Socket::SSL and two
IO::Socket::IP, as expected (one each for v4/v6)

root@post:~dmahoney # spamd -D -i 'ssl:*:11784' -i '*:11783'
Apr  4 16:11:33.724 [15678] dbg: logger: adding facilities: all
Apr  4 16:11:33.724 [15678] dbg: logger: logging level is DBG
Apr  4 16:11:33.729 [15678] dbg: logger: calling setlogsock(unix)
Apr  4 16:11:33.729 [15678] dbg: logger: opening syslog with unix socket
Apr  4 16:11:33.729 [15678] dbg: logger: successfully connected to syslog/unix
Apr  4 16:11:33.730 [15678] dbg: logger: successfully added syslog method
Apr  4 16:11:33.730 [15678] dbg: spamd: will perform setuids? 1
Apr  4 16:11:33.730 [15678] dbg: spamd: socket module of choice: IO::Socket::IP
0.43, Socket 2.038, have PF_INET, have PF_INET6, using Socket::getaddrinfo,
AI_ADDRCONFIG is supported
Apr  4 16:11:33.730 [15678] dbg: spamd: ssl socket specification:
"ssl:*:11784", IP address: *, port: 11784
Apr  4 16:11:33.730 [15678] dbg: spamd: attempting to listen on IP addresses:
::, 0.0.0.0, port 11784
-->Apr  4 16:11:33.757 [15678] dbg: spamd: creating IO::Socket::SSL socket:
Listen: 128, LocalAddr: ::, LocalPort: 11784, Proto: tcp, ReuseAddr: 1,
SSL_cert_file: /usr/local/etc/mail/spamassassin/certs/server-cert.pem,
SSL_key_file: /usr/local/etc/mail/spamassassin/certs/server-key.pem,
SSL_on_peer_shutdown: CODE(0x16b96af580a8), SSL_server: 1, SSL_verify_mode: 2,
Type: 1, V6Only: 1
Apr  4 16:11:33.759 [15678] dbg: spamd: created IO::Socket::SSL socket on
[::]:11784
-->Apr  4 16:11:33.760 [15678] dbg: spamd: creating IO::Socket::SSL socket:
Listen: 128, LocalAddr: 0.0.0.0, LocalPort: 11784, Proto: tcp, ReuseAddr: 1,
SSL_cert_file: /usr/local/etc/mail/spamassassin/certs/server-cert.pem,
SSL_key_file: /usr/local/etc/mail/spamassassin/certs/server-key.pem,
SSL_on_peer_shutdown: CODE(0x16b96af580a8), SSL_server: 1, SSL_verify_mode: 2,
Type: 1, V6Only: 1
Apr  4 16:11:33.761 [15678] dbg: spamd: created IO::Socket::SSL socket on
[0.0.0.0]:11784
Apr  4 16:11:33.761 [15678] dbg: spamd:  socket specification: "*:11783", IP
address: *, port: 11783
Apr  4 16:11:33.761 [15678] dbg: spamd: attempting to listen on IP addresses:
::, 0.0.0.0, port 11783
-->Apr  4 16:11:33.762 [15678] dbg: spamd: creating IO::Socket::IP socket:
Listen: 128, LocalAddr: ::, LocalPort: 11783, Proto: tcp, ReuseAddr: 1, Type:
1, V6Only: 1
Apr  4 16:11:33.762 [15678] dbg: spamd: created IO::Socket::IP socket on
[::]:11783
-->Apr  4 16:11:33.762 [15678] dbg: spamd: creating IO::Socket::IP socket:
Listen: 128, LocalAddr: 0.0.0.0, LocalPort: 11783, Proto: tcp, ReuseAddr: 1,
Type: 1, V6Only: 1
Apr  4 16:11:33.762 [15678] dbg: spamd: created IO::Socket::IP socket on
[0.0.0.0]:11783
Apr  4 16:11:33.762 [15678] dbg: spamd: server listen sockets fd bit field:
0000011011000000

But alas, I hope you really don't want to actually specify any other
command-line args, such as pointing at a CA file because those will force the
old behavior: you get listeners on both ports, but they're *ALL* sslified.

root@post:~dmahoney # spamd -D -i 'ssl:*:11784' -i '*:11783' --ssl-ca-file
/var/puppet/ssl/certs/ca.pem
Apr  4 16:14:43.245 [15722] dbg: logger: adding facilities: all
Apr  4 16:14:43.245 [15722] dbg: logger: logging level is DBG
Apr  4 16:14:43.250 [15722] dbg: logger: calling setlogsock(unix)
Apr  4 16:14:43.250 [15722] dbg: logger: opening syslog with unix socket
Apr  4 16:14:43.251 [15722] dbg: logger: successfully connected to syslog/unix
Apr  4 16:14:43.251 [15722] dbg: logger: successfully added syslog method
Apr  4 16:14:43.251 [15722] dbg: spamd: will perform setuids? 1
Apr  4 16:14:43.251 [15722] dbg: spamd: socket module of choice: IO::Socket::IP
0.43, Socket 2.038, have PF_INET, have PF_INET6, using Socket::getaddrinfo,
AI_ADDRCONFIG is supported
Apr  4 16:14:43.251 [15722] dbg: spamd: ssl socket specification:
"ssl:*:11784", IP address: *, port: 11784
Apr  4 16:14:43.251 [15722] dbg: spamd: attempting to listen on IP addresses:
::, 0.0.0.0, port 11784
-->Apr  4 16:14:43.278 [15722] dbg: spamd: creating IO::Socket::SSL socket:
Listen: 128, LocalAddr: ::, LocalPort: 11784, Proto: tcp, ReuseAddr: 1,
SSL_ca_file: /var/puppet/ssl/certs/ca.pem, SSL_cert_file:
/usr/local/etc/mail/spamassassin/certs/server-cert.pem, SSL_check_crl: 0,
SSL_key_file: /usr/local/etc/mail/spamassassin/certs/server-key.pem,
SSL_on_peer_shutdown: CODE(0x1e8d471550d8), SSL_server: 1, SSL_verify_mode: 3,
SSL_verifycn_publicsuffix: , SSL_verifycn_scheme: none, Type: 1, V6Only: 1
Apr  4 16:14:43.292 [15722] dbg: spamd: created IO::Socket::SSL socket on
[::]:11784
-->Apr  4 16:14:43.292 [15722] dbg: spamd: creating IO::Socket::SSL socket:
Listen: 128, LocalAddr: 0.0.0.0, LocalPort: 11784, Proto: tcp, ReuseAddr: 1,
SSL_ca_file: /var/puppet/ssl/certs/ca.pem, SSL_cert_file:
/usr/local/etc/mail/spamassassin/certs/server-cert.pem, SSL_check_crl: 0,
SSL_key_file: /usr/local/etc/mail/spamassassin/certs/server-key.pem,
SSL_on_peer_shutdown: CODE(0x1e8d471550d8), SSL_server: 1, SSL_verify_mode: 3,
SSL_verifycn_publicsuffix: , SSL_verifycn_scheme: none, Type: 1, V6Only: 1
Apr  4 16:14:43.294 [15722] dbg: spamd: created IO::Socket::SSL socket on
[0.0.0.0]:11784
Apr  4 16:14:43.294 [15722] dbg: spamd: ssl socket specification: "*:11783", IP
address: *, port: 11783
Apr  4 16:14:43.294 [15722] dbg: spamd: attempting to listen on IP addresses:
::, 0.0.0.0, port 11783
-->Apr  4 16:14:43.294 [15722] dbg: spamd: creating IO::Socket::SSL socket:
Listen: 128, LocalAddr: ::, LocalPort: 11783, Proto: tcp, ReuseAddr: 1,
SSL_ca_file: /var/puppet/ssl/certs/ca.pem, SSL_cert_file:
/usr/local/etc/mail/spamassassin/certs/server-cert.pem, SSL_check_crl: 0,
SSL_key_file: /usr/local/etc/mail/spamassassin/certs/server-key.pem,
SSL_on_peer_shutdown: CODE(0x1e8d471550d8), SSL_server: 1, SSL_verify_mode: 3,
SSL_verifycn_publicsuffix: , SSL_verifycn_scheme: none, Type: 1, V6Only: 1
Apr  4 16:14:43.296 [15722] dbg: spamd: created IO::Socket::SSL socket on
[::]:11783
-->Apr  4 16:14:43.296 [15722] dbg: spamd: creating IO::Socket::SSL socket:
Listen: 128, LocalAddr: 0.0.0.0, LocalPort: 11783, Proto: tcp, ReuseAddr: 1,
SSL_ca_file: /var/puppet/ssl/certs/ca.pem, SSL_cert_file:
/usr/local/etc/mail/spamassassin/certs/server-cert.pem, SSL_check_crl: 0,
SSL_key_file: /usr/local/etc/mail/spamassassin/certs/server-key.pem,
SSL_on_peer_shutdown: CODE(0x1e8d471550d8), SSL_server: 1, SSL_verify_mode: 3,
SSL_verifycn_publicsuffix: , SSL_verifycn_scheme: none, Type: 1, V6Only: 1
Apr  4 16:14:43.298 [15722] dbg: spamd: created IO::Socket::SSL socket on
[0.0.0.0]:11783
Apr  4 16:14:43.298 [15722] dbg: spamd: server listen sockets fd bit field:
0000011011000000

(Note that this broke even weirder, because specifying a path to a cert-file
or a key file would do this already, but I discovered that there was an
(undocumented in either -h or the manpage) place where I could put an ssl
cert/key to be loaded, visible above in my system (FreeBSD ports) as
/usr/local/etc/mail/spamassassin/certs/server-cert.pem and server-key.pem)

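Added example (not part of the bug report and not SpamAssassin code): a small checker that reads `spamd -D` output like the runs quoted above and reports any port that is missing or came up with the wrong socket class. The function names and the `INTENDED` map are hypothetical, and the sample lines are constructed, abridged from the quoted logs.

```python
import re

# Matches spamd -D lines such as:
#   dbg: spamd: created IO::Socket::SSL socket on [::1]:11784
CREATED = re.compile(r"created IO::Socket::(SSL|IP) socket on \[([^\]]+)\]:(\d+)")

def listeners(debug_output):
    """Return {port: set of socket classes} for every listener spamd created."""
    # Mail clients wrap long debug lines, so collapse whitespace before matching.
    flat = re.sub(r"\s+", " ", debug_output)
    found = {}
    for cls, _addr, port in CREATED.findall(flat):
        found.setdefault(int(port), set()).add(cls)
    return found

def audit(debug_output, intended):
    """Compare created listeners with intent, e.g. {11783: "IP", 11784: "SSL"}."""
    actual = listeners(debug_output)
    findings = []
    for port, want in sorted(intended.items()):
        got = actual.get(port)
        if not got:
            findings.append((port, "missing"))
        elif got != {want}:
            findings.append((port, "expected %s, got %s" % (want, "/".join(sorted(got)))))
    for port in sorted(set(actual) - set(intended)):
        findings.append((port, "unexpected listener"))
    return findings

# Constructed samples (hypothetical names), abridged from the three quoted runs.
INTENDED = {11783: "IP", 11784: "SSL"}   # plain spamc port, TLS port
RUN_SSL_PORT = """
dbg: spamd: created IO::Socket::SSL socket on
[::1]:11784
dbg: spamd: created IO::Socket::SSL socket on
[127.0.0.1]:11784
"""
RUN_WORKAROUND = """
dbg: spamd: created IO::Socket::SSL socket on [0.0.0.0]:11784
dbg: spamd: created IO::Socket::IP socket on [0.0.0.0]:11783
"""
RUN_CA_FILE = """
dbg: spamd: created IO::Socket::SSL socket on [0.0.0.0]:11784
dbg: spamd: created IO::Socket::SSL socket on [0.0.0.0]:11783
"""

if __name__ == "__main__":
    for name, run in [("--ssl-port", RUN_SSL_PORT), ("-i only", RUN_WORKAROUND), ("-i + CA", RUN_CA_FILE)]:
        print(name, audit(run, INTENDED))
```

Running the same check against a live `spamd -D` start-up log after any option change shows whether the plain-text port silently disappeared or became TLS-only before clients start failing.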