From: Alexander Burke
To: William Dudley
Cc: questions@freebsd.org
Date: Thu, 6 Apr 2023 18:00:47 +0200 (GMT+02:00)
Subject: Re: updated to 13.1 (i386). Apache won't run if php80 enabled
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

Hi Bill,

> I'm using the port of sendmail so STARTTLS will work.

I recommend in the strongest possible terms that you not use STARTTLS in any way, and that you use TLS-enforced SMTPS (port 465) and IMAPS (port 993) exclusively with clients. [1,2]

When your sendmail can't reach other MTAs on 465 to deliver mail to them, it can and should drop back to using port 25 with no TLS, but clients (MUAs) accessing it should use only 465 and 993.

Cheers,
Alex

[1] https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks
[2] https://nostarttls.secvuln.info/

----------------------------------------
Apr 6, 2023 16:15:33 William Dudley:

> my reply below.
>
> On Thu, Apr 6, 2023 at 2:20 AM Odhiambo Washington wrote:
>>
>> On Thu, Apr 6, 2023 at 9:09 AM Steve O'Hara-Smith wrote:
>>> On Wed, 5 Apr 2023 11:09:37 -0400
>>> William Dudley wrote:
>>>
>>>> I have another machine running 13.1, but it's amd64.  It happily runs
>>>> Apache with php80, so I downgraded the i386 machine to php80
>>>> so the two machines would be "the same".
>>>>
>>>> Except this didn't fix the problem.  Apache won't run with either php80
>>>> OR php81 enabled, using this stanza in httpd.conf:
>>>
>>>         Two possibilities spring to mind
>>>
>>>         - the two machines are not "the same", check all relevant package
>>> versions right down the dependency tree.
>>>
>>>         - The code depends on a feature not in one CPU or something of that
>>> order. Given that PHP and Apache work independently the glue is the prime
>>> suspect, I'd try building mod-php from ports.
>>
>> He wants to keep things simple, so he prefers pkg install... no ports.
>
> I'm not averse to trying the port to see what happens.  I'm using the port of sendmail
> so STARTTLS will work.
>
> Bill Dudley
>
>>
>> --
>> Best regards,
>> Odhiambo WASHINGTON,
>> Nairobi,KE
>> +254 7 3200 0004/+254 7 2274 3223
>> "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
>> [How to ask smart questions: http://www.catb.org/~esr/faqs/smart-questions.html]
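An added illustration, not part of the message above or of any poster's code: a small model of the client-side decision behind the port 465 recommendation. The EHLO replies, host names and the function names `parse_ehlo` and `client_next_step` are constructed for this example.

```python
import re

# Constructed sample: a server's multi-line reply to EHLO on a cleartext port.
EHLO_FULL = [
    "250-mail.example.org Hello client.example.net",
    "250-SIZE 52428800",
    "250-STARTTLS",
    "250 8BITMIME",
]
# Constructed sample: the same reply as the client sees it when the
# STARTTLS line does not arrive. The client cannot tell the two cases apart.
EHLO_NO_STARTTLS = [line for line in EHLO_FULL if line[4:] != "STARTTLS"]


def parse_ehlo(lines):
    """Return the extension keywords advertised in a 250 EHLO reply."""
    caps = set()
    for index, line in enumerate(lines):
        match = re.fullmatch(r"250([- ])(\S.*)", line)
        if match is None:
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        if index > 0:  # line 0 is the greeting, not an extension
            caps.add(match.group(2).split()[0].upper())
    return caps


def client_next_step(port, ehlo_lines=None, require_tls=True):
    """Model what a submitting mail client does right after connecting."""
    if port == 465:
        # Implicit TLS: the handshake comes first, so there is no
        # cleartext capability list whose contents the client must trust.
        return "tls-handshake-first"
    if "STARTTLS" in parse_ehlo(ehlo_lines or []):
        return "upgrade-with-starttls"
    return "abort" if require_tls else "continue-in-cleartext"
```

A client that treats STARTTLS as optional ends up in `continue-in-cleartext` on the second sample; only a client that refuses to proceed, or one that connects to 465, keeps the session encrypted.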