NetWorker: Le notifiche e-mail smettono di funzionare su Red Hat 8 Server dopo l'aggiornamento alla versione 19.10

• Il server NetWorker è installato su Red Hat 8:

root@nwserver:~# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.9 (Ootpa)

• NetWorker 19.10 è stato installato sul sistema Red Hat 8.x. Può trattarsi di una nuova installazione o di un aggiornamento da una versione precedente di NetWorker.
• Le risorse della policy di protezione NetWorker sono state configurate utilizzando il comando Linux mail o mailx:

• Prima dell'aggiornamento di NetWorker, le notifiche e-mail venivano ricevute senza problemi.
• Vengono ricevuti anche messaggi e-mail inviati dalla riga di comando del server NetWorker:

root@nwserver:~# mailx -s "test email" backupadmin@domain.com < /dev/null
Null message body; hope that's ok

root@nwserver:~# tail -n 7 /var/log/maillog
Feb 14 16:13:49 nwserver sendmail[24024]: 41ELDnaE024024: from=root, size=229, class=0, nrcpts=1, msgid=<202402142113.41ELDnaE024024@nwserver.amer.lan>, relay=root@localhost
Feb 14 16:13:49 nwserver sendmail[24024]: STARTTLS=client, relay=[127.0.0.1], version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Feb 14 16:13:49 nwserver sendmail[24025]: STARTTLS=server, relay=localhost [127.0.0.1], version=TLSv1.3, verify=NOT, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Feb 14 16:13:49 nwserver sendmail[24025]: 41ELDn4l024025: from=<root@nwserver.amer.lan>, size=490, class=0, nrcpts=1, msgid=<202402142113.41ELDnaE024024@nwserver.amer.lan>, proto=ESMTPS, daemon=MTA, relay=localhost [127.0.0.1]
Feb 14 16:13:49 nwserver sendmail[24024]: 41ELDnaE024024: to=backupadmin@domain.com, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30229, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (41ELDn4l024025 Message accepted for delivery)
Feb 14 16:13:50 nwserver sendmail[24027]: STARTTLS=client, relay=mailhub.domain.com., version=TLSv1.2, verify=OK, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
Feb 14 16:13:50 nwserver sendmail[24027]: 41ELDn4l024025: to=<backupadmin@domain.com>, ctladdr=<root@nwserver.amer.lan> (0/0), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=120490, relay=mailhub.domain.com. [10.10.10.10], dsn=2.0.0, stat=Sent (ok:  Message 225328373 accepted)

• I registri del flusso di lavoro in /nsr/logs/policy/POLICY_NAME/ riportano il seguente errore:

root@nwserver:~# nsr_render_log /nsr/logs/policy/Server\ Protection/workflow_Server\ backup_064001.raw
133550 02/14/2024 11:01:35 AM  1 0 0 3269973824 446260 0 nwserver.amer.lan nsrworkflow NSR notice Starting Protection Policy 'Server Protection' workflow 'Server backup'.
199800 02/14/2024 11:01:35 AM  1 5 0 3269973824 446260 0 nwserver.amer.lan nsrworkflow NSR notice Consider starting action 'Server db backup', enabled 1, schedule action '1'
204318 02/14/2024 11:01:35 AM  1 1 0 3269973824 446260 0 nwserver.amer.lan nsrworkflow SYSTEM notice Request to run the enabled action 'Server db backup' that has level configured as '1'.
201496 02/14/2024 11:01:35 AM  1 1 0 3269973824 446260 0 nwserver.amer.lan nsrworkflow SYSTEM notice Starting the scheduled action 'Server db backup'.
123316 02/14/2024 11:01:35 AM  1 0 0 3269973824 446260 0 nwserver.amer.lan nsrworkflow NSR notice Starting action 'Server Protection/Server backup/Server db backup' with command: 'nsrdbsave -l 1'.
123321 02/14/2024 11:01:35 AM  1 0 0 3269973824 446260 0 nwserver.amer.lan nsrworkflow NSR notice Action 'Server Protection/Server backup/Server db backup's log will be in '/nsr/logs/policy/Server Protection/Server backup/Server db backup_064002.raw'.
123325 02/14/2024 11:02:25 AM  1 0 0 3269973824 446260 0 nwserver.amer.lan nsrworkflow NSR notice Action 'Server Protection/Server backup/Server db backup' succeeded.
199800 02/14/2024 11:02:25 AM  1 5 0 3269973824 446260 0 nwserver.amer.lan nsrworkflow NSR notice Consider starting action 'Expiration', enabled 1, schedule action 'exec'
204318 02/14/2024 11:02:25 AM  1 1 0 3269973824 446260 0 nwserver.amer.lan nsrworkflow SYSTEM notice Request to run the enabled action 'Expiration' that has level configured as 'exec'.
201496 02/14/2024 11:02:25 AM  1 1 0 3269973824 446260 0 nwserver.amer.lan nsrworkflow SYSTEM notice Starting the scheduled action 'Expiration'.
5 02/14/2024 11:02:25 AM  1 1 0 0 unknown unknown LOG unrendered /bin/mailx: symbol lookup error: /bin/mailx: undefined symbol: SSLv3_client_method, version OPENSSL_1_1_0

Uno dei miglioramenti introdotti in NetWorker 19.10 riguardava SSL. NetWorker fornisce una propria libreria SSL che viene esportata nel networkerrc file:

root@nwserver:~# cat /opt/nsr/admin/networkerrc | grep "NSR_LIBS\|LD_LIBRARY_PATH"
        NSR_LIBS=/usr/lib/nsr
        NSR_LIBS=/usr/lib/nsr/lib64
        # It must be the first entry of LD_LIBRARY_PATH otherwise it fails to load libraries.
        NSR_LIBS=/usr/lib/nsr/lib64/cst:/usr/lib/nsr/lib64
LD_LIBRARY_PATH=${NSR_LIBS}:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH

La versione di mail su Red Hat 8.x contiene una libreria SSL che include SSv3:

root@nwserver:~# ldd /bin/mail | grep ssl
        libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f116357b000)

root@lnx-client02:~# nm -D /lib64/libssl.so.1.1 | egrep -i "SSLv3_"
0000000000022780 T SSLv3_client_method
0000000000022760 T SSLv3_method
0000000000022770 T SSLv3_server_method
root@nwserver:~# 

NetWorker 19.10 ha rimosso SSLv3 dalla relativa libreria in quanto rappresenta una potenziale vulnerabilità della sicurezza ed è sfruttabile:

root@nwserver:~# nm -D /usr/lib/nsr/lib64/libssl.so.1.1 | egrep -i "SSLv"
root@nwserver:~# 

Il pacchetto mail utilizza una libssl libreria meno recente. Il problema riguarda il pacchetto mail; quindi al di fuori di NetWorker.

Opzione 1:

L'amministratore di Exchange o di posta elettronica può esaminare la configurazione dei server di posta e verificare se sono disponibili opzioni per disabilitare SSLv3 a favore di TLS 1.2.

Opzione 2:

Una correzione per questo problema deve essere rilasciata nel pacchetto mail/mailx Linux. La posta deve essere aggiornata per includere un libssl che non utilizza SSLv3. Al momento della stesura di questo articolo della KB, l'unico pacchetto mail elencato per Red Hat 8.x è mailx-12.5-29.el8.x86_64, rilasciato nel 2019. Tale problema interessa questo pacchetto mail. 

Confermare il pacchetto mail installato:

rpm -qa | grep mail

root@nwserver:~# rpm -qa | grep mail
sendmail-8.15.2-34.el8.x86_64
mailcap-2.1.48-3.el8.noarch
mailx-12.5-29.el8.x86_64
procmail-3.22-47.el8.x86_64

Ottenere i dettagli del pacchetto mail eseguendo: 

yum provides mail

root@nwserver:~# yum provides mail
Updating Subscription Management repositories.
Last metadata expiration check: 1:55:22 ago on Wed 21 Feb 2024 09:35:43 AM EST.
mailx-12.5-29.el8.x86_64 : Enhanced implementation of the mailx command
Repo        : @System
Matched from:
Filename    : /bin/mail

mailx-12.5-29.el8.x86_64 : Enhanced implementation of the mailx command
Repo        : rhel-8-for-x86_64-baseos-rpms
Matched from:
Filename    : /bin/mail

yum upgrade mailx

Soluzione alternativa:

linux86w)
        # cst path is required to locate dynamic libraries of cst (also loads internal bsafe crypto libraries).
        # It must be the first entry of LD_LIBRARY_PATH otherwise it fails to load libraries.
        # cst comes with own bsafe library. cst bsafe library version may or may not be the same
        # version of bsafe library used by other components in the product.
        NSR_LIBS=/usr/lib/nsr/lib64/cst:/usr/lib/nsr/lib64
        OS_LIBS=/lib64    
        ERLCOOKIE_HOME=/nsr/rabbitmq
:::::::
esac

LD_LIBRARY_PATH=${OS_LIBS}:${NSR_LIBS}:$LD_LIBRARY_PATH

2. Restart NetWorker:

systemctl restart networker

root@lnx-nwserv:~# ldd /usr/bin/mail
        linux-vdso.so.1 (0x00007fffb211a000)
        libssl.so.3 => /lib64/libssl.so.3 (0x00007fad91b73000)
        libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007fad91600000)
        libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007fad91b1c000)
        libidn2.so.0 => /lib64/libidn2.so.0 (0x00007fad91afb000)
        libtinfo.so.6 => /lib64/libtinfo.so.6 (0x00007fad91acb000)
        libc.so.6 => /lib64/libc.so.6 (0x00007fad91200000)
        libz.so.1 => /lib64/libz.so.1 (0x00007fad91aaf000)
        libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007fad91525000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007fad91a96000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007fad91a8f000)
        libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007fad91a7e000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007fad91a77000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fad91a61000)
        libunistring.so.2 => /lib64/libunistring.so.2 (0x00007fad9107b000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fad91d2e000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fad91a34000)
        libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007fad91489000)

root@lnx-nwserv:~# nm -D /lib64/libssl.so.3 | egrep -i "SSLv3_" 
root@lnx-nwserv:~#