Date: Sun, 15 Feb 2015 22:41:38 -0300
From: Hugo Osvaldo Barrera <hugo@barrera.io>
To: freebsd-questions@freebsd.org
Subject: SSL: fatal access denied with opensmtp AND dovecot
Message-ID: <20150216014138.GA3046@athena.barrera.io>
Hi,

I've been tasked with setting up a FreeBSD-based email server, with opensmtpd and dovecot.

I've come across an issue with both, giving an error stating "fatal access denied" when attempting to initiate TLS connections. The certificates work fine on a test OpenBSD host, so they're not the issue.

I'm amused that both dovecot *and* opensmtpd show an almost identical issue, and suspect that something openssl related might be broken.

Dovecot
-------

==> /var/log/debug.log <==
Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Feb 16 01:33:55 hydrogen dovecot: auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Feb 16 01:33:55 hydrogen dovecot: auth: Debug: Wrote new auth token secret to /var/run/dovecot/auth-token-secret.dat
Feb 16 01:33:55 hydrogen dovecot: auth: Debug: passwd-file /usr/local/etc/dovecot/users: Read 5 users in 0 secs
Feb 16 01:33:55 hydrogen dovecot: auth: Debug: auth client connected (pid=94662)
Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [190.210.108.249]
Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [190.210.108.249]
Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL alert: close notify [190.210.108.249]

==> /var/log/maillog <==
Feb 16 01:33:56 hydrogen dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=561: fatal access denied [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=190.210.108.249, lip=104.236.123.233, TLS, session=<C19llCoPSQC+0mz5>

Opensmtpd
---------

debug: smtp: new client on listener: 0x8024eb000
smtp-in: New session 6f9022aa19efcad6 from host athena.barrera.io [190.210.108.249]
debug: lka: looking up pki "mail.asteq.com.ar"
debug: session_start_ssl: switching to SSL
debug: pony: rsae_priv_enc
debug: SSL library error: io_dispatch_accept_ssl:SSL_accept: error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
smtp-in: Disconnecting session 6f9022aa19efcad6: IO error: error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
debug: smtp: 0x802501000: deleting session: IO error

Some details:

* Certificate file modes can't be an issue because both services start as root. smtpd actually demands that the files are at most mode 700 and owned by 0:0.
* I've checked the certificates and keys and they look fine. I tried another self-generated pair too.
* FreeBSD 10.1-RELEASE-p5.
* dovecot2-2.2.15_3 from packages
* Tried both opensmtpd-5.4.4,1 and opensmtpd-devel-201502012312.
* Certificates were generated with "openssl genrsa -out ssl.key 4096".
* The original certificates (I later tried self-signed) were signed by StartSSL.
* Debugging is set to the maximum on both daemons. Dovecot only actually spat the error after I increased logging verbosity quite a bit.

Any hints? Has anyone come across similar issues? Searching online for this issue got me nowhere.

-- 
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?
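Added example (my own, not part of the message above nor of dovecot or OpenSMTPD): a Python decoder for the two numeric forms in which the logs above report the same event, dovecot's OpenSSL info-callback fields `where=0x4004, ret=561` and OpenSMTPD's packed OpenSSL error code `14094419`. The callback flag values, the lib/func/reason packing and the 1000-offset alert reason encoding are those of OpenSSL 1.0.x (the version in use on FreeBSD 10.1); the alert-name table is a subset of RFC 5246, and the sample lines are copied from the report.

```python
import re

# TLS alert descriptions (RFC 5246, section 7.2); a subset common in server logs.
TLS_ALERTS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
              40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
              48: "unknown_ca", 49: "access_denied", 51: "decrypt_error",
              70: "protocol_version", 80: "internal_error"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# OpenSSL 1.0.x info-callback flags, as shown in dovecot's "where=" field.
SSL_CB_READ, SSL_CB_HANDSHAKE_DONE, SSL_CB_ALERT = 0x04, 0x20, 0x4000
# OpenSSL reports a TLS alert received from the peer as reason 1000 + description.
ERR_LIB_SSL, SSL_AD_REASON_OFFSET, SSL_FUNCS = 20, 1000, {148: "SSL3_READ_BYTES"}
WHERE_RE = re.compile(r"where=0x([0-9a-fA-F]+), ret=(-?\d+)")

def decode_dovecot_alert(line):
    """Decode 'where=0x4004, ret=561' into direction, level and alert name."""
    m = WHERE_RE.search(line)
    if not m or not int(m.group(1), 16) & SSL_CB_ALERT:
        return None
    where, ret = int(m.group(1), 16), int(m.group(2))
    # ret packs the alert as (level << 8) | description; CB_READ means the peer sent it.
    return {"direction": "received" if where & SSL_CB_READ else "sent",
            "level": ALERT_LEVELS.get(ret >> 8, "?"), "code": ret & 0xff,
            "alert": TLS_ALERTS.get(ret & 0xff, "unknown")}

def decode_openssl_error(line):
    """Decode a packed OpenSSL 1.0.x code such as error:14094419 from a log line."""
    m = re.search(r"error:([0-9A-Fa-f]{8}):", line)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xfff, code & 0xfff
    out = {"lib": lib, "func": SSL_FUNCS.get(func, str(func)), "reason": reason}
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        out["code"] = reason - SSL_AD_REASON_OFFSET  # alert number the peer sent
        out["alert"] = TLS_ALERTS.get(out["code"], "unknown")
        out["direction"] = "received"
    return out

def handshake_completed(lines):
    """True if dovecot logged SSL_CB_HANDSHAKE_DONE (where=0x20) for the session."""
    return any(m and int(m.group(1), 16) & SSL_CB_HANDSHAKE_DONE
               for m in map(WHERE_RE.search, lines))

# Log lines copied from the report above (dovecot debug.log/maillog, smtpd debug).
DOVECOT_LOG = [
    "Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [190.210.108.249]",
    "Feb 16 01:33:56 hydrogen dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=561: fatal access denied [190.210.108.249]",
]
SMTPD_LINE = ("debug: SSL library error: io_dispatch_accept_ssl:SSL_accept: "
              "error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied")
```

Both lines decode to the same thing: a fatal alert 49 (access_denied) read from the peer, in dovecot's case after SSL_CB_HANDSHAKE_DONE, so the decision to abort was taken on the client side after the server's handshake had completed.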