From: Hugo Osvaldo Barrera
To: freebsd-questions@freebsd.org
Subject: SSL: fatal access denied with opensmtp AND dovecot
Date: Sun, 15 Feb 2015 22:41:38 -0300
Message-ID: <20150216014138.GA3046@athena.barrera.io>

Hi,

I've been tasked with setting up a FreeBSD-based email server, with opensmtpd and dovecot. I've come across an issue with both, giving an error stating "fatal access denied" when attempting to initiate TLS connections. The certificates work fine on a test OpenBSD host, so they're not the issue.

I'm amused that both dovecot *and* opensmtpd show an almost identical issue, and suspect that something openssl-related might be broken.
Dovecot
-------

==> /var/log/debug.log <==
Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Feb 16 01:33:55 hydrogen dovecot: auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Feb 16 01:33:55 hydrogen dovecot: auth: Debug: Wrote new auth token secret to /var/run/dovecot/auth-token-secret.dat
Feb 16 01:33:55 hydrogen dovecot: auth: Debug: passwd-file /usr/local/etc/dovecot/users: Read 5 users in 0 secs
Feb 16 01:33:55 hydrogen dovecot: auth: Debug: auth client connected (pid=94662)
Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [190.210.108.249]
Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [190.210.108.249]
Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL alert: close notify [190.210.108.249]

==> /var/log/maillog <==
Feb 16 01:33:56 hydrogen dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=561: fatal access denied [190.210.108.249]
Feb 16 01:33:56 hydrogen dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=190.210.108.249, lip=104.236.123.233, TLS, session=

Opensmtpd
---------

debug: smtp: new client on listener: 0x8024eb000
smtp-in: New session 6f9022aa19efcad6 from host athena.barrera.io [190.210.108.249]
debug: lka: looking up pki "mail.asteq.com.ar"
debug: session_start_ssl: switching to SSL
debug: pony: rsae_priv_enc
debug: SSL library error: io_dispatch_accept_ssl:SSL_accept: error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
smtp-in: Disconnecting session 6f9022aa19efcad6: IO error: error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
debug: smtp: 0x802501000: deleting session: IO error

Some details:

* Certificate file modes can't be an issue because both services start as root. smtpd actually demands that the files are at most mode 700 and owned by 0:0.
* I've checked the certificates and keys and they look fine. I tried another self-generated pair too.
* FreeBSD 10.1-RELEASE-p5.
* dovecot2-2.2.15_3 from packages
* Tried both opensmtpd-5.4.4,1 and opensmtpd-devel-201502012312.
* Certificates were generated with "openssl genrsa -out ssl.key 4096".
* The original certificates (I later tried self-signed) were signed by StartSSL.
* Debugging is set to the maximum on both daemons. Dovecot only actually spat the error after I increased logging verbosity quite a bit.

Any hints? Has anyone come across similar issues? Searching online for this issue got me nowhere.

-- 
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?
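As an added illustration (not part of the post or of either project's code), a small Python decoder for the two error encodings quoted above: Dovecot's `where`/`ret` pair, which it logs straight from OpenSSL's info callback, and the packed OpenSSL error code in the opensmtpd log. The flag values, library id and alert-reason offset are assumed from `<openssl/ssl.h>`; the sample lines are copied from the post.

```python
import re

# TLS alert descriptions from RFC 5246 section 7.2.2 (subset; 49 is the one in this thread)
TLS_ALERTS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
              40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
              44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
              47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied", 50: "decode_error",
              51: "decrypt_error", 70: "protocol_version", 71: "insufficient_security", 80: "internal_error"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Assumed from <openssl/ssl.h>: info-callback "where" bits, the SSL library id, and
# the offset OpenSSL adds to a received alert number to form its reason code.
SSL_CB_READ, SSL_CB_ALERT = 0x04, 0x4000
ERR_LIB_SSL, SSL_AD_REASON_OFFSET = 20, 1000

# Sample lines copied from the post above
SAMPLE_DOVECOT = ("Feb 16 01:33:56 hydrogen dovecot: imap-login: Warning: SSL alert: "
                  "where=0x4004, ret=561: fatal access denied [190.210.108.249]")
SAMPLE_SMTPD = ("smtp-in: Disconnecting session 6f9022aa19efcad6: IO error: "
                "error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied")
DOVECOT_RE = re.compile(r"SSL alert: where=0x([0-9a-fA-F]+), ret=(\d+): .*? \[([\d.]+)\]")
OPENSSL_ERR_RE = re.compile(r"error:([0-9a-fA-F]{8}):")


def decode_dovecot_alert(line):
    """Decode Dovecot's 'SSL alert: where=..., ret=...' warning: ret packs the alert as
    (level << 8) | description, and SSL_CB_READ in where means the peer sent it."""
    m = DOVECOT_RE.search(line)
    if not m:
        return None
    where, ret = int(m.group(1), 16), int(m.group(2))
    if not where & SSL_CB_ALERT:
        return None
    level, desc = ret >> 8, ret & 0xFF
    return {"direction": "received" if where & SSL_CB_READ else "sent",
            "level": ALERT_LEVELS.get(level, str(level)), "alert": desc,
            "name": TLS_ALERTS.get(desc, "unknown"), "peer": m.group(3)}


def decode_openssl_error(line):
    """Split a packed OpenSSL 1.x error code (LLFFFRRR hex: library, function, reason)
    and, when the reason encodes a received TLS alert, recover the alert number."""
    m = OPENSSL_ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    out = {"lib": lib, "func": func, "reason": reason, "alert": None, "name": None}
    if lib == ERR_LIB_SSL and SSL_AD_REASON_OFFSET <= reason < SSL_AD_REASON_OFFSET + 256:
        out["alert"] = reason - SSL_AD_REASON_OFFSET
        out["name"] = TLS_ALERTS.get(out["alert"], "unknown")
    return out
```

Both lines decode to the same thing: a fatal access_denied (49) alert that was read from the peer, so the connecting client is the side rejecting this server's handshake, which is where to look next.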