From: markham breitbach
Date: Sun, 15 Feb 2015 19:59:12 -0700
To: Hugo Osvaldo Barrera, freebsd-questions@freebsd.org
Subject: Re: SSL: fatal access denied with opensmtp AND dovecot
Message-ID: <54E15D00.8060303@corp.ssimicro.com>
In-Reply-To: <20150216014138.GA3046@athena.barrera.io>

Do you have the CA certificates installed? The easiest way is to install the
port _security/ca_root_nss_. Then it should be in /usr/local/share/certs.

If you are using self-signed certs you will need to make sure SSL can find
your own CA root certs. There is also an option to tell Dovecot to use the
certificates, but not validate the identity, so it will still encrypt, but is
subject to possible MITM attack.

-M

On 2015-02-15 6:41 PM, Hugo Osvaldo Barrera wrote:
> Hi,
>
> I've been tasked with setting up a FreeBSD-based email server, with opensmtpd
> and dovecot.
>
> I've come across an issue with both, giving an error stating "fatal access
> denied" when attempting to initiate a TLS connection.
>
> The certificates work fine on a test OpenBSD host, so they're not the issue.
> I'm amused that both dovecot *and* opensmtpd show an almost identical issue, and
> suspect that something openssl related might be broken.
>
> Dovecot
> -------
>
> ==> /var/log/debug.log <==
> Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Feb 16 01:33:55 hydrogen dovecot: auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> Feb 16 01:33:55 hydrogen dovecot: auth: Debug: Wrote new auth token secret to /var/run/dovecot/auth-token-secret.dat
> Feb 16 01:33:55 hydrogen dovecot: auth: Debug: passwd-file /usr/local/etc/dovecot/users: Read 5 users in 0 secs
> Feb 16 01:33:55 hydrogen dovecot: auth: Debug: auth client connected (pid=94662)
> Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [190.210.108.249]
> Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [190.210.108.249]
> Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL alert: close notify [190.210.108.249]
>
> ==> /var/log/maillog <==
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=561: fatal access denied [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=190.210.108.249, lip=104.236.123.233, TLS, session=
>
> Opensmtpd
> ---------
>
> debug: smtp: new client on listener: 0x8024eb000
> smtp-in: New session 6f9022aa19efcad6 from host athena.barrera.io [190.210.108.249]
> debug: lka: looking up pki "mail.asteq.com.ar"
> debug: session_start_ssl: switching to SSL
> debug: pony: rsae_priv_enc
> debug: SSL library error: io_dispatch_accept_ssl:SSL_accept: error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
> smtp-in: Disconnecting session 6f9022aa19efcad6: IO error: error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
> debug: smtp: 0x802501000: deleting session: IO error
>
>
> Some details:
>
> * Certificate file modes can't be an issue because both services start as root.
>   smtpd actually demands that the files are at most mode 700 and owned by 0:0.
> * I've checked the certificates and keys and they look fine. I tried another
>   self-generated pair too.
> * FreeBSD 10.1-RELEASE-p5.
> * dovecot2-2.2.15_3 from packages
> * Tried both opensmtpd-5.4.4,1 and opensmtpd-devel-201502012312.
> * Certificates were generated with "openssl genrsa -out ssl.key 4096".
> * The original certificates (I later tried self-signed) were signed by
>   StartSSL.
> * Debugging is set to the maximum on both daemons. Dovecot only actually spat
>   the error after I increased logging verbosity quite a bit.
>
> Any hints? Has anyone come across similar issues? Searching online for this
> issue got me nowhere.
>
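As an added worked example (not code from either poster), the decoder below unpacks the two differently formatted errors in the quoted logs: Dovecot's raw OpenSSL info-callback pair "where=0x4004, ret=561" and OpenSMTPD's packed OpenSSL error code "14094419". Both resolve to the same TLS alert, access_denied (49), received from the client, which is what points at certificate validation on the client side rather than at the key files; the flag and offset constants are the pre-3.0 OpenSSL values and the sample lines are copied from the thread.

```python
import re

# OpenSSL info-callback flags (openssl/ssl.h); Dovecot logs the raw (where, ret) pair it gets.
SSL_CB_READ, SSL_CB_ALERT = 0x04, 0x4000
ERR_LIB_SSL, SSL_AD_REASON_OFFSET = 20, 1000   # from openssl/err.h and openssl/ssl.h

ALERT_LEVELS = {1: "warning", 2: "fatal"}
# TLS alert descriptions (RFC 5246, 7.2) a peer sends when it rejects a certificate.
ALERT_DESCS = {0: "close_notify", 42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca", 49: "access_denied"}

DOVECOT_RE = re.compile(r"SSL(?: alert)?: where=0x([0-9a-fA-F]+), ret=(-?\d+)")
OPENSSL_RE = re.compile(r"error:([0-9a-fA-F]{8}):")

def decode_info_callback(where, ret):
    """Decode Dovecot's 'where=..., ret=...' pair; for alerts ret = (level << 8) | description."""
    if not where & SSL_CB_ALERT:
        return {"kind": "state"}          # handshake progress line, not an alert
    level, desc = ret >> 8, ret & 0xFF
    return {"kind": "alert", "direction": "received" if where & SSL_CB_READ else "sent",
            "level": ALERT_LEVELS.get(level, str(level)), "code": desc,
            "description": ALERT_DESCS.get(desc, str(desc))}

def decode_openssl_error(code):
    """Unpack a pre-3.0 OpenSSL error code, ERR_PACK(lib, func, reason), as OpenSMTPD prints it."""
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    out = {"lib": lib, "func": func, "reason": reason}
    # SSL_R_TLSV1_ALERT_* reasons are SSL_AD_REASON_OFFSET + the TLS alert description received.
    if lib == ERR_LIB_SSL and SSL_AD_REASON_OFFSET <= reason < SSL_AD_REASON_OFFSET + 256:
        out["code"] = reason - SSL_AD_REASON_OFFSET
        out["description"] = ALERT_DESCS.get(out["code"], str(out["code"]))
    return out

def alert_in_line(line):
    """Return the TLS alert description carried by a Dovecot or OpenSMTPD log line, else None."""
    m = DOVECOT_RE.search(line)
    if m:
        info = decode_info_callback(int(m.group(1), 16), int(m.group(2)))
        return info["description"] if info["kind"] == "alert" else None
    m = OPENSSL_RE.search(line)
    return decode_openssl_error(int(m.group(1), 16)).get("description") if m else None

# Sample lines copied from the quoted logs in this thread (quoted-printable decoded).
SAMPLE_LINES = [
    "Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [190.210.108.249]",
    "Feb 16 01:33:56 hydrogen dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=561: fatal access denied [190.210.108.249]",
    "debug: SSL library error: io_dispatch_accept_ssl:SSL_accept: error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied",
]
```

Running alert_in_line over SAMPLE_LINES yields None for the handshake progress line and access_denied for both daemons' error lines.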