Date: Mon, 16 Feb 2015 01:02:04 -0300
From: Hugo Osvaldo Barrera
To: freebsd-questions@freebsd.org
Subject: Re: SSL: fatal access denied with opensmtp AND dovecot
Message-ID: <20150216040204.GA11978@athena.barrera.io>
References: <20150216014138.GA3046@athena.barrera.io> <54E15D00.8060303@corp.ssimicro.com>
In-Reply-To: <54E15D00.8060303@corp.ssimicro.com>
User-Agent: Mutt/1.5.23.1-rc1 (2014-03-12)
List-Id: User questions

On 2015-02-15 19:59, markham breitbach wrote:
> Do you have the CA certificates installed? The easiest way is to
> install the port _security/ca_root_nss_. Then it should be
> in /usr/local/share/certs. If you are using self signed certs you will
> need to make sure SSL can find your own CA root certs. There is also an
> option to tell Dovecot to use the certificates, but not validate the
> identity, so it will still encrypt, but is subject to possible MITM attack.
>
> -M
>

I already have ca_root_nss installed:

$ pkg info | grep nss
ca_root_nss-3.17.4_1           Root certificate bundle from the Mozilla Project
openssl-1.0.1_18               SSL and crypto library

Additionally, I'm only using a server certificate. I'm using one signed by
StartSSL; my self-signed signature was to discard anything funny with the
certificates being the issue (though I also discarded that by trying them
elsewhere). I'm *not* using TLS to validate client-side certificates (which
would more obviously require proper CA certificates installed on my side).

Thanks,

> On 2015-02-15 6:41 PM, Hugo Osvaldo Barrera wrote:
> > Hi,
> >
> > I've been tasked with setting up a FreeBSD-based email server, with opensmtpd
> > and dovecot.
> >
> > I've come across an issue with both, giving an error stating "fatal access
> > denied" when attempting to initiate TLS connections.
> >
> > The certificates work fine on a test OpenBSD host, so they're not the issue.
> > I'm amused that both dovecot *and* opensmtpd show an almost identical issue, and
> > suspect that something openssl related might be broken.
> >
> > Dovecot
> > -------
> >
> > ==> /var/log/debug.log <==
> > Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Feb 16 01:33:55 hydrogen dovecot: auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> > Feb 16 01:33:55 hydrogen dovecot: auth: Debug: Wrote new auth token secret to /var/run/dovecot/auth-token-secret.dat
> > Feb 16 01:33:55 hydrogen dovecot: auth: Debug: passwd-file /usr/local/etc/dovecot/users: Read 5 users in 0 secs
> > Feb 16 01:33:55 hydrogen dovecot: auth: Debug: auth client connected (pid=94662)
> > Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [190.210.108.249]
> > Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [190.210.108.249]
> > Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL alert: close notify [190.210.108.249]
> >
> > ==> /var/log/maillog <==
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=561: fatal access denied [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=190.210.108.249, lip=104.236.123.233, TLS, session=
> >
> > Opensmtpd
> > ---------
> >
> > debug: smtp: new client on listener: 0x8024eb000
> > smtp-in: New session 6f9022aa19efcad6 from host athena.barrera.io [190.210.108.249]
> > debug: lka: looking up pki "mail.asteq.com.ar"
> > debug: session_start_ssl: switching to SSL
> > debug: pony: rsae_priv_enc
> > debug: SSL library error: io_dispatch_accept_ssl:SSL_accept: error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
> > smtp-in: Disconnecting session 6f9022aa19efcad6: IO error: error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
> > debug: smtp: 0x802501000: deleting session: IO error
> >
> >
> > Some details:
> >
> > * Certificate file modes can't be an issue because both services start as root.
> >   smtpd actually demands that the files are at most mode 700 and owned by 0:0.
> > * I've checked the certificates and keys and they look fine. I tried another
> >   self-generated pair too.
> > * FreeBSD 10.1-RELEASE-p5.
> > * dovecot2-2.2.15_3 from packages
> > * Tried both opensmtpd-5.4.4,1 and opensmtpd-devel-201502012312.
> > * Certificates were generated with "openssl genrsa -out ssl.key 4096".
> > * The original certificates (I later tried self-signed) were signed by
> >   StartSSL.
> > * Debugging is set to the maximum on both daemons. Dovecot only actually spat
> >   the error after I increased logging verbosity quite a bit.
> >
> > Any hints? Has anyone come across similar issues? Searching online for this
> > issue got me nowhere.
> >
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

-- 
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?
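The two error lines quoted in the thread are the same OpenSSL event seen through two log formats, and both can be decoded mechanically rather than read by eye. The Python below is an added example, not code from the thread or from Dovecot or OpenSMTPD. It decodes Dovecot's "where=0x4004, ret=561" (the "where" flags and packed "ret" value OpenSSL passes to its info callback: alert level in the high byte, alert description in the low byte) and OpenSMTPD's packed "error:14094419" (OpenSSL 1.0.x ERR_PACK layout: 8-bit library, 12-bit function, 12-bit reason, with reasons of 1000+N in the SSL library standing for received TLS alert N). The two sample log lines are constructed to match the format of the ones in the post, with a documentation address substituted; the alert table is the RFC 5246 AlertDescription list.

```python
"""Decode OpenSSL info-callback values and packed error codes found in mail server logs.

Added example. The constants come from OpenSSL's ssl.h / err.h (1.0.x) and
RFC 5246 section 7.2; the sample log lines below are constructed, not captured.
"""
import re

# "where" flags passed to SSL_CTX_set_info_callback (ssl.h).
SSL_CB_LOOP, SSL_CB_EXIT, SSL_CB_READ, SSL_CB_WRITE = 0x01, 0x02, 0x04, 0x08
SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE = 0x10, 0x20
SSL_ST_CONNECT, SSL_ST_ACCEPT, SSL_CB_ALERT = 0x1000, 0x2000, 0x4000

# TLS AlertLevel / AlertDescription values (RFC 5246, section 7.2).
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    100: "no_renegotiation", 110: "unsupported_extension",
}

# OpenSSL 1.0.x: SSL_R_TLSV1_ALERT_* reason codes are SSL_AD_REASON_OFFSET + alert number.
SSL_AD_REASON_OFFSET = 1000
ERR_LIB_SSL = 0x14


def decode_alert(where, ret):
    """Decode a (where, ret) pair the info callback received for an alert event.

    For SSL_CB_ALERT events OpenSSL packs the alert level into the high byte of
    ret and the description into the low byte (this is what
    SSL_alert_type_string_long / SSL_alert_desc_string_long print).
    SSL_CB_READ means the alert came from the peer; SSL_CB_WRITE means we sent it.
    """
    if not where & SSL_CB_ALERT:
        raise ValueError("where=0x%x is not an alert event" % where)
    direction = "received" if where & SSL_CB_READ else "sent"
    level = ALERT_LEVELS.get(ret >> 8, "level %d" % (ret >> 8))
    code = ret & 0xFF
    desc = ALERT_DESCRIPTIONS.get(code, "alert %d" % code)
    return {"direction": direction, "level": level, "description": desc, "code": code}


def decode_dovecot_line(line):
    """Pull where/ret out of a Dovecot 'SSL alert: where=0x..., ret=...' line."""
    m = re.search(r"where=0x([0-9a-fA-F]+),\s*ret=(-?\d+)", line)
    if m is None:
        return None
    return decode_alert(int(m.group(1), 16), int(m.group(2)))


def decode_openssl_error(code):
    """Split a packed OpenSSL 1.0.x error code into library, function and reason.

    ERR_PACK(lib, func, reason) = (lib << 24) | (func << 12) | reason.
    In the SSL library a reason of 1000+N is the 'tlsv1 alert' for TLS alert N,
    i.e. an alert that was read from the peer.
    """
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    result = {"lib": lib, "func": func, "reason": reason, "alert": None}
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        n = reason - SSL_AD_REASON_OFFSET
        result["alert"] = ALERT_DESCRIPTIONS.get(n, "alert %d" % n)
    return result


def decode_opensmtpd_line(line):
    """Find the 'error:XXXXXXXX:' token in an OpenSMTPD SSL library error and decode it."""
    m = re.search(r"error:([0-9a-fA-F]{8}):", line)
    if m is None:
        return None
    return decode_openssl_error(int(m.group(1), 16))


# Constructed sample lines in the shape of the ones posted (documentation IP, not real logs).
DOVECOT_LINE = ("Feb 16 01:33:56 hydrogen dovecot: imap-login: Warning: SSL alert: "
                "where=0x4004, ret=561: fatal access denied [192.0.2.10]")
SMTPD_LINE = ("debug: SSL library error: io_dispatch_accept_ssl:SSL_accept: "
              "error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied")

if __name__ == "__main__":
    print(decode_dovecot_line(DOVECOT_LINE))   # fatal access_denied (49), received
    print(decode_opensmtpd_line(SMTPD_LINE))   # lib 0x14, func 0x94, reason 1049 -> access_denied
```

Both decodes land on the same thing: alert 49 (access_denied) at level fatal, and in both cases the record is the server *reading* the alert (SSL_CB_READ in Dovecot's "where", an SSL3_READ_BYTES "tlsv1 alert" reason in OpenSMTPD). The decision to abort was therefore taken on the client side after the server's handshake messages had gone out, which is the thing to confirm from that client, for example with openssl s_client -connect host:993 (or -starttls smtp against the SMTP listener) run from the same machine the alert came from, before spending more time on the server's CA store.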