Date:      Mon, 16 Feb 2015 01:02:04 -0300
From:      Hugo Osvaldo Barrera <hugo@barrera.io>
To:        freebsd-questions@freebsd.org
Subject:   Re: SSL: fatal access denied with opensmtp AND dovecot
Message-ID:  <20150216040204.GA11978@athena.barrera.io>
In-Reply-To: <54E15D00.8060303@corp.ssimicro.com>
References:  <20150216014138.GA3046@athena.barrera.io> <54E15D00.8060303@corp.ssimicro.com>



On 2015-02-15 19:59, markham breitbach wrote:
> Do you have the CA certificates installed?  The easiest way is to
> install the port _security/ca_root_nss_
> <http://www.freshports.org/security/ca_root_nss>. Then it should be
> in /usr/local/share/certs.  If you are using self signed certs you will
> need to make sure SSL can find your own CA root certs.  There is also an
> option to tell Dovecot to use the certificates, but not validate the
> identity, so it will still encrypt, but is subject to possible MITM attack.
>
> -M
>

I already have ca_root_nss installed:

    $ pkg info | grep nss
    ca_root_nss-3.17.4_1           Root certificate bundle from the Mozilla Project
    openssl-1.0.1_18               SSL and crypto library

Additionally, I'm only using a server certificate. I'm using one signed by
StartSSL; my self-signed signature was to discard anything funny with the
certificates being the issue (though I also discarded that by trying them
elsewhere). I'm *not* using TLS to validate client-side certificates (which
would more obviously require proper CA certificates installed on my side).

Thanks,

> On 2015-02-15 6:41 PM, Hugo Osvaldo Barrera wrote:
> > Hi,
> >
> > I've been tasked with setting up a FreeBSD-based email server, with opensmtpd
> > and dovecot.
> >
> > I've come across an issue with both, giving an error stating "fatal access
> > denied" when attempting to initiate a TLS connection.
> >
> > The certificates work fine on a test OpenBSD host, so they're not the issue.
> > I'm amused that both dovecot *and* opensmtpd show an almost identical issue, and
> > suspect that something openssl related might be broken.
> >
> > Dovecot
> > -------
> >
> > ==> /var/log/debug.log <==
> > Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Feb 16 01:33:55 hydrogen dovecot: auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> > Feb 16 01:33:55 hydrogen dovecot: auth: Debug: Wrote new auth token secret to /var/run/dovecot/auth-token-secret.dat
> > Feb 16 01:33:55 hydrogen dovecot: auth: Debug: passwd-file /usr/local/etc/dovecot/users: Read 5 users in 0 secs
> > Feb 16 01:33:55 hydrogen dovecot: auth: Debug: auth client connected (pid=94662)
> > Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [190.210.108.249]
> > Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [190.210.108.249]
> > Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL alert: close notify [190.210.108.249]
> >
> > ==> /var/log/maillog <==
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=561: fatal access denied [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=190.210.108.249, lip=104.236.123.233, TLS, session=<C19llCoPSQC+0mz5>
> >
> > Opensmtpd
> > ---------
> >
> > debug: smtp: new client on listener: 0x8024eb000
> > smtp-in: New session 6f9022aa19efcad6 from host athena.barrera.io [190.210.108.249]
> > debug: lka: looking up pki "mail.asteq.com.ar"
> > debug: session_start_ssl: switching to SSL
> > debug: pony: rsae_priv_enc
> > debug: SSL library error: io_dispatch_accept_ssl:SSL_accept: error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
> > smtp-in: Disconnecting session 6f9022aa19efcad6: IO error: error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
> > debug: smtp: 0x802501000: deleting session: IO error
> >
> >
> > Some details:
> >
> > * Certificate file modes can't be an issue because both services start as root.
> >   smtpd actually demands that the files are at most mode 700 and owned by 0:0.
> > * I've checked the certificates and keys and they look fine. I tried another
> >   self-generated pair too.
> > * FreeBSD 10.1-RELEASE-p5.
> > * dovecot2-2.2.15_3 from packages
> > * Tried both opensmtpd-5.4.4,1 and opensmtpd-devel-201502012312.
> > * Certificates were generated with "openssl genrsa -out ssl.key 4096".
> > * The original certificates (I later tried self-signed) were signed by
> >   StartSSL.
> > * Debugging is set to the maximum on both daemons. Dovecot only actually spat
> >   the error after I increased logging verbosity quite a bit.
> >
> > Any hints? Has anyone come across similar issues? Searching online for this
> > issue got me nowhere.
> >

-- 
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?
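An added example, not part of the thread or of either project: a small Python decoder for the two log formats quoted above, Dovecot's OpenSSL info-callback `where`/`ret` values and OpenSMTPD's packed `error:14094419` code. Both decode to the same fact, which is the useful diagnostic here: the fatal access_denied alert (TLS alert 49) was read from the peer after the handshake had already completed, so it is the client that aborted the session, not the server. The `SSL_CB_*` bits, the 1000 reason offset and library number 20 are taken from OpenSSL 1.0.x `ssl.h`/`err.h`; the sample lines are copied from the logs above with the quoted-printable encoding removed.

```python
import re

# OpenSSL info-callback "where" bits (ssl.h) and TLS alert codes (RFC 5246).
SSL_CB_READ, SSL_CB_ALERT = 0x04, 0x4000
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
    48: "unknown_ca", 49: "access_denied", 51: "decrypt_error", 70: "protocol_version",
    80: "internal_error", 112: "unrecognized_name",
}
# OpenSSL 1.0.x reports a received TLS alert N as reason 1000 + N (SSL_AD_REASON_OFFSET).
SSL_AD_REASON_OFFSET, ERR_LIB_SSL = 1000, 20  # ERR_LIB_SSL: "SSL routines" is library 20

# Sample lines copied from the thread's logs (quoted-printable already decoded).
DOVECOT_LINE = ("Feb 16 01:33:56 hydrogen dovecot: imap-login: Warning: SSL alert: "
                "where=0x4004, ret=561: fatal access denied [190.210.108.249]")
SMTPD_LINE = ("debug: SSL library error: io_dispatch_accept_ssl:SSL_accept: "
              "error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied")

def decode_dovecot_alert(line):
    """Decode Dovecot's 'SSL alert: where=..., ret=...' info-callback line.
    For alerts, ret is (level << 8) | description; SSL_CB_READ set in 'where'
    means the alert was received from the peer, otherwise we sent it."""
    m = re.search(r"where=(0x[0-9a-fA-F]+), ret=(-?\d+)", line)
    if not m:
        return None
    where, ret = int(m.group(1), 16), int(m.group(2))
    if not where & SSL_CB_ALERT:
        return None  # a handshake-state line, not an alert
    level, code = ret >> 8, ret & 0xFF
    return {"direction": "received" if where & SSL_CB_READ else "sent",
            "level": ALERT_LEVELS.get(level, str(level)),
            "alert": code, "name": ALERT_DESCRIPTIONS.get(code, "unknown")}

def decode_openssl_error(line):
    """Split OpenSSL's packed 'error:LLFFFRRR' into library, function, reason,
    and recover the TLS alert number when the reason is a peer alert
    (reason = 1000 + alert), which is what SSL3_READ_BYTES reports."""
    m = re.search(r"error:([0-9A-Fa-f]{8})", line)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return {"lib": lib, "func": func, "reason": reason, "alert": alert,
            "name": ALERT_DESCRIPTIONS.get(alert, "unknown")}
```

Because both daemons report the alert as read from the peer, the place to look is what the connecting client objects to in the served certificate chain, not the CA bundle on the server.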
