SSL: fatal access denied with opensmtp AND dovecot

markham breitbach markhamb at corp.ssimicro.com
Mon Feb 16 03:09:48 UTC 2015


Do you have the CA certificates installed?  The easiest way is to
install the port _security/ca_root_nss_
<http://www.freshports.org/security/ca_root_nss>. Then it should be
in /usr/local/share/certs.  If you are using self-signed certs you will
need to make sure SSL can find your own CA root certs.  There is also an
option to tell Dovecot to use the certificates, but not validate the
identity, so it will still encrypt, but is subject to a possible MITM attack.

-M

On 2015-02-15 6:41 PM, Hugo Osvaldo Barrera wrote:
> Hi,
>
> I've been tasked with setting up a FreeBSD-based email server, with opensmtpd
> and dovecot.
>
> I've come across an issue with both, giving an error stating "fatal access
> denied" when attempting to initiate TLS connections.
>
> The certificates work fine on a test OpenBSD host, so they're not the issue.
> I'm amused that both dovecot *and* opensmtpd show an almost identical issue, and
> suspect that something openssl related might be broken.
>
> Dovecot
> -------
>
> ==> /var/log/debug.log <==
> Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> Feb 16 01:33:55 hydrogen dovecot: auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> Feb 16 01:33:55 hydrogen dovecot: auth: Debug: Wrote new auth token secret to /var/run/dovecot/auth-token-secret.dat
> Feb 16 01:33:55 hydrogen dovecot: auth: Debug: passwd-file /usr/local/etc/dovecot/users: Read 5 users in 0 secs
> Feb 16 01:33:55 hydrogen dovecot: auth: Debug: auth client connected (pid=94662)
> Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [190.210.108.249]
> Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [190.210.108.249]
> Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL alert: close notify [190.210.108.249]
>
> ==> /var/log/maillog <==
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=561: fatal access denied [190.210.108.249]
> Feb 16 01:33:56 hydrogen dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=190.210.108.249, lip=104.236.123.233, TLS, session=<C19llCoPSQC+0mz5>
>
> Opensmtpd
> ---------
>
> debug: smtp: new client on listener: 0x8024eb000
> smtp-in: New session 6f9022aa19efcad6 from host athena.barrera.io [190.210.108.249]
> debug: lka: looking up pki "mail.asteq.com.ar"
> debug: session_start_ssl: switching to SSL
> debug: pony: rsae_priv_enc
> debug: SSL library error: io_dispatch_accept_ssl:SSL_accept: error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
> smtp-in: Disconnecting session 6f9022aa19efcad6: IO error: error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
> debug: smtp: 0x802501000: deleting session: IO error
>
>
> Some details:
>
> * Certificate file modes can't be an issue because both services start as root.
>   smtpd actually demands that the files are at most mode 700 and owned by 0:0.
> * I've checked the certificates and keys and they look fine. I tried another
>   self-generated pair too.
> * FreeBSD 10.1-RELEASE-p5.
> * dovecot2-2.2.15_3 from packages
> * Tried both opensmtpd-5.4.4,1 and opensmtpd-devel-201502012312.
> * Certificates were generated with "openssl genrsa -out ssl.key 4096".
> * The original certificates (I later tried self-signed) were signed by
>   StartSSL.
> * Debugging is set to the maximum on both daemons. Dovecot only actually spat
>   the error after I increased logging verbosity quite a bit.
>
> Any hints? Has anyone come across similar issues? Searching online for this
> issue got me nowhere.
>
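Both daemons report the same TLS alert in two encodings: Dovecot logs OpenSSL's info-callback arguments (where=0x4004, ret=561) and opensmtpd logs a packed OpenSSL error code (error:14094419). As an added illustration that is not part of this thread, the Python below decodes both forms into the alert level and description, assuming OpenSSL 1.0-era error-code packing and the alert numbers from RFC 5246; the SSL_CB_READ bit in Dovecot's "where" value shows the fatal access_denied (49) alert was received from the connecting client, which is why the reply above looks at certificate validation rather than at the server's key files.

```python
import re

# TLS alert descriptions (RFC 5246, section 7.2) that matter for certificate
# and handshake problems; 49 is the one both daemons in the thread report.
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
    42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}

SSL_CB_READ, SSL_CB_ALERT = 0x04, 0x4000  # OpenSSL info-callback bits (ssl.h)
SSL_AD_REASON_OFFSET = 1000               # OpenSSL reason code for alert N is 1000 + N


def decode_dovecot_alert(line):
    """Decode a Dovecot 'SSL alert: where=0x..., ret=...' debug line.

    For SSL_CB_ALERT callbacks OpenSSL packs ret as (level << 8) | description;
    the SSL_CB_READ bit tells whether the alert was received or sent.
    """
    m = re.search(r"where=0x([0-9a-fA-F]+), ret=(-?\d+)", line)
    if not m or not int(m.group(1), 16) & SSL_CB_ALERT:
        return None  # not an alert line (handshake-state lines use 0x2001 etc.)
    where, ret = int(m.group(1), 16), int(m.group(2))
    level, code = ret >> 8, ret & 0xFF
    direction = "received" if where & SSL_CB_READ else "sent"
    return (direction, ALERT_LEVELS.get(level, "unknown"), code,
            ALERT_DESCRIPTIONS.get(code, "unknown"))


def decode_openssl_error(line):
    """Unpack an OpenSSL 1.0-style 'error:LLFFFRRR' code: lib (8 bits, 20 is
    ERR_LIB_SSL), func (12 bits), reason (12 bits). Reasons >= 1000 are peer alerts."""
    m = re.search(r"error:([0-9a-fA-F]{8})", line)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = reason - SSL_AD_REASON_OFFSET if reason >= SSL_AD_REASON_OFFSET else None
    return lib, func, reason, alert, ALERT_DESCRIPTIONS.get(alert, "not an alert")


# The two error lines quoted in the thread above.
DOVECOT_LINE = ("dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=561: "
                "fatal access denied")
SMTPD_LINE = ("debug: SSL library error: io_dispatch_accept_ssl:SSL_accept: "
              "error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied")
```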