SSL: fatal access denied with opensmtp AND dovecot

Hugo Osvaldo Barrera hugo at barrera.io
Mon Feb 16 04:01:57 UTC 2015


On 2015-02-15 19:59, markham breitbach wrote:
> Do you have the CA certificates installed?  The easiest way is to
> install the port _security/ca_root_nss_
> <http://www.freshports.org/security/ca_root_nss>. Then it should be
> in /usr/local/share/certs.  If you are using self signed certs you will
> need to make sure SSL can find your own CA root certs.  There is also an
> option to tell Dovecot to use the certificates, but not validate the
> identity, so it will still encrypt, but is subject to possible MITM attack.
> 
> -M
> 

I already have ca_root_nss installed:

    $ pkg info | grep nss
    ca_root_nss-3.17.4_1           Root certificate bundle from the Mozilla Project
    openssl-1.0.1_18               SSL and crypto library

Additionally, I'm only using a server certificate. I'm using one signed by
StartSSL, my self-signed signature was to discard anything funny with the
certificates being the issue (though I also discarded that by trying them
elsewhere). I'm *not* using TLS to validate client-side certificates (which
would more obviously require proper CA certificates installed on my side).

Thanks,

> On 2015-02-15 6:41 PM, Hugo Osvaldo Barrera wrote:
> > Hi,
> >
> > I've been tasked with setting up a FreeBSD-based email server, with opensmtpd
> > and dovecot.
> >
> > I've come across an issue with both, giving an error stating "fatal access
> > denied" when attempting to initiate a TLS connection.
> >
> > The certificates work fine on a test OpenBSD host, so they're not the issue.
> > I'm amused that both dovecot *and* opensmtpd show an almost identical issue, and
> > suspect that something openssl related might be broken.
> >
> > Dovecot
> > -------
> >
> > ==> /var/log/debug.log <==
> > Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
> > Feb 16 01:33:55 hydrogen dovecot: auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
> > Feb 16 01:33:55 hydrogen dovecot: auth: Debug: Wrote new auth token secret to /var/run/dovecot/auth-token-secret.dat
> > Feb 16 01:33:55 hydrogen dovecot: auth: Debug: passwd-file /usr/local/etc/dovecot/users: Read 5 users in 0 secs
> > Feb 16 01:33:55 hydrogen dovecot: auth: Debug: auth client connected (pid=94662)
> > Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [190.210.108.249]
> > Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [190.210.108.249]
> > Feb 16 01:33:55 hydrogen dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Debug: SSL alert: close notify [190.210.108.249]
> >
> > ==> /var/log/maillog <==
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=561: fatal access denied [190.210.108.249]
> > Feb 16 01:33:56 hydrogen dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=190.210.108.249, lip=104.236.123.233, TLS, session=<C19llCoPSQC+0mz5>
> >
> > Opensmtpd
> > ---------
> >
> > debug: smtp: new client on listener: 0x8024eb000
> > smtp-in: New session 6f9022aa19efcad6 from host athena.barrera.io [190.210.108.249]
> > debug: lka: looking up pki "mail.asteq.com.ar"
> > debug: session_start_ssl: switching to SSL
> > debug: pony: rsae_priv_enc
> > debug: SSL library error: io_dispatch_accept_ssl:SSL_accept: error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
> > smtp-in: Disconnecting session 6f9022aa19efcad6: IO error: error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
> > debug: smtp: 0x802501000: deleting session: IO error
> >
> >
> > Some details:
> >
> > * Certificate file modes can't be an issue because both services start as root.
> >   smtpd actually demands that the files are at most mode 700 and owned by 0:0.
> > * I've checked the certificates and keys and they look fine. I tried another
> >   self-generated pair too.
> > * FreeBSD 10.1-RELEASE-p5.
> > * dovecot2-2.2.15_3 from packages
> > * Tried both opensmtpd-5.4.4,1 and opensmtpd-devel-201502012312.
> > * Certificates were generated with "openssl genrsa -out ssl.key 4096".
> > * The original certificates (I later tried self-signed) were signed by
> >   StartSSL.
> > * Debugging is set to the maximum on both daemons. Dovecot only actually spat
> >   the error after I increased logging verbosity quite a bit.
> >
> > Any hints? Has anyone come across similar issues? Searching online for this
> > issue got me nowhere.
> >
> 

-- 
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?
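Both daemons above are reporting the same TLS event through different OpenSSL interfaces. As an added example (not part of the thread), decoding the two quoted log lines with the flag and offset constants from OpenSSL's ssl.h shows that in each case the remote client sent a fatal access_denied alert (alert 49) after the handshake had completed: Dovecot's where=0x4004 is SSL_CB_ALERT|SSL_CB_READ, and OpenSMTPD's reason code 0x419 is 1000 + 49. The alert was received from the peer rather than raised locally, which points the diagnosis at the connecting client's decision rather than at the server's key files.

```python
import re

# TLS alert descriptions from RFC 5246 section 7.2 (a subset sufficient for these logs).
TLS_ALERTS = {
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 48: "unknown_ca", 49: "access_denied", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
}

# OpenSSL info-callback flags (ssl.h): an alert event, and whether it was read from
# the peer (SSL_CB_READ) or written by us. Dovecot logs the raw 'where' and 'ret'.
SSL_CB_READ, SSL_CB_ALERT = 0x0004, 0x4000
# OpenSSL reports a received alert N as reason code 1000 + N (SSL_AD_REASON_OFFSET).
SSL_AD_REASON_OFFSET = 1000
ERR_LIB_SSL = 20

def decode_dovecot_alert(where: int, ret: int):
    """For alert callbacks 'ret' packs (level << 8) | description. Returns None for
    handshake-state lines such as where=0x2001, which carry no alert."""
    if not where & SSL_CB_ALERT:
        return None
    level, desc = ret >> 8, ret & 0xFF
    return {"direction": "received" if where & SSL_CB_READ else "sent",
            "level": "fatal" if level == 2 else "warning",
            "alert": TLS_ALERTS.get(desc, f"alert_{desc}"), "code": desc}

def decode_openssl_error(code: int) -> dict:
    """Split an OpenSSL 1.0.x packed error code into lib:func:reason. Reason codes
    at or above 1000 in the SSL library denote a TLS alert received from the peer."""
    out = {"lib": (code >> 24) & 0xFF, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF}
    if out["lib"] == ERR_LIB_SSL and out["reason"] >= SSL_AD_REASON_OFFSET:
        desc = out["reason"] - SSL_AD_REASON_OFFSET
        out.update(alert=TLS_ALERTS.get(desc, f"alert_{desc}"), code=desc)
    return out

DOVECOT_RE = re.compile(r"where=0x([0-9a-fA-F]+), ret=(-?\d+)")
OPENSSL_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")

def explain(line: str):
    """Decode either log format; returns None for lines that contain no alert."""
    if m := DOVECOT_RE.search(line):
        return decode_dovecot_alert(int(m.group(1), 16), int(m.group(2)))
    if m := OPENSSL_RE.search(line):
        return decode_openssl_error(int(m.group(1), 16))
    return None

# The two lines quoted in the thread (copied from the page, not constructed).
DOVECOT_LINE = "dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=561: fatal access denied"
SMTPD_LINE = ("debug: SSL library error: io_dispatch_accept_ssl:SSL_accept: "
              "error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied")
```

Running explain() over both lines yields alert 49 (access_denied), level fatal, direction received.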