BUG: _presence_ of valid openssl.cnf Option = 'ServerPreference' causes Dovecot submission relay FAIL: "failed: Failed to initialize SSL: ..."
I've
dovecot --version
	2.3.10.1 (a3d0e1171)
openssl version
	OpenSSL 1.1.1g FIPS  21 Apr 2020, atm on Fedora32.
I configure
/etc/pki/tls/openssl.cnf to set preferences for apps' usage, e.g. Postfix etc. Typically, here
cat /etc/pki/tls/openssl.cnf
	openssl_conf = default_conf
	[default_conf]
	ssl_conf = ssl_sect
	[ssl_sect]
	system_default = system_default_sect
	[system_default_sect]
	MinProtocol = TLSv1.2
	Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
	CipherString = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
	Options = PrioritizeChaCha,ServerPreference
However, any/all sends from local client via Dovecot submission -- from an instance on the same server -- FAIL with that^^ openssl.cnf,
==> /var/log/dovecot/dovecot.log <==
	...
	2020-08-24 17:04:42 submission(testuser@example.com)<D4c5c6itUg2sHgsH>: Error: smtp-client: conn int.mx.example.net:465 (10.0.4.65:465) [1]: connect(int.mx.example.net:465) failed: Failed to initialize SSL: Couldn't initialize SSL context: Can't load SSL certificate: error:14187180:SSL routines:ssl_do_config:bad value: section=system_default, cmd=Options, arg=ServerPreference,PrioritizeChaCha
	2020-08-24 17:04:42 submission(testuser@example.com)<D4c5c6itUg2sHgsH>: Error: Failed to establish relay connection: Failed to connect to remote server
	...
editing,
	- Options = PrioritizeChaCha,ServerPreference
	+ Options = PrioritizeChaCha
cures the error
==> /var/log/dovecot/dovecot.log <==
	...
	2020-08-24 17:08:04 submission(testuser@example.com)<Uow+f6itZg2sHgsH>: Info: Successfully relayed message: from=<testuser@example.com>, size=433, id=Mh4pJWRWRF9jHQAAVDn7pA, nrcpt=1, reply=`250 2.0.0 Ok: queued as 4Bb8TJ4VQbz7v6t'
	...
checking ssl docs
https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html
BOTH are valid 'Options',
...
ServerPreference: use server and not client preference order when determining which cipher suite, signature algorithm or elliptic curve to use for an incoming connection. Equivalent to SSL_OP_CIPHER_SERVER_PREFERENCE. Only used by servers.
PrioritizeChaCha: prioritizes ChaCha ciphers when the client has a ChaCha20 cipher at the top of its preference list. This usually indicates a mobile client is in use. Equivalent to SSL_OP_PRIORITIZE_CHACHA. Only used by servers.
...
The mere presence of that option in a system-wide openssl.cnf shouldn't cause a Dovecot submission failure.
bump
On 22/09/2020 20:05 PGNet Dev <pgnet.dev@gmail.com> wrote:
bump
Well, dovecot does not actually do any parsing for system-wide openssl.cnf. This sounds more like OpenSSL issue than dovecot issue.
Aki
On 9/22/20 10:51 AM, Aki Tuomi wrote:
Well, dovecot does not actually do any parsing for system-wide openssl.cnf. This sounds more like OpenSSL issue than dovecot issue.
I've NO issue with that config/setting with any _other_ app -- whether in general openssl-lib-linked usage, or specifically for a mail submitter (e.g., postfix). The ServerPreference setting is seen/respected/utilized as intended.
It's ONLY Dovecot that's reproducibly firing the error, as reported above.
It's also NOT a generalized openssl problem "with" Dovecot -- all (well, so far ...) _other_ crypto-/openssl-related capabilities in Dovecot are behaving normally.
On 22/09/2020 21:00 PGNet Dev <pgnet.dev@gmail.com> wrote:
Ok.. I can give it a quick try to see if I can reproduce this issue.
Aki
On 22/09/2020 21:00 PGNet Dev <pgnet.dev@gmail.com> wrote:
Hi!
I tried to reproduce this with the config you provided. I made sure openssl uses the configuration, but alas, it works just fine for me.
Aki
On 9/23/20 2:14 AM, Aki Tuomi wrote:
I tried to reproduce this with the config you provided. I made sure openssl uses the configuration, but alas, it works just fine for me.
ugh.
well, good to know.
with my full-blown configs, it's definitely reproducible here.
I'll see if I can reduce this to a simple demonstrator ...
On 9/23/20 7:27 AM, PGNet Dev wrote:
I'll see if I can reduce this to a simple demonstrator ...
well, i can confirm that a CLEAN, minimal install works OK with the /etc/pki/tls/openssl.cnf spec'd above
but my full/production instance FAILs. :-/ still, only on/with Dovecot submission.
on a clean Fedora 32 "Server Edition" net-iso install
dnf install \
dovecot \
msmtp
mkdir -p /home/Maildir
/usr/libexec/dovecot/mkcert.sh
tree /etc/pki/dovecot/
	/etc/pki/dovecot/
		├── certs
		│   └── dovecot.pem
		├── dovecot-openssl.cnf
		└── private
			└── dovecot.pem
cat /etc/dovecot/local.conf
	auth_verbose           = yes
	auth_debug             = yes
	mail_debug             = yes
	verbose_proctitle      = yes
	verbose_ssl            = yes
	mail_location = maildir:/home/Maildir/Maildir
	protocols = submission
	protocol submission {
		ssl_verify_client_cert       = no
		auth_ssl_require_client_cert = no
		mail_plugins = $mail_plugins
	}
	service submission-login {
		inet_listener submission {
			address = 127.0.0.1
			port = 60465
			ssl = yes
		}
	}
	service submission {
	}
	submission_relay_host       = smtp.fastmail.com
	submission_relay_port       = 587
	submission_relay_ssl        = starttls
	submission_relay_ssl_verify = no
	submission_relay_trusted    = yes
	submission_relay_user       = 'myexternaluser@fastmail.com'
	submission_relay_password   = 'myexternalpassword'
	!include conf.d/auth-passwdfile.conf.ext
echo "testuser:$( doveadm pw -s CRYPT -p 'testpass' ):1000:1000:/run/dovecot::/usr/sbin/nologin::" > /etc/dovecot/users
cat  /etc/dovecot/users
	testuser:{CRYPT}$2y$05$JsJ2T6LuaHUeTj8.sKzVMeIma1jccDic2z0izcXRCJsijyReWh/9q:1000:1000::::
doveadm pw -t $( cat /etc/dovecot/users | cut -d":" -f2) -p testpass
	{CRYPT}$2y$05$eWPR2jIGnGJuGV/47AO0LekLIxetotJAxfc84.DvjEyrOHwaBcFxS (verified)
cat /etc/pki/tls/openssl.cnf
	openssl_conf = default_conf
	[default_conf]
	ssl_conf = ssl_sect
	[ssl_sect]
	system_default = system_default_sect
	[system_default_sect]
	MinProtocol = TLSv1.2
	CipherString = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
	Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
	Options = ServerPreference,PrioritizeChaCha
testing submission
cat /etc/msmtprc
	defaults
	logfile        /var/log/msmtp.log
	from           myexternaluser@fastmail.com
	account        external
	host           smtp.fastmail.com
	tls            on
	tls_starttls   on
	port           587
	auth           on
	user           myexternaluser@fastmail.com
	password       myexternalpassword
	account        internal
	host           127.0.0.1
	tls            on
	tls_key_file   /etc/pki/dovecot/private/dovecot.pem
	tls_cert_file  /etc/pki/dovecot/certs/dovecot.pem
	tls_certcheck  off
	tls_starttls   off
	port           60465
	auth           on
	user           testuser
	password       testpass
	account default : external
cat ~/test.eml
	To: testrecipient@example.com
	From: myexternaluser@fastmail.com
	Subject: testsubject
	testbody
	EOF
works when submitting EXTERNALLY
cat ~/test.eml | msmtp -a external testrecipient@example.com
	VERIFIED: RECEIVED OK
**AND** INTERNALLY, via dovecot submission
cat ~/test.eml | msmtp -a internal testrecipient@example.com
	VERIFIED: RECEIVED OK
in both cases with
	Options = ServerPreference,PrioritizeChaCha
On my full/production system, similarly testing
	Options = ServerPreference
submit via dovecot submission works,
cat ~/test.eml | msmtp -a internal testrecipient@example.com
	VERIFIED: RECEIVED OK
but with
	- Options = ServerPreference
	+ Options = ServerPreference,PrioritizeChaCha
FAILs
cat ~/test.eml | msmtp -a internal testrecipient@example.com
	msmtp: envelope from address myexternaluser@fastmail.com not accepted by the server
	msmtp: server message: 421 4.4.0 internal.mx.example.com Failed to establish relay connection
	msmtp: could not send mail (account internal from /etc/msmtprc)
as it clearly works on the 'minimal' dovecot deploy, above, I certainly can't disagree that it's something local to my production config.
now to figure out what :-/
fwiw, i've asked with some further detail (errors from postfix relay host) in openssl list,
https://mta.openssl.org/pipermail/openssl-users/2020-September/012993.html
we'll see if anything comes of it ...
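Added example for this thread (not code from the poster, Dovecot or OpenSSL): a Python probe that settles the "OpenSSL issue or Dovecot issue" question from the libssl side, for both the first message's error and the A/B edits of the Options line in this last message. libssl applies the [system_default] commands inside SSL_CTX_new(), and Python's PROTOCOL_TLS_CLIENT / PROTOCOL_TLS_SERVER map to the client-only and server-only methods, so creating one context of each kind under a given openssl.cnf shows which side of the connection rejects a value, without Dovecot in the loop. The script also pulls section/cmd/arg out of the Dovecot log line quoted earlier and flags which of those Options are documented "Only used by servers". Assumptions: the interpreter's ssl module is linked against the same libssl as Dovecot (the output prints ssl.OPENSSL_VERSION so you can check), and the server-only set holds only the two entries quoted from SSL_CONF_cmd(3) in this thread.

```python
"""Probe how the libssl on this host applies an openssl.cnf [system_default]
section to client-only vs server-only SSL contexts, independent of Dovecot.

Added example for this thread; not Dovecot or OpenSSL code. Assumes the
interpreter's ssl module is linked against the libssl under test.
"""
import json
import os
import re
import subprocess
import sys
import tempfile

# Skeleton of the openssl.cnf from the thread; only the [system_default_sect]
# body varies between runs.
CNF_TEMPLATE = """\
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
{body}
"""

# Child process. libssl applies system_default inside SSL_CTX_new(), and
# PROTOCOL_TLS_CLIENT / PROTOCOL_TLS_SERVER select the client-only and
# server-only methods, i.e. the kinds of context Dovecot's relay client and
# its listeners create.
CHILD = r"""
import json, ssl
out = {"openssl": ssl.OPENSSL_VERSION}
for name, proto in (("client", ssl.PROTOCOL_TLS_CLIENT),
                    ("server", ssl.PROTOCOL_TLS_SERVER)):
    try:
        ssl.SSLContext(proto)
        out[name] = {"ok": True, "error": ""}
    except Exception as e:  # ssl.SSLError when SSL_CTX_new() fails
        out[name] = {"ok": False, "error": str(e)}
print(json.dumps(out))
"""

# Matches the text ssl_do_config() attaches when a system_default command is
# rejected, as seen in the Dovecot log line quoted in this thread.
SSL_CONF_ERR = re.compile(
    r"ssl_do_config:(?P<reason>[^:]+): section=(?P<section>\w+), "
    r"cmd=(?P<cmd>\w+), arg=(?P<arg>\S+)")

# Options documented "Only used by servers" in the SSL_CONF_cmd(3) excerpt
# quoted in the thread; extend from the man page for other entries.
SERVER_ONLY_OPTIONS = {"ServerPreference", "PrioritizeChaCha"}


def parse_ssl_conf_error(log_line):
    """Return {'reason', 'section', 'cmd', 'arg'} or None for other lines."""
    m = SSL_CONF_ERR.search(log_line)
    return m.groupdict() if m else None


def server_only_in(arg):
    """Which comma-separated Options values in ARG are server-only per docs."""
    return sorted(set(arg.split(",")) & SERVER_ONLY_OPTIONS)


def probe_system_default(body):
    """Run the child with OPENSSL_CONF pointing at a cnf whose
    [system_default_sect] is BODY; return the parsed result dict."""
    with tempfile.NamedTemporaryFile("w", suffix=".cnf", delete=False) as f:
        f.write(CNF_TEMPLATE.format(body=body.strip()))
        path = f.name
    try:
        # OPENSSL_CONF is read lazily by libssl inside the child, after exec
        env = dict(os.environ, OPENSSL_CONF=path)
        res = subprocess.run([sys.executable, "-c", CHILD], env=env,
                             capture_output=True, text=True, timeout=60)
    finally:
        os.unlink(path)
    try:
        return json.loads(res.stdout)
    except ValueError:
        err = {"ok": False, "error": res.stderr.strip() or "no output"}
        return {"openssl": "", "client": err, "server": dict(err)}


def ab_test_options(variants):
    """Probe each Options value ('' = no Options line); return
    {variant: (client_ok, server_ok)} like the A/B edits in the thread."""
    results = {}
    for opts in variants:
        body = "MinProtocol = TLSv1.2\n"
        if opts:
            body += "Options = " + opts + "\n"
        r = probe_system_default(body)
        results[opts] = (r["client"]["ok"], r["server"]["ok"])
    return results


if __name__ == "__main__":
    # Shortened copy of the error line from the first message of the thread.
    line = ("Error: smtp-client: ... Failed to initialize SSL: ... "
            "error:14187180:SSL routines:ssl_do_config:bad value: "
            "section=system_default, cmd=Options, arg=ServerPreference,PrioritizeChaCha")
    err = parse_ssl_conf_error(line)
    print("rejected:", err, "server-only:", server_only_in(err["arg"]))
    print("libssl:", probe_system_default("MinProtocol = TLSv1.2")["openssl"])
    for opts, (c, s) in ab_test_options(
            ["", "PrioritizeChaCha", "ServerPreference",
             "ServerPreference,PrioritizeChaCha"]).items():
        print("Options = %-36s client=%s server=%s" % (
            opts or "(none)", "ok" if c else "FAIL", "ok" if s else "FAIL"))
```

Python only surfaces the last error SSL_CTX_new() pushed, so the exception text may read just "error in system default config" without the section/cmd/arg detail; `OPENSSL_CONF=/etc/pki/tls/openssl.cnf openssl s_client -connect host:465` creates the same kind of client-only context and prints the whole error stack when it fails. If the probe passes on the host where Dovecot fails, the relay-client context is not where the config is being rejected and the search moves to what else in the production Dovecot configuration creates SSL contexts or loads certificates.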