On 9/22/20 10:51 AM, Aki Tuomi wrote:

...

...

Well, dovecot does not actually do any parsing for system-wide openssl.cnf. This sounds more like OpenSSL issue than dovecot issue.

I've NO issue with that config/setting with any _other_ app -- whether in general openssl-lib-linked usage, or specifically for a mail submitter (e.g., postfix). The ServerPreference setting is seen/respected/utilized as intended.

It's ONLY Dovecot that's reproducibly firing the error, as reported above.

It's also NOT a generalized openssl problem "with" Dovecot -- all (well, so far ...) _other_ crypto-/openssl-related capabilities in Dovecot are behaving normally.

On 22/09/2020 21:00 PGNet Dev pgnet.dev@gmail.com wrote:

On 9/22/20 10:51 AM, Aki Tuomi wrote:

...

...

...

Well, dovecot does not actually do any parsing for system-wide openssl.cnf. This sounds more like OpenSSL issue than dovecot issue.

I've NO issue with that config/setting with any _other_ app -- whether in general openssl-lib-linked usage, or specifically for a mail submitter (e.g., postfix). The ServerPreference setting is seen/respected/utilized as intended.

It's ONLY Dovecot that's reproducibly firing the error, as reported above.

It's also NOT a generalized openssl problem "with" Dovecot -- all (well, so far ...) _other_ crypto-/openssl-related capabilities in Dovecot are behaving normally.

Hi!

I tried to reproduce this with the config you provided. I made sure openssl uses the configuration, but alas, it works just fine for me.

Aki

On 9/23/20 7:27 AM, PGNet Dev wrote:

I'll see if I can reduce this to a simple demonstrator ...

well, i can confirm that a CLEAN, minimal install works OK with the /etc/pki/tls/openssl.cnf spec'd above

but my full/production instance FAILs. :-/ still, only on/with Dovecot submission.

on a clean Fedora 32 "Server Edition" net-iso install

dnf install \
dovecot \
msmtp

mkdir -p /home/Maildir

/usr/libexec/dovecot/mkcert.sh
tree /etc/pki/dovecot/
	/etc/pki/dovecot/
		├── certs
		│   └── dovecot.pem
		├── dovecot-openssl.cnf
		└── private
			└── dovecot.pem

cat /etc/dovecot/local.conf
	auth_verbose           = yes
	auth_debug             = yes
	mail_debug             = yes
	verbose_proctitle      = yes
	verbose_ssl            = yes

	mail_location = maildir:/home/Maildir/Maildir

	protocols = submission
	protocol submission {
		ssl_verify_client_cert       = no
		auth_ssl_require_client_cert = no
		mail_plugins = $mail_plugins
	}
	service submission-login {
		inet_listener submission {
			address = 127.0.0.1
			port = 60465
			ssl = yes
		}
	}
	service submission {
	}
	submission_relay_host       = smtp.fastmail.com
	submission_relay_port       = 587
	submission_relay_ssl        = starttls
	submission_relay_ssl_verify = no
	submission_relay_trusted    = yes
	submission_relay_user       = 'myexternaluser@fastmail.com'
	submission_relay_password   = 'myexternalpassword'

	!include conf.d/auth-passwdfile.conf.ext


echo "testuser:$( doveadm pw -s CRYPT -p 'testpass' ):1000:1000:/run/dovecot::/usr/sbin/nologin::" > /etc/dovecot/users
cat  /etc/dovecot/users
	testuser:{CRYPT}$2y$05$JsJ2T6LuaHUeTj8.sKzVMeIma1jccDic2z0izcXRCJsijyReWh/9q:1000:1000::::

doveadm pw -t $( cat /etc/dovecot/users | cut -d":" -f2) -p testpass
	{CRYPT}$2y$05$eWPR2jIGnGJuGV/47AO0LekLIxetotJAxfc84.DvjEyrOHwaBcFxS (verified)


cat /etc/pki/tls/openssl.cnf
	openssl_conf = default_conf

	[default_conf]
	ssl_conf = ssl_sect

	[ssl_sect]
	system_default = system_default_sect

	[system_default_sect]
	MinProtocol = TLSv1.2
	CipherString = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
	Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256

	Options = ServerPreference,PrioritizeChaCha

testing submission

cat /etc/msmtprc
	defaults
	logfile        /var/log/msmtp.log
	from           myexternaluser@fastmail.com

	account        external
	host           smtp.fastmail.com
	tls            on
	tls_starttls   on
	port           587
	auth           on
	user           myexternaluser@fastmail.com
	password       myexternalpassword

	account        internal
	host           127.0.0.1
	tls            on
	tls_key_file   /etc/pki/dovecot/private/dovecot.pem
	tls_cert_file  /etc/pki/dovecot/certs/dovecot.pem
	tls_certcheck  off
	tls_starttls   off
	port           60465
	auth           on
	user           testuser
	password       testpass

	account default : external


cat ~/test.eml
	To: testrecipient@example.com
	From: myexternaluser@fastmail.com
	Subject: testsubject
	testbody
	EOF

works when submitting EXTERNALLY

cat ~/test.eml | msmtp -a external testrecipient@example.com
	VERIFIED: RECEIVED OK

**AND** INTERNALLY, via dovecot submission

cat ~/test.eml | msmtp -a internal testrecipient@example.com
	VERIFIED: RECEIVED OK

in both cases with

Options = ServerPreference,PrioritizeChaCha

On my full/production system, similarly testing

Options = ServerPreference

submit via dovecot submission works,

cat ~/test.eml | msmtp -a internal testrecipient@example.com
	VERIFIED: RECEIVED OK

but with

• Options = ServerPreference

• Options = ServerPreference,PrioritizeChaCha

FAILs

cat ~/test.eml | msmtp -a internal testrecipient@example.com

	msmtp: envelope from address myexternaluser@fastmail.com not accepted by the server
	msmtp: server message: 421 4.4.0 internal.mx.example.com Failed to establish relay connection
	msmtp: could not send mail (account internal from /etc/msmtprc)

as it clearly works on the 'minimal' dovecot deploy, above, I certainly can't disagree that it's something local to my production config.

now to figure out what :-/

fwiw, i've asked with some further detail (errors from postfix relay host) in openssl list,

https://mta.openssl.org/pipermail/openssl-users/2020-September/012993.html

we'll see if anything comes of it ...