BUG: _presence_ of valid openssl.cnf Option = 'ServerPreference' causes Dovecot submission relay FAIL: "failed: Failed to initialize SSL: ..."

PGNet Dev pgnet.dev at gmail.com
Tue Aug 25 03:17:30 EEST 2020


	dovecot --version (a3d0e1171)
	openssl version
		OpenSSL 1.1.1g FIPS  21 Apr 2020

, atm on Fedora32.

I configure


to set preferences for apps' usage, e.g. Postfix etc; Typically, here

	cat /etc/pki/tls/openssl.cnf

		openssl_conf = default_conf

		ssl_conf = ssl_sect

		system_default = system_default_sect

		MinProtocol = TLSv1.2
		Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
		Options = PrioritizeChaCha,ServerPreference

However, any/all sends from local client via Dovecot submission -- from an instance on the same server --  FAILS with that^^ openssl.cnf,

	==> /var/log/dovecot/dovecot.log <==
		2020-08-24 17:04:42 submission(testuser at example.com)<D4c5c6itUg2sHgsH>: Error: smtp-client: conn int.mx.example.net:465 ( [1]: connect(int.mx.example.net:465) failed: Failed to initialize SSL: Couldn't initialize SSL context: Can't load SSL certificate: error:14187180:SSL routines:ssl_do_config:bad value: section=system_default, cmd=Options, arg=ServerPreference,PrioritizeChaCha
		2020-08-24 17:04:42 submission(testuser at example.com)<D4c5c6itUg2sHgsH>: Error: Failed to establish relay connection: Failed to connect to remote server


-		Options = PrioritizeChaCha,ServerPreference
+		Options = PrioritizeChaCha

cures the error

	==> /var/log/dovecot/dovecot.log <==
		2020-08-24 17:08:04 submission(testuser at example.com)<Uow+f6itZg2sHgsH>: Info: Successfully relayed message: from=<testuser at example.com>, size=433, id=Mh4pJWRWRF9jHQAAVDn7pA, nrcpt=1, reply=`250 2.0.0 Ok: queued as 4Bb8TJ4VQbz7v6t'

checking ssl docs


BOTH are valid 'Options',

	ServerPreference: use server and not client preference order when determining which cipher suite, signature algorithm or elliptic curve to use for an incoming connection. Equivalent to SSL_OP_CIPHER_SERVER_PREFERENCE. Only used by servers.

	PrioritizeChaCha: prioritizes ChaCha ciphers when the client has a ChaCha20 cipher at the top of its preference list. This usually indicates a mobile client is in use. Equivalent to SSL_OP_PRIORITIZE_CHACHA. Only used by servers.

The mere presence of that option in a system-wide openssl.cnf shouldn't cause a Dovecot submission failure.

More information about the dovecot mailing list