BUG: _presence_ of valid openssl.cnf Option = 'ServerPreference' causes Dovecot submission relay FAIL: "failed: Failed to initialize SSL: ..."
PGNet Dev
pgnet.dev@gmail.com
Thu Sep 24 05:45:30 EEST 2020
On 9/23/20 7:27 AM, PGNet Dev wrote:
> I'll see if I can reduce this to a simple demonstrator ...
well, I can confirm that a CLEAN, minimal install works OK with the /etc/pki/tls/openssl.cnf spec'd above
but my full/production instance FAILs. :-/ still, only on/with Dovecot submission.
on a clean Fedora 32 "Server Edition" net-iso install
dnf install \
dovecot \
msmtp
mkdir -p /home/Maildir
/usr/libexec/dovecot/mkcert.sh
tree /etc/pki/dovecot/
/etc/pki/dovecot/
├── certs
│   └── dovecot.pem
├── dovecot-openssl.cnf
└── private
    └── dovecot.pem
cat /etc/dovecot/local.conf
auth_verbose = yes
auth_debug = yes
mail_debug = yes
verbose_proctitle = yes
verbose_ssl = yes
mail_location = maildir:/home/Maildir/Maildir
protocols = submission
protocol submission {
  ssl_verify_client_cert = no
  auth_ssl_require_client_cert = no
  mail_plugins = $mail_plugins
}
service submission-login {
  inet_listener submission {
    address = 127.0.0.1
    port = 60465
    ssl = yes
  }
}
service submission {
}
submission_relay_host = smtp.fastmail.com
submission_relay_port = 587
submission_relay_ssl = starttls
submission_relay_ssl_verify = no
submission_relay_trusted = yes
submission_relay_user = 'myexternaluser@fastmail.com'
submission_relay_password = 'myexternalpassword'
!include conf.d/auth-passwdfile.conf.ext
echo "testuser:$( doveadm pw -s CRYPT -p 'testpass' ):1000:1000:/run/dovecot::/usr/sbin/nologin::" > /etc/dovecot/users
cat /etc/dovecot/users
testuser:{CRYPT}$2y$05$JsJ2T6LuaHUeTj8.sKzVMeIma1jccDic2z0izcXRCJsijyReWh/9q:1000:1000::::
doveadm pw -t $( cat /etc/dovecot/users | cut -d":" -f2) -p testpass
{CRYPT}$2y$05$eWPR2jIGnGJuGV/47AO0LekLIxetotJAxfc84.DvjEyrOHwaBcFxS (verified)
cat /etc/pki/tls/openssl.cnf
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
Options = ServerPreference,PrioritizeChaCha
testing submission
cat /etc/msmtprc
defaults
logfile /var/log/msmtp.log
from myexternaluser@fastmail.com
account external
host smtp.fastmail.com
tls on
tls_starttls on
port 587
auth on
user myexternaluser@fastmail.com
password myexternalpassword
account internal
host 127.0.0.1
tls on
tls_key_file /etc/pki/dovecot/private/dovecot.pem
tls_cert_file /etc/pki/dovecot/certs/dovecot.pem
tls_certcheck off
tls_starttls off
port 60465
auth on
user testuser
password testpass
account default : external
cat ~/test.eml
To: testrecipient@example.com
From: myexternaluser@fastmail.com
Subject: testsubject
testbody
EOF
works when submitting EXTERNALLY
cat ~/test.eml | msmtp -a external testrecipient@example.com
VERIFIED: RECEIVED OK
**AND** INTERNALLY, via dovecot submission
cat ~/test.eml | msmtp -a internal testrecipient@example.com
VERIFIED: RECEIVED OK
in both cases with
Options = ServerPreference,PrioritizeChaCha
On my full/production system, similarly testing
Options = ServerPreference
submit via dovecot submission works,
cat ~/test.eml | msmtp -a internal testrecipient@example.com
VERIFIED: RECEIVED OK
but with
- Options = ServerPreference
+ Options = ServerPreference,PrioritizeChaCha
FAILs
cat ~/test.eml | msmtp -a internal testrecipient@example.com
msmtp: envelope from address myexternaluser@fastmail.com not accepted by the server
msmtp: server message: 421 4.4.0 internal.mx.example.com Failed to establish relay connection
msmtp: could not send mail (account internal from /etc/msmtprc)
as it clearly works on the 'minimal' dovecot deploy, above,
I certainly can't disagree that it's something local to my production config.
now to figure out what :-/
fwiw, I've asked with some further detail (errors from postfix relay host) in openssl list,
https://mta.openssl.org/pipermail/openssl-users/2020-September/012993.html
we'll see if anything comes of it ...
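The openssl.cnf in this post is picked up system-wide: every program linked against libssl (the openssl CLI, msmtp, Dovecot, Postfix) resolves `openssl_conf` -> `[default_conf]` `ssl_conf` -> `[ssl_sect]` `system_default` -> `[system_default_sect]` and applies those SSL_CONF commands to each new SSL_CTX, which is why a single `Options` token can break one relay while the rest of the system looks fine. The script below is an added example, not code from the post, from Dovecot or from OpenSSL: it parses an openssl.cnf, follows that chain the way the libssl config module does, splits the `Options` value into enabled/disabled tokens, flags tokens that are not in the `Options` list documented in SSL_CONF_cmd(3) for OpenSSL 1.1.1 (the release on Fedora 32), and diffs a working and a failing config the way the bisection above does. The two config texts are constructed from the post; the function names are my own.

```python
"""Resolve the effective system-default TLS settings from an openssl.cnf.

Added example (not from the dovecot list post, Dovecot or OpenSSL). It
models how libssl's config module finds the SSL_CONF commands that apply
to every SSL_CTX in every OpenSSL-linked program on the host.
"""
from __future__ import annotations

# "Options" tokens documented in SSL_CONF_cmd(3) for OpenSSL 1.1.1.
KNOWN_OPTIONS = {
    "SessionTicket", "Compression", "EmptyFragments", "Bugs", "DHSingle",
    "ECDHSingle", "ServerPreference", "NoResumptionOnRenegotiation",
    "NoRenegotiation", "UnsafeLegacyRenegotiation",
    "UnsafeLegacyServerConnect", "EncryptThenMac", "AllowNoDHEKEX",
    "PrioritizeChaCha", "MiddleboxCompat", "AntiReplay",
    "ExtendedMasterSecret",
}

# Constructed to match the config shown in the post (failing variant).
FAILING_CNF = """\
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
Options = ServerPreference,PrioritizeChaCha
"""

# The variant the post reports as working on the production box.
WORKING_CNF = FAILING_CNF.replace(
    "Options = ServerPreference,PrioritizeChaCha", "Options = ServerPreference")


def parse_cnf(text: str) -> dict[str, dict[str, str]]:
    """Minimal openssl.cnf reader: '[name]' sections and 'key = value' lines.
    Keys that appear before any section header (where 'openssl_conf = ...'
    lives) are stored under the empty section name ''."""
    sections: dict[str, dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"unparseable line: {raw!r}")
        sections[current][key.strip()] = value.strip()
    return sections


def effective_ssl_defaults(text: str, appname: str = "openssl_conf") -> dict[str, str]:
    """Follow appname -> section -> ssl_conf -> section -> system_default -> section.
    An empty result means the library defaults apply (no system-wide commands)."""
    cnf = parse_cnf(text)
    app_sect = cnf[""].get(appname)
    ssl_sect = cnf.get(app_sect, {}).get("ssl_conf") if app_sect else None
    sysdef = cnf.get(ssl_sect, {}).get("system_default") if ssl_sect else None
    return dict(cnf.get(sysdef, {})) if sysdef else {}


def parse_options(value: str) -> list[tuple[str, bool]]:
    """Split an 'Options' value into (name, enabled); a leading '-' disables."""
    pairs = []
    for tok in value.split(","):
        tok = tok.strip()
        if tok:
            pairs.append((tok.lstrip("-"), not tok.startswith("-")))
    return pairs


def unknown_options(value: str) -> list[str]:
    """Tokens libssl would reject as unknown (SSL_CONF_cmd fails on them)."""
    return [name for name, _ in parse_options(value) if name not in KNOWN_OPTIONS]


def diff_defaults(working: str, failing: str) -> dict[str, tuple[str | None, str | None]]:
    """Per-key (working, failing) pairs for settings that differ, for bisecting."""
    a, b = effective_ssl_defaults(working), effective_ssl_defaults(failing)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


if __name__ == "__main__":
    for key, val in effective_ssl_defaults(FAILING_CNF).items():
        print(f"{key:13} {val}")
    print("unknown Options tokens:", unknown_options(effective_ssl_defaults(FAILING_CNF)["Options"]))
    print("working vs failing:", diff_defaults(WORKING_CNF, FAILING_CNF))
```

Running it prints the settings every libssl user on the host inherits and reports that both `ServerPreference` and `PrioritizeChaCha` are documented tokens, so the diff tells you which line to bisect but not why one program rejects it; the next step is to run that program with `OPENSSL_CONF` pointed at a copy of the file with the suspect token removed, which is what the working/failing comparison above amounts to.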