BUG: _presence_ of valid openssl.cnf Option = 'ServerPreference' causes Dovecot submission relay FAIL: "failed: Failed to initialize SSL: ..."

PGNet Dev pgnet.dev at gmail.com
Thu Sep 24 05:45:30 EEST 2020 

On 9/23/20 7:27 AM, PGNet Dev wrote:
> I'll see if I can reduce this to a simple demonstrator ...

well, i can confirm that a CLEAN, minimal install works OK with the /etc/pki/tls/openssl.cnf spec'd above

but my full/production instance FAILs. :-/  still, only on/with Dovecot submission.

on a clean Fedora 32 "Server Edition" net-iso install


	dnf install \
	dovecot \
	msmtp

	mkdir -p /home/Maildir

	/usr/libexec/dovecot/mkcert.sh
	tree /etc/pki/dovecot/
		/etc/pki/dovecot/
			├── certs
			│   └── dovecot.pem
			├── dovecot-openssl.cnf
			└── private
				└── dovecot.pem

	cat /etc/dovecot/local.conf
		auth_verbose           = yes
		auth_debug             = yes
		mail_debug             = yes
		verbose_proctitle      = yes
		verbose_ssl            = yes

		mail_location = maildir:/home/Maildir/Maildir

		protocols = submission
		protocol submission {
			ssl_verify_client_cert       = no
			auth_ssl_require_client_cert = no
			mail_plugins = $mail_plugins
		}
		service submission-login {
			inet_listener submission {
				address = 127.0.0.1
				port = 60465
				ssl = yes
			}
		}
		service submission {
		}
		submission_relay_host       = smtp.fastmail.com
		submission_relay_port       = 587
		submission_relay_ssl        = starttls
		submission_relay_ssl_verify = no
		submission_relay_trusted    = yes
		submission_relay_user       = 'myexternaluser at fastmail.com'
		submission_relay_password   = 'myexternalpassword'

		!include conf.d/auth-passwdfile.conf.ext


	echo "testuser:$( doveadm pw -s CRYPT -p 'testpass' ):1000:1000:/run/dovecot::/usr/sbin/nologin::" > /etc/dovecot/users
	cat  /etc/dovecot/users
		testuser:{CRYPT}$2y$05$JsJ2T6LuaHUeTj8.sKzVMeIma1jccDic2z0izcXRCJsijyReWh/9q:1000:1000::::

	doveadm pw -t $( cat /etc/dovecot/users | cut -d":" -f2) -p testpass
		{CRYPT}$2y$05$eWPR2jIGnGJuGV/47AO0LekLIxetotJAxfc84.DvjEyrOHwaBcFxS (verified)


	cat /etc/pki/tls/openssl.cnf
		openssl_conf = default_conf

		[default_conf]
		ssl_conf = ssl_sect

		[ssl_sect]
		system_default = system_default_sect

		[system_default_sect]
		MinProtocol = TLSv1.2
		CipherString = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
		Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256

		Options = ServerPreference,PrioritizeChaCha


testing submission

	cat /etc/msmtprc
		defaults
		logfile        /var/log/msmtp.log
		from           myexternaluser at fastmail.com

		account        external
		host           smtp.fastmail.com
		tls            on
		tls_starttls   on
		port           587
		auth           on
		user           myexternaluser at fastmail.com
		password       myexternalpassword

		account        internal
		host           127.0.0.1
		tls            on
		tls_key_file   /etc/pki/dovecot/private/dovecot.pem
		tls_cert_file  /etc/pki/dovecot/certs/dovecot.pem
		tls_certcheck  off
		tls_starttls   off
		port           60465
		auth           on
		user           testuser
		password       testpass

		account default : external


	cat ~/test.eml
		To: testrecipient at example.com
		From: myexternaluser at fastmail.com
		Subject: testsubject
		testbody
		EOF

works when submitting EXTERNALLY

	cat ~/test.eml | msmtp -a external testrecipient at example.com
		VERIFIED: RECEIVED OK

**AND** INTERNALLY, via dovecot submission

	cat ~/test.eml | msmtp -a internal testrecipient at example.com
		VERIFIED: RECEIVED OK

in both cases with

	Options = ServerPreference,PrioritizeChaCha



On my full/production system, similarly testing

	Options = ServerPreference

submit via dovecot submission works,

	cat ~/test.eml | msmtp -a internal testrecipient at example.com
		VERIFIED: RECEIVED OK

but with

-	Options = ServerPreference
+	Options = ServerPreference,PrioritizeChaCha


FAILs

	cat ~/test.eml | msmtp -a internal testrecipient at example.com

		msmtp: envelope from address myexternaluser at fastmail.com not accepted by the server
		msmtp: server message: 421 4.4.0 internal.mx.example.com Failed to establish relay connection
		msmtp: could not send mail (account internal from /etc/msmtprc)


as it clearly works on the 'minimal' dovecot deploy, above,
I certainly can't disagree that it's something local to my production config.

now to figure out what :-/

fwiw, i've asked with some further detail (errors from postfix relay host) in openssl list,

	https://mta.openssl.org/pipermail/openssl-users/2020-September/012993.html

we'll see if anything comes of it ...

More information about the dovecot mailing list