On Mon, Mar 21, 2016 at 08:45:45PM +0100, Joerg Jung wrote:
> On Mon, Mar 21, 2016 at 12:05:59AM +0000, Valérian wrote:
> > Wilhelm Schuster <wilhelm@...> writes:
> >
> > >
> > > Hi,
> > >
> > > I'm trying to replace dkimproxy with dkim-signer from opensmtpd-extras
> > > (mainly to get rid of perl), however I'm having some trouble.
> > >
> > > My dkimproxy setup basically is the same as is described in
> > > smtpd.conf(5), that means all mail from local is sent to port 10027,
> > > signed by dkimproxy, relayed to port 10028, tagged as DKIM, and finally
> > > relayed by smtpd.
> > >
> > > My dkimproxy_out.conf:
> > >
> > > listen 127.0.0.1:10027
> > > relay 127.0.0.1:10028
> > > domain wilhelm.re
> > > signature dkim(c=relaxed)
> > > keyfile /etc/ssl/private/dkim1.key
> > > selector dkim1
> > >
> > > Switching to filter-dkim-signer, here's an excerpt from my smtpd.conf:
> > >
> > > filter sign dkim-signer "-dwilhelm.re" "-sdkim1"
> > > "-p/etc/ssl/private/dkim1.key"
> > > listen on ens3 port submission tls-require pki wilhelm.re hostname
> > > wilhelm.re auth mask-source filter sign
> > >
> > > The key I'm using is RSA 2048bit and is the same for both setups.
> > >
> > > Now, when I'm trying to send mail through opensmtpd using
> > > filter-dkim-signer, the filter exits with:
> > >
> > > fatal: dkim_signer: on_eom: RSA_sign
> > >
> > > Looking at the source, this message is generated by the following code,
> > > unfortunately, I'm unfamiliar with the OpenSSL API, and I'm not sure why
> > > exactly it fails.
> > >
> > > if (RSA_sign(NID_sha256, s->hdr_hash, sizeof(s->hdr_hash),
> > > rsa_sig, &rsa_sig_len, rsa) == 0)
> > > fatalx("dkim_signer: on_eom: RSA_sign");
> > >
> > > What could be the problem here?
> > >
> > > Cheers, Wilhelm Schuster.
> > >
> >
> > Hi,
> >
> > I just encountered the same error.
>
> Which OS/version you are running this on?
>
> > After investigating a bit, I could find that the actual OpenSSL error
> > was "PRNG not seeded". It's because the OpenSMTPD filters are run
> > individually in a chroot and if OpenSSL PRNG is not seeded before
> > chrooting, '/dev/urandom' does not exist in the chroot and fails with
> > this reason.
>
> Nice finding.
>
> > Here's a hack for OpenSMTPD-extras I wrote in order to force OpenSSL
> > PRNG seeding before the chroot. This fixed the problem on my side.
>
> I can not comment on the crypto specific things here, but with the
> filters chroot I see basically three options:
>
> 1. Disable chroot for the dkim filter, this is a big hammer and should
> only applied if no other possible option is available. But we did
> this already for others, e.g. filter dnsbl.
> 2. Make things work within the chroot, e.g. make /dev/urandom somehow
> available in chroot (for example with (re-)mount -bind or something).
> 3. Do required things before entering chroot.
>
> I can not see a useful way for Option 2 here. You have chosen Option 3
> in your diff below, so that is a fine choice and I would not consider it
> a hack. Also so the chosen position in code makes sense to me and is
> fine, right before entering the chroot.
After thinking about this and as mentioned in IRC, it is probably better
to move this initialization out of generic filter init into the dkim
filter main() right before first filter_api_* call. Not every filter
needs this crypto init, so better avoid the overhead.
> However, as said earlier: I have no idea about crypto specific things so
> I do not know if RAND_status() is the right thing to do here to
> initialize the PRNG seeding. The man page tells me that this is a
> deprecated function, which should not be used in new programs.
>
> @Gilles: What do you think, can you help here?
>
> Regards,
> Joerg
>
> > diff --git a/api/filter_api.c b/api/filter_api.c
> > index d1aa5a2..7e29a58 100644
> > --- a/api/filter_api.c
> > +++ b/api/filter_api.c
> > @@ -34,6 +34,7 @@
> > #include <string.h>
> > #include <unistd.h>
> > #include <grp.h>
> > +#include <openssl/rand.h>
> >
> > #include "smtpd-defines.h"
> > #include "smtpd-api.h"
> > @@ -934,6 +935,8 @@ filter_api_loop(void)
> > mproc_enable(&fi.p);
> >
> > if (fi.rootpath) {
> > + RAND_status();
> > +
> > if (chroot(fi.rootpath) == -1) {
> > log_warn("warn: filter-api:%s chroot", filter_name);
> > fatalx("filter-api: exiting");
> >
> > Anyone have an idea what a proper fix for this could be?
> >
> >
> > --
> > You received this mail because you are subscribed to [email protected]
> > To unsubscribe, send a mail to: [email protected]
> >
>
> --
> You received this mail because you are subscribed to [email protected]
> To unsubscribe, send a mail to: [email protected]
>
--
You received this mail because you are subscribed to [email protected]
To unsubscribe, send a mail to: [email protected]
