Hi people,

I'm running OpenSMTPD 5.4.3 from -current on my private mail server. After a
recent update, using authentication for sending mail causes smtpd to exit with
exit value 1. A (stripped down) configuration that exhibits the issue is the
following:

  pki "server" certificate "/etc/mail/certs/server.crt"
  pki "server" key "/etc/mail/certs/server.key"

  listen on egress port submission tls-require pki "server" auth tag AUTH
  accept tagged AUTH from local for any relay

When running smtpd with that configuration and attempting to send an email,
this is the output I get from smtpd -dv:

  [... Usual smtpd startup for OpenSMTPD 5.4.3 ...]
  debug: smtp: new client on listener: 0x768b632a000
  smtp-in: New session 5d471824a3b1c9d2 from host eduroam-75-222.uni-paderborn.de [131.234.75.222]
  debug: lka: looking up pki "server"
  debug: session_start_ssl: switching to SSL
  smtp-in: Started TLS on session 5d471824a3b1c9d2: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
  smtpd: session_imsg: unexpected IMSG_LKA_AUTHENTICATE imsg
  warn: lka -> pony: pipe closed
  warn: parent -> pony: pipe closed
  warn: mfa -> pony: pipe closed
  warn: queue -> pony: pipe closed
  warn: control -> pony: pipe closed
  warn: scheduler -> control: pipe closed
  [... After this, smtpd has exited with status 1 ...]

The client (mail/msmtp from ports) prints the following:
  msmtp: cannot read from TLS connection: a protocol violating EOF occured

The debug output from msmtp is the following:

  loaded system configuration file /etc/msmtprc
  loaded user configuration file /home/gbe/.msmtprc
  using account unobtanium from /home/gbe/.msmtprc
  host                  = unobtanium.de
  port                  = 587
  timeout               = off
  protocol              = smtp
  domain                = localhost
  auth                  = choose
  user                  = gbe
  password              = *
  passwordeval          = (not set)
  ntlmdomain            = (not set)
  tls                   = on
  tls_starttls          = on
  tls_trust_file        = (not set)
  tls_crl_file          = (not set)
  tls_fingerprint       = EB:8E:EA:3A:BC:3A:1D:6C:C4:80:5F:FB:A8:24:C8:EB:C8:24:71:5D
  tls_key_file          = (not set)
  tls_cert_file         = (not set)
  tls_certcheck         = on
  tls_force_sslv3       = off
  tls_min_dh_prime_bits = (not set)
  tls_priorities        = (not set)
  auto_from             = off
  maildomain            = (not set)
  from                  = g...@unobtanium.de
  dsn_notify            = (not set)
  dsn_return            = (not set)
  keepbcc               = off
  logfile               = /home/gbe/log/msmtp/log
  syslog                = (not set)
  aliases               = (not set)
  reading recipients from the command line
  <-- 220 neon.unobtanium.de ESMTP OpenSMTPD
  --> EHLO localhost
  <-- 250-neon.unobtanium.de Hello localhost [131.234.75.222], pleased to meet you
  <-- 250-8BITMIME
  <-- 250-ENHANCEDSTATUSCODES
  <-- 250-SIZE 36700160
  <-- 250-DSN
  <-- 250-STARTTLS
  <-- 250 HELP
  --> STARTTLS
  <-- 220 2.0.0: Ready to start TLS
  TLS certificate information:
      Owner:
          Common Name: gbe.ring0.de
      Issuer:
          Common Name: CAcert Class 3 Root
          Organization: CAcert Inc.
          Organizational unit: http://www.CAcert.org
      Validity:
          Activation time: Sun Jul  7 18:28:15 2013
          Expiration time: Tue Jul  7 18:28:15 2015
      Fingerprints:
          SHA1: EB:8E:EA:3A:BC:3A:1D:6C:C4:80:5F:FB:A8:24:C8:EB:C8:24:71:5D
          MD5:  69:40:AD:DD:02:63:41:C1:67:55:34:3E:63:95:06:6A
  --> EHLO localhost
  <-- 250-neon.unobtanium.de Hello localhost [131.234.75.222], pleased to meet you
  <-- 250-8BITMIME
  <-- 250-ENHANCEDSTATUSCODES
  <-- 250-SIZE 36700160
  <-- 250-DSN
  <-- 250-AUTH PLAIN LOGIN
  <-- 250 HELP
  --> AUTH PLAIN AGdiZQA0bjRyY2hZXw==

Yes, the certificate is weird (common name does not match the host name), but
that should not cause the smtp daemon to exit. The setup worked before my last
update, but I can't pinpoint the previous version of OpenSMTPD because the
maillog rotated away before I noticed the issue.

What am I doing wrong here? And how can I debug this further?

-- 
        Gregor Best
