On Mon, 16 Feb 2015 04:37:55 -0300, Hugo Osvaldo Barrera <[email protected]> said:

| Hi,
|
| I've been tasked with setting up a FreeBSD-based email server.
|
| I've come across an issue, giving an error stating "fatal access denied" when
| attempting to initiate TLS connections (either smtps or with starttls).
|
| The certificates work fine on a test OpenBSD host, so they're not the issue.
|
| I'm amused that both dovecot *and* opensmtpd show an almost identical issue, and
| suspect that something openssl related might be broken.
|
| debug: smtp: new client on listener: 0x8024eb000
| smtp-in: New session 6f9022aa19efcad6 from host athena.barrera.io [190.210.108.249]
| debug: lka: looking up pki "mail.asteq.com.ar"
| debug: session_start_ssl: switching to SSL
| debug: pony: rsae_priv_enc
| debug: SSL library error: io_dispatch_accept_ssl:SSL_accept: error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
| smtp-in: Disconnecting session 6f9022aa19efcad6: IO error: error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
| debug: smtp: 0x802501000: deleting session: IO error

Since this fails at SSL/TLS negotiation, I would try connecting via each
protocol to figure out where it's failing:

--8<---------------cut here---------------start------------->8---
# hostname: set this to the mail server's name before running, e.g. hostname=mail.example.org
for i in ssl3 tls1 tls1_1 tls1_2; do
    echo --------------------
    echo $i
    echo --------------------
    # one STARTTLS handshake per protocol version; QUIT ends the SMTP session
    echo QUIT | openssl s_client -quiet -CAfile \
        /usr/local/share/certs/ca-root-nss.crt -$i -connect $hostname:25 \
        -starttls smtp
done
--8<---------------cut here---------------end--------------->8---

If it only happens with SSLv3, then I guess it's due to SSLv3 support being
disabled in the codebase.

HTH
-- 
Ashish SHUKLA

“SQL, Lisp, and Haskell are the only programming languages that I've seen
where one spends more time thinking than typing.” (Phillip Greenspun)

Sent from my Emacs
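A companion to the per-protocol loop above, added here as an example and not part of the original reply: a POSIX sh classifier that reduces each `openssl s_client` run to one line (protocol and outcome), so the "tlsv1 alert access denied" seen in the log stands out from an openssl build that simply lacks the `-ssl3` option, or from a plain connection failure. The CAfile path is taken from the reply; `probe_starttls`, `classify_probe` and `probe_all` are names chosen for this example.

```shell
#!/bin/sh
# Classify the captured stdout+stderr of one "openssl s_client" run.
# Outcomes: unsupported | connect-failed | alert:<name> | handshake-error:<reason>
#           | verify-error | ok
# OpenSSL error strings look like
#   error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
# so the last colon-separated field is the reason; an "<proto> alert <name>"
# reason means the peer sent a TLS alert (access_denied is alert 49 in RFC 5246).
classify_probe() {
    case $1 in
        *"unknown option"*|*"Unknown option"*) echo unsupported; return ;;
        *"connect:errno"*|*"Connection refused"*) echo connect-failed; return ;;
    esac
    _reason=$(printf '%s\n' "$1" | grep ':SSL routines:' | head -n 1 | awk -F: '{print $NF}')
    if [ -n "$_reason" ]; then
        case $_reason in
            *" alert "*) echo "alert:$(printf '%s' "$_reason" | sed 's/^[a-z0-9_]* alert //')" ;;
            *)           echo "handshake-error:$_reason" ;;
        esac
        return
    fi
    case $1 in
        *"verify error:"*) echo verify-error ;;   # handshake completed, chain not trusted
        *)                 echo ok ;;
    esac
}

# Run one STARTTLS probe (same command as the loop in the reply) and print
# "<proto><TAB><outcome>".  Needs network access; not exercised by the tests.
probe_starttls() {
    _host=$1; _port=$2; _proto=$3
    _out=$(echo QUIT | openssl s_client -quiet -CAfile /usr/local/share/certs/ca-root-nss.crt \
           "-$_proto" -connect "$_host:$_port" -starttls smtp 2>&1)
    printf '%s\t%s\n' "$_proto" "$(classify_probe "$_out")"
}

# Usage: probe_all mail.example.org 25
probe_all() {
    for _p in ssl3 tls1 tls1_1 tls1_2; do
        probe_starttls "$1" "$2" "$_p"
    done
}
```

A result of `unsupported` for ssl3 next to `ok` for the tls1_* lines means the client-side openssl was built without SSLv3 and tells you nothing about the server; only an `alert:` or `handshake-error:` line points at the server-side negotiation.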
