Re: OpenSMTPD exits with value 1 when clients attempt to authenticate
On Fri, Apr 11, 2014 at 03:07:02PM +0200, Eric Faurot wrote:
> [...]
> This is a fallout due to the merging of multiple processes. It's been
> fixed in cvs two days ago.
> [...]

Wonderful. Everything is back to normal now, thanks.

-- 
Gregor Best

OpenSMTPD exits with value 1 when clients attempt to authenticate
Hi people,

I'm running OpenSMTPD 5.4.3 from -current on my private mail server. After a recent update, using authentication for sending mail causes smtpd to exit with exit value 1. A (stripped down) configuration that exhibits the issue is the following:

    pki server certificate /etc/mail/certs/server.crt
    pki server key /etc/mail/certs/server.key
    listen on egress port submission tls-require pki server auth tag AUTH
    accept tagged AUTH from local for any relay

When running smtpd with that configuration and attempting to send an email, this is the output I get from smtpd -dv:

    [... Usual smtpd startup for OpenSMTPD 5.4.3 ...]
    debug: smtp: new client on listener: 0x768b632a000
    smtp-in: New session 5d471824a3b1c9d2 from host eduroam-75-222.uni-paderborn.de [131.234.75.222]
    debug: lka: looking up pki server
    debug: session_start_ssl: switching to SSL
    smtp-in: Started TLS on session 5d471824a3b1c9d2: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
    smtpd: session_imsg: unexpected IMSG_LKA_AUTHENTICATE imsg
    warn: lka - pony: pipe closed
    warn: parent - pony: pipe closed
    warn: mfa - pony: pipe closed
    warn: queue - pony: pipe closed
    warn: control - pony: pipe closed
    warn: scheduler - control: pipe closed
    [... After this, smtpd has exited with status 1 ...]

The client (mail/msmtp from ports) prints the following:

    msmtp: cannot read from TLS connection: a protocol violating EOF occured

The debug output from msmtp is the following:

    loaded system configuration file /etc/msmtprc
    loaded user configuration file /home/gbe/.msmtprc
    using account unobtanium from /home/gbe/.msmtprc
    host = unobtanium.de
    port = 587
    timeout = off
    protocol = smtp
    domain= localhost
    auth = choose
    user = gbe
    password = *
    passwordeval = (not set)
    ntlmdomain= (not set)
    tls = on
    tls_starttls = on
    tls_trust_file= (not set)
    tls_crl_file = (not set)
    tls_fingerprint = EB:8E:EA:3A:BC:3A:1D:6C:C4:80:5F:FB:A8:24:C8:EB:C8:24:71:5D
    tls_key_file = (not set)
    tls_cert_file = (not set)
    tls_certcheck = on
    tls_force_sslv3 = off
    tls_min_dh_prime_bits = (not set)
    tls_priorities= (not set)
    auto_from = off
    maildomain= (not set)
    from = g...@unobtanium.de
    dsn_notify= (not set)
    dsn_return= (not set)
    keepbcc = off
    logfile = /home/gbe/log/msmtp/log
    syslog= (not set)
    aliases = (not set)
    reading recipients from the command line
    -- 220 neon.unobtanium.de ESMTP OpenSMTPD
    -- EHLO localhost
    -- 250-neon.unobtanium.de Hello localhost [131.234.75.222], pleased to meet you
    -- 250-8BITMIME
    -- 250-ENHANCEDSTATUSCODES
    -- 250-SIZE 36700160
    -- 250-DSN
    -- 250-STARTTLS
    -- 250 HELP
    -- STARTTLS
    -- 220 2.0.0: Ready to start TLS
    TLS certificate information:
        Owner:
            Common Name: gbe.ring0.de
        Issuer:
            Common Name: CAcert Class 3 Root
            Organization: CAcert Inc.
            Organizational unit: http://www.CAcert.org
        Validity:
            Activation time: Sun Jul 7 18:28:15 2013
            Expiration time: Tue Jul 7 18:28:15 2015
        Fingerprints:
            SHA1: EB:8E:EA:3A:BC:3A:1D:6C:C4:80:5F:FB:A8:24:C8:EB:C8:24:71:5D
            MD5: 69:40:AD:DD:02:63:41:C1:67:55:34:3E:63:95:06:6A
    -- EHLO localhost
    -- 250-neon.unobtanium.de Hello localhost [131.234.75.222], pleased to meet you
    -- 250-8BITMIME
    -- 250-ENHANCEDSTATUSCODES
    -- 250-SIZE 36700160
    -- 250-DSN
    -- 250-AUTH PLAIN LOGIN
    -- 250 HELP
    -- AUTH PLAIN AGdiZQA0bjRyY2hZXw==

Yes, the certificate is weird (common name does not match the host name), but that should not cause the smtp daemon to exit.

The setup worked before my last update, but I can't pinpoint the previous version of OpenSMTPD because the maillog rotated away before I noticed the issue.

What am I doing wrong here? And how can I debug this further?

-- 
Gregor Best

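Added example, not part of the original thread and not OpenSMTPD code: a Python scan for the crash signature in the smtpd -dv output quoted in the report above, tying the fatal "unexpected ... imsg" line to the last session seen and to the "pipe closed" cascade that follows. The function and field names are hypothetical, and reading "warn: A - B: pipe closed" as "A lost its pipe to B" is an assumption of this example.

```python
import re
from collections import Counter

# Excerpt of the smtpd -dv output quoted in the report above.
SAMPLE_LOG = """\
smtp-in: New session 5d471824a3b1c9d2 from host eduroam-75-222.uni-paderborn.de [131.234.75.222]
debug: session_start_ssl: switching to SSL
smtp-in: Started TLS on session 5d471824a3b1c9d2: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
smtpd: session_imsg: unexpected IMSG_LKA_AUTHENTICATE imsg
warn: lka - pony: pipe closed
warn: parent - pony: pipe closed
warn: mfa - pony: pipe closed
warn: queue - pony: pipe closed
warn: control - pony: pipe closed
warn: scheduler - control: pipe closed
"""

NEW_SESSION = re.compile(r"smtp-in: New session (\w+) from host (\S+) \[([^\]]+)\]")
FATAL_IMSG = re.compile(r"smtpd: (\w+): unexpected (\w+) imsg")
PIPE_CLOSED = re.compile(r"warn: (\w+) - (\w+): pipe closed")

def find_imsg_crashes(log_text):
    """Return one record per fatal 'unexpected ... imsg' line."""
    crashes, last_session, current = [], None, None
    for line in log_text.splitlines():
        m = NEW_SESSION.search(line)
        if m:
            last_session = dict(zip(("id", "host", "ip"), m.groups()))
            current = None  # a new session means the daemon is serving again
            continue
        m = FATAL_IMSG.search(line)
        if m:
            current = {"handler": m.group(1), "imsg": m.group(2),
                       "session": last_session, "reporters": [], "peers": []}
            crashes.append(current)
            continue
        m = PIPE_CLOSED.search(line)
        if m and current is not None:
            current["reporters"].append(m.group(1))
            current["peers"].append(m.group(2))
    for crash in crashes:
        # Assumption: the peer named most often is the process that exited first.
        top = Counter(crash.pop("peers")).most_common(1)
        crash["likely_dead"] = top[0][0] if top else None
    return crashes

if __name__ == "__main__":
    print(find_imsg_crashes(SAMPLE_LOG))
```
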
Re: OpenSMTPD exits with value 1 when clients attempt to authenticate
On Fri, Apr 11, 2014 at 12:44:47PM +0200, Gregor Best wrote:
> Hi people,

Hi,

> I'm running OpenSMTPD 5.4.3 from -current on my private mail server. After
> a recent update, using authentication for sending mail causes smtpd to exit
> with exit value 1. A (stripped down) configuration that exhibits the issue
> is the following:
> [...]
> smtpd: session_imsg: unexpected IMSG_LKA_AUTHENTICATE imsg
> [...]

Hi,

This is a fallout due to the merging of multiple processes. It's been fixed in cvs two days ago. Rebuild smtpd from src and you'll be fine.

Eric.

Re: OpenSMTPD exits with value 1 when clients attempt to authenticate
Gregor Best wrote:
> [...]
> What am I doing wrong here? And how can I debug this further?

Is this commit the culprit:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/cert.pem?rev=1.24

Re: OpenSMTPD exits with value 1 when clients attempt to authenticate
Hi Remco,

On Fri, Apr 11, 2014 at 01:18:54PM +0200, Remco wrote:
> [...]
> Is this commit the culprit:
> http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/cert.pem?rev=1.24
> [...]

I think that is quite unlikely. I still have the old version of /etc/ssl/cert.pem because I didn't see the point of removing certificate authorities I use myself.

Also, I don't think a missing certificate authority for the server's own certificate would cause the smtp daemon to exit, especially since it doesn't print out any message regarding certificate validity.

-- 
Gregor Best