Gregor Best wrote:
Hi people,
I'm running OpenSMTPD 5.4.3 from -current on my private mail server. After
a recent update, using authentication for sending mail causes smtpd to exit
with exit value 1. A (stripped down) configuration that exhibits the issue
is the following:
pki server certificate /etc/mail/certs/server.crt
pki server key /etc/mail/certs/server.key
listen on egress port submission tls-require pki server auth tag AUTH
accept tagged AUTH from local for any relay
When running smtpd with that configuration and attempting to send an
email, this is the output I get from smtpd -dv:
[... Usual smtpd startup for OpenSMTPD 5.4.3 ...]
debug: smtp: new client on listener: 0x768b632a000
smtp-in: New session 5d471824a3b1c9d2 from host eduroam-75-222.uni-paderborn.de [131.234.75.222]
debug: lka: looking up pki server
debug: session_start_ssl: switching to SSL
smtp-in: Started TLS on session 5d471824a3b1c9d2: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
smtpd: session_imsg: unexpected IMSG_LKA_AUTHENTICATE imsg
warn: lka - pony: pipe closed
warn: parent - pony: pipe closed
warn: mfa - pony: pipe closed
warn: queue - pony: pipe closed
warn: control - pony: pipe closed
warn: scheduler - control: pipe closed
[... After this, smtpd has exited with status 1 ...]
The client (mail/msmtp from ports) prints the following:
msmtp: cannot read from TLS connection: a protocol violating EOF occured
The debug output from msmtp is the following:
loaded system configuration file /etc/msmtprc
loaded user configuration file /home/gbe/.msmtprc
using account unobtanium from /home/gbe/.msmtprc
host = unobtanium.de
port = 587
timeout = off
protocol = smtp
domain= localhost
auth = choose
user = gbe
password = *
passwordeval = (not set)
ntlmdomain= (not set)
tls = on
tls_starttls = on
tls_trust_file= (not set)
tls_crl_file = (not set)
tls_fingerprint = EB:8E:EA:3A:BC:3A:1D:6C:C4:80:5F:FB:A8:24:C8:EB:C8:24:71:5D
tls_key_file = (not set)
tls_cert_file = (not set)
tls_certcheck = on
tls_force_sslv3 = off
tls_min_dh_prime_bits = (not set)
tls_priorities= (not set)
auto_from = off
maildomain= (not set)
from = g...@unobtanium.de
dsn_notify= (not set)
dsn_return= (not set)
keepbcc = off
logfile = /home/gbe/log/msmtp/log
syslog= (not set)
aliases = (not set)
reading recipients from the command line
-- 220 neon.unobtanium.de ESMTP OpenSMTPD
-- EHLO localhost
-- 250-neon.unobtanium.de Hello localhost [131.234.75.222], pleased to meet you
-- 250-8BITMIME
-- 250-ENHANCEDSTATUSCODES
-- 250-SIZE 36700160
-- 250-DSN
-- 250-STARTTLS
-- 250 HELP
-- STARTTLS
-- 220 2.0.0: Ready to start TLS
TLS certificate information:
Owner:
Common Name: gbe.ring0.de
Issuer:
Common Name: CAcert Class 3 Root
Organization: CAcert Inc.
Organizational unit: http://www.CAcert.org
Validity:
Activation time: Sun Jul 7 18:28:15 2013
Expiration time: Tue Jul 7 18:28:15 2015
Fingerprints:
SHA1: EB:8E:EA:3A:BC:3A:1D:6C:C4:80:5F:FB:A8:24:C8:EB:C8:24:71:5D
MD5: 69:40:AD:DD:02:63:41:C1:67:55:34:3E:63:95:06:6A
-- EHLO localhost
-- 250-neon.unobtanium.de Hello localhost [131.234.75.222], pleased to meet you
-- 250-8BITMIME
-- 250-ENHANCEDSTATUSCODES
-- 250-SIZE 36700160
-- 250-DSN
-- 250-AUTH PLAIN LOGIN
-- 250 HELP
-- AUTH PLAIN AGdiZQA0bjRyY2hZXw==
Yes, the certificate is weird (common name does not match the host name),
but that should not cause the smtp daemon to exit. The setup worked before
my last update, but I can't pinpoint the previous version of OpenSMTPD
because the maillog rotated away before I noticed the issue.
What am I doing wrong here? And how can I debug this further?
Is this commit the culprit:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/cert.pem?rev=1.24
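The msmtp transcript quoted above (EHLO, STARTTLS, second EHLO, then an AUTH that never gets a reply) is the client-side view of the crash. As an added example, not part of this thread and not OpenSMTPD or msmtp code, here is a small Python parser for msmtp-style "-- " transcript lines that records in which phase AUTH was advertised, whether the client sent AUTH before TLS, and whether the session ended on an unanswered command; the transcript it runs on is constructed with placeholder host, address and credential.

```python
import re

# Constructed msmtp-style ("-- " prefixed) transcript modelled on the post above;
# host, address and the AUTH credential are placeholders, not the real values.
SAMPLE = """\
-- 220 mx.example.net ESMTP OpenSMTPD
-- EHLO localhost
-- 250-mx.example.net Hello localhost [192.0.2.10], pleased to meet you
-- 250-STARTTLS
-- 250 HELP
-- STARTTLS
-- 220 2.0.0: Ready to start TLS
-- EHLO localhost
-- 250-mx.example.net Hello localhost [192.0.2.10], pleased to meet you
-- 250-AUTH PLAIN LOGIN
-- 250 HELP
-- AUTH PLAIN <base64-credential-placeholder>
"""

def parse_transcript(text):
    tls = False                      # set once STARTTLS got its 220
    caps = {"plain": [], "tls": []}  # EHLO keywords seen in each phase
    pending, nlines = None, 0        # client command awaiting its reply
    auth_in_clear = False
    for raw in text.splitlines():
        if not raw.startswith("-- "):
            continue
        line = raw[3:]
        m = re.match(r"(\d{3})([ -])(.*)", line)
        if m is None:                # no reply code: a client command
            pending, nlines = line, 0
            auth_in_clear |= line.upper().startswith("AUTH ") and not tls
            continue
        code, sep, rest = m.groups()
        cmd = (pending or "").upper()
        # first 250 line of an EHLO reply is the greeting, the rest are keywords
        if cmd.startswith("EHLO") and code == "250" and nlines > 0:
            caps["tls" if tls else "plain"].extend(w.upper() for w in rest.split()[:1])
        nlines += 1
        if sep == " ":               # "250 " / "220 ": last line of the reply
            tls = tls or (cmd == "STARTTLS" and code == "220")
            pending = None
    return {"auth_offered_before_tls": "AUTH" in caps["plain"],
            "auth_offered_after_tls": "AUTH" in caps["tls"],
            "auth_sent_in_clear": auth_in_clear,
            # a non-None command here means the server never answered it,
            # which is what a crash like the one above looks like client-side
            "unanswered_command": pending}
```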