OpenSMTPD exits with value 1 when clients attempt to authenticate

Gregor Best
Hi people,

I'm running OpenSMTPD 5.4.3 from -current on my private mail server. After a
recent update, using authentication for sending mail causes smtpd to exit with
exit value 1. A (stripped down) configuration that exhibits the issue is the
following:

  pki "server" certificate "/etc/mail/certs/server.crt"
  pki "server" key "/etc/mail/certs/server.key"

  listen on egress port submission tls-require pki "server" auth tag AUTH
  accept tagged AUTH from local for any relay

When running smtpd with that configuration and attempting to send an email,
this is the output I get from smtpd -dv:

  [... Usual smtpd startup for OpenSMTPD 5.4.3 ...]
  debug: smtp: new client on listener: 0x768b632a000
  smtp-in: New session 5d471824a3b1c9d2 from host eduroam-75-222.uni-paderborn.de [131.234.75.222]
  debug: lka: looking up pki "server"
  debug: session_start_ssl: switching to SSL
  smtp-in: Started TLS on session 5d471824a3b1c9d2: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
  smtpd: session_imsg: unexpected IMSG_LKA_AUTHENTICATE imsg
  warn: lka -> pony: pipe closed
  warn: parent -> pony: pipe closed
  warn: mfa -> pony: pipe closed
  warn: queue -> pony: pipe closed
  warn: control -> pony: pipe closed
  warn: scheduler -> control: pipe closed
  [... After this, smtpd has exited with status 1 ...]

The client (mail/msmtp from ports) prints the following:
  msmtp: cannot read from TLS connection: a protocol violating EOF occured

The debug output from msmtp is the following:

  loaded system configuration file /etc/msmtprc
  loaded user configuration file /home/gbe/.msmtprc
  using account unobtanium from /home/gbe/.msmtprc
  host                  = unobtanium.de
  port                  = 587
  timeout               = off
  protocol              = smtp
  domain                = localhost
  auth                  = choose
  user                  = gbe
  password              = *
  passwordeval          = (not set)
  ntlmdomain            = (not set)
  tls                   = on
  tls_starttls          = on
  tls_trust_file        = (not set)
  tls_crl_file          = (not set)
  tls_fingerprint       = EB:8E:EA:3A:BC:3A:1D:6C:C4:80:5F:FB:A8:24:C8:EB:C8:24:71:5D
  tls_key_file          = (not set)
  tls_cert_file         = (not set)
  tls_certcheck         = on
  tls_force_sslv3       = off
  tls_min_dh_prime_bits = (not set)
  tls_priorities        = (not set)
  auto_from             = off
  maildomain            = (not set)
  from                  = [hidden email]
  dsn_notify            = (not set)
  dsn_return            = (not set)
  keepbcc               = off
  logfile               = /home/gbe/log/msmtp/log
  syslog                = (not set)
  aliases               = (not set)
  reading recipients from the command line
  <-- 220 neon.unobtanium.de ESMTP OpenSMTPD
  --> EHLO localhost
  <-- 250-neon.unobtanium.de Hello localhost [131.234.75.222], pleased to meet you
  <-- 250-8BITMIME
  <-- 250-ENHANCEDSTATUSCODES
  <-- 250-SIZE 36700160
  <-- 250-DSN
  <-- 250-STARTTLS
  <-- 250 HELP
  --> STARTTLS
  <-- 220 2.0.0: Ready to start TLS
  TLS certificate information:
      Owner:
          Common Name: gbe.ring0.de
      Issuer:
          Common Name: CAcert Class 3 Root
          Organization: CAcert Inc.
          Organizational unit: http://www.CAcert.org
      Validity:
          Activation time: Sun Jul  7 18:28:15 2013
          Expiration time: Tue Jul  7 18:28:15 2015
      Fingerprints:
          SHA1: EB:8E:EA:3A:BC:3A:1D:6C:C4:80:5F:FB:A8:24:C8:EB:C8:24:71:5D
          MD5:  69:40:AD:DD:02:63:41:C1:67:55:34:3E:63:95:06:6A
  --> EHLO localhost
  <-- 250-neon.unobtanium.de Hello localhost [131.234.75.222], pleased to meet you
  <-- 250-8BITMIME
  <-- 250-ENHANCEDSTATUSCODES
  <-- 250-SIZE 36700160
  <-- 250-DSN
  <-- 250-AUTH PLAIN LOGIN
  <-- 250 HELP
  --> AUTH PLAIN AGdiZQA0bjRyY2hZXw==

Yes, the certificate is weird (common name does not match the host name), but
that should not cause the smtp daemon to exit. The setup worked before my last
update, but I can't pinpoint the previous version of OpenSMTPD because the
maillog rotated away before I noticed the issue.

What am I doing wrong here? And how can I debug this further?

--
        Gregor Best

Re: OpenSMTPD exits with value 1 when clients attempt to authenticate

Remco-2
Gregor Best wrote:

> Hi people,
>
> I'm running OpenSMTPD 5.4.3 from -current on my private mail server. After
> a recent update, using authentication for sending mail causes smtpd to exit
> with exit value 1. A (stripped down) configuration that exhibits the issue
> is the following:
>
>   pki "server" certificate "/etc/mail/certs/server.crt"
>   pki "server" key "/etc/mail/certs/server.key"
>
>   listen on egress port submission tls-require pki "server" auth tag AUTH
>   accept tagged AUTH from local for any relay
>
> When running smtpd with that configuration and attempting to send an
> email, this is the output I get from smtpd -dv:
>
>   [... Usual smtpd startup for OpenSMTPD 5.4.3 ...]
>   debug: smtp: new client on listener: 0x768b632a000
>   smtp-in: New session 5d471824a3b1c9d2 from host eduroam-75-222.uni-paderborn.de [131.234.75.222]
>   debug: lka: looking up pki "server"
>   debug: session_start_ssl: switching to SSL
>   smtp-in: Started TLS on session 5d471824a3b1c9d2: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256
>   smtpd: session_imsg: unexpected IMSG_LKA_AUTHENTICATE imsg
>   warn: lka -> pony: pipe closed
>   warn: parent -> pony: pipe closed
>   warn: mfa -> pony: pipe closed
>   warn: queue -> pony: pipe closed
>   warn: control -> pony: pipe closed
>   warn: scheduler -> control: pipe closed
>   [... After this, smtpd has exited with status 1 ...]
>
> The client (mail/msmtp from ports) prints the following:
>   msmtp: cannot read from TLS connection: a protocol violating EOF occured
>
> The debug output from msmtp is the following:
>
>   loaded system configuration file /etc/msmtprc
>   loaded user configuration file /home/gbe/.msmtprc
>   using account unobtanium from /home/gbe/.msmtprc
>   host                  = unobtanium.de
>   port                  = 587
>   timeout               = off
>   protocol              = smtp
>   domain                = localhost
>   auth                  = choose
>   user                  = gbe
>   password              = *
>   passwordeval          = (not set)
>   ntlmdomain            = (not set)
>   tls                   = on
>   tls_starttls          = on
>   tls_trust_file        = (not set)
>   tls_crl_file          = (not set)
>   tls_fingerprint       = EB:8E:EA:3A:BC:3A:1D:6C:C4:80:5F:FB:A8:24:C8:EB:C8:24:71:5D
>   tls_key_file          = (not set)
>   tls_cert_file         = (not set)
>   tls_certcheck         = on
>   tls_force_sslv3       = off
>   tls_min_dh_prime_bits = (not set)
>   tls_priorities        = (not set)
>   auto_from             = off
>   maildomain            = (not set)
>   from                  = [hidden email]
>   dsn_notify            = (not set)
>   dsn_return            = (not set)
>   keepbcc               = off
>   logfile               = /home/gbe/log/msmtp/log
>   syslog                = (not set)
>   aliases               = (not set)
>   reading recipients from the command line
>   <-- 220 neon.unobtanium.de ESMTP OpenSMTPD
>   --> EHLO localhost
>   <-- 250-neon.unobtanium.de Hello localhost [131.234.75.222], pleased to meet you
>   <-- 250-8BITMIME
>   <-- 250-ENHANCEDSTATUSCODES
>   <-- 250-SIZE 36700160
>   <-- 250-DSN
>   <-- 250-STARTTLS
>   <-- 250 HELP
>   --> STARTTLS
>   <-- 220 2.0.0: Ready to start TLS
>   TLS certificate information:
>       Owner:
>           Common Name: gbe.ring0.de
>       Issuer:
>           Common Name: CAcert Class 3 Root
>           Organization: CAcert Inc.
>           Organizational unit: http://www.CAcert.org
>       Validity:
>           Activation time: Sun Jul  7 18:28:15 2013
>           Expiration time: Tue Jul  7 18:28:15 2015
>       Fingerprints:
>           SHA1: EB:8E:EA:3A:BC:3A:1D:6C:C4:80:5F:FB:A8:24:C8:EB:C8:24:71:5D
>           MD5:  69:40:AD:DD:02:63:41:C1:67:55:34:3E:63:95:06:6A
>   --> EHLO localhost
>   <-- 250-neon.unobtanium.de Hello localhost [131.234.75.222], pleased to meet you
>   <-- 250-8BITMIME
>   <-- 250-ENHANCEDSTATUSCODES
>   <-- 250-SIZE 36700160
>   <-- 250-DSN
>   <-- 250-AUTH PLAIN LOGIN
>   <-- 250 HELP
>   --> AUTH PLAIN AGdiZQA0bjRyY2hZXw==
>
> Yes, the certificate is weird (common name does not match the host name),
> but that should not cause the smtp daemon to exit. The setup worked before
> my last update, but I can't pinpoint the previous version of OpenSMTPD
> because the maillog rotated away before I noticed the issue.
>
> What am I doing wrong here? And how can I debug this further?
>

Is this commit the culprit:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/cert.pem?rev=1.24

Re: OpenSMTPD exits with value 1 when clients attempt to authenticate

Gregor Best
Hi Remco,

On Fri, Apr 11, 2014 at 01:18:54PM +0200, Remco wrote:
> [...]
> Is this commit the culprit:
> http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/cert.pem?rev=1.24
> [...]

I think that is quite unlikely. I still have the old version of
/etc/ssl/cert.pem because I didn't see the point of removing certificate
authorities I use myself.

Also, I don't think a missing certificate authority for the server's own
certificate would cause the smtp daemon to exit, especially since it
doesn't print out any message regarding certificate validity.

--
        Gregor Best

Re: OpenSMTPD exits with value 1 when clients attempt to authenticate

Eric Faurot-3
On Fri, Apr 11, 2014 at 12:44:47PM +0200, Gregor Best wrote:
> Hi people,

Hi,

> I'm running OpenSMTPD 5.4.3 from -current on my private mail server. After a
> recent update, using authentication for sending mail causes smtpd to exit with
> exit value 1. A (stripped down) configuration that exhibits the issue is the
> following:

 [...]

>   smtpd: session_imsg: unexpected IMSG_LKA_AUTHENTICATE imsg

  [...]

Hi,

This is a fallout due to the merging of multiple processes. It's been
fixed in cvs two days ago.  Rebuild smtpd from src and you'll be
fine.

Eric.

Re: OpenSMTPD exits with value 1 when clients attempt to authenticate

Gregor Best
On Fri, Apr 11, 2014 at 03:07:02PM +0200, Eric Faurot wrote:
> [...]
> This is a fallout due to the merging of multiple processes. It's been
> fixed in cvs two days ago.
> [...]

Wonderful. Everything is back to normal now, thanks.

--
        Gregor Best