Aki Tuomi
2020-Sep-23 09:14 UTC
BUG: _presence_ of valid openssl.cnf Option = 'ServerPreference' causes Dovecot submission relay FAIL: "failed: Failed to initialize SSL: ..."
> On 22/09/2020 21:00 PGNet Dev <pgnet.dev at gmail.com> wrote:
>
> On 9/22/20 10:51 AM, Aki Tuomi wrote:
>> Well, dovecot does not actually do any parsing for system-wide openssl.cnf. This sounds more like OpenSSL issue than dovecot issue.
>
> I've NO issue with that config/setting with any _other_ app -- whether in general openssl-lib-linked usage, or specifically for a mail submitter (e.g., postfix). The ServerPreference setting is seen/respected/utilized as intended.
>
> It's ONLY Dovecot that's reproducibly firing the error, as reported above.
>
> It's also NOT a generalized openssl problem "with" Dovecot -- all (well, so far ...) _other_ crypto-/openssl-related capabilities in Dovecot are behaving normally.

Hi!

I tried to reproduce this with the config you provided. I made sure openssl uses the configuration, but alas, it works just fine for me.

Aki
PGNet Dev
2020-Sep-23 14:27 UTC
BUG: _presence_ of valid openssl.cnf Option = 'ServerPreference' causes Dovecot submission relay FAIL: "failed: Failed to initialize SSL: ..."
On 9/23/20 2:14 AM, Aki Tuomi wrote:
> I tried to reproduce this with the config you provided. I made sure openssl uses the configuration, but alas, it works just fine for me.

ugh. well, good to know.

with my full-blown configs, it's definitely reproducible here. I'll see if I can reduce this to a simple demonstrator ...
PGNet Dev
2020-Sep-24 02:45 UTC
BUG: _presence_ of valid openssl.cnf Option = 'ServerPreference' causes Dovecot submission relay FAIL: "failed: Failed to initialize SSL: ..."
On 9/23/20 7:27 AM, PGNet Dev wrote:
> I'll see if I can reduce this to a simple demonstrator ...

well, i can confirm that a CLEAN, minimal install works OK with the /etc/pki/tls/openssl.cnf spec'd above but my full/production instance FAILs. :-/ still, only on/with Dovecot submission.

on a clean Fedora 32 "Server Edition" net-iso install

    dnf install \
     dovecot \
     msmtp

    mkdir -p /home/Maildir
    /usr/libexec/dovecot/mkcert.sh

    tree /etc/pki/dovecot/
        /etc/pki/dovecot/
        ├── certs
        │   └── dovecot.pem
        ├── dovecot-openssl.cnf
        └── private
            └── dovecot.pem

    cat /etc/dovecot/local.conf
        auth_verbose = yes
        auth_debug = yes
        mail_debug = yes
        verbose_proctitle = yes
        verbose_ssl = yes

        mail_location = maildir:/home/Maildir/Maildir

        protocols = submission

        protocol submission {
          ssl_verify_client_cert = no
          auth_ssl_require_client_cert = no
          mail_plugins = $mail_plugins
        }

        service submission-login {
          inet_listener submission {
            address = 127.0.0.1
            port = 60465
            ssl = yes
          }
        }

        service submission {
        }

        submission_relay_host = smtp.fastmail.com
        submission_relay_port = 587
        submission_relay_ssl = starttls
        submission_relay_ssl_verify = no
        submission_relay_trusted = yes
        submission_relay_user = 'myexternaluser at fastmail.com'
        submission_relay_password = 'myexternalpassword'

        !include conf.d/auth-passwdfile.conf.ext

    echo "testuser:$( doveadm pw -s CRYPT -p 'testpass' ):1000:1000:/run/dovecot::/usr/sbin/nologin::" > /etc/dovecot/users

    cat /etc/dovecot/users
        testuser:{CRYPT}$2y$05$JsJ2T6LuaHUeTj8.sKzVMeIma1jccDic2z0izcXRCJsijyReWh/9q:1000:1000::::

    doveadm pw -t $( cat /etc/dovecot/users | cut -d":" -f2) -p testpass
        {CRYPT}$2y$05$eWPR2jIGnGJuGV/47AO0LekLIxetotJAxfc84.DvjEyrOHwaBcFxS (verified)

    cat /etc/pki/tls/openssl.cnf
        openssl_conf = default_conf
        [default_conf]
        ssl_conf = ssl_sect
        [ssl_sect]
        system_default = system_default_sect
        [system_default_sect]
        MinProtocol = TLSv1.2
        CipherString = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
        Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
        Options = ServerPreference,PrioritizeChaCha

testing submission

    cat /etc/msmtprc
        defaults
        logfile /var/log/msmtp.log
        from myexternaluser at fastmail.com

        account external
        host smtp.fastmail.com
        tls on
        tls_starttls on
        port 587
        auth on
        user myexternaluser at fastmail.com
        password myexternalpassword

        account internal
        host 127.0.0.1
        tls on
        tls_key_file /etc/pki/dovecot/private/dovecot.pem
        tls_cert_file /etc/pki/dovecot/certs/dovecot.pem
        tls_certcheck off
        tls_starttls off
        port 60465
        auth on
        user testuser
        password testpass

        account default : external

    cat ~/test.eml
        To: testrecipient at example.com
        From: myexternaluser at fastmail.com
        Subject: testsubject

        testbody
        EOF

works when submitting EXTERNALLY

    cat ~/test.eml | msmtp -a external testrecipient at example.com
        VERIFIED: RECEIVED OK

**AND** INTERNALLY, via dovecot submission

    cat ~/test.eml | msmtp -a internal testrecipient at example.com
        VERIFIED: RECEIVED OK

in both cases with

    Options = ServerPreference,PrioritizeChaCha

On my full/production system, similarly testing

    Options = ServerPreference

submit via dovecot submission works,

    cat ~/test.eml | msmtp -a internal testrecipient at example.com
        VERIFIED: RECEIVED OK

but with

    - Options = ServerPreference
    + Options = ServerPreference,PrioritizeChaCha

FAILs

    cat ~/test.eml | msmtp -a internal testrecipient at example.com
        msmtp: envelope from address myexternaluser at fastmail.com not accepted by the server
        msmtp: server message: 421 4.4.0 internal.mx.example.com Failed to establish relay connection
        msmtp: could not send mail (account internal from /etc/msmtprc)

as it clearly works on the 'minimal' dovecot deploy, above, I certainly can't disagree that it's something local to my production config. now to figure out what :-/

fwiw, i've asked with some further detail (errors from postfix relay host) in openssl list,

    https://mta.openssl.org/pipermail/openssl-users/2020-September/012993.html

we'll see if anything comes of it ...
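A small check, added here as an example (not code from Dovecot, OpenSSL or the poster), that follows the openssl_conf -> ssl_conf -> system_default chain of an openssl.cnf like the one above and reports which Options it sets. SSL_CONF_cmd(3) documents ServerPreference and PrioritizeChaCha as used by servers only, so a TLS client such as the submission relay connection is expected to ignore them, which is useful to keep in mind when bisecting a system-wide config like this. The sample config is constructed from the thread's, with the cipher lists omitted.

```python
import re

# Constructed sample: the system_default chain from the openssl.cnf in the thread, cipher lists omitted.
SAMPLE_CNF = """\
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
Options = ServerPreference,PrioritizeChaCha
"""

# Per SSL_CONF_cmd(3) these Options are only used by servers; a TLS client ignores them.
SERVER_ONLY_OPTIONS = {"ServerPreference", "PrioritizeChaCha"}


def parse_cnf(text):
    # Minimal openssl.cnf reader: {section: {key: value}}; keys above the first [section] land in "".
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(.+?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections


def system_default_section(sections):
    # Follow openssl_conf -> ssl_conf -> system_default; any broken link yields {}.
    sect = sections[""]
    for link in ("openssl_conf", "ssl_conf", "system_default"):
        sect = sections.get(sect.get(link) or None, {})
    return sect


def audit(text):
    # Report MinProtocol, each Option with its on/off state (a leading "-" disables), and server-only ones.
    sysdef = system_default_section(parse_cnf(text))
    opts = {}
    for tok in re.split(r"\s*,\s*", sysdef.get("Options", "").strip()):
        if tok:
            opts[tok.lstrip("-")] = not tok.startswith("-")
    server_only = sorted(n for n, on in opts.items() if on and n in SERVER_ONLY_OPTIONS)
    return {"MinProtocol": sysdef.get("MinProtocol"), "options": opts, "server_only_enabled": server_only}
```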