i've got two servers communicating over ssl.

comms between them work if

        /etc/pki/tls/openssl.cnf

includes

        Options = PrioritizeChaCha

but fail if 'ServerPreference' 

        (cref:

                Undocumented openssl.cnf options and PrioritizeChaCha
                https://blog.germancoding.com/2020/05/30/undocumented-openssl-cnf-options-and-prioritizechacha/

                man SSL_CONF_cmd
                        ServerPreference: use server and not client preference
                        order when determining which cipher suite, signature
                        algorithm or elliptic curve to use for an incoming
                        connection.  Equivalent to SSL_OP_CIPHER_SERVER_PREFERENCE.
                        Only used by servers.
        )

is added,

        Options = ServerPreference,PrioritizeChaCha

i'm trying to understand expected behavior, and troubleshoot

the 2 servers are

        postconf mail_version
                mail_version = 3.5.7
        dovecot --version
                2.3.10.1 (a3d0e1171)

they're on the same machine, which runs

        grep PRETTY /etc/os-release
                PRETTY_NAME="Fedora 32 (Server Edition)"
        openssl version
                OpenSSL 1.1.1g FIPS  21 Apr 2020

dovecot's configured to listen for SMTP submissions on its own submission proxy 
port 60465

dovecot then re-submits the message to postfix, on submission port 465.

the openssl cnf contains

        /etc/pki/tls/openssl.cnf
                openssl_conf = default_conf

                [default_conf]
                ssl_conf = ssl_sect

                [ssl_sect]
                system_default = system_default_sect

                [system_default_sect]
                MinProtocol = TLSv1.2
                CipherString = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
                Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256

                Options = PrioritizeChaCha

with that^^ config, message submit 

        cat ~/test.eml | msmtp -a internal testrecipi...@example.net

to dovecot:60465 succeeds.  postfix logs report no probs,

        Sep 23 13:43:36 mx postfix/submit-from-dovecot-proxy/smtpd[27325]: 
connect from internal.mx.example.com[10.0.1.50]
        Sep 23 13:43:36 mx postfix/submit-from-dovecot-proxy/smtpd[27325]: 
Trusted TLS connection established from internal.mx.example.com[10.0.1.50]: 
TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange 
X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature 
ECDSA (P-384) client-digest SHA384
        Sep 23 13:43:36 mx postfix/submit-from-dovecot-proxy/smtpd[27325]: 
4BxVWX41svzWf7g: client=internal.mx.example.com[10.0.1.50]
        Sep 23 13:43:36 mx postfix/qmgr[27295]: 4BxVWX41svzWf7g: 
from=<testsen...@example.com>, size=583, nrcpt=1 (queue active)
        Sep 23 13:43:36 mx postfix/submit-from-dovecot-proxy/smtpd[27325]: 
disconnect from internal.mx.example.com[10.0.1.50] ehlo=1 mail=1 rcpt=1 data=1 
quit=1 commands=5
        Sep 23 13:43:36 mx postfix/lmtp[27329]: 4BxVWX41svzWf7g: 
to=<testrecipi...@example.net>, relay=mx.example.com[private/dovecot-lmtp], 
delay=0.03, delays=0.01/0.01/0/0.01, dsn=2.0.0, status=sent (250 2.0.0 
<testrecipi...@example.net> kPB/Iniza1/YaQAA+IOfAw Saved)
        Sep 23 13:43:36 mx postfix/qmgr[27295]: 4BxVWX41svzWf7g: removed

and the message _is_ delivered to final destination without error. mail flows 
-- in- & out-bound -- without interruption.


OTOH, if, as mentioned above, I simply change

-               Options = PrioritizeChaCha
+               Options = ServerPreference,PrioritizeChaCha

, then otherwise-identical submission to dovecot:60465 fails,

        cat ~/test.eml | msmtp -a internal testrecipi...@example.net
                msmtp: envelope from address testsen...@example.com not 
accepted by the server
                msmtp: server message: 421 4.4.0 internal.mx.example.com Failed 
to establish relay connection
                msmtp: could not send mail (account internal from /etc/msmtprc)

and in postfix logs,

        Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: 
connect from internal.mx.example.com[10.0.1.50]
        Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: 
setting up TLS connection from internal.mx.example.com[10.0.1.50]
        Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: 
internal.mx.example.com[10.0.1.50]: TLS cipher list 
"TTLS13-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:!aNULL"
        Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: 
SSL_accept:before SSL initialization
        Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: 
SSL_accept:error in error
        Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: 
SSL_accept error from internal.mx.example.com[10.0.1.50]: -1
        Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: 
warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong 
version number:ssl/record/ssl3_record.c:331:
        Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: lost 
connection after CONNECT from internal.mx.example.com[10.0.1.50]
        Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: 
disconnect from internal.mx.example.com[10.0.1.50] commands=0/0


iiuc (?) that^^ _is_ an ssl error, reported by postfix, and preventing the send 
'tween dovecot & postfix.
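To make the postfix side of the picture easier to read when comparing the two runs, here is an added example (not part of the post, and not postfix, dovecot or OpenSSL code): a small parser that groups postfix smtpd log lines by connection and reports, per connection, whether TLS was established (protocol and cipher) or failed (the OpenSSL error code, function and reason). The sample input is the smtpd lines quoted above, re-joined onto single lines; the hint table at the top is assumed general OpenSSL knowledge about what those reason strings mean at the record layer, not a finding about this setup.

```python
import re

# Sample input: the postfix smtpd lines quoted in the post above (successful
# session pid 27325, failed session pid 27011), re-joined onto single lines.
SAMPLE_LOG = """\
Sep 23 13:43:36 mx postfix/submit-from-dovecot-proxy/smtpd[27325]: connect from internal.mx.example.com[10.0.1.50]
Sep 23 13:43:36 mx postfix/submit-from-dovecot-proxy/smtpd[27325]: Trusted TLS connection established from internal.mx.example.com[10.0.1.50]: TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384
Sep 23 13:43:36 mx postfix/submit-from-dovecot-proxy/smtpd[27325]: 4BxVWX41svzWf7g: client=internal.mx.example.com[10.0.1.50]
Sep 23 13:43:36 mx postfix/qmgr[27295]: 4BxVWX41svzWf7g: from=<testsen...@example.com>, size=583, nrcpt=1 (queue active)
Sep 23 13:43:36 mx postfix/submit-from-dovecot-proxy/smtpd[27325]: disconnect from internal.mx.example.com[10.0.1.50] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: connect from internal.mx.example.com[10.0.1.50]
Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: setting up TLS connection from internal.mx.example.com[10.0.1.50]
Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: SSL_accept error from internal.mx.example.com[10.0.1.50]: -1
Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:331:
Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: lost connection after CONNECT from internal.mx.example.com[10.0.1.50]
Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: disconnect from internal.mx.example.com[10.0.1.50] commands=0/0
"""

# "Mon DD HH:MM:SS host postfix/<service>/smtpd[<pid>]: <message>"; the
# service name is optional because plain "postfix/smtpd[...]" also occurs.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ '
    r'postfix/(?:(?P<svc>[\w-]+)/)?smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$')
ESTABLISHED_RE = re.compile(
    r'TLS connection established from (?P<peer>\S+): '
    r'(?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+)')
LIBERR_RE = re.compile(
    r'TLS library problem: error:(?P<code>[0-9A-Fa-f]+):'
    r'(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^:]+)')

# Assumed general meaning of common SSL_accept-time reason strings (what the
# OpenSSL record layer checks), offered as a pointer for what to verify next.
HINTS = {
    'wrong version number':
        'the first bytes from the peer were not a TLS record header, so the '
        'client most likely sent plaintext (for example an SMTP dialogue) on a '
        'listener that expects TLS from the first byte; check which TLS mode '
        'each side uses on this port',
    'no shared cipher':
        'client and server cipher lists do not intersect; compare CipherString '
        'and Ciphersuites on both ends',
}


def parse_tls_sessions(log_text):
    """Group smtpd log lines by (service, pid) into one record per connection."""
    sessions = []
    current = {}  # (svc, pid) -> record of the connection in progress
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # qmgr, lmtp and other non-smtpd lines are ignored
        key = (m['svc'], m['pid'])
        msg = m['msg']
        is_connect = msg.startswith('connect from ')
        if is_connect or key not in current:
            rec = {'service': m['svc'], 'pid': m['pid'], 'first_seen': m['ts'],
                   'peer': msg[len('connect from '):] if is_connect else None,
                   'tls': 'none', 'protocol': None, 'cipher': None, 'error': None}
            sessions.append(rec)
            current[key] = rec
        rec = current[key]
        est = ESTABLISHED_RE.search(msg)
        err = LIBERR_RE.search(msg)
        if est:
            rec['tls'] = 'established'
            rec['protocol'] = est['proto']
            rec['cipher'] = est['cipher']
        elif msg.startswith('SSL_accept error'):
            rec['tls'] = 'failed'
        elif err:
            rec['tls'] = 'failed'
            rec['error'] = {'code': err['code'], 'func': err['func'],
                            'reason': err['reason']}
        elif msg.startswith('disconnect from '):
            current.pop(key, None)  # an smtpd pid serves later connections too
    return sessions


def explain(rec):
    """One-line summary of a connection record, with a hint for known failures."""
    if rec['tls'] == 'established':
        return (f"pid {rec['pid']}: TLS OK, {rec['protocol']} {rec['cipher']} "
                f"from {rec['peer']}")
    if rec['tls'] == 'failed':
        reason = rec['error']['reason'] if rec['error'] else 'unknown reason'
        hint = HINTS.get(reason, 'no hint for this reason')
        return f"pid {rec['pid']}: TLS FAILED ({reason}) from {rec['peer']}; hint: {hint}"
    return f"pid {rec['pid']}: no TLS handshake logged"


if __name__ == '__main__':
    for rec in parse_tls_sessions(SAMPLE_LOG):
        print(explain(rec))
```

Run against the two sessions above it reports the first as established over TLSv1.3 with TLS_CHACHA20_POLY1305_SHA256 and the second as failed in ssl3_get_record with "wrong version number". That reason is raised by the record layer before any cipher or preference negotiation happens, which is why the parser keeps the error function and reason separately: for the troubleshooting question at the end of the post, confirming what the dovecot side actually sends on that hop (a packet capture of the first bytes after connect) is the additional information that distinguishes a negotiation problem from a plaintext-versus-TLS mismatch.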

1st, is there any reason to expect that use of "Options = ServerPreference" 
should _not_ work here?

If not, then what's a likely cause of the problem?  At this point, I'm not 
clear if this is postfix, dovecot, openssl, or some combo.

&/or, what additional info's required to determine further?
