Re: OpenSMTPd stops after connection errors

2020-07-18 Thread
Hi again,

While working on smtpd, I realized that my openssl[0] tests were failing
too. Obviously, the cipher info is empty.

openssl s_client -connect my_IP:25 -starttls smtp -tls1_1

...
...
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.1
Cipher: 
Session-ID:
Session-ID-ctx:
Master-Key:
Start Time: 1595094409
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
---
...

Related log lines from "/var/log/maillog"
Jul 18 21:28:42 volgograd smtpd[32258]: d680225f58ddc566 smtp connected address=XX.YY.ZZ.QQ host=mx.domainname.com
Jul 18 21:28:42 volgograd smtpd[32258]: d680225f58ddc566 smtp disconnected reason="io-error: error:140270C1:SSL routines:ACCEPT_SR_CLNT_HELLO_C:no shared cipher"

As you can see in the above output, there is no selected cipher for this
conversation ("Cipher:" and "New, (NONE), Cipher is (NONE)").
I'm trying to understand what is happening here but could not find any
clue. The smtpd.conf man page says there is a default set of ciphers for
SSL/TLS connections.
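The maillog lines above already carry what a defender needs to spot this failure mode without probing the server again. The following is an added example, not code from the thread or from OpenSMTPD: it parses such lines, joins the "connected" and "disconnected" events by session id, and unpacks the packed error code 140270C1 into its library/function/reason fields (20 = ERR_LIB_SSL, 193 = SSL_R_NO_SHARED_CIPHER). The sample log is constructed; the addresses and hostnames in it are placeholders, not values from the thread.

```python
import re
from collections import Counter

# Constructed sample in the maillog format quoted in the thread (the mail
# client wrapped the originals; each record here is one line). Addresses
# and hostnames are documentation placeholders, not values from the thread.
SAMPLE_LOG = """\
Jul 18 21:28:42 volgograd smtpd[32258]: d680225f58ddc566 smtp connected address=198.51.100.7 host=mx.example.net
Jul 18 21:28:42 volgograd smtpd[32258]: d680225f58ddc566 smtp disconnected reason="io-error: error:140270C1:SSL routines:ACCEPT_SR_CLNT_HELLO_C:no shared cipher"
Jul 18 21:30:01 volgograd smtpd[32258]: 0a1b2c3d4e5f6071 smtp connected address=203.0.113.9 host=relay.example.org
Jul 18 21:30:05 volgograd smtpd[32258]: 0a1b2c3d4e5f6071 smtp disconnected reason=quit
"""

# One smtpd event: 16-hex-digit session id, event name, free-form remainder.
EVENT_RE = re.compile(
    r"smtpd\[\d+\]: (?P<sid>[0-9a-f]{16}) smtp (?P<event>\w+)(?: (?P<rest>.*))?$")
# OpenSSL/LibreSSL error string: error:<8 hex>:<library>:<function>:<reason text>
ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<text>[^\"]*)")

ERR_LIB_SSL = 20              # ERR_LIB_SSL in OpenSSL and LibreSSL
SSL_R_NO_SHARED_CIPHER = 193  # SSL_R_NO_SHARED_CIPHER

def decode_err_code(code_hex):
    """Split a packed error code into its 8-bit library, 12-bit function
    and 12-bit reason fields (the classic OpenSSL error-code layout)."""
    code = int(code_hex, 16)
    return {"lib": code >> 24, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF}

def tls_failures(log_text):
    """Return one record per session that ended with an SSL-library io-error,
    carrying the peer address/host seen on its 'connected' line."""
    peers, failures = {}, []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        sid, event, rest = m.group("sid"), m.group("event"), m.group("rest") or ""
        if event == "connected":
            peers[sid] = dict(re.findall(r"(\w+)=(\S+)", rest))
        elif event == "disconnected":
            e = ERR_RE.search(rest)
            if e is None:                       # clean quit, timeout, etc.
                continue
            fields = decode_err_code(e.group("code"))
            if fields["lib"] != ERR_LIB_SSL:    # only TLS-layer failures
                continue
            failures.append({"sid": sid, "reason_code": fields["reason"],
                             "reason_text": e.group("text"), **peers.get(sid, {})})
    return failures

def failures_by_reason(log_text):
    """Count SSL disconnect reasons: a spike in 'no shared cipher' after a
    config or library change is the signal to look for."""
    return Counter(f["reason_text"] for f in tls_failures(log_text))
```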


Re: OpenSMTPd stops after connection errors

2020-07-17 Thread
Hi again,

I tried to run smtpd in debug mode with the command below.
smtpd -d -v -f /etc/mail/smtpd.conf

Here is the nmap command and its output.
nmap -sV -Pn -p 25,587 --version-intensity 8 --script ssl-enum-ciphers XX.YY.ZZ.QQ
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-17 21:26 +03
Nmap scan report for mx.podworin.com (XX.YY.ZZ.QQ)
Host is up (0.59s latency).

PORT    STATE SERVICE VERSION
25/tcp  open  smtp    OpenSMTPD
587/tcp open  smtp    OpenSMTPD
Service Info: Host: volgograd.podworin.com

Here is the output produced by the smtpd process while running in debug mode.

debug: init ssl-tree
info: loading pki information for mx.domainname.tld
debug: init ca-tree
debug: init ssl-tree
info: loading pki keys for mx.domainname.tld
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
info: OpenSMTPD 6.7.0 starting
debug: init ssl-tree
info: loading pki information for mx.domainname.tld
debug: init ca-tree
debug: init ssl-tree
info: loading pki keys for mx.domainname.tld
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
setup_peer: klondike -> control[27654] fd=4
setup_peer: klondike -> pony express[70123] fd=5
setup_done: ca[55696] done
debug: init ssl-tree
info: loading pki information for mx.domainname.tld
debug: init ca-tree
debug: init ssl-tree
info: loading pki keys for mx.domainname.tld
debug: init ssl-tree
info: loading pki information for mx.domainname.tld
debug: init ca-tree
debug: init ssl-tree
info: loading pki keys for mx.domainname.tld
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
setup_peer: queue -> control[27654] fd=4
setup_peer: queue -> pony express[70123] fd=5
setup_peer: queue -> lookup[20361] fd=6
setup_peer: queue -> scheduler[34042] fd=7
setup_proc: klondike done
debug: init ssl-tree
info: loading pki information for mx.domainname.tld
debug: init ca-tree
debug: init ssl-tree
info: loading pki keys for mx.domainname.tld
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
setup_peer: control -> klondike[55696] fd=4
setup_peer: control -> lookup[20361] fd=5
setup_peer: control -> pony express[70123] fd=6
setup_peer: control -> queue[15276] fd=7
setup_peer: control -> scheduler[34042] fd=8
setup_done: control[27654] done
debug: init ssl-tree
info: loading pki information for mx.domainname.tld
debug: init ca-tree
debug: init ssl-tree
info: loading pki keys for mx.domainname.tld
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
setup_peer: pony express -> control[27654] fd=4
setup_peer: pony express -> klondike[55696] fd=5
setup_peer: pony express -> lookup[20361] fd=6
setup_peer: pony express -> queue[15276] fd=7
debug: init ssl-tree
info: loading pki information for mx.domainname.tld
debug: init ca-tree
debug: init ssl-tree
info: loading pki keys for mx.domainname.tld
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
setup_peer: scheduler -> control[27654] fd=4
setup_peer: scheduler -> queue[15276] fd=5
setup_proc: control done
debug: using "fs" queue backend
debug: using "ramqueue" scheduler backend
debug: using "ram" stat backend
setup_peer: lookup -> control[27654] fd=4
setup_peer: lookup -> pony express[70123] fd=5
setup_peer: lookup -> queue[15276] fd=6
setup_done: lka[20361] done
setup_proc: pony express done
setup_done: pony[70123] done
setup_proc: queue done
setup_done: queue[15276] done
setup_proc: scheduler done
debug: bounce warning after 4h
setup_done: scheduler[34042] done
smtpd: setup done
setup_proc: lookup done
debug: rsa_engine_init: using RSA privsep engine
debug: ecdsa_engine_init: using ECDSA privsep engine
debug: parent_send_config_ruleset: reloading
debug: parent_send_config: configuring pony process
debug: parent_send_config: configuring ca process
debug: smtp: listen on [::1] port 25 flags 0x2401 pki "mx.domainname.tld" ca ""
debug: smtp: listen on [fe80::1%lo0] port 25 flags 0x2401 pki "mx.domainname.tld" ca ""
debug: smtp: listen on 127.0.0.1 port 25 flags 0x2401 pki "mx.domainname.tld" ca ""
debug: smtp: listen on XX.YY.ZZ.QQ port 25 flags 0x2401 pki "mx.domainname.tld" ca ""
debug: smtp: listen on [::1] port 587 flags 0x2469 pki "mx.domainname.tld" ca ""
debug: smtp: listen on [fe80::1%lo0] port 587 flags 0x2469 pki "mx.domainname.tld" ca ""
debug: smtp: listen on 127.0.0.1 port 587 flags 0x2469 pki "mx.domainname.tld" ca ""
debug: smtp: listen on XX.YY.ZZ.QQ port 587 flags 0x2469 pki "mx.domainname.tld" ca ""
debug: pony: rsae_init
debug: pony: rsae_init
debug: smtp: will accept at most 498 clients
debug: init private ssl-tree
debug: queue: done loading queue into scheduler
debug: smtpd: scanning offline queue...
debug: smtpd: offline scanning done
7b4d1af8fd21be6d smtp connected address=XX.YY.ZZ.QQ host=mx.domainname.tld
7b

Re: OpenSMTPd stops after connection errors

2020-07-17 Thread
Hi Todd,

I'm using the command below [0].
[0] nmap  --script ssl-enum-ciphers -p 25 XX.YY.ZZ.QQ

The version information of nmap  (nmap --version)
   Nmap version 7.80 ( https://nmap.org )
   Platform: x86_64-unknown-openbsd6.7
   Compiled with: liblua-5.3.5 openssl-3.1.1 libssh2-1.9.0 libz-1.2.3 libpcre-8.41 nmap-libpcap-1.9.0 nmap-libdnet-1.12 ipv6
   Compiled without:
   Available nsock engines: kqueue poll select

I used the script which comes with the nmap installation (OpenBSD
volgograd.domainname.tld 6.7 GENERIC#4 amd64).
As a demonstration, I ran the same command twice and am sharing the command
outputs here. As you can see, in my first attempt port 25 is open, and the
second time the command returns it as closed.

root@volgograd:~# date; nmap  --script ssl-enum-ciphers -p 25 XX.YY.ZZ.QQ
Fri Jul 17 20:58:51 +03 2020
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-17 20:58 +03
Nmap scan report for mx.podworin.com (149.210.164.55)
Host is up (0.43s latency).

PORT   STATE SERVICE
25/tcp open  smtp

Nmap done: 1 IP address (1 host up) scanned in 1.10 seconds

root@volgograd:~# date; nmap  --script ssl-enum-ciphers -p 25 XX.YY.ZZ.QQ
Fri Jul 17 20:58:54 +03 2020
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-17 20:58 +03
Nmap scan report for mx.podworin.com (149.210.164.55)
Host is up (0.40s latency).

PORT   STATE  SERVICE
25/tcp closed smtp

Nmap done: 1 IP address (1 host up) scanned in 0.78 seconds

I also tried your nmap command example. The results are the same.

root@volgograd:~# nmap -sV -Pn -p 25,587 --version-intensity 8 --script ssl-enum-ciphers XX.YY.ZZ.QQ
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-17 21:10 +03
Nmap scan report for mx.domainname.tld (XX.YY.ZZ.QQ)
Host is up (0.45s latency).

PORT    STATE SERVICE VERSION
25/tcp  open  smtp    OpenSMTPD
587/tcp open  smtp    OpenSMTPD
Service Info: Host: volgograd.domainname.tld

Service detection performed. Please report any incorrect results at
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.95 seconds
root@volgograd:~# nmap -sV -Pn -p 25,587 --version-intensity 8 --script ssl-enum-ciphers XX.YY.ZZ.QQ
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-17 21:10 +03
Nmap scan report for mx.domainname.tld (XX.YY.ZZ.QQ)
Host is up (0.40s latency).

PORT    STATE  SERVICE    VERSION
25/tcp  closed smtp
587/tcp closed submission

Service detection performed. Please report any incorrect results at
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.28 seconds



On Fri, 17 Jul 2020 at 17:52, Todd C. Miller wrote:

> Yes, smtpd should not die in this case.  Can you share the nmap
> command and script you are running?  I tried the following and it
> worked as expected:
>
> nmap -sV -Pn -p 25,587 --version-intensity 8 --script ssl-enum-ciphers \
> servername
>
> The server did not exit and nmap returned the list of ciphers as
> expected.  The log message:
>
> smtpd: process pony socket closed
>
> makes it sound like the smtpd pony express process crashed.
>
>  - todd
>


-- 
*There is no place like "/home"*
*Tuco (Benedicto Pacifico Juan Maria) Ramirez*


Re: OpenSMTPd stops after connection errors

2020-07-17 Thread Todd C. Miller
Yes, smtpd should not die in this case.  Can you share the nmap
command and script you are running?  I tried the following and it
worked as expected:

nmap -sV -Pn -p 25,587 --version-intensity 8 --script ssl-enum-ciphers \
servername

The server did not exit and nmap returned the list of ciphers as
expected.  The log message:

smtpd: process pony socket closed

makes it sound like the smtpd pony express process crashed.

 - todd