Since upgrading to 14.0-RC1 TLS connections to opensmtpd have failed. Server side the following is logged:

smtpd[45450]: e5d27e13fd324ea5 smtp connected address=192.168.122.1 host=<unknown>
smtpd[45450]: e5d27e13fd324ea5 smtp disconnected reason="io-error: error:0A080006:SSL routines::EVP lib"

Client side it fails with:

smtpd[3832]: e7c625a6ed384a93 mta error reason=IO Error: error:0A000438:SSL routines::tlsv1 alert internal error

I'm going to assume this is due to the upgrade to OpenSSL 3. I tried adding the protocols option from the OpenBSD man page https://man.openbsd.org/smtpd.conf#protocols but that doesn't appear to be an option in FreeBSD (it's not in the man page and throws a configuration error).
I got this client side output from the test command:

openssl s_client -host [hostname] -port 587 -starttls smtp

CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = [domain]
verify return:1
40E7EC9AD77F0000:error:0A000438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1586:SSL alert number 80
I am getting this problem as well with 14.0-RELEASE and opensmtp 6.8.0p1 from the pkg binaries. Looks like a similar issue to: https://bugs.launchpad.net/ubuntu/+source/opensmtpd/+bug/1969988
Same issue here. After upgrading to 14.0-RELEASE and using opensmtp 6.8.0p2 from the pkg binaries, TLS fails for receiving and sending mail. https://github.com/OpenSMTPD/OpenSMTPD/issues/1171
I am also having this issue after upgrading from FreeBSD 13.2 to 14.0. I am using claws-mail on Devuan GNU/Linux 5 (daedalus) and have the following error in the client log:

* Account 'Personal': Connecting to SMTP server: smtp.nuegia.net:587...
[2023-12-08 23:14:48] SMTP< 220 mail3.nuegia.net ESMTP OpenSMTPD
[2023-12-08 23:14:48] ESMTP> EHLO lappy.lan
[2023-12-08 23:14:48] ESMTP< 250-mail3.nuegia.net Hello lappy.lan [2001:REDACTED], pleased to meet you
[2023-12-08 23:14:48] ESMTP< 250-8BITMIME
[2023-12-08 23:14:48] ESMTP< 250-ENHANCEDSTATUSCODES
[2023-12-08 23:14:48] ESMTP< 250-SIZE 36700160
[2023-12-08 23:14:48] ESMTP< 250-DSN
[2023-12-08 23:14:48] ESMTP< 250-STARTTLS
[2023-12-08 23:14:48] ESMTP< 250 HELP
[2023-12-08 23:14:48] ESMTP> STARTTLS
[2023-12-08 23:14:48] ESMTP< 220 2.0.0 Ready to start TLS
** couldn't start STARTTLS session
*** Error occurred while sending the message.

On the server side I see this:

Dec 8 21:15:23 mail3 smtpd[74076]: f3dff929fa17beec smtp connected address=[2001:REDACTED] host=<unknown>
Dec 8 21:15:23 mail3 smtpd[74076]: f3dff929fa17beec smtp disconnected reason="io-error: error:0A080006:SSL routines::EVP lib"

# smtpd -h
version: OpenSMTPD 6.8.0p2

$ claws-mail --version
Claws Mail version 3.19.1
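The two codes quoted in the posts above (0A080006 on the server side, 0A000438 on the client side) can be decoded mechanically. The following is an added example for this thread, not code from OpenSMTPD, FreeBSD or OpenSSL. It reimplements in Python the packed error-code layout from OpenSSL 3's err.h (library number in bits 30..23, reason flags in bits 22..18, reason number in bits 17..0) together with the SSL_AD_REASON_OFFSET (1000) rule by which a TLS alert received from the peer is reported as reason 1000 + alert number. The library and alert name tables are small hand-filled subsets, and the sample lines are copied from the logs posted above.

```python
"""Decode the OpenSSL 3 packed error codes quoted in this thread.

Added example for the thread, not code from OpenSMTPD, FreeBSD or OpenSSL.
Bit layout taken from OpenSSL 3's <openssl/err.h>:

  bits 30..23  library number  (ERR_LIB_OFFSET = 23, ERR_LIB_MASK = 0xFF)
  bits 22..18  reason flags    (ERR_RFLAGS_OFFSET = 18; 0x1 = fatal, 0x2 = common)
  bits 17..0   reason number

A TLS alert received from the peer is reported with reason
SSL_AD_REASON_OFFSET (1000) + alert number, so the client's 0A000438 and
s_client's "SSL alert number 80" name the same event.  A "common" reason
whose number is itself a library number (ERR_R_<X>_LIB in err.h) means a
lower library failed locally, which is what "EVP lib" says.
"""
import re

ERR_LIB_OFFSET = 23
ERR_LIB_MASK = 0xFF
ERR_RFLAGS_OFFSET = 18
ERR_RFLAGS_MASK = 0x1F
ERR_REASON_MASK = (1 << ERR_RFLAGS_OFFSET) - 1
ERR_RFLAG_FATAL = 0x1
ERR_RFLAG_COMMON = 0x2
SSL_AD_REASON_OFFSET = 1000

# Library numbers from <openssl/err.h>; only the ones these codes need (subset).
LIBS = {6: "EVP", 20: "SSL"}

# TLS alert descriptions from RFC 5246 section 7.2 (subset).
ALERTS = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}

ERRCODE_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")
ALERT_RE = re.compile(r"SSL alert number (\d+)")


def decode(code):
    """Split a packed error code into library, flags and reason, and describe it."""
    lib = (code >> ERR_LIB_OFFSET) & ERR_LIB_MASK
    flags = (code >> ERR_RFLAGS_OFFSET) & ERR_RFLAGS_MASK
    reason = code & ERR_REASON_MASK
    info = {
        "lib": lib,
        "lib_name": LIBS.get(lib, "lib%d" % lib),
        "fatal": bool(flags & ERR_RFLAG_FATAL),
        "common": bool(flags & ERR_RFLAG_COMMON),
        "reason": reason,
        "alert": None,
        "origin": "local",
        "description": "reason %d" % reason,
    }
    if info["common"] and reason < 256:
        # ERR_R_<X>_LIB: library X failed on this host.
        info["description"] = "%s lib" % LIBS.get(reason, "lib%d" % reason)
    elif lib == 20 and SSL_AD_REASON_OFFSET <= reason < SSL_AD_REASON_OFFSET + 256:
        # The remote side sent a TLS alert; the fault is on the peer.
        alert = reason - SSL_AD_REASON_OFFSET
        info["alert"] = alert
        info["origin"] = "peer"
        info["description"] = "TLS alert %d (%s) received" % (
            alert, ALERTS.get(alert, "unknown"))
    return info


def classify_log(lines):
    """Return (hex_code, decoded) for every OpenSSL error code found in lines."""
    found = []
    for line in lines:
        for m in ERRCODE_RE.finditer(line):
            found.append((m.group(1).upper(), decode(int(m.group(1), 16))))
    return found


def local_failures(lines):
    """Hex codes that record a failure on the logging host, not a received alert."""
    return [code for code, info in classify_log(lines) if info["origin"] == "local"]


def alert_consistent(line):
    """True when a line's packed code and its 'SSL alert number N' agree; None if absent."""
    m_code, m_alert = ERRCODE_RE.search(line), ALERT_RE.search(line)
    if not (m_code and m_alert):
        return None
    return decode(int(m_code.group(1), 16))["alert"] == int(m_alert.group(1))


# Copied from the server-side and client-side logs quoted in this thread.
SAMPLE_LINES = [
    'smtpd[45450]: e5d27e13fd324ea5 smtp disconnected reason="io-error: error:0A080006:SSL routines::EVP lib"',
    "smtpd[3832]: e7c625a6ed384a93 mta error reason=IO Error: error:0A000438:SSL routines::tlsv1 alert internal error",
    "40E7EC9AD77F0000:error:0A000438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1586:SSL alert number 80",
]

if __name__ == "__main__":
    for code, info in classify_log(SAMPLE_LINES):
        print(code, info["lib_name"], info["origin"], info["description"])
    print("local failures:", local_failures(SAMPLE_LINES))
```

Run against the quoted lines, the client-side code decodes to TLS alert 80 (internal_error) received from the peer, while the server-side code is a local failure inside EVP reported through the SSL library, so the server log is where the actual failure is recorded and the client only sees the resulting alert.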
I also tried disabling tls-require but opensmtpd wouldn't let me, refusing to start the daemon with:

smtpd: invalid listen option: auth requires tls/smtps

auth does not require tls/smtps. It's perfectly capable of running over plaintext, even though that situation isn't ideal.
The release notes for this version mention there's a known regression with the TLS library and suggest using the included bundled libtls library until it is fixed. https://opensmtpd.org/announces/release-7.3.0p0.txt Interestingly enough, I couldn't find release notes for p2 and the web server hosting the release restricts listing the release note directory. I'm going to try building the port with the --with-bundled-libtls option suggested by upstream's release note. It's going to take me a long time to do this due to the Cogent-Hurricane Electric peering dispute throttling my download speed to the FreeBSD CDN to dialup speeds and the FreeBSD CDNs blocking usage of the apt-cacher-ng caching proxy for some reason. Is there any particular reason FreeBSD is using this older 7.3.0p2 version? Upstream is at 7.4.0 now and while I have not tested it, comments on GitHub suggest TLS is no longer an issue in the latest version of OpenSMTPD. If that is the case it might be worthwhile to just jump to the latest version instead of patching 7.3.0p2.
Created attachment 246946: use-bundled-libtls patch

Here's a patch that changes the port to use the bundled libtls as recommended by the release note. This patch fixes the issue and restores the ability to transfer email securely, but it may not be the best way to fix this. FreeBSD may have some rule I'm not aware of that makes use of the operating-system-provided libtls mandatory, in which case this patch wouldn't be suitable except as a stopgap measure for us to get our mail servers running again. Another thing to consider is bumping the version to the latest release by upstream, which at the time of writing is 7.4. https://www.opensmtpd.org/announces/release-7.4.0p0.txt
Created attachment 246959: Update to 7.4.0p1

I've tested upgrading to 7.4.0p1 (the changes are negligible vs p0, https://github.com/OpenSMTPD/OpenSMTPD/releases/tag/7.4.0p1) and it works fine; the attached patch updates to 7.4.0p1.
Any update on whether this is going to get upstreamed or not?