DEV Community

nabbisen
nabbisen

Posted on • Edited on • Originally published at obsd.solutions

OpenSMTPD: How to debug - OpenBSD's smtpd failed to start

This post is about:

# smtpd -dv -Tlookup
Enter fullscreen mode Exit fullscreen mode

I wrote about how to debug rcctl and find why an error occurs in OpenBSD last year:

rcctl: How to debug on OpenBSD 6.4

The -d option is still useful to me as well.
But it's sometimes insufficient.

I have managed my mail server using OpenSMTPD.
On the day when several months had passed since then, smtpd daemon in my mail server began to fail:

# rcctl restart smtpd
smtpd(failed)
Enter fullscreen mode Exit fullscreen mode

It was when I did some operations which seemed to indifferent from smtpd.
I checked smtpd.conf but nothing was cleared.
But I thought it was time not to judge a book by its cover.
So I debugged rcctl:

# rcctl -d restart smtpd
Enter fullscreen mode Exit fullscreen mode

The result was:

doing _rc_parse_conf
doing _rc_quirks
smtpd_flags empty, using default ><
doing _rc_parse_conf /var/run/rc.d/smtpd
doing _rc_quirks
doing _rc_parse_conf
doing _rc_quirks
smtpd_flags empty, using default ><
doing _rc_parse_conf /var/run/rc.d/smtpd
doing _rc_quirks
doing rc_check
doing _rc_parse_conf
doing _rc_quirks
smtpd_flags empty, using default ><
doing _rc_parse_conf /var/run/rc.d/smtpd
doing _rc_quirks
doing rc_check
smtpd
doing rc_start
doing _rc_wait start
doing rc_check
doing _rc_rm_runfile
(failed)
Enter fullscreen mode Exit fullscreen mode

Is there any information important?
I couldn't find any.

Well, where there's a will, there's a way.
There is smtpd.8 which provides the way!

# smtpd -dv -Tlookup
Enter fullscreen mode Exit fullscreen mode

The result was:

debug: init ssl-tree
info: loading pki information for mail.mana.casa
debug: init ca-tree
debug: init ssl-tree
info: loading pki keys for mail.mana.casa
warn:  /etc/letsencrypt/live/mail.harvest.mana.casa/privkey.pem: insecure permissions: must be at most rwxr----- 
smtpd: load_pki_keys: failed to load key file
Enter fullscreen mode Exit fullscreen mode

I found the reason in the last 2 lines:

permissions: must be at most rwxr-----
smtpd: load_pki_keys: failed to load key file

The permissions of the key file were wrong, because they were changed accidentally to insecure rwxr-xr-x (755) when I ran certbot renew!
This GitHub issue was helpful.

I changed the permissions:

# chmod go-x <my-key>
# chmod go-r <my-key>
Enter fullscreen mode Exit fullscreen mode

Then I got a good output 🙂

# rcctl restart smtpd
smtpd(ok)
Enter fullscreen mode Exit fullscreen mode

Thank you for your reading.
Happy computing.

Top comments (0)