
Debugging OpenSMTPD: OpenBSD's smtpd failed when starting

Heddi Nabbisen

This post is about:

# smtpd -dv -Tlookup

I wrote about how to debug rcctl and find why an error occurs in OpenBSD last year:

The -d option is still useful to me as well.
But it's sometimes insufficient.

I have managed my mail server using OpenSMTPD.
Several months later, the smtpd daemon on my mail server began to fail:

# rcctl restart smtpd
smtpd(failed)

It was when I did some operations which seemed unrelated to smtpd.
I checked smtpd.conf, but nothing became clear.
But I thought it was time not to judge a book by its cover.
So I debugged rcctl:

# rcctl -d restart smtpd

The result was:

doing _rc_parse_conf
doing _rc_quirks
smtpd_flags empty, using default ><
doing _rc_parse_conf /var/run/rc.d/smtpd
doing _rc_quirks
doing _rc_parse_conf
doing _rc_quirks
smtpd_flags empty, using default ><
doing _rc_parse_conf /var/run/rc.d/smtpd
doing _rc_quirks
doing rc_check
doing _rc_parse_conf
doing _rc_quirks
smtpd_flags empty, using default ><
doing _rc_parse_conf /var/run/rc.d/smtpd
doing _rc_quirks
doing rc_check
smtpd
doing rc_start
doing _rc_wait start
doing rc_check
doing _rc_rm_runfile
(failed)

Is there any important information?
I couldn't find any.

Well, where there's a will, there's a way.
There is smtpd(8), which provides the way!

# smtpd -dv -Tlookup

The result was:

debug: init ssl-tree
info: loading pki information for mail.mana.casa
debug: init ca-tree
debug: init ssl-tree
info: loading pki keys for mail.mana.casa
warn:  /etc/letsencrypt/live/mail.harvest.mana.casa/privkey.pem: insecure permissions: must be at most rwxr----- 
smtpd: load_pki_keys: failed to load key file

I found the reason in the last 2 lines:

permissions: must be at most rwxr-----
smtpd: load_pki_keys: failed to load key file

The permissions of the key file were wrong, because they were changed accidentally to insecure rwxr-xr-x (755) when I ran certbot renew!
This GitHub issue was helpful.

I changed the permissions:

# chmod go-x <my-key>
# chmod go-r <my-key>
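The warning in the smtpd output states the rule exactly: the key file may have at most rwxr----- (0740), so nothing for "other" and no write or execute for "group". Because a later certbot renew can loosen the mode again, the check is worth automating. The following shell helper is an added example, not code from the post, from OpenSMTPD or from certbot: it encodes that rule as a test, tightens a key to rw------- (the same result as the two chmod commands above), and reports on every privkey.pem under the certbot live/ directory, which goes beyond the single key discussed in the post. It assumes the /etc/letsencrypt/live/<name>/privkey.pem layout from the post, that those files are symlinks into archive/ (so the real file's mode is what matters), and stat(1) from either OpenBSD or GNU coreutils.

```shell
#!/bin/sh
# Hypothetical helper (not part of OpenSMTPD or certbot): check that TLS
# private keys are no more open than rwxr----- (0740), the limit smtpd
# enforces when loading pki keys, and tighten them if needed.

# Print a file's permission bits in octal, e.g. "755".
# -L follows symlinks: certbot's live/privkey.pem points into archive/,
# and the target's mode is the one smtpd complains about.
key_mode() {
    case "$(uname)" in
        OpenBSD) stat -L -f '%OLp' "$1" ;;   # OpenBSD stat(1): low (permission) field, octal
        *)       stat -L -c '%a' "$1" ;;     # GNU stat(1) fallback for Linux hosts
    esac
}

# Return 0 when the mode has no bits outside rwxr----- (0740), 1 when it
# does, 2 when the file cannot be stat'ed.
key_mode_ok() {
    mode=$(key_mode "$1") || return 2
    # 037 = group write + group execute + all "other" bits: exactly the
    # bits smtpd rejects. Leading 0 makes the arithmetic treat it as octal.
    [ $(( 0$mode & 0037 )) -eq 0 ]
}

# Tighten a key to rw------- (0600), the post's "chmod go-x; chmod go-r"
# applied to a 755 file, as a single chmod, then re-check it.
fix_key_mode() {
    chmod u=rw,go= "$1" && key_mode_ok "$1"
}

# Report every certbot key under a live/ directory; exit non-zero if any
# key is still too open, so this can run from cron or as a certbot
# post-renewal hook before smtpd is restarted.
check_all_keys() {
    dir=${1:-/etc/letsencrypt/live}
    rc=0
    for key in "$dir"/*/privkey.pem; do
        [ -e "$key" ] || continue        # no match: the glob stays literal
        if key_mode_ok "$key"; then
            echo "ok       $(key_mode "$key") $key"
        else
            echo "INSECURE $(key_mode "$key") $key"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh keyperms.sh --check [live-dir]
if [ "${1:-}" = "--check" ]; then
    check_all_keys "${2:-}"
fi
```

Run it with `--check` after every renewal; a non-zero exit means at least one key would make smtpd fail with the same "insecure permissions" warning shown above, and `fix_key_mode` on the reported path restores a mode smtpd accepts.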

Then I got a good output 🙂

# rcctl restart smtpd
smtpd(ok)

Thank you for reading.
Happy computing.

Posted on Jul 20 '19 by Heddi Nabbisen (@nabbisen)

An ICT designer/developer and a security monk. "With a cool brain and a warm heart", I am challenging unsolved problems in our society. I use OpenBSD/Rust/etc.
