Sunday, November 03, 2019

Re: Courier-Imap no longer accepts ssl connections after update to -current

Yes, it is (was) a permission issue.

> -----Original Message-----
> From: owner-misc@openbsd.org [mailto:owner-misc@openbsd.org] On Behalf
> Of Giovanni Bechis
> Sent: Sunday, November 03, 2019 5:22 AM
> To: misc@openbsd.org
> Subject: Re: Courier-Imap no longer accepts ssl connections after
> update to -current
>
> Theodore Wynnychenko <tmw@uchicago.edu> wrote:
> > Hi (again):
> >
> > After updating to current yesterday, and then updating all the packages
> > (using "pkg_add -vui -Dsnap"), I can no longer connect to the ssl (993) port
> > of the courier-imap server running on the system.
> >
> > Prior to the update, ssl connections were working without an issue.
> >
> it's working fine for me with:
> $ ldd /usr/local/bin/couriertls | grep ssl
> 000011ae13a38000 000011ae13a9c000 rlib 0 1 0 /usr/lib/libssl.so.48.0
> and
> OpenBSD 6.6-current (GENERIC.MP) #425: Fri Nov 1 23:49:35 MDT 2019
>
I updated this AM to be sure:

OpenBSD 6.6-current (GENERIC.MP) #427: Sat Nov 2 13:23:11 MDT 2019

# ldd /usr/local/bin/couriertls | grep ssl
0000113249966000 00001132499ca000 rlib 0 1 0 /usr/lib/libssl.so.48.1

But, I kept getting the error and no connection:
# openssl s_client -connect 127.0.0.1:993
CONNECTED(00000003)
11102104709736:error:140040E5:SSL routines:CONNECT_CR_SRVR_HELLO:ssl handshake failure:/usr/src/lib/libssl/ssl_pkt.c:585:


I then compared the prior (6.5) working courier package with the -current
one.
When I compared /usr/local/libexec/imapd-ssl.rc (and pop3d-ssl.rc), I
noticed the addition of:
56a62
> -user=_courier \

So, it seems that before the last update, couriertls ran as root, and now it
runs as _courier.

I completely understand the desire to drop root. But, in my case, my
private cert was in /etc/ssl/private.

drwx------ 2 root wheel 512B Nov 2 14:00 private
and:
-rw------- 1 root wheel 6.2K Dec 17 2016 imapd.pem

So, this was the issue for me.

I did not want to disrupt the structure of my ssl private keys too much, so
I just made a second "private" directory for courier.

drwx------ 2 _courier _courier 512B Nov 3 17:17 private-courier

Put a copy of the file there.

-rw------- 1 _courier _courier 6.2K Nov 3 17:09 imapd.pem

And updated the /etc/imap-ssl configuration:

TLS_CERTFILE=/etc/ssl/private-courier/imapd.pem
TLS_DHPARAMS=/etc/ssl/private-courier/imapd.pem

This fixed my issue (did the same for the pop3-ssl configuration).

I reviewed my notes from when I installed this (back around 5.5-5.6 - I did
not realize I was following -current for so long), and did not see a note
that couriertls required the private key to be non-root readable.

Also, the current README/config file does not inform that the cert file must
now be readable by _courier, it only indicates that it "must not be
world-readable."

I am posting this here in case someone else runs into a similar issue.

Thanks again for pointing me in the right direction.
Ted
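Added example, not part of the post or of the courier package: a small Python check that reproduces the failure described above by walking every path component of the configured TLS_CERTFILE/TLS_DHPARAMS and reporting the first one the daemon user cannot traverse or read, plus the one rule the README does state (not world-readable). The uid 1000 for _courier and the directory layouts used in the test are constructed; only check_config() touches the live filesystem.

```python
import os
import pwd
import re
from pathlib import PurePosixPath

def _perm(st_mode, file_uid, file_gid, uid, gids):
    """(read, write, exec) bits that apply to uid/gids. Root bypasses DAC,
    which is exactly why a root-only /etc/ssl/private worked before couriertls
    started dropping to _courier."""
    if uid == 0:
        return (True, True, True)
    shift = 6 if uid == file_uid else 3 if file_gid in gids else 0
    p = (st_mode >> shift) & 0o7
    return (bool(p & 4), bool(p & 2), bool(p & 1))

def first_denied(entries, uid, gids):
    """entries: [(path, st_mode, owner_uid, owner_gid), ...] from '/' down to the
    cert file. Each directory needs the search (x) bit, the file needs read;
    return the first path that fails, or None if the user can open the cert."""
    *dirs, (leaf, lmode, luid, lgid) = entries
    for path, mode, fuid, fgid in dirs:
        if not _perm(mode, fuid, fgid, uid, gids)[2]:
            return path          # e.g. drwx------ root /etc/ssl/private
    return None if _perm(lmode, luid, lgid, uid, gids)[0] else leaf

def world_readable(st_mode):
    """The rule the README does give: the key must not be world-readable."""
    return bool(st_mode & 0o004)

def tls_files(config_text):
    """Pull TLS_CERTFILE / TLS_DHPARAMS out of sh-style imapd-ssl text."""
    return dict(re.findall(r'^(TLS_CERTFILE|TLS_DHPARAMS)="?([^"\s]+)"?',
                           config_text, re.M))

def stat_chain(path):
    """Live (path, mode, uid, gid) for every component of an absolute path."""
    parts = PurePosixPath(path).parts
    chain = []
    for i in range(1, len(parts) + 1):
        p = str(PurePosixPath(*parts[:i]))
        st = os.stat(p)
        chain.append((p, st.st_mode, st.st_uid, st.st_gid))
    return chain

def check_config(config_text, username="_courier"):
    """{cert_path: first denied component or None} for the given daemon user."""
    pw = pwd.getpwnam(username)
    gids = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    return {f: first_denied(stat_chain(f), pw.pw_uid, gids)
            for f in set(tls_files(config_text).values())}
```

Run it as `python3 check.py` after reading the imapd-ssl file into check_config(); a non-None value names the directory or file to chown or copy, as was done with private-courier above.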
