tls plugin isn't loading correctly on 2.8.19 #2455

Closed
r3pek opened this Issue Jun 26, 2018 · 5 comments

r3pek commented Jun 26, 2018

system info

echo "Haraka | $(haraka -v)"; echo " --- | :--- "; echo "Node | $(node -v)"; echo "OS | $(uname -a)";

Haraka | Haraka.js — Version: 2.8.19
 --- | :--- 
Node | v6.14.2
OS | Linux mail.example.com 3.10.0-862.3.3.el7.x86_64 #1 SMP Fri Jun 15 04:15:27 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

echo "openssl | $(openssl version)"
openssl | OpenSSL 1.0.2k-fips 26 Jan 2017

Expected behavior

After updating from 2.8.18, server should continue to work as normal.

Observed behavior

TLS plugin fails to load correctly, with this in the logs:

Jun 26 23:34:47 mail.example.com haraka[20396]: [ERROR] [-] [core] tls key /haraka/config/etc/letsencrypt/live/mail.example.com/privkey.pem could not be loaded.
Jun 26 23:34:47 mail.example.com haraka[20396]: [ERROR] [-] [core] tls cert /haraka/config/etc/letsencrypt/live/mail.example.com/fullchain.pem could not be loaded.
[...]
Jun 27 00:10:36 mail.example.com haraka[22101]: [ERROR] [-] [tls] no valid TLS config

Steps to reproduce

Upgrade to 2.8.19 with a valid TLS config.

tls.ini as follows:

cat tls.ini

cert=/etc/letsencrypt/live/mail.example.com/fullchain.pem
key=/etc/letsencrypt/live/mail.example.com/privkey.pem
ciphers=EECDH+AESGCM:EDH+aRSA+AESGCM:EECDH+AES256:EDH+aRSA+AES256:EECDH+AES128:EDH+aRSA+AES128:RSA+AES:RSA+3DES
dhparam=tls/dhparam.pem
Member

msimerson commented Jun 26, 2018

It's a config issue. The "active" config (see path in log message) is /haraka/config/etc/... whereas the config in tls.ini (wherever that is located) shows /etc/...

r3pek commented Jun 26, 2018

@msimerson a config "parsing" issue you mean right? Because the path in the config is not relative, it's absolute, although it's being parsed as relative.

Contributor

analogic commented Jun 28, 2018

There is definitely something wrong

# freshly started haraka

$ nc localhost 587
220 mailserver ESMTP Haraka ready
EHLO test
250-mailserver Hello Unknown [127.0.0.1], Haraka is at your service.
250-PIPELINING
250-8BITMIME
250-SMTPUTF8
250 SIZE 26214400

$ echo " " >> /opt/haraka-submission/config/tls.ini
# force haraka to reload tls.ini

$ nc localhost 587
220 mailserver ESMTP Haraka ready
EHLO test
250-mailserver Hello Unknown [127.0.0.1], Haraka is at your service.
250-PIPELINING
250-8BITMIME
250-SMTPUTF8
250-SIZE 26214400
250 STARTTLS

tls.ini

[inbound]
ciphers=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
key=tls_key.pem
cert=tls_cert.pem
dhparam=dhparams.pem

[outbound]
ciphers=DEFAULT

[redis]
disable_for_failed_hosts=true
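The two nc sessions above differ only in whether STARTTLS appears in the EHLO reply, and that is the check worth automating after an upgrade. As an added example (not part of this thread and not Haraka's code), here is a parser for a multi-line SMTP reply in the RFC 5321 shape shown above (a hyphen after the code continues the reply, a space ends it) that returns the advertised extensions and flags a truncated reply; parseEhloReply and advertisesStartTls are hypothetical names chosen for this example, and the two replies are transcribed from the sessions in the comment.

```javascript
// Added example (not Haraka's own code): parse an SMTP EHLO reply and report
// whether STARTTLS is advertised. Checks reply completeness as well, so a
// cut-off reply is an error rather than a false "no STARTTLS".
function parseEhloReply(text) {
  const lines = text.split(/\r?\n/).filter((l) => l.length > 0);
  if (lines.length === 0) throw new Error('empty reply');
  const extensions = {};
  let code = null;
  let complete = false;
  lines.forEach((line, i) => {
    const m = line.match(/^(\d{3})([ -])(.*)$/);
    if (!m) throw new Error(`malformed reply line: ${JSON.stringify(line)}`);
    if (code === null) code = m[1];
    else if (m[1] !== code) throw new Error(`reply code changed from ${code} to ${m[1]}`);
    if (complete) throw new Error('data after the final reply line');
    // The first line carries the server's greeting text, not an extension.
    if (i > 0) {
      const [keyword, ...params] = m[3].trim().split(/\s+/);
      extensions[keyword.toUpperCase()] = params.join(' ');
    }
    if (m[2] === ' ') complete = true;
  });
  if (!complete) throw new Error('truncated reply: no final "<code><space>" line');
  return {
    code,
    extensions,
    startTls: code === '250' && Object.prototype.hasOwnProperty.call(extensions, 'STARTTLS'),
  };
}

function advertisesStartTls(text) {
  return parseEhloReply(text).startTls;
}

// Transcribed from the comment: before the forced tls.ini reload ...
const EHLO_BEFORE_RELOAD = [
  '250-mailserver Hello Unknown [127.0.0.1], Haraka is at your service.',
  '250-PIPELINING',
  '250-8BITMIME',
  '250-SMTPUTF8',
  '250 SIZE 26214400',
].join('\n');

// ... and after it, when STARTTLS is offered.
const EHLO_AFTER_RELOAD = [
  '250-mailserver Hello Unknown [127.0.0.1], Haraka is at your service.',
  '250-PIPELINING',
  '250-8BITMIME',
  '250-SMTPUTF8',
  '250-SIZE 26214400',
  '250 STARTTLS',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, reply] of [['before reload', EHLO_BEFORE_RELOAD], ['after reload', EHLO_AFTER_RELOAD]]) {
    const r = parseEhloReply(reply);
    console.log(`${label}: STARTTLS=${r.startTls} extensions=${Object.keys(r.extensions).join(',')}`);
  }
}
```

Feed it the reply captured from a real EHLO (for example the output of the nc session above, greeting line excluded) and alert when startTls flips to false for a server that is supposed to offer it; treating a truncated reply as an error keeps a dropped connection from being reported as "TLS disabled".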
r3pek commented Jun 28, 2018

@msimerson maybe bump version to 2.8.19.1 or just update npmjs version along with the fix?

Member

msimerson commented Jun 28, 2018

We'll just cut a new version. We have no shortage of version numbers.
