OpenSMTPD 6.5: How to debug - OpenBSD's smtpd failed to start

@nabbisen

This post is about:

# smtpd -dv -Tlookup

I wrote about how to debug rcctl and find why an error occurs in OpenBSD last year:

rcctl: How to debug on OpenBSD 6.4

The -d option is still useful to me as well. But it’s sometimes insufficient.

I have been managing my mail server with OpenSMTPD. One day, after several months had passed, the smtpd daemon on my mail server began to fail:

# rcctl restart smtpd
smtpd(failed)

It happened when I did some operations which seemed unrelated to smtpd. I checked smtpd.conf but nothing became clear. But I thought it was time not to judge a book by its cover. So I debugged rcctl:

# rcctl -d restart smtpd

The result was:

doing _rc_parse_conf
doing _rc_quirks
smtpd_flags empty, using default ><
doing _rc_parse_conf /var/run/rc.d/smtpd
doing _rc_quirks
doing _rc_parse_conf
doing _rc_quirks
smtpd_flags empty, using default ><
doing _rc_parse_conf /var/run/rc.d/smtpd
doing _rc_quirks
doing rc_check
doing _rc_parse_conf
doing _rc_quirks
smtpd_flags empty, using default ><
doing _rc_parse_conf /var/run/rc.d/smtpd
doing _rc_quirks
doing rc_check
smtpd
doing rc_start
doing _rc_wait start
doing rc_check
doing _rc_rm_runfile
(failed)

Is there any important information? I couldn’t find any.

Well, where there’s a will, there’s a way. The smtpd(8) manual provides the way!

# smtpd -dv -Tlookup

The result was:

debug: init ssl-tree
info: loading pki information for mail.mana.casa
debug: init ca-tree
debug: init ssl-tree
info: loading pki keys for mail.mana.casa
warn:  /etc/letsencrypt/live/mail.harvest.mana.casa/privkey.pem: insecure permissions: must be at most rwxr----- 
smtpd: load_pki_keys: failed to load key file

I found the reason in the last 2 lines:

permissions: must be at most rwxr-----
smtpd: load_pki_keys: failed to load key file

The permissions of the key file were wrong, because they were changed accidentally to insecure rwxr-xr-x (755) when I ran certbot renew! This GitHub issue was helpful.

I changed the permissions:

# chmod go-x <my-key>
# chmod go-r <my-key>

Then I got a good output 🙂

# rcctl restart smtpd
smtpd(ok)
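
To catch this before a restart fails, for example after a certificate renewal, the check below tests key files against the rwxr----- ceiling named in the warning above. It is an added example, not part of the original post or of OpenSMTPD; the function names key_mode_ok and check_keys are made up for illustration, and the rule it applies is taken from the warning text, not from smtpd's source.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the
# "insecure permissions: must be at most rwxr-----" failure shown above.

# key_mode_ok FILE
#   0 = mode is within rwxr----- (no group w/x, nothing for other)
#   1 = regular file, but mode is wider than that
#   2 = missing, unreadable path, or not a regular file
key_mode_ok() {
    # -L follows symlinks: certbot's live/ entries are links into archive/,
    # and both chmod and open() act on the link's target.
    line=$(ls -ldL -- "$1" 2>/dev/null) || return 2
    case $line in
        -????-----*) return 0 ;;   # owner: any, group: r at most, other: none
        -*)          return 1 ;;
        *)           return 2 ;;
    esac
}

# check_keys FILE...  prints one status line per file; returns 1 if any
# file would be rejected, so it can gate a restart.
check_keys() {
    bad=0
    for f in "$@"; do
        rc=0
        key_mode_ok "$f" || rc=$?
        case $rc in
            0) echo "ok        $f" ;;
            1) echo "too open  $f" ;;
            *) echo "unusable  $f" ;;
        esac
        [ "$rc" -eq 0 ] || bad=1
    done
    return "$bad"
}

# Run against paths given on the command line, e.g. the pki key files
# named in smtpd.conf (paths are the caller's; none are assumed here).
if [ "$#" -gt 0 ]; then
    check_keys "$@"
fi
```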

Thank you for reading. Happy computing.


Comments and feedback are welcome and appreciated.