nabbisen

Posted on • Edited on • Originally published at obsd.solutions

OpenSMTPD: How to debug - OpenBSD's smtpd failed to start

This post is about:

```
# smtpd -dv -Tlookup
```

I wrote about how to debug rcctl and find why an error occurs in OpenBSD last year:

rcctl: How to debug on OpenBSD 6.4

The -d option is still useful to me as well.
But it's sometimes insufficient.

I have been managing my mail server with OpenSMTPD.
One day, after several months had passed, the smtpd daemon on my mail server began to fail:

```
# rcctl restart smtpd
smtpd(failed)
```

It happened when I did some operations which seemed unrelated to smtpd.
I checked smtpd.conf, but nothing became clear.
But I thought it was time not to judge a book by its cover.
So I debugged rcctl:

```
# rcctl -d restart smtpd
```

The result was:

```
doing _rc_parse_conf
doing _rc_quirks
smtpd_flags empty, using default ><
doing _rc_parse_conf /var/run/rc.d/smtpd
doing _rc_quirks
doing _rc_parse_conf
doing _rc_quirks
smtpd_flags empty, using default ><
doing _rc_parse_conf /var/run/rc.d/smtpd
doing _rc_quirks
doing rc_check
doing _rc_parse_conf
doing _rc_quirks
smtpd_flags empty, using default ><
doing _rc_parse_conf /var/run/rc.d/smtpd
doing _rc_quirks
doing rc_check
smtpd
doing rc_start
doing _rc_wait start
doing rc_check
doing _rc_rm_runfile
(failed)
```

Is there any important information?
I couldn't find any.

Well, where there's a will, there's a way.
There is smtpd.8, which provides the way!

```
# smtpd -dv -Tlookup
```

The result was:

```
debug: init ssl-tree
info: loading pki information for mail.mana.casa
debug: init ca-tree
debug: init ssl-tree
info: loading pki keys for mail.mana.casa
warn: /etc/letsencrypt/live/mail.harvest.mana.casa/privkey.pem: insecure permissions: must be at most rwxr-----
smtpd: load_pki_keys: failed to load key file
```

I found the reason in the last 2 lines:

permissions: must be at most rwxr-----
smtpd: load_pki_keys: failed to load key file

The permissions of the key file were wrong, because they were changed accidentally to insecure rwxr-xr-x (755) when I ran certbot renew!
This GitHub issue was helpful.

I changed the permissions:

```
# chmod go-x <my-key>
# chmod go-r <my-key>
```

Then I got a good output 🙂

```
# rcctl restart smtpd
smtpd(ok)
```
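The failure above can be caught before the restart. The following script is an added example, not part of the original post or of OpenSMTPD: it checks key files against the limit quoted in the warning (`rwxr-----`), and its function names and the script name in the usage comment are hypothetical.

```sh
#!/bin/sh
# Added example: check TLS key permissions before restarting smtpd.
# Limit taken from the warning above: "must be at most rwxr-----",
# i.e. no group write/execute and nothing at all for others.

# Print the permission bits of $1 in octal, e.g. 755.
key_mode() {
    # -L follows symlinks (certbot's live/ entries are symlinks).
    # GNU stat takes -c, BSD stat (OpenBSD) takes -f; try both.
    stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1" 2>/dev/null
}

# Return 0 if $1 is within rwxr-----, 1 if wider, 2 if it cannot be read.
key_perms_ok() {
    mode=$(key_mode "$1") || return 2
    # Pad so short modes such as "0" or "40" still have three digits.
    case "00$mode" in
        *[0-7][04]0) return 0 ;;  # group: none or read-only; others: none
        *)           return 1 ;;
    esac
}

# Check each path; the status is non-zero if any key would be refused.
check_keys() {
    rc=0
    for key in "$@"; do
        st=0
        key_perms_ok "$key" || st=$?
        case $st in
            0) echo "ok:       $key" ;;
            1) echo "insecure: $key (mode $(key_mode "$key"), limit 740)"; rc=1 ;;
            *) echo "missing:  $key"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Usage: sh check-keys.sh <my-key> ... && rcctl restart smtpd
if [ "$#" -gt 0 ]; then
    check_keys "$@"
fi
```

Running it after each `certbot renew` reports a widened key mode before smtpd refuses to start.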

Thank you for reading.
Happy computing.
