View Full Version : postfix TLS problem - please help!


ryanhs
7th March 2006, 03:01
Hello, I have successfully installed howtoforge ubuntu breezy and everything is working great except smtp tls. Here is a copy of the problem from mail.log. I would very much appreciate any information that would help me with this issue. I have been trying to figure this out all day.

Mar 6 20:47:22 bbmail3 postfix/smtpd[15657]: warning: cannot get private key from file /etc/postfix/ssl/smtpd.crt
Mar 6 20:47:22 bbmail3 postfix/smtpd[15657]: warning: TLS library problem: 15657:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:642:Expecting: ANY PRIVATE KEY:
Mar 6 20:47:22 bbmail3 postfix/smtpd[15657]: warning: TLS library problem: 15657:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:709:
Mar 6 20:47:22 bbmail3 postfix/smtpd[15657]: cannot load RSA certificate and key data
Mar 6 20:47:27 bbmail3 postfix/smtpd[15657]: connect from unknown[67.50.128.80]
Mar 6 20:47:42 bbmail3 postfix/smtpd[15657]: lost connection after STARTTLS from unknown[67.50.128.80]
Mar 6 20:47:42 bbmail3 postfix/smtpd[15657]: disconnect from unknown[67.50.128.80]



Additional information:
-----------------------------------------------------------------------
ls -l /etc/postfix/ssl
total 20
-rw-r--r-- 1 root root 969 2006-03-06 20:12 cacert.pem
-rw-r--r-- 1 root root 963 2006-03-06 20:12 cakey.pem
-rw-r--r-- 1 root root 741 2006-03-06 20:11 smtpd.crt
-rw-r--r-- 1 root root 631 2006-03-06 20:11 smtpd.csr
-rw-r--r-- 1 root root 887 2006-03-06 20:11 smtpd.key
root@bbmail3:/etc/postfix#

------------------------------------------------------------------------
root@bbmail3:/etc/postfix/ssl# cat smtpd.crt
-----BEGIN CERTIFICATE-----
MIIB9TCCAV4CCQDG3QcPheHAVjANBgkqhkiG9w0BAQQFADA/MQswCQYDVQQGEwJV
UzOpkSo2VCwtCQoa7755gAmldydeOru
vacIU4Heskrv6PVj/0CWLvDhh7gvkydN0XLZMp21j22b2m8fRhuI+X9c/neesEQ0
BxV0F+ixLs+2bIMseMFBrSrCx6AuBITL9Q==
-----END CERTIFICATE-----
root@bbmail3:/etc/postfix/ssl#

NOTE: The middle of the ssl cert was removed for security.

I was not able to find any information online about the problem that I am having.

I have redone the openssl steps from:
http://howtoforge.com/perfect_setup_ubuntu_5.10_p4

falko
7th March 2006, 10:14
Hm, maybe you have a corrupt SSL cert (but you have already redone all the steps from the tutorial...). :confused:

If you don't need TLS I wouldn't use it.

ryanhs
7th March 2006, 17:34
Is there some other agent that relays the ssl cert to postfix/smtpd?

falko
7th March 2006, 23:17
How do you mean that?

paolo
9th August 2006, 22:40
Same problem here...

falko
10th August 2006, 18:27
What's the exact problem? What's in your logs?

paolo
10th August 2006, 18:46
Aug 10 18:38:24 *** postfix/smtpd[7024]: initializing the server-side TLS engine
Aug 10 18:38:24 *** postfix/smtpd[7024]: warning: cannot get private key from file /etc/postfix/newreq.pem
Aug 10 18:38:24 *** postfix/smtpd[7024]: warning: TLS library problem: 7024:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:642:Expecting: ANY PRIVATE KEY:
Aug 10 18:38:24 *** postfix/smtpd[7024]: warning: TLS library problem: 7024:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:709:
Aug 10 18:38:24 *** postfix/smtpd[7024]: cannot load RSA certificate and key data

falko
11th August 2006, 17:09
Are you using TLS to send emails? If so, does it work with "normal" SMTP?

paolo
11th August 2006, 17:30
I wanted to use TLS to receive email. Dunno if it uses TLS when sending to other SMTP servers.

falko
12th August 2006, 18:24
Dunno if it uses TLS when sending to other SMTP servers.

Please check your settings in your email client.

What's in /etc/postfix/master.cf?

mebusybody
21st August 2006, 10:56
Please check your settings in your email client.

What's in /etc/postfix/master.cf?

Hi falko,
I have the same error too.
my /etc/postfix/master.cf is below

Any hint ? Thanks
Cheers
#==================================================================
#
# Postfix master process configuration file. For details on the format
# of the file, see the Postfix master(5) manual page.
#
# ==========================================================================
# service    type  private unpriv  chroot  wakeup  maxproc command + args
#                  (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
#smtp       inet  n       -       n       -       -       smtpd
#smtp       inet  n       -       n       -       -       smtpd -v
smtp        inet  n       n       n       -       -       smtpd -v
#submission inet  n       -       n       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps      inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission inet  n       -       n       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628        inet  n       -       n       -       -       qmqpd
pickup      fifo  n       -       n       60      1       pickup
cleanup     unix  n       -       n       -       0       cleanup
qmgr        fifo  n       -       n       300     1       qmgr
ttlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite     unix  -       -       n       -       -       trivial-rewrite
bounce      unix  -       -       n       -       0       bounce
defer       unix  -       -       n       -       0       bounce
trace       unix  -       -       n       -       0       bounce
verify      unix  -       -       n       -       1       verify
flush       unix  n       -       n       1000?   0       flush
proxymap    unix  -       -       n       -       -       proxymap
smtp        unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay       unix  -       -       n       -       -       smtp
  -o fallback_relay=
#  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq       unix  n       -       n       -       -       showq
error       unix  -       -       n       -       -       error
discard     unix  -       -       n       -       -       discard
local       unix  -       n       n       -       -       local
virtual     unix  -       n       n       -       -       virtual
lmtp        unix  -       -       n       -       -       lmtp
anvil       unix  -       -       n       -       1       anvil
scache      unix  -       -       n       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop    unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus   unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1

falko
22nd August 2006, 13:17
It seems you edited that file a lot, I don't think it's the standard master.cf.

Change

smtp inet n n n - - smtpd -v

to

smtp inet n - - - - smtpd -v

and

smtp unix - - n - - smtp

to

smtp unix - - - - - smtp

and restart Postfix.

mebusybody
22nd August 2006, 13:33
Hi folks
Thanks for the tips. Problem solved after some searching.
What I did :-
1. cd /etc/postfix
2. openssl rsa -in newreq.pem -out newreq.pem.out
3. cp -p newreq.pem.out newreq.pem
4. /etc/init.d/postfix restart

Question is why I need to execute step 2. Please enlighten me

Cheers

paolo
3rd October 2006, 13:25
Hi folks
Thanks for the tips. Problem solved after some searching.
What I did :-
1. cd /etc/postfix
2. openssl rsa -in newreq.pem -out newreq.pem.out
3. cp -p newreq.pem.out newreq.pem
4. /etc/init.d/postfix restart

Question is why I need to execute step 2. Please enlighten me

Cheers

That didn't work for me:
# openssl rsa -in newreq.pem -out newreq.pem.out
unable to load Private Key
2627:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:642:Expecting: ANY PRIVATE KEY

So it's not a mail.cf issue, as I copied it from the tutorial :\

falko
4th October 2006, 17:54
You can try to regenerate the cert exactly as shown in the tutorial.

dabro
4th October 2006, 18:04
I'm having the same problems, these errors show up repeatedly in the mail log:

warning: cannot get certificate from file /etc/postfix/ssl/smtpd.cert
warning: TLS library problem: 718:error:02001002:system library:fopen:No such file or directory:bss_file.c:349:fopen('/etc/postfix/ssl/smtpd.cert','r'):
warning: TLS library problem: 718:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:351:
warning: TLS library problem: 718:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:ssl_rsa.c:720:
cannot load RSA certificate and key data

Any help in correcting this would be appreciated.
BTW I'm using ISPConfig ver 2.2 on Fed Core 5 Perfect Install.
Thanks

falko
5th October 2006, 16:57
Have a look at my previous post.

wapa17
3rd March 2007, 01:55
Hi all,

Sometimes it seems we don't see the wood because of a lot of trees ;-)
I searched days and nights to solve the TLS-library problem too - although Postfix is running well.
Ok.. and here is the solution:

1.) rebuild the key as falko and the tutorial said.
2.) send and receive one mail.
3.) the warning-message says:
Mar 2 19:25:53 mail postfix/smtpd[28338]: warning: cannot get certificate from file /etc/postfix/ssl/smtpd.crt
Mar 2 19:25:53 mail postfix/smtpd[28338]: warning: TLS library problem: 28338:error:02001002:system library:fopen:No such file or directory:bss_file.c:278:fopen('/etc/postfix/ssl/smtpd.crt','r'):

4.) cd /etc/postfix/ssl
5.) have a look at the file names: You have a smtp.crt AND NOT a smtpd.crt !!
Solution quick and dirty: cp smtp.crt smtpd.crt

..and you are done...

..by the way: congratulations for the great work of falko & co !
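Every failure in this thread comes down to what OpenSSL finds in the two files named by smtpd_tls_cert_file and smtpd_tls_key_file: ryanhs's smtpd looked for the private key inside smtpd.crt (Postfix's smtpd_tls_key_file defaults to the value of smtpd_tls_cert_file, so an unset key parameter sends smtpd to the certificate file), paolo's newreq.pem contained no private key block at all (which is exactly what "no start line ... Expecting: ANY PRIVATE KEY" means, both in the Postfix log and from openssl rsa), dabro's and wapa17's certificate path named a file that did not exist, and the openssl rsa rewrite in mebusybody's step 2 writes an unencrypted copy of a key, which is one reason that step can be needed: smtpd has no way to type a passphrase. The checker below is an added example for this thread, not code from any poster, from the howtoforge tutorial or from Postfix. It classifies the files from their PEM markers alone, so it needs only a POSIX shell and grep; when openssl happens to be installed it additionally confirms that the certificate's public key matches the private key. The sample files it builds are constructed fixtures with dummy bodies that only reproduce the markers of each case.

```shell
#!/bin/sh
# Added diagnostic for the "cannot load RSA certificate and key data" errors
# in this thread. Not from the howtoforge tutorial or from Postfix; it reads
# only the PEM markers in the files Postfix names, so it needs just sh + grep.

# classify_key_file FILE: print one word saying what OpenSSL will find.
#   ok          unencrypted "BEGIN ... PRIVATE KEY" block present
#   encrypted   key is passphrase-protected; smtpd cannot type a passphrase,
#               and "openssl rsa -in FILE -out FILE.out" writes a copy without it
#   cert-only   a certificate but no key: ryanhs's log, where smtpd looked for
#               the key in smtpd.crt (smtpd_tls_key_file defaults to the cert file)
#   no-pem-key  readable but no private key block at all; OpenSSL reports
#               "no start line ... Expecting: ANY PRIVATE KEY"
#   missing     file absent or unreadable ("fopen ... No such file or directory")
classify_key_file() {
    if [ ! -r "$1" ]; then
        echo missing
    elif grep -q 'Proc-Type: 4,ENCRYPTED' "$1" \
        || grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted
    elif grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"; then
        echo ok
    elif grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo cert-only
    else
        echo no-pem-key
    fi
}

# classify_cert_file FILE: ok | no-pem-cert | missing
classify_cert_file() {
    if [ ! -r "$1" ]; then
        echo missing
    elif grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo ok
    else
        echo no-pem-cert
    fi
}

# check_postfix_tls CERT [KEY]: apply Postfix's defaulting rule (no KEY means
# "use CERT"), report both verdicts, succeed only when both files would load.
check_postfix_tls() {
    cpt_cert=$1
    cpt_key=${2:-$1}
    cpt_cv=$(classify_cert_file "$cpt_cert")
    cpt_kv=$(classify_key_file "$cpt_key")
    echo "cert $cpt_cert: $cpt_cv"
    echo "key  $cpt_key: $cpt_kv"
    # With openssl available, also catch a certificate issued for a different key.
    if [ "$cpt_cv" = ok ] && [ "$cpt_kv" = ok ] && command -v openssl >/dev/null 2>&1; then
        cpt_cpub=$(openssl x509 -noout -pubkey -in "$cpt_cert" 2>/dev/null || true)
        cpt_kpub=$(openssl pkey -pubout -in "$cpt_key" 2>/dev/null || true)
        if [ -n "$cpt_cpub" ] && [ "$cpt_cpub" != "$cpt_kpub" ]; then
            echo "note: certificate public key does not match the private key"
        fi
    fi
    [ "$cpt_cv" = ok ] && [ "$cpt_kv" = ok ]
}

# make_samples: constructed fixtures that mimic the thread's files. The
# base64 bodies are dummies, not real key material; only the markers matter.
make_samples() {
    ms_dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBdummyCertBody' \
        '-----END CERTIFICATE-----' >"$ms_dir/smtpd.crt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIICdummyKeyBody' \
        '-----END RSA PRIVATE KEY-----' >"$ms_dir/smtpd.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' '' 'dummyEncryptedBody' \
        '-----END RSA PRIVATE KEY-----' >"$ms_dir/encrypted.key"
    printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' 'MIIBdummyCsrBody' \
        '-----END CERTIFICATE REQUEST-----' >"$ms_dir/newreq.pem"
    echo "$ms_dir"
}

SAMPLES=$(make_samples)
# ryanhs: key file not set, so smtpd looks for the key inside smtpd.crt
check_postfix_tls "$SAMPLES/smtpd.crt"
# paolo: a stand-in newreq.pem that, like his, holds no private key block
check_postfix_tls "$SAMPLES/smtpd.crt" "$SAMPLES/newreq.pem"
# dabro / wapa17: the configured certificate path names a file that is not there
check_postfix_tls "$SAMPLES/smtpd.cert" "$SAMPLES/smtpd.key"
# a passphrase-protected key, the case "openssl rsa -in ... -out ..." repairs
check_postfix_tls "$SAMPLES/smtpd.crt" "$SAMPLES/encrypted.key"
# the working pair
check_postfix_tls "$SAMPLES/smtpd.crt" "$SAMPLES/smtpd.key" && echo "TLS files look loadable"
```

On a real server, run it against the values Postfix actually uses rather than guessed paths: `check_postfix_tls "$(postconf -h smtpd_tls_cert_file)" "$(postconf -h smtpd_tls_key_file)"`. A "cert-only" verdict for the key means setting smtpd_tls_key_file explicitly; "encrypted" means rewriting the key without its passphrase and keeping that file root-only readable (the 0644 modes in ryanhs's listing expose smtpd.key and cakey.pem to every local user); "missing" usually means a name mismatch such as smtp.crt versus smtpd.crt.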