Core 4: Error Messages on Fresh Install re CTX/SSL

Discussion in 'Installation/Configuration' started by jjw, Sep 1, 2006.

  1. jjw

    jjw New Member

    Thank is advance to anyone reading and helping. ~jjw

    Fresh install Core 4 following perfect setup (except: I never added extra virtual IPs)

    We have a local DNS server that points correctly to the new ISPConfig-installed server.

    I set up a site, and a mail user (web1_test). I then attemtped to connect to get mail with Thunderbird, set up for secure connection. It failed, and I got similar error messages as a previous failed attempt remotely.

    Here are the errors:
    Code:
    Aug 31 18:04:58 mail postfix/postfix-script: starting the Postfix mail system
    Aug 31 18:04:58 mail postfix/master[29873]: daemon started -- version 2.2.2, con figuration /etc/postfix
    Aug 31 18:07:04 mail ipop3d[30995]: pop3 service init from 127.0.0.1
    Aug 31 18:08:15 mail ipop3d[31606]: pop3 service init from 127.0.0.1
    Aug 31 18:08:16 mail ipop3d[31606]: Login user=web1_lucifer host=localhost.local domain [127.0.0.1] nmsgs=0/0
    Aug 31 18:08:16 mail ipop3d[31606]: Command stream end of file while reading lin e user=web1_lucifer host=localhost.localdomain [127.0.0.1]
    Aug 31 18:19:47 mail ipop3d[29003]: pop3s SSL service init from 192.168.0.13
    Aug 31 18:19:47 mail ipop3d[29003]: Unable to load certificate from /usr/share/s sl/certs/ipop3d.pem, host=[192.168.0.13]
    Aug 31 18:19:47 mail ipop3d[29003]: SSL error status: error:02001002:system libr ary:fopen:No such file or directory
    Aug 31 18:19:47 mail ipop3d[29003]: SSL error status: error:20074002:BIO routine s:FILE_CTRL:system lib
    Aug 31 18:19:47 mail ipop3d[29003]: SSL error status: error:140DC002:SSL routine s:SSL_CTX_use_certificate_chain_file:system lib
    Aug 31 18:31:54 mail postfix/postfix-script: starting the Postfix mail system
    Aug 31 18:31:54 mail postfix/master[2204]: daemon started -- version 2.2.2, conf iguration /etc/postfix
    
    I then attempted a non-secure connection. It never worked, and there were no new entries in maillog. :| Matter of fact, I rebooted the system and attempted another non-secure connection. Again, nothing new added.

    Where have I erred?

    Entire maillog:
    Code:
    Aug 31 16:24:11 mail sendmail[2031]: alias database /etc/aliases rebuilt by root
    Aug 31 16:24:11 mail sendmail[2031]: /etc/aliases: 76 aliases, longest 10 bytes,  765 bytes total
    Aug 31 16:24:11 mail sendmail[2035]: starting daemon (8.13.4): SMTP+queueing@01: 00:00
    Aug 31 16:24:11 mail sm-msp-queue[2041]: starting daemon (8.13.4): queueing@01:0 0:00
    Aug 31 17:01:12 mail postfix/postfix-script: starting the Postfix mail system
    Aug 31 17:01:12 mail postfix/master[4051]: daemon started -- version 2.2.2, conf iguration /etc/postfix
    Aug 31 17:01:12 mail postfix/smtpd[4080]: connect from localhost.localdomain[127 .0.0.1]
    Aug 31 17:01:22 mail postfix/smtpd[4080]: disconnect from localhost.localdomain[ 127.0.0.1]
    Aug 31 17:29:16 mail sendmail[20178]: k7VLTGmu020178: from=root, size=822, class =0, nrcpts=1, msgid=<[email protected]>, relay=root @localhost
    Aug 31 17:29:17 mail postfix/smtpd[20179]: connect from localhost.localdomain[12 7.0.0.1]
    Aug 31 17:29:17 mail postfix/smtpd[20179]: setting up TLS connection from localh ost.localdomain[127.0.0.1]
    Aug 31 17:29:17 mail postfix/smtpd[20179]: TLS connection established from local host.localdomain[127.0.0.1]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    Aug 31 17:29:17 mail sendmail[20178]: STARTTLS=client, relay=[127.0.0.1], versio n=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
    Aug 31 17:29:17 mail postfix/smtpd[20179]: 901E676E2A9: client=localhost.localdo main[127.0.0.1], sasl_sender=[email protected]
    Aug 31 17:29:17 mail postfix/cleanup[20182]: 901E676E2A9: message-id=<2006083121 [email protected]>
    Aug 31 17:29:17 mail postfix/qmgr[4057]: 901E676E2A9: from=<[email protected] net>, size=1448, nrcpt=1 (queue active)
    Aug 31 17:29:17 mail sendmail[20178]: k7VLTGmu020178: to=root, ctladdr=root (0/0 ), delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=30822, relay=[127.0.0.1] [ 127.0.0.1], dsn=2.0.0, stat=Sent (Ok: queued as 901E676E2A9)
    Aug 31 17:29:17 mail postfix/smtpd[20179]: disconnect from localhost.localdomain [127.0.0.1]
    Aug 31 17:29:17 mail postfix/local[20183]: 901E676E2A9: to=<[email protected] net>, relay=local, delay=0, status=sent (delivered to mailbox)
    Aug 31 17:29:17 mail postfix/qmgr[4057]: 901E676E2A9: removed
    Aug 31 17:57:38 mail postfix/postfix-script: stopping the Postfix mail system
    Aug 31 17:57:38 mail postfix/master[4051]: terminating on signal 15
    Aug 31 17:57:41 mail postfix/postfix-script: starting the Postfix mail system
    Aug 31 17:57:41 mail postfix/master[14695]: daemon started -- version 2.2.2, con figuration /etc/postfix
    Aug 31 17:58:18 mail postfix/postfix-script: stopping the Postfix mail system
    Aug 31 17:58:18 mail postfix/master[14695]: terminating on signal 15
    Aug 31 17:58:19 mail postfix/postfix-script: starting the Postfix mail system
    Aug 31 17:58:19 mail postfix/master[17235]: daemon started -- version 2.2.2, con figuration /etc/postfix
    Aug 31 18:04:18 mail postfix/postfix-script: stopping the Postfix mail system
    Aug 31 18:04:18 mail postfix/master[17235]: terminating on signal 15
    Aug 31 18:04:23 mail postfix/postfix-script: starting the Postfix mail system
    Aug 31 18:04:23 mail postfix/master[29452]: daemon started -- version 2.2.2, con figuration /etc/postfix
    Aug 31 18:04:57 mail postfix/postfix-script: stopping the Postfix mail system
    Aug 31 18:04:57 mail postfix/master[29452]: terminating on signal 15
    Aug 31 18:04:58 mail postfix/postfix-script: starting the Postfix mail system
    Aug 31 18:04:58 mail postfix/master[29873]: daemon started -- version 2.2.2, con figuration /etc/postfix
    Aug 31 18:07:04 mail ipop3d[30995]: pop3 service init from 127.0.0.1
    Aug 31 18:08:15 mail ipop3d[31606]: pop3 service init from 127.0.0.1
    Aug 31 18:08:16 mail ipop3d[31606]: Login user=web1_lucifer host=localhost.local domain [127.0.0.1] nmsgs=0/0
    Aug 31 18:08:16 mail ipop3d[31606]: Command stream end of file while reading lin e user=web1_lucifer host=localhost.localdomain [127.0.0.1]
    Aug 31 18:19:47 mail ipop3d[29003]: pop3s SSL service init from 192.168.0.13
    Aug 31 18:19:47 mail ipop3d[29003]: Unable to load certificate from /usr/share/s sl/certs/ipop3d.pem, host=[192.168.0.13]
    Aug 31 18:19:47 mail ipop3d[29003]: SSL error status: error:02001002:system libr ary:fopen:No such file or directory
    Aug 31 18:19:47 mail ipop3d[29003]: SSL error status: error:20074002:BIO routine s:FILE_CTRL:system lib
    Aug 31 18:19:47 mail ipop3d[29003]: SSL error status: error:140DC002:SSL routine s:SSL_CTX_use_certificate_chain_file:system lib
    Aug 31 18:31:54 mail postfix/postfix-script: starting the Postfix mail system
    Aug 31 18:31:54 mail postfix/master[2204]: daemon started -- version 2.2.2, conf iguration /etc/postfix
    Aug 31 18:32:33 mail postfix/postfix-script: stopping the Postfix mail system
    Aug 31 18:32:33 mail postfix/master[2204]: terminating on signal 15
    Aug 31 18:32:34 mail postfix/postfix-script: starting the Postfix mail system
    Aug 31 18:32:35 mail postfix/master[2553]: daemon started -- version 2.2.2, conf iguration /etc/postfix
    
     
  2. jjw

    jjw New Member

    # find / -name ipop3d.pem yields nothing. Of course then, this error message:
    Code:
    Aug 31 18:53:50 mail ipop3d[3621]: Unable to load certificate from /usr/share/ssl/certs/ipop3d.pem, host=[192.168.0.13]
    So, why is there no ipop3d.pem?:confused:
     
  3. jjw

    jjw New Member

    # find / -name "*.pem"
    /etc/pki/tls/cert.pem
    /etc/pki/dovecot/dovecot.pem
    /etc/pki/dovecot/private/dovecot.pem
    /etc/postfix/ssl/cacert.pem
    /etc/postfix/ssl/cakey.pem
    /usr/share/swamp/CA.pem
    /usr/share/swamp/A-client.pem
    /home/joe/Desktop/edMailServer/master/etc/postfix/ssl/cacert.pem
    /home/joe/Desktop/edMailServer/master/etc/postfix/ssl/cakey.pem
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Your ipop3d ssl certificates where missing. Try to reinstall ipop3d, the certificates where normally generated automatically during installation.
     
  5. jjw

    jjw New Member

    Thank you for the response Till.

    I am not sure how to do this, as there is no outright declaration for install pop3d in the perfect setup guide. How would you do this?

    ~jjw
     
  6. jjw

    jjw New Member

    Trying Again

    Thanks for reading ~ jjw

    Ok, so I started from scratch again. Followed the perfect install for Core 4 (except, no added IPs-why does it tell us to do this if we don't use them?).

    Followed it every step of the way, and I'm getting the same error messages:
    Code:
    Sep  1 13:35:28 mail postfix/master[4185]: daemon started -- version 2.2.2, configuration /etc/postfix
    Sep  1 13:35:47 mail ipop3d[4226]: pop3 service init from 127.0.0.1
    Sep  1 13:35:47 mail ipop3d[4226]: Login user=web1_newTest host=localhost.localdomain [127.0.0.1] nmsgs=0/0
    Sep  1 13:35:47 mail ipop3d[4226]: Command stream end of file while reading line user=web1_newTest host=localhost.localdomain [127.0.0.1]
    Sep  1 13:40:01 mail ipop3d[4560]: pop3 service init from 192.168.0.13
    Sep  1 13:40:26 mail ipop3d[4560]: Command stream end of file while reading line user=??? host=[192.168.0.13]
    Sep  1 13:40:44 mail ipop3d[4583]: pop3s SSL service init from 192.168.0.13
    Sep  1 13:40:44 mail ipop3d[4583]: Unable to load certificate from /usr/share/ssl/certs/ipop3d.pem, host=[192.168.0.13]
    Sep  1 13:40:44 mail ipop3d[4583]: SSL error status: error:02001002:system library:fopen:No such file or directory
    Sep  1 13:40:44 mail ipop3d[4583]: SSL error status: error:20074002:BIO routines:FILE_CTRL:system lib
    Sep  1 13:40:44 mail ipop3d[4583]: SSL error status: error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib
    
    I have DNS pointing to the IP address of the interface, and you can see I started a connection. If I followed the perfect install, why wasn't this certificate created?

    In fact, I got an error this time after reinstall (8182 corrupt certificate), and followed the dorections here for a rebuild:

    http://www.wallpaperama.com/disp-post70.html

    The 8182 error has happened every time I've done an install, except one time. Can someone tell me where I am wrong?

    ~jjw
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Are you able to connect to pop3 without ssl encryption?
     
  8. jjw

    jjw New Member

    Thank you Till. I have since done two complete re-installs of OS & ISPConfig, and getting the same issue.

    To answer your question: Yes, I can connect to pop3 from another machine from command line, and send email to the newest account I have created. I can see the statistics, and I can see the email in the mbox file (I've since changed to Maildir). Yet, cannot connect with mail client using SSL.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Please post the output of:

    netstat -tap
     
  10. jjw

    jjw New Member

    netstat -tap:
    Code:
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
    tcp        0      0 *:imaps                     *:*                         LISTEN      2002/xinetd
    tcp        0      0 *:32769                     *:*                         LISTEN      1670/rpc.statd
    tcp        0      0 *:pop3s                     *:*                         LISTEN      2002/xinetd
    tcp        0      0 *:mysql                     *:*                         LISTEN      2093/mysqld
    tcp        0      0 *:pop3                      *:*                         LISTEN      2002/xinetd
    tcp        0      0 *:imap                      *:*                         LISTEN      2002/xinetd
    tcp        0      0 *:sunrpc                    *:*                         LISTEN      1651/portmap
    tcp        0      0 *:81                        *:*                         LISTEN      2415/ispconfig_http
    tcp        0      0 192.168.0.10:domain         *:*                         LISTEN      3370/named
    tcp        0      0 mail.wnetworks.net:domain   *:*                         LISTEN      3370/named
    tcp        0      0 mail.wnetworks.net:ipp      *:*                         LISTEN      1945/cupsd
    tcp        0      0 mail.wnetworks.net:5335     *:*                         LISTEN      1927/mDNSResponder
    tcp        0      0 mail.wnetworks.net:rndc     *:*                         LISTEN      3370/named
    tcp        0      0 *:smtp                      *:*                         LISTEN      3339/master
    tcp        0      0 mail.wnetworks.net:rndc     mail.wnetworks.net:46981    TIME_WAIT   -
    tcp        0      0 mail.wnetworks.net:53582    mail.wnetworks.net:ipp      ESTABLISHED 3602/eggcups
    tcp        0      0 mail.wnetworks.net:ipp      mail.wnetworks.net:53582    ESTABLISHED 1945/cupsd
    tcp        0      0 *:http                      *:*                         LISTEN      3271/httpd
    tcp        0      0 *:ftp                       *:*                         LISTEN      3390/proftpd: (acce
    tcp        0      0 *:ssh                       *:*                         LISTEN      1993/sshd
    tcp        0      0 *:https                     *:*                         LISTEN      3271/httpd
    tcp        0      0 ::ffff:192.168.0.10:ssh     ::ffff:192.168.0.13:1204    ESTABLISHED 2975/sshd: joe [pri
    tcp        0      0 ::ffff:192.168.0.10:ssh     ::ffff:192.168.0.13:1203    ESTABLISHED 2955/sshd: joe [pri
    
     
  11. falko

    falko Super Moderator ISPConfig Developer

    Aren't you using Maildir? Then you should run Dovecot instead of your xinetd based POP3/IMAP daemon... Your current POP3/IMAP daemon uses mbox.
     
  12. jjw

    jjw New Member

    Hello Falko, and thanks to you for helping me (as well as the How To's and The Forum).

    The error I got was *before* I switched over to Maildir. Why did I get that message before I switched over to Maildir format?:confused:

    Your suggestion worked (surprise). :)

    I've stopped xinetd and started dovecot (actually, I had to remove the 0.99 version and install the 1.0 version which allows for character translation with the 'auth_username_translation =' directive). I've been able to send email from behind the network, and I'll check for remote authentication as soon as I get to a remote machine.

    I'll add more when I get the results.

    ~jjw
     
  13. jjw

    jjw New Member

    Ouch. I got the message from my mail client that "Server Does Not Support Secure Authentication. This was from the LAN, and trying to use SSL & Seucre Authentication. Client is Thunderbird 1.0.2
     
  14. jjw

    jjw New Member

    Ouch. I just tried using Thunderbird 1.0.2 and got the "Server Does Not Support Secure Authentication" message.

    Here is what I get when I telnet localhost 25:

    Code:
    250-mail.wnetworks.net
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250 8BITMIME
     
  15. jjw

    jjw New Member

    Well, I just realized that I didn't need the 'auth_username_translation =' directive, so I did a reinstall to get back to the 'perfect install', and utilizing Falko's suggestion to use Dovecot with Maildir.

    I'm hanging on SMTP AUTH it seems.
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    Please post the output of "netstat -tap" and check your postfix master.cf file that TLS is enabled.
     
  17. jjw

    jjw New Member

    Thank you Till. Here is the relevant output:

    netstat -tap
    Code:
    
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
    tcp        0      0 *:imaps                     *:*                         LISTEN      4100/xinetd
    tcp        0      0 *:32769                     *:*                         LISTEN      1651/rpc.statd
    tcp        0      0 *:pop3s                     *:*                         LISTEN      4100/xinetd
    tcp        0      0 *:mysql                     *:*                         LISTEN      5245/mysqld
    tcp        0      0 *:pop3                      *:*                         LISTEN      4100/xinetd
    tcp        0      0 *:imap                      *:*                         LISTEN      4100/xinetd
    tcp        0      0 *:sunrpc                    *:*                         LISTEN      1633/portmap
    tcp        0      0 *:81                        *:*                         LISTEN      28766/ispconfig_htt
    tcp        0      0 mail.wnetworks.net:domain   *:*                         LISTEN      28886/named
    tcp        0      0 localhost.localdomai:domain *:*                         LISTEN      28886/named
    tcp        0      0 localhost.localdomain:ipp   *:*                         LISTEN      1960/cupsd
    tcp        0      0 localhost.localdomain:5335  *:*                         LISTEN      1942/mDNSResponder
    tcp        0      0 localhost.localdomain:rndc  *:*                         LISTEN      28886/named
    tcp        0      0 *:smtp                      *:*                         LISTEN      28861/master
    tcp        0      0 *:http                      *:*                         LISTEN      28789/httpd
    tcp        0      0 *:ftp                       *:*                         LISTEN      28902/proftpd: (acc
    tcp        0      0 *:ssh                       *:*                         LISTEN      2020/sshd
    tcp        0      0 *:https                     *:*                         LISTEN      28789/httpd
    
    # telnet localhost 25
    Code:
    Trying 127.0.0.1...
    Connected to localhost.localdomain (127.0.0.1).
    Escape character is '^]'.
    220 mail.wnetworks.net ESMTP Postfix
    ehlo localhost
    250-mail.wnetworks.net
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250 8BITMIME
    
    main.cf:
    Code:
    queue_directory = /var/spool/postfix
    
    command_directory = /usr/sbin
    
    daemon_directory = /usr/libexec/postfix
    
    mail_owner = postfix
    
    
    inet_interfaces = all
    
    
    unknown_local_recipient_reject_code = 550
    
    
    alias_maps = hash:/etc/aliases
    
    alias_database = hash:/etc/aliases
    debug_peer_level = 2
    
    
    debugger_command =
             PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
             xxgdb $daemon_directory/$process_name $process_id & sleep 5
    
    
    sendmail_path = /usr/sbin/sendmail.postfix
    
    newaliases_path = /usr/bin/newaliases.postfix
    
    mailq_path = /usr/bin/mailq.postfix
    
    setgid_group = postdrop
    
    html_directory = no
    
    manpage_directory = /usr/share/man
    
    sample_directory = /usr/share/doc/postfix-2.2.2/samples
    
    readme_directory = /usr/share/doc/postfix-2.2.2/README_FILES
    smtpd_sasl_local_domain =
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
    smtpd_tls_auth_only = no
    smtp_use_tls = yes
    smtpd_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    
    virtual_maps = hash:/etc/postfix/virtusertable
    
    mydestination = /etc/postfix/local-host-names
    
    Why is it that I have to rebuild the certificates *after* the install process after a fresh os/ispcoinfig install? I always get the 8182 error (except one time).
     
  18. jjw

    jjw New Member

    Here is the output from another machine:

    $ telnet mail.wnetworks.net 25
    Code:
    Trying 192.168.0.10...
    Connected to mail.wnetworks.net.
    Escape character is '^]'.
    220 mail.wnetworks.net ESMTP Postfix
    ehlo http.wnetworks.net
    250-mail.wnetworks.net
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250 8BITMIME
    
     
  19. falko

    falko Super Moderator ISPConfig Developer

    Because you enter invalid information when you create the certificates the first time. Accept the default values. The most common error is this: when you're asked for the "common name (e.g., your name)", this doesn't mean your personal name, but your domain name (e.g. example.com).

    Please add
    Code:
    mynetworks = 127.0.0.0/8
    to /etc/postfix/main.cf and restart Postfix. Then try to send a mail over that server with your email client (without SSL, but with "Server requires authentication." enabled).
     
  20. jjw

    jjw New Member

    Thank you Falko.

    Ok, I thought I did it right. Anyway, I entered the same info the second time around. :eek:

    I did this. I then attempted to connect from my mail client. I just timed out. No messages anywhere. I then logged in from another machine on the command line port 110, and then I logged in as the user, but it didn't list any messages, even though I have another screen open that shows a file in /var/www/web1/user/web1_test4/Maildir/new. This seems odd indeed.
     

Share This Page