Core 4: Error Messages on Fresh Install re CTX/SSL

Thank is advance to anyone reading and helping. ~jjw

Fresh install Core 4 following perfect setup (except: I never added extra virtual IPs)

We have a local DNS server that points correctly to the new ISPConfig-installed server.

I set up a site, and a mail user (web1_test). I then attemtped to connect to get mail with Thunderbird, set up for secure connection. It failed, and I got similar error messages as a previous failed attempt remotely.

Here are the errors:

Code:

Aug 31 18:04:58 mail postfix/postfix-script: starting the Postfix mail system
Aug 31 18:04:58 mail postfix/master[29873]: daemon started -- version 2.2.2, con figuration /etc/postfix
Aug 31 18:07:04 mail ipop3d[30995]: pop3 service init from 127.0.0.1
Aug 31 18:08:15 mail ipop3d[31606]: pop3 service init from 127.0.0.1
Aug 31 18:08:16 mail ipop3d[31606]: Login user=web1_lucifer host=localhost.local domain [127.0.0.1] nmsgs=0/0
Aug 31 18:08:16 mail ipop3d[31606]: Command stream end of file while reading lin e user=web1_lucifer host=localhost.localdomain [127.0.0.1]
Aug 31 18:19:47 mail ipop3d[29003]: pop3s SSL service init from 192.168.0.13
Aug 31 18:19:47 mail ipop3d[29003]: Unable to load certificate from /usr/share/s sl/certs/ipop3d.pem, host=[192.168.0.13]
Aug 31 18:19:47 mail ipop3d[29003]: SSL error status: error:02001002:system libr ary:fopen:No such file or directory
Aug 31 18:19:47 mail ipop3d[29003]: SSL error status: error:20074002:BIO routine s:FILE_CTRL:system lib
Aug 31 18:19:47 mail ipop3d[29003]: SSL error status: error:140DC002:SSL routine s:SSL_CTX_use_certificate_chain_file:system lib
Aug 31 18:31:54 mail postfix/postfix-script: starting the Postfix mail system
Aug 31 18:31:54 mail postfix/master[2204]: daemon started -- version 2.2.2, conf iguration /etc/postfix

I then attempted a non-secure connection. It never worked, and there were no new entries in maillog. :| Matter of fact, I rebooted the system and attempted another non-secure connection. Again, nothing new added.

Where have I erred?

Entire maillog:

Code:

Aug 31 16:24:11 mail sendmail[2031]: alias database /etc/aliases rebuilt by root
Aug 31 16:24:11 mail sendmail[2031]: /etc/aliases: 76 aliases, longest 10 bytes,  765 bytes total
Aug 31 16:24:11 mail sendmail[2035]: starting daemon (8.13.4): SMTP+queueing@01: 00:00
Aug 31 16:24:11 mail sm-msp-queue[2041]: starting daemon (8.13.4): queueing@01:0 0:00
Aug 31 17:01:12 mail postfix/postfix-script: starting the Postfix mail system
Aug 31 17:01:12 mail postfix/master[4051]: daemon started -- version 2.2.2, conf iguration /etc/postfix
Aug 31 17:01:12 mail postfix/smtpd[4080]: connect from localhost.localdomain[127 .0.0.1]
Aug 31 17:01:22 mail postfix/smtpd[4080]: disconnect from localhost.localdomain[ 127.0.0.1]
Aug 31 17:29:16 mail sendmail[20178]: k7VLTGmu020178: from=root, size=822, class =0, nrcpts=1, msgid=<200608312129.k7VLTGmu020178@mail.wnetworks.net>, relay=root @localhost
Aug 31 17:29:17 mail postfix/smtpd[20179]: connect from localhost.localdomain[12 7.0.0.1]
Aug 31 17:29:17 mail postfix/smtpd[20179]: setting up TLS connection from localh ost.localdomain[127.0.0.1]
Aug 31 17:29:17 mail postfix/smtpd[20179]: TLS connection established from local host.localdomain[127.0.0.1]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Aug 31 17:29:17 mail sendmail[20178]: STARTTLS=client, relay=[127.0.0.1], versio n=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Aug 31 17:29:17 mail postfix/smtpd[20179]: 901E676E2A9: client=localhost.localdo main[127.0.0.1], sasl_sender=root@mail.wnetworks.net
Aug 31 17:29:17 mail postfix/cleanup[20182]: 901E676E2A9: message-id=<2006083121 29.k7VLTGmu020178@mail.wnetworks.net>
Aug 31 17:29:17 mail postfix/qmgr[4057]: 901E676E2A9: from=<root@mail.wnetworks. net>, size=1448, nrcpt=1 (queue active)
Aug 31 17:29:17 mail sendmail[20178]: k7VLTGmu020178: to=root, ctladdr=root (0/0 ), delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=30822, relay=[127.0.0.1] [ 127.0.0.1], dsn=2.0.0, stat=Sent (Ok: queued as 901E676E2A9)
Aug 31 17:29:17 mail postfix/smtpd[20179]: disconnect from localhost.localdomain [127.0.0.1]
Aug 31 17:29:17 mail postfix/local[20183]: 901E676E2A9: to=<root@mail.wnetworks. net>, relay=local, delay=0, status=sent (delivered to mailbox)
Aug 31 17:29:17 mail postfix/qmgr[4057]: 901E676E2A9: removed
Aug 31 17:57:38 mail postfix/postfix-script: stopping the Postfix mail system
Aug 31 17:57:38 mail postfix/master[4051]: terminating on signal 15
Aug 31 17:57:41 mail postfix/postfix-script: starting the Postfix mail system
Aug 31 17:57:41 mail postfix/master[14695]: daemon started -- version 2.2.2, con figuration /etc/postfix
Aug 31 17:58:18 mail postfix/postfix-script: stopping the Postfix mail system
Aug 31 17:58:18 mail postfix/master[14695]: terminating on signal 15
Aug 31 17:58:19 mail postfix/postfix-script: starting the Postfix mail system
Aug 31 17:58:19 mail postfix/master[17235]: daemon started -- version 2.2.2, con figuration /etc/postfix
Aug 31 18:04:18 mail postfix/postfix-script: stopping the Postfix mail system
Aug 31 18:04:18 mail postfix/master[17235]: terminating on signal 15
Aug 31 18:04:23 mail postfix/postfix-script: starting the Postfix mail system
Aug 31 18:04:23 mail postfix/master[29452]: daemon started -- version 2.2.2, con figuration /etc/postfix
Aug 31 18:04:57 mail postfix/postfix-script: stopping the Postfix mail system
Aug 31 18:04:57 mail postfix/master[29452]: terminating on signal 15
Aug 31 18:04:58 mail postfix/postfix-script: starting the Postfix mail system
Aug 31 18:04:58 mail postfix/master[29873]: daemon started -- version 2.2.2, con figuration /etc/postfix
Aug 31 18:07:04 mail ipop3d[30995]: pop3 service init from 127.0.0.1
Aug 31 18:08:15 mail ipop3d[31606]: pop3 service init from 127.0.0.1
Aug 31 18:08:16 mail ipop3d[31606]: Login user=web1_lucifer host=localhost.local domain [127.0.0.1] nmsgs=0/0
Aug 31 18:08:16 mail ipop3d[31606]: Command stream end of file while reading lin e user=web1_lucifer host=localhost.localdomain [127.0.0.1]
Aug 31 18:19:47 mail ipop3d[29003]: pop3s SSL service init from 192.168.0.13
Aug 31 18:19:47 mail ipop3d[29003]: Unable to load certificate from /usr/share/s sl/certs/ipop3d.pem, host=[192.168.0.13]
Aug 31 18:19:47 mail ipop3d[29003]: SSL error status: error:02001002:system libr ary:fopen:No such file or directory
Aug 31 18:19:47 mail ipop3d[29003]: SSL error status: error:20074002:BIO routine s:FILE_CTRL:system lib
Aug 31 18:19:47 mail ipop3d[29003]: SSL error status: error:140DC002:SSL routine s:SSL_CTX_use_certificate_chain_file:system lib
Aug 31 18:31:54 mail postfix/postfix-script: starting the Postfix mail system
Aug 31 18:31:54 mail postfix/master[2204]: daemon started -- version 2.2.2, conf iguration /etc/postfix
Aug 31 18:32:33 mail postfix/postfix-script: stopping the Postfix mail system
Aug 31 18:32:33 mail postfix/master[2204]: terminating on signal 15
Aug 31 18:32:34 mail postfix/postfix-script: starting the Postfix mail system
Aug 31 18:32:35 mail postfix/master[2553]: daemon started -- version 2.2.2, conf iguration /etc/postfix

 

# find / -name ipop3d.pem yields nothing. Of course then, this error message:

Code:

Aug 31 18:53:50 mail ipop3d[3621]: Unable to load certificate from /usr/share/ssl/certs/ipop3d.pem, host=[192.168.0.13]

So, why is there no ipop3d.pem?

 

# find / -name "*.pem"
/etc/pki/tls/cert.pem
/etc/pki/dovecot/dovecot.pem
/etc/pki/dovecot/private/dovecot.pem
/etc/postfix/ssl/cacert.pem
/etc/postfix/ssl/cakey.pem
/usr/share/swamp/CA.pem
/usr/share/swamp/A-client.pem
/home/joe/Desktop/edMailServer/master/etc/postfix/ssl/cacert.pem
/home/joe/Desktop/edMailServer/master/etc/postfix/ssl/cakey.pem

 

Your ipop3d ssl certificates where missing. Try to reinstall ipop3d, the certificates where normally generated automatically during installation.

 

Thank you for the response Till.

I am not sure how to do this, as there is no outright declaration for install pop3d in the perfect setup guide. How would you do this?

~jjw

 

Trying Again

Thanks for reading ~ jjw

Ok, so I started from scratch again. Followed the perfect install for Core 4 (except, no added IPs-why does it tell us to do this if we don't use them?).

Followed it every step of the way, and I'm getting the same error messages:

Code:

Sep  1 13:35:28 mail postfix/master[4185]: daemon started -- version 2.2.2, configuration /etc/postfix
Sep  1 13:35:47 mail ipop3d[4226]: pop3 service init from 127.0.0.1
Sep  1 13:35:47 mail ipop3d[4226]: Login user=web1_newTest host=localhost.localdomain [127.0.0.1] nmsgs=0/0
Sep  1 13:35:47 mail ipop3d[4226]: Command stream end of file while reading line user=web1_newTest host=localhost.localdomain [127.0.0.1]
Sep  1 13:40:01 mail ipop3d[4560]: pop3 service init from 192.168.0.13
Sep  1 13:40:26 mail ipop3d[4560]: Command stream end of file while reading line user=??? host=[192.168.0.13]
Sep  1 13:40:44 mail ipop3d[4583]: pop3s SSL service init from 192.168.0.13
Sep  1 13:40:44 mail ipop3d[4583]: Unable to load certificate from /usr/share/ssl/certs/ipop3d.pem, host=[192.168.0.13]
Sep  1 13:40:44 mail ipop3d[4583]: SSL error status: error:02001002:system library:fopen:No such file or directory
Sep  1 13:40:44 mail ipop3d[4583]: SSL error status: error:20074002:BIO routines:FILE_CTRL:system lib
Sep  1 13:40:44 mail ipop3d[4583]: SSL error status: error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib

I have DNS pointing to the IP address of the interface, and you can see I started a connection. If I followed the perfect install, why wasn't this certificate created?

In fact, I got an error this time after reinstall (8182 corrupt certificate), and followed the dorections here for a rebuild:

http://www.wallpaperama.com/disp-post70.html

The 8182 error has happened every time I've done an install, except one time. Can someone tell me where I am wrong?

~jjw

 

Are you able to connect to pop3 without ssl encryption?

 

Thank you Till. I have since done two complete re-installs of OS & ISPConfig, and getting the same issue.

To answer your question: Yes, I can connect to pop3 from another machine from command line, and send email to the newest account I have created. I can see the statistics, and I can see the email in the mbox file (I've since changed to Maildir). Yet, cannot connect with mail client using SSL.

 

Please post the output of:

netstat -tap

 

netstat -tap:

Code:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 *:imaps                     *:*                         LISTEN      2002/xinetd
tcp        0      0 *:32769                     *:*                         LISTEN      1670/rpc.statd
tcp        0      0 *:pop3s                     *:*                         LISTEN      2002/xinetd
tcp        0      0 *:mysql                     *:*                         LISTEN      2093/mysqld
tcp        0      0 *:pop3                      *:*                         LISTEN      2002/xinetd
tcp        0      0 *:imap                      *:*                         LISTEN      2002/xinetd
tcp        0      0 *:sunrpc                    *:*                         LISTEN      1651/portmap
tcp        0      0 *:81                        *:*                         LISTEN      2415/ispconfig_http
tcp        0      0 192.168.0.10:domain         *:*                         LISTEN      3370/named
tcp        0      0 mail.wnetworks.net:domain   *:*                         LISTEN      3370/named
tcp        0      0 mail.wnetworks.net:ipp      *:*                         LISTEN      1945/cupsd
tcp        0      0 mail.wnetworks.net:5335     *:*                         LISTEN      1927/mDNSResponder
tcp        0      0 mail.wnetworks.net:rndc     *:*                         LISTEN      3370/named
tcp        0      0 *:smtp                      *:*                         LISTEN      3339/master
tcp        0      0 mail.wnetworks.net:rndc     mail.wnetworks.net:46981    TIME_WAIT   -
tcp        0      0 mail.wnetworks.net:53582    mail.wnetworks.net:ipp      ESTABLISHED 3602/eggcups
tcp        0      0 mail.wnetworks.net:ipp      mail.wnetworks.net:53582    ESTABLISHED 1945/cupsd
tcp        0      0 *:http                      *:*                         LISTEN      3271/httpd
tcp        0      0 *:ftp                       *:*                         LISTEN      3390/proftpd: (acce
tcp        0      0 *:ssh                       *:*                         LISTEN      1993/sshd
tcp        0      0 *:https                     *:*                         LISTEN      3271/httpd
tcp        0      0 ::ffff:192.168.0.10:ssh     ::ffff:192.168.0.13:1204    ESTABLISHED 2975/sshd: joe [pri
tcp        0      0 ::ffff:192.168.0.10:ssh     ::ffff:192.168.0.13:1203    ESTABLISHED 2955/sshd: joe [pri

 

Aren't you using Maildir? Then you should run Dovecot instead of your xinetd based POP3/IMAP daemon... Your current POP3/IMAP daemon uses mbox.

 

Hello Falko, and thanks to you for helping me (as well as the How To's and The Forum).

The error I got was *before* I switched over to Maildir. Why did I get that message before I switched over to Maildir format?

Your suggestion worked (surprise).

I've stopped xinetd and started dovecot (actually, I had to remove the 0.99 version and install the 1.0 version which allows for character translation with the 'auth_username_translation =' directive). I've been able to send email from behind the network, and I'll check for remote authentication as soon as I get to a remote machine.

I'll add more when I get the results.

~jjw

 

Ouch. I got the message from my mail client that "Server Does Not Support Secure Authentication. This was from the LAN, and trying to use SSL & Seucre Authentication. Client is Thunderbird 1.0.2

 

Ouch. I just tried using Thunderbird 1.0.2 and got the "Server Does Not Support Secure Authentication" message.

Here is what I get when I telnet localhost 25:

Code:

250-mail.wnetworks.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME

 

Well, I just realized that I didn't need the 'auth_username_translation =' directive, so I did a reinstall to get back to the 'perfect install', and utilizing Falko's suggestion to use Dovecot with Maildir.

I'm hanging on SMTP AUTH it seems.

 

Please post the output of "netstat -tap" and check your postfix master.cf file that TLS is enabled.

 

Thank you Till. Here is the relevant output:

netstat -tap

Code:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 *:imaps                     *:*                         LISTEN      4100/xinetd
tcp        0      0 *:32769                     *:*                         LISTEN      1651/rpc.statd
tcp        0      0 *:pop3s                     *:*                         LISTEN      4100/xinetd
tcp        0      0 *:mysql                     *:*                         LISTEN      5245/mysqld
tcp        0      0 *:pop3                      *:*                         LISTEN      4100/xinetd
tcp        0      0 *:imap                      *:*                         LISTEN      4100/xinetd
tcp        0      0 *:sunrpc                    *:*                         LISTEN      1633/portmap
tcp        0      0 *:81                        *:*                         LISTEN      28766/ispconfig_htt
tcp        0      0 mail.wnetworks.net:domain   *:*                         LISTEN      28886/named
tcp        0      0 localhost.localdomai:domain *:*                         LISTEN      28886/named
tcp        0      0 localhost.localdomain:ipp   *:*                         LISTEN      1960/cupsd
tcp        0      0 localhost.localdomain:5335  *:*                         LISTEN      1942/mDNSResponder
tcp        0      0 localhost.localdomain:rndc  *:*                         LISTEN      28886/named
tcp        0      0 *:smtp                      *:*                         LISTEN      28861/master
tcp        0      0 *:http                      *:*                         LISTEN      28789/httpd
tcp        0      0 *:ftp                       *:*                         LISTEN      28902/proftpd: (acc
tcp        0      0 *:ssh                       *:*                         LISTEN      2020/sshd
tcp        0      0 *:https                     *:*                         LISTEN      28789/httpd

# telnet localhost 25

Code:

Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.wnetworks.net ESMTP Postfix
ehlo localhost
250-mail.wnetworks.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME

main.cf:

Code:

queue_directory = /var/spool/postfix

command_directory = /usr/sbin

daemon_directory = /usr/libexec/postfix

mail_owner = postfix


inet_interfaces = all


unknown_local_recipient_reject_code = 550


alias_maps = hash:/etc/aliases

alias_database = hash:/etc/aliases
debug_peer_level = 2


debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5


sendmail_path = /usr/sbin/sendmail.postfix

newaliases_path = /usr/bin/newaliases.postfix

mailq_path = /usr/bin/mailq.postfix

setgid_group = postdrop

html_directory = no

manpage_directory = /usr/share/man

sample_directory = /usr/share/doc/postfix-2.2.2/samples

readme_directory = /usr/share/doc/postfix-2.2.2/README_FILES
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

virtual_maps = hash:/etc/postfix/virtusertable

mydestination = /etc/postfix/local-host-names

Why is it that I have to rebuild the certificates *after* the install process after a fresh os/ispcoinfig install? I always get the 8182 error (except one time).

 

Here is the output from another machine:

$ telnet mail.wnetworks.net 25

Code:

Trying 192.168.0.10...
Connected to mail.wnetworks.net.
Escape character is '^]'.
220 mail.wnetworks.net ESMTP Postfix
ehlo http.wnetworks.net
250-mail.wnetworks.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME

 

Because you enter invalid information when you create the certificates the first time. Accept the default values. The most common error is this: when you're asked for the "common name (e.g., your name)", this doesn't mean your personal name, but your domain name (e.g. example.com).

Please add

Code:

mynetworks = 127.0.0.0/8

to /etc/postfix/main.cf and restart Postfix. Then try to send a mail over that server with your email client (without SSL, but with "Server requires authentication." enabled).

 

Thank you Falko.

Ok, I thought I did it right. Anyway, I entered the same info the second time around.

I did this. I then attempted to connect from my mail client. I just timed out. No messages anywhere. I then logged in from another machine on the command line port 110, and then I logged in as the user, but it didn't list any messages, even though I have another screen open that shows a file in /var/www/web1/user/web1_test4/Maildir/new. This seems odd indeed.