postfix TLS problem - please help!

Discussion in 'HOWTO-Related Questions' started by ryanhs, Mar 7, 2006.

  1. ryanhs

    ryanhs New Member

    Hello, I have successfully installed the howtoforge Ubuntu Breezy setup and everything is working great except SMTP TLS. Here is a copy of the problem from mail.log. I would very much appreciate any information that would help me with this issue. I have been trying to figure this out all day.

    Mar 6 20:47:22 bbmail3 postfix/smtpd[15657]: warning: cannot get private key from file /etc/postfix/ssl/smtpd.crt
    Mar 6 20:47:22 bbmail3 postfix/smtpd[15657]: warning: TLS library problem: 15657:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:642:Expecting: ANY PRIVATE KEY:
    Mar 6 20:47:22 bbmail3 postfix/smtpd[15657]: warning: TLS library problem: 15657:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:709:
    Mar 6 20:47:22 bbmail3 postfix/smtpd[15657]: cannot load RSA certificate and key data
    Mar 6 20:47:27 bbmail3 postfix/smtpd[15657]: connect from unknown[67.50.128.80]
    Mar 6 20:47:42 bbmail3 postfix/smtpd[15657]: lost connection after STARTTLS from unknown[67.50.128.80]
    Mar 6 20:47:42 bbmail3 postfix/smtpd[15657]: disconnect from unknown[67.50.128.80]



    Additional information:
    -----------------------------------------------------------------------
    ls -l /etc/postfix/ssl
    total 20
    -rw-r--r-- 1 root root 969 2006-03-06 20:12 cacert.pem
    -rw-r--r-- 1 root root 963 2006-03-06 20:12 cakey.pem
    -rw-r--r-- 1 root root 741 2006-03-06 20:11 smtpd.crt
    -rw-r--r-- 1 root root 631 2006-03-06 20:11 smtpd.csr
    -rw-r--r-- 1 root root 887 2006-03-06 20:11 smtpd.key
    root@bbmail3:/etc/postfix#

    ------------------------------------------------------------------------
    root@bbmail3:/etc/postfix/ssl# cat smtpd.crt
    -----BEGIN CERTIFICATE-----
    MIIB9TCCAV4CCQDG3QcPheHAVjANBgkqhkiG9w0BAQQFADA/MQswCQYDVQQGEwJV
    UzOpkSo2VCwtCQoa7755gAmldydeOru
    vacIU4Heskrv6PVj/0CWLvDhh7gvkydN0XLZMp21j22b2m8fRhuI+X9c/neesEQ0
    BxV0F+ixLs+2bIMseMFBrSrCx6AuBITL9Q==
    -----END CERTIFICATE-----
    root@bbmail3:/etc/postfix/ssl#

    NOTE: The middle of the ssl cert was removed for security.

    I was not able to find any information online about the problem that I am having.

    I have redone the openssl steps from:
    http://howtoforge.com/perfect_setup_ubuntu_5.10_p4
     
    Last edited: Mar 7, 2006
  2. falko

    falko Super Moderator ISPConfig Developer

    Hm, maybe you have a corrupt SSL cert (but you have already redone all the steps from the tutorial...). :confused:

    If you don't need TLS I wouldn't use it.
     
  3. ryanhs

    ryanhs New Member

    is there perhaps..

    is there some other agent that relays the ssl cert to postfix/smtpd?
     
    Last edited: Mar 7, 2006
  4. falko

    falko Super Moderator ISPConfig Developer

    How do you mean that?
     
  5. paolo

    paolo New Member

    Same problem here...
     
  6. falko

    falko Super Moderator ISPConfig Developer

    What's the exact problem? What's in your logs?
     
  7. paolo

    paolo New Member

    Code:
    Aug 10 18:38:24 *** postfix/smtpd[7024]: initializing the server-side TLS engine
    Aug 10 18:38:24 *** postfix/smtpd[7024]: warning: cannot get private key from file /etc/postfix/newreq.pem
    Aug 10 18:38:24 *** postfix/smtpd[7024]: warning: TLS library problem: 7024:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:642:Expecting: ANY PRIVATE KEY:
    Aug 10 18:38:24 *** postfix/smtpd[7024]: warning: TLS library problem: 7024:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:709:
    Aug 10 18:38:24 *** postfix/smtpd[7024]: cannot load RSA certificate and key data
     
  8. falko

    falko Super Moderator ISPConfig Developer

    Are you using TLS to send emails? If so, does it work with "normal" SMTP?
     
  9. paolo

    paolo New Member

    I wanted to use TLS to receive email. Dunno if it uses TLS when sending to other SMTP servers.
     
  10. falko

    falko Super Moderator ISPConfig Developer

    Please check your settings in your email client.

    What's in /etc/postfix/master.cf?
     
  11. mebusybody

    mebusybody New Member

    Hi falko
    I have the same error too.
    my /etc/postfix/master.cf is below

    Any hint? Thanks
    Cheers
    Code:
    #=================================================================
    #
    # Postfix master process configuration file. For details on the format
    # of the file, see the Postfix master(5) manual page.
    #
    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    # ==========================================================================
    #smtp      inet  n       -       n       -       -       smtpd
    #smtp      inet  n       -       n       -       -       smtpd -v
    smtp      inet  n       n       n       -       -       smtpd -v
    #submission inet n       -       n       -       -       smtpd
    #        -o smtpd_etrn_restrictions=reject
    #        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #smtps     inet  n       -       n       -       -       smtpd
    #        -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
    #submission inet n       -       n       -       -       smtpd
    #        -o smtpd_etrn_restrictions=reject
    #        -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
    #628      inet  n       -       n       -       -       qmqpd
    pickup    fifo  n       -       n       60      1       pickup
    cleanup   unix  n       -       n       -       0       cleanup
    qmgr      fifo  n       -       n       300     1       qmgr
    tlsmgr    unix  -       -       n       1000?   1       tlsmgr
    rewrite   unix  -       -       n       -       -       trivial-rewrite
    bounce    unix  -       -       n       -       0       bounce
    defer     unix  -       -       n       -       0       bounce
    trace     unix  -       -       n       -       0       bounce
    verify    unix  -       -       n       -       1       verify
    flush     unix  n       -       n       1000?   0       flush
    proxymap  unix  -       -       n       -       -       proxymap
    smtp      unix  -       -       n       -       -       smtp
    # When relaying mail as backup MX, disable fallback_relay to avoid MX loops
    relay     unix  -       -       n       -       -       smtp
            -o fallback_relay=
    #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
    showq     unix  n       -       n       -       -       showq
    error     unix  -       -       n       -       -       error
    discard   unix  -       -       n       -       -       discard
    local     unix  -       n       n       -       -       local
    virtual   unix  -       n       n       -       -       virtual
    lmtp      unix  -       -       n       -       -       lmtp
    anvil     unix  -       -       n       -       1       anvil
    scache    unix  -       -       n       -       1       scache
    #
    # ====================================================================
    # Interfaces to non-Postfix software. Be sure to examine the manual
    # pages of the non-Postfix software to find out what options it wants.
    #
    # Many of the following services use the Postfix pipe(8) delivery
    # agent. See the pipe(8) man page for information about ${recipient}
    # and other message envelope options.
    # ====================================================================
    #
    # maildrop. See the Postfix MAILDROP_README file for details.
    # Also specify in main.cf: maildrop_destination_recipient_limit=1
    #
    maildrop  unix  -       n       n       -       -       pipe
      flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
    #
    # The Cyrus deliver program has changed incompatibly, multiple times.
    #
    old-cyrus unix  -       n       n       -       -       pipe
      flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
    # Cyrus 2.1.5 (Amos Gouaux)
    # Also specify in main.cf: cyrus_destination_recipient_limit=1
     
  12. falko

    falko Super Moderator ISPConfig Developer

    It seems you edited that file a lot, I don't think it's the standard master.cf.

    Change
    to

    Code:
    smtp      inet  n       -       -       -       -       smtpd -v
    and

    to
    Code:
    smtp      unix  -       -       -       -       -       smtp
    and restart Postfix.
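Postfix decides how much privilege each daemon keeps from the columns named in the header of master.cf itself: a `-` means the default shown in parentheses, and `n` in the unpriv column means the service runs with root privileges instead of as the Postfix user. The script below is an added example, not code from this thread or from Postfix: it parses a constructed master.cf excerpt built from the entries posted above (including the indented `-o` continuation line) and lists every inet listener whose unpriv column is `n`, which is the smtp line falko asked to be changed.

```python
"""List Postfix master.cf services that give up privilege separation.

Added example, not code from this thread or from Postfix.  The master.cf
text below is a constructed excerpt built from the entries posted above;
column meanings follow the header that master.cf itself carries."""

COLUMNS = ("service", "type", "private", "unpriv", "chroot", "wakeup", "maxproc")

# master.cf's own header: "(yes) (yes) (yes) (never) (100)".  A '-' in one of
# these columns means "use this default".
DEFAULTS = {"private": "y", "unpriv": "y", "chroot": "y",
            "wakeup": "never", "maxproc": "100"}

# Constructed excerpt.  The smtp listener carries unpriv=n (the line falko
# asked to change) and relay shows an indented -o continuation line.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       n       n       -       -       smtpd -v
pickup    fifo  n       -       n       60      1       pickup
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
relay     unix  -       -       n       -       -       smtp
        -o fallback_relay=
local     unix  -       n       n       -       -       local
"""


def parse_master_cf(text):
    """Return one dict per service line; '-' columns are resolved to the
    header defaults and indented continuation lines are folded into args."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            # Continuation of the previous entry (-o overrides, pipe flags).
            if services:
                services[-1]["args"] += " " + raw.strip()
            continue
        fields = raw.split(None, 7)
        if len(fields) < 8:
            raise ValueError("malformed master.cf line: %r" % raw)
        entry = dict(zip(COLUMNS, fields[:7]))
        entry["args"] = fields[7]
        for column, default in DEFAULTS.items():
            if entry[column] == "-":
                entry[column] = default
        services.append(entry)
    return services


def privileged_listeners(services):
    """Names of inet (network-facing) services with unpriv=n: such a daemon
    talks to arbitrary remote clients while still holding root privileges."""
    return [s["service"] for s in services
            if s["type"] == "inet" and s["unpriv"] == "n"]


def unchrooted(services):
    """Services that have chroot switched off (chroot=n)."""
    return [s["service"] for s in services if s["chroot"] == "n"]


if __name__ == "__main__":
    parsed = parse_master_cf(SAMPLE_MASTER_CF)
    print("root-privileged listeners:", privileged_listeners(parsed))
    print("unchrooted services:", unchrooted(parsed))
```

Feeding it the real file is `parse_master_cf(open("/etc/postfix/master.cf").read())`; with falko's replacement line (`smtp inet n - - - - smtpd -v`) the listener list comes back empty, because both unpriv and chroot fall back to the header defaults.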
     
  13. mebusybody

    mebusybody New Member

    Hi folks
    Thanks for the tips. Problem solved after some searching.
    What I did:
    1. cd /etc/postfix
    2. openssl rsa -in newreq.pem -out newreq.pem.out
    3. cp -p newreq.pem.out newreq.pem
    4. /etc/init.d/postfix restart

    Question is why I need to execute step 2. Please enlighten me

    Cheers
     
  14. paolo

    paolo New Member

    That didn't work for me:
    Code:
    # openssl rsa -in newreq.pem -out newreq.pem.out
    unable to load Private Key
    2627:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:642:Expecting: ANY PRIVATE KEY
    So it's not a mail.cf issue, as I copied it from the tutorial :\
     
  15. falko

    falko Super Moderator ISPConfig Developer

    You can try to regenerate the cert exactly as shown in the tutorial.
     
  16. dabro

    dabro New Member

    Any Solutions Yet?

    I'm having the same problems, these errors show up repeatedly in the mail log:

    warning: cannot get certificate from file /etc/postfix/ssl/smtpd.cert
    warning: TLS library problem: 718:error:02001002:system library:fopen:No such file or directory:bss_file.c:349:fopen('/etc/postfix/ssl/smtpd.cert','r'):
    warning: TLS library problem: 718:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:351:
    warning: TLS library problem: 718:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:ssl_rsa.c:720:
    cannot load RSA certificate and key data

    Any help in correcting this would be appreciated.
    BTW I'm using ISPConfig ver 2.2 on Fed Core 5 Perfect Install
    Thanks
     
  17. falko

    falko Super Moderator ISPConfig Developer

    Have a look at my previous post.
     
  18. wapa17

    wapa17 New Member

    Hi all,

    sometimes it seems we don't see the wood because of a lot of trees ;-)
    I searched days and nights to solve the TLS-library problem too - although Postfix is running well.
    Ok.. and here is the solution:

    1.) rebuild the key as falko and the tutorial said.
    2.) send and receive one mail.
    3.) the warning message says:
    Mar 2 19:25:53 mail postfix/smtpd[28338]: warning: cannot get certificate from file /etc/postfix/ssl/smtpd.crt
    Mar 2 19:25:53 mail postfix/smtpd[28338]: warning: TLS library problem: 28338:error:02001002:system library:fopen:No such file or directory:bss_file.c:278:fopen('/etc/postfix/ssl/smtpd.crt','r'):

    4.) cd /etc/postfix/ssl
    5.) have a look at the file names: you have a smtp.crt AND NOT a smtpd.crt!!
    Solution quick and dirty: cp smtp.crt smtpd.crt

    ..and you are done...

    ..by the way: congratulations for the great work of falko & co !
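The failures in this thread are three different conditions in the same few lines of smtpd's TLS start-up: a file named as the key that holds no private key block at all (post 1, post 7, and paolo's `openssl rsa` failure in post 14), a key that is still passphrase-protected, which is what step 2 of post 13 strips away, and a certificate path that does not exist (post 16 and the smtp.crt/smtpd.crt mismatch just above). The checker below is an added example, not code from this thread, the tutorial or Postfix: it reads the `smtpd_tls_*` parameters from a main.cf fragment, inspects the PEM blocks of each file and reports which of those conditions applies. The main.cf text and the PEM files are constructed samples whose base64 bodies are placeholders, not real key or certificate material.

```python
"""Check the files Postfix's smtpd TLS parameters point at.

Added example, not code from this thread, the tutorial or Postfix.  The
main.cf fragment and the PEM files are constructed samples; the base64
bodies are placeholders, not real key or certificate material."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# main.cf parameters for server-side TLS (names as used in the tutorial) and
# the kind of PEM block each file must contain.
TLS_PARAMS = {
    "smtpd_tls_cert_file": "CERTIFICATE",
    "smtpd_tls_key_file": "PRIVATE KEY",
    "smtpd_tls_CAfile": "CERTIFICATE",
}

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+?)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def parse_main_cf(text: str) -> Dict[str, str]:
    """Minimal main.cf reader: 'name = value' lines, '#' comments, and
    indented continuation lines appended to the previous value."""
    params: Dict[str, str] = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last:
            params[last] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            last = name.strip()
            params[last] = value.strip()
    return params


def pem_blocks(data: str) -> List[Tuple[str, bool]]:
    """(block type, passphrase-protected?) for each PEM block in data.
    OpenSSL's 'no start line ... Expecting: ANY PRIVATE KEY' means this
    list holds no PRIVATE KEY block at all."""
    blocks = []
    for label, body in PEM_BLOCK.findall(data):
        encrypted = ("Proc-Type: 4,ENCRYPTED" in body      # traditional format
                     or label == "ENCRYPTED PRIVATE KEY")   # PKCS#8 format
        blocks.append((label, encrypted))
    return blocks


def check_tls_files(main_cf: str,
                    read_file: Callable[[str], Optional[str]]) -> List[Tuple[str, str, str]]:
    """Return (parameter, path, finding) triples.  read_file(path) gives the
    file text or None when it does not exist, so the check runs offline."""
    findings = []
    params = parse_main_cf(main_cf)
    for param, needed in TLS_PARAMS.items():
        path = params.get(param)
        if not path:
            continue
        data = read_file(path)
        if data is None:
            # the "fopen: No such file or directory" case (smtp.crt vs smtpd.crt)
            findings.append((param, path, "MISSING_FILE"))
            continue
        matching = [(l, e) for l, e in pem_blocks(data) if l.endswith(needed)]
        if not matching:
            # the "PEM_read_bio:no start line" case
            findings.append((param, path, "NO_" + needed.replace(" ", "_")))
        elif needed == "PRIVATE KEY" and any(e for _, e in matching):
            # smtpd cannot type a passphrase at start-up; 'openssl rsa -in
            # newreq.pem -out ...' (post 13, step 2) writes the key unencrypted
            findings.append((param, path, "ENCRYPTED_KEY"))
    return findings


# ---- constructed sample data (placeholder bodies, not real material) -------
CERT = "-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n"
PLAIN_KEY = "-----BEGIN RSA PRIVATE KEY-----\nQUJD\n-----END RSA PRIVATE KEY-----\n"
# Shape of a CA.pl newreq.pem: passphrase-protected key followed by the CSR.
NEWREQ = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
          "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nQUJD\n"
          "-----END RSA PRIVATE KEY-----\n"
          "-----BEGIN CERTIFICATE REQUEST-----\nQUJD\n"
          "-----END CERTIFICATE REQUEST-----\n")

# Constructed "filesystem": smtp.crt exists, smtpd.crt does not (post 18).
SAMPLE_FS = {
    "/etc/postfix/ssl/smtp.crt": CERT,
    "/etc/postfix/ssl/cacert.pem": CERT,
    "/etc/postfix/newreq.pem": NEWREQ,
}

# Constructed main.cf: the cert path has the name mismatch, the key path is
# the still-encrypted newreq.pem from before step 2 of post 13.
SAMPLE_MAIN_CF = """\
# TLS parameters (constructed sample)
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file  = /etc/postfix/newreq.pem
smtpd_tls_CAfile    = /etc/postfix/ssl/cacert.pem
"""


def run_sample() -> List[Tuple[str, str, str]]:
    return check_tls_files(SAMPLE_MAIN_CF, SAMPLE_FS.get)


if __name__ == "__main__":
    for param, path, finding in run_sample():
        print("%s -> %s: %s" % (param, path, finding))
```

Against a real host, pass the contents of /etc/postfix/main.cf and a `read_file` that returns `open(path).read()` for existing paths and `None` otherwise. An `ENCRYPTED_KEY` finding is the one `openssl rsa -in newreq.pem -out newreq.pem.out` from post 13 resolves, since `openssl rsa` without a cipher option writes the key back without a passphrase; `NO_PRIVATE_KEY` means the parameter points at a certificate or CSR rather than a key, and `MISSING_FILE` is the file-name mismatch.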
     
