Mailinglist Archive: opensuse (2778 mails)

Re: [opensuse] Help with Certs for Cyrus IMAP and TLS
  • From: Joe Sloan <joe@xxxxxxxxxx>
  • Date: Tue, 20 May 2008 23:33:17 -0700
  • Message-id: <4833C22D.4090200@xxxxxxxxxx>
Jim Flanagan wrote:

Here is an excerpt from /var/log/mail

May 20 20:59:55 cammee postfix/smtpd[30058]: warning: cannot get private key from file /etc/postfix/ssl/smtpd.crt
May 20 20:59:55 cammee postfix/smtpd[30058]: warning: TLS library problem: 30058:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: ANY PRIVATE KEY:
May 20 20:59:55 cammee postfix/smtpd[30058]: warning: TLS library problem: 30058:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:
May 20 20:59:55 cammee postfix/smtpd[30058]: cannot load RSA certificate and key data


Definitely confirms that there is a problem with your certs.


Here is another that I really don't understand. I'm relaying thru my
ISP, but why would my cert be passed on to them?

May 20 21:00:18 cammee postfix/smtp[30055]: ADBF58BC9B: to=<opensuse@xxxxxxxxxxxx>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.4, delays=0.27/0/0.01/4.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as C952A8BC8D)
May 20 21:00:18 cammee postfix/qmgr[29988]: ADBF58BC9B: removed
May 20 21:00:18 cammee postfix/smtp[30094]: certificate verification failed for smtpauth.myisp.com: num=19:self signed certificate in certificate chain
May 20 21:00:20 cammee postfix/smtp[30094]: C952A8BC8D: to=<opensuse@xxxxxxxxxxxx>, relay=smtpauth.myisp.com[207.69.189.203]:25, delay=2.4, delays=0.09/0.09/1.7/0.48, dsn=2.0.0, status=sent (250 OK id=1Jydcp-0008BL-NK)
May 20 21:00:20 cammee postfix/qmgr[29988]: C952A8BC8D: removed

If your postfix is set up to always try tls, with strict certificate
checks, those log entries could make sense for a variety of scenarios.

I set up my postfix server for opportunistic tls, both sending and receiving, and see a lot of tls mail traffic as a result. But it's not mandatory, so if the tls handshake doesn't work, it falls back to conventional smtp, which is good enough for my purposes.

FWIW my setup is similar to the one described here -

http://enricozini.org/2006/etiopia/seventh-day-in-addis.html

Joe
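
The first log excerpt shows Postfix being pointed at /etc/postfix/ssl/smtpd.crt for its private key and OpenSSL finding no private-key header in that file. The following is an added example, not part of the original thread: a Python check of which PEM blocks a cert/key pair actually contains. The function names and sample file contents are constructed for illustration, and the passphrase check goes beyond the case in the log.

```python
import re

# A PEM block is "-----BEGIN <label>-----" ... "-----END <label>-----".
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def pem_blocks(text):
    """Return (label, body) for every well-formed PEM block, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]

def check_tls_pair(cert_text, key_text):
    """List the problems a TLS daemon would hit loading this cert/key pair."""
    problems = []
    if not any(label == "CERTIFICATE" for label, _ in pem_blocks(cert_text)):
        problems.append("cert file: no CERTIFICATE block")
    keys = [(l, b) for l, b in pem_blocks(key_text) if l.endswith("PRIVATE KEY")]
    if not keys:
        # The case in the log: OpenSSL scans the file, finds no key header,
        # and reports "no start line ... Expecting: ANY PRIVATE KEY".
        problems.append("key file: no PRIVATE KEY block")
    for label, body in keys:
        # PKCS#8 encrypted label, or legacy "Proc-Type: 4,ENCRYPTED" header.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("key file: key is passphrase-protected")
    return problems

# Constructed sample files; the base64 bodies are placeholders, not real keys.
BODY = "Q09OU1RSVUNURUQ="
CERT_ONLY = f"-----BEGIN CERTIFICATE-----\n{BODY}\n-----END CERTIFICATE-----\n"
KEY_ONLY = f"-----BEGIN RSA PRIVATE KEY-----\n{BODY}\n-----END RSA PRIVATE KEY-----\n"
ENC_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           f"DEK-Info: AES-256-CBC,00\n\n{BODY}\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    cases = {
        "key file set to a cert-only file": (CERT_ONLY, CERT_ONLY),
        "separate cert and key": (CERT_ONLY, KEY_ONLY),
        "one combined file for both": (KEY_ONLY + CERT_ONLY, KEY_ONLY + CERT_ONLY),
        "encrypted key": (CERT_ONLY, ENC_KEY),
    }
    for name, (cert, key) in cases.items():
        print(f"{name}: {check_tls_pair(cert, key) or 'ok'}")
```

Using the same path for both certificate and key only works when that file holds both blocks, which is the "one combined file" case above.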

