Mailinglist Archive: opensuse (2778 mails)

Re: [opensuse] Help with Certs for Cyrus IMAP and TLS
  • From: Jim Flanagan <linuxjim@xxxxxxxxxx>
  • Date: Sun, 25 May 2008 12:22:36 -0500
  • Message-id: <4839A05C.1020102@xxxxxxxxxx>
John Andersen wrote:
On Tue, May 20, 2008 at 8:57 PM, Jim Flanagan <linuxjim@xxxxxxxxxx> wrote:
John Andersen wrote:
On Tue, May 20, 2008 at 7:00 PM, Jim Flanagan <linuxjim@xxxxxxxxxx> wrote:

Greetings all,

I am having problems with my certs. I made certs for TLS and put them in
/etc/postfix/ssl. I believe I made them correctly; all are owned root-root.
They are named smtpd.crt, smtpd.key, cacert.pem (also cakey.pem and
smtpd.csr are there too). On sending a test message with Thunderbird I get
an error in /var/log/mail.info stating "cannot load RSA certificate and key
data". Thunderbird returns a message saying "unable to connect to SMTP
server at xx.xx.xx.xx via STARTTLS since it doesn't offer STARTTLS in EHLO
response."


Since you obfuscated the IP (xx.xx.xx.xx) I can only assume that it
was NOT 127.0.0.1 (localhost) which suggests you are connecting
to some IP that would make sense to obfuscate.

Which suggests that you are connecting to your external interface
from thunderbird, or thunderbird is not on this same machine?


Check your /etc/sysconfig/postfix file for the line (near bottom)
that says:
POSTFIX_ADD_MYNETWORKS_STYLE="subnet"
(If that says host instead of subnet then only connections
from/to 127.0.0.x will be allowed.)


The actual IP address was an internal 192.168.xx.xx address, local lan. Not
from the email server box, but a separate box on the lan. I can connect and
send using plain connection, but it fails using TLS. Both on port 25.
Also, you should have a postfix configuration line that reads
smtp_sasl_mechanism_filter = !DIGEST-MD5, !external, static:all
because the mechanisms "Not"ed out really don't work and are
not necessary.



I have postfix and sasl set to auth via plain text. Again, this is working fine
without TLS. I'm trying to obfuscate the connection with TLS, still using
plain text, only inside the TLS connection.

All this leads me to believe the problem is a cert issue.

Jim F
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx



But you failed to answer the question about
POSTFIX_ADD_MYNETWORKS_STYLE="subnet"

Check your /etc/sysconfig/postfix file for this setting.

Greetings,

I'm still having problems with my TLS certs. I really could use some more help here.

I re-made my certs again from scratch, but still get the same error. Thunderbird gives a popup message saying "unable to connect to SMTP server xxx via STARTTLS since it doesn't offer STARTTLS in EHLO response". In an email bounce to root:

Transcript of session follows.

Out: 220 mail.jjfiii.com ESMTP Postfix
In: EHLO [192.168.1.65]
Out: 250-mail.jjfiii.com
Out: 250-PIPELINING
Out: 250-SIZE 10240000
Out: 250-VRFY
Out: 250-ETRN
Out: 250-STARTTLS
Out: 250-AUTH LOGIN PLAIN
Out: 250-AUTH=LOGIN PLAIN
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In: STARTTLS
Out: 454 4.3.0 TLS not available due to local problem
In: QUIT

Out: 221 2.0.0 Bye


One excerpt from /var/log/mail shows this:

May 25 12:05:16 cammee postfix/smtpd[16955]: warning: cannot get private key from file /etc/postfix/ssl/smtpd.crt
May 25 12:05:16 cammee postfix/smtpd[16955]: warning: TLS library problem: 16955:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: ANY PRIVATE KEY:
May 25 12:05:16 cammee postfix/smtpd[16955]: warning: TLS library problem: 16955:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:
May 25 12:05:16 cammee postfix/smtpd[16955]: cannot load RSA certificate and key data


So at this point I think there could be 3 things going on here.
1. The certs have a permission issue; all are root-root with read by group and other.
2. There is some passphrase being required by the cert that is not being given by Thunderbird.
3. I still have something wrong in /etc/postfix/main.cf

I can confirm that the location of /etc/postfix/ssl/smtpd.crt is correct.

I sure could use some more help here.

FYI, I used the following from howtoforge to concoct my certs:

------------------
Afterwards we create the certificates for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
# 1024-bit RSA key, 3DES-encrypted with a passphrase you are prompted for;
# -rand seeds the PRNG from /etc/hosts. (1024 bits was the tutorial's
# default; 2048 or more is the norm today.)
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

chmod 600 smtpd.key
# Certificate signing request; asks for the key passphrase and the subject
# fields (the CN should be the host name clients connect to).
openssl req -new -key smtpd.key -out smtpd.csr

# Self-signed server certificate (signed with smtpd.key itself, so it does
# not chain to the cacert.pem made below).
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

# Strip the passphrase: Postfix cannot prompt for one when it loads the key.
openssl rsa -in smtpd.key -out smtpd.key.unencrypted

# Note the mv replaces the file the chmod 600 above was applied to; the new
# smtpd.key gets the umask default (usually 0644), so re-apply chmod 600.
mv -f smtpd.key.unencrypted smtpd.key
# Separate self-signed CA certificate and key (cakey.pem is passphrase
# protected; only cacert.pem is referenced by Postfix).
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

-----------
Many thanks,

Jim



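Added example, not code from this thread, from howtoforge or from Postfix: a stdlib-only checker for the three hypotheses in the message above. The log line "cannot get private key from file /etc/postfix/ssl/smtpd.crt" says Postfix was told to read its private key from the certificate file, and OpenSSL's "no start line ... Expecting: ANY PRIVATE KEY" is its way of saying no PEM block with a PRIVATE KEY label was found there. The script parses the smtpd_tls_cert_file / smtpd_tls_key_file / smtpd_tls_CAfile lines of a main.cf (real Postfix parameter names), checks that each file carries the PEM label the setting needs, flags a passphrase-protected key (hypothesis 2) and a key readable by group or other (hypothesis 1). The main.cf text and PEM files it runs against are constructed fixtures with placeholder base64 bodies, which is enough because none of these checks need real key material.

```python
"""Check the files behind Postfix's smtpd_tls_*_file settings. Added example,
not code from the thread or from Postfix. The main.cf text and PEM files are
constructed fixtures whose base64 bodies are placeholders: the checks look
only at PEM labels, encryption headers and file modes, which is what OpenSSL's
"no start line ... Expecting: ANY PRIVATE KEY" error is about."""
import os
import re
import stat
import tempfile

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "EC PRIVATE KEY"}
# setting -> acceptable PEM labels; smtpd_tls_CAfile may be left unset
WANTED = {"smtpd_tls_cert_file": {"CERTIFICATE"},
          "smtpd_tls_key_file": KEY_LABELS,
          "smtpd_tls_CAfile": {"CERTIFICATE"}}
REQUIRED = {"smtpd_tls_cert_file", "smtpd_tls_key_file"}


def parse_main_cf(text):
    """{name: value} for 'name = value' lines; '#' lines are comments and
    lines starting with whitespace continue the previous value (Postfix rules)."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0].isspace() and last:
            params[last] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params


def pem_labels(path):
    with open(path) as fh:
        return [m.group(1) for m in PEM_BLOCK.finditer(fh.read())]


def key_is_encrypted(path):
    """Legacy PEM marks a passphrase with 'Proc-Type: 4,ENCRYPTED';
    PKCS#8 uses the ENCRYPTED PRIVATE KEY label."""
    with open(path) as fh:
        text = fh.read()
    return "Proc-Type: 4,ENCRYPTED" in text or "BEGIN ENCRYPTED PRIVATE KEY" in text


def check_tls_files(main_cf_text):
    """Return a list of problems; empty means Postfix should be able to load the files."""
    params, problems = parse_main_cf(main_cf_text), []
    for param, wanted in WANTED.items():
        path = params.get(param, "")
        if not path:
            if param in REQUIRED:
                problems.append(f"{param} is not set")
            continue
        if not os.path.isfile(path):
            problems.append(f"{param}: {path} does not exist")
            continue
        labels = set(pem_labels(path))
        if not labels & wanted:
            # The thread's log: key_file pointing at smtpd.crt gives
            # "PEM_read_bio:no start line ... Expecting: ANY PRIVATE KEY".
            problems.append(f"{param}: {path} holds {sorted(labels) or 'no PEM block'}, "
                            f"expected one of {sorted(wanted)}")
            continue
        if param == "smtpd_tls_key_file":
            if key_is_encrypted(path):
                problems.append(f"{param}: {path} needs a passphrase, which Postfix cannot "
                                "supply; write it out with 'openssl rsa -in KEY -out NEWKEY'")
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & 0o077:
                # Postfix reads the key at start-up before dropping privileges,
                # so 0600 root:root works; anything wider leaks the key.
                problems.append(f"{param}: {path} is mode {mode:04o}, should be 0600")
    return problems


# Constructed placeholders: correct PEM framing, no real key material.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEplaceholder\n-----END RSA PRIVATE KEY-----\n"
FAKE_ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                      "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nMIIEplaceholder\n"
                      "-----END RSA PRIVATE KEY-----\n")


def write_fixture(directory, encrypted=False):
    """Create smtpd.crt, smtpd.key and cacert.pem (placeholders); return {name: path}."""
    paths = {}
    for name, body, mode in (("smtpd.crt", FAKE_CERT, 0o644),
                             ("smtpd.key", FAKE_ENCRYPTED_KEY if encrypted else FAKE_KEY, 0o600),
                             ("cacert.pem", FAKE_CERT, 0o644)):
        paths[name] = os.path.join(directory, name)
        with open(paths[name], "w") as fh:
            fh.write(body)
        os.chmod(paths[name], mode)
    return paths


def main_cf_for(paths, key_name="smtpd.key"):
    """Minimal main.cf TLS section pointing at the fixture files."""
    return (f"smtpd_use_tls = yes\nsmtpd_tls_cert_file = {paths['smtpd.crt']}\n"
            f"smtpd_tls_key_file = {paths[key_name]}\nsmtpd_tls_CAfile = {paths['cacert.pem']}\n")


def demo():
    """Problem lists for: a correct set-up, key_file pointing at the certificate
    (the thread's log), and a passphrase-protected key."""
    with tempfile.TemporaryDirectory() as tmp:
        good = check_tls_files(main_cf_for(write_fixture(tmp)))
        wrong_file = check_tls_files(main_cf_for(write_fixture(tmp), key_name="smtpd.crt"))
        encrypted = check_tls_files(main_cf_for(write_fixture(tmp, encrypted=True)))
    return good, wrong_file, encrypted


if __name__ == "__main__":
    for label, problems in zip(("correct", "key_file -> smtpd.crt", "encrypted key"), demo()):
        print(f"{label}: {problems or 'OK'}")
```

To run it against a live box, feed `check_tls_files(open("/etc/postfix/main.cf").read())` instead of the fixtures; `postconf smtpd_tls_cert_file smtpd_tls_key_file smtpd_tls_CAfile` prints the same three values if the settings come from an include or from defaults. The checker deliberately stops at PEM framing: whether the key really matches the certificate is a separate question, answered on the command line by comparing `openssl x509 -noout -modulus -in smtpd.crt` with `openssl rsa -noout -modulus -in smtpd.key`.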