John Andersen wrote:
On Tue, May 20, 2008 at 8:57 PM, Jim Flanagan <linuxjim@jjfiii.com> wrote:
John Andersen wrote:
On Tue, May 20, 2008 at 7:00 PM, Jim Flanagan <linuxjim@jjfiii.com> wrote:
Greetings all,
I am having problems with my certs. I made certs for TLS and put them in /etc/postfix/ssl. I believe I made them correctly, all are owned root-root. They are named smtpd.crt, smtpd.key, cacert.pem (also cakey.pem and smtpd.csr are there too). On sending a test message with Thunderbird I get an error in /var/log/mail.info stating "cannot load RSA certificate and key data". Thunderbird returns a message saying "unable to connect to SMTP server at xx.xx.xx.xx via STARTTLS since it doesn't offer STARTTLS in EHLO response".
Since you obfuscated the IP (xx.xx.xx.xx) I can only assume that it was NOT 127.0.0.1 (localhost) which suggests you are connecting to some IP that would make sense to obfuscate.
Which suggests that you are connecting to your external interface from thunderbird, or thunderbird is not on this same machine?
Check your /etc/sysconfig/postfix file for the line (near the bottom) that says: POSTFIX_ADD_MYNETWORKS_STYLE="subnet" (if that says host instead of subnet, then only connections from/to 127.0.0.x will be allowed).
The actual IP address was an internal 192.168.xx.xx address, local LAN. Not from the email server box, but a separate box on the LAN. I can connect and send using a plain connection, but it fails using TLS. Both on port 25.
Also, you should have a postfix configuration line that reads smtp_sasl_mechanism_filter = !DIGEST-MD5, !external, static:all because the mechanisms "NOT"ed out really don't work and are not necessary.
I have postfix and sasl set to auth via plain text. Again, this is working fine without TLS. I'm trying to obfuscate the connection with TLS, still using plain text, only inside the TLS connection.
All this leads me to believe the problem is a cert issue.
Jim F
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
But you failed to answer the question about POSTFIX_ADD_MYNETWORKS_STYLE="subnet"
Check your /etc/sysconfig/postfix file for this setting.
Greetings, I'm still having problems with my TLS certs. I really could use some more help here. I re-made my certs again from scratch, but still get the same error. Thunderbird gives a popup message saying "unable to connect to SMTP server xxx via STARTTLS since it doesn't offer STARTTLS in EHLO response".

In an email bounce to root:

Transcript of session follows.
Out: 220 mail.jjfiii.com ESMTP Postfix
In: EHLO [192.168.1.65]
Out: 250-mail.jjfiii.com
Out: 250-PIPELINING
Out: 250-SIZE 10240000
Out: 250-VRFY
Out: 250-ETRN
Out: 250-STARTTLS
Out: 250-AUTH LOGIN PLAIN
Out: 250-AUTH=LOGIN PLAIN
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In: STARTTLS
Out: 454 4.3.0 TLS not available due to local problem
In: QUIT
Out: 221 2.0.0 Bye

One excerpt from /var/log/mail shows this:

May 25 12:05:16 cammee postfix/smtpd[16955]: warning: cannot get private key from file /etc/postfix/ssl/smtpd.crt
May 25 12:05:16 cammee postfix/smtpd[16955]: warning: TLS library problem: 16955:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: ANY PRIVATE KEY:
May 25 12:05:16 cammee postfix/smtpd[16955]: warning: TLS library problem: 16955:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:
May 25 12:05:16 cammee postfix/smtpd[16955]: cannot load RSA certificate and key data

So at this point I think there could be 3 things going on here.
1. The certs have a permission issue; all are root-root with read by group and other.
2. There is some passphrase being required by the cert that is not being given by Thunderbird.
3. I still have something wrong in /etc/postfix/main.cf

I can confirm that the location of /etc/postfix/ssl/smtpd.crt is correct. I sure could use some more help here.
FYI, I used the following from howtoforge to concoct my certs:
------------------
Afterwards we create the certificates for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
-----------
Many thanks,
Jim
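An added check for the third possibility Jim lists (something wrong in main.cf); this is a script written for this thread, not part of Postfix or the howto. The log warning names /etc/postfix/ssl/smtpd.crt as the file smtpd tried to read the private key from, and OpenSSL answers "no start line ... Expecting: ANY PRIVATE KEY", so the script inspects the PEM block headers of whatever files smtpd_tls_cert_file and smtpd_tls_key_file point at, and also flags a key that still carries the des3 passphrase the howto's first openssl step adds. Function names are assumptions and the sample PEM files are constructed placeholders with no real key material.

```sh
#!/bin/sh
# Sanity-check the files Postfix's smtpd_tls_cert_file and smtpd_tls_key_file
# point at, using only sed/grep on the PEM headers (no openssl needed).

# Print the PEM block types found in a file, one per line.
pem_block_types() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# 0 if the file holds a private key block (RSA, EC or PKCS#8 form).
has_private_key() {
    pem_block_types "$1" | grep -q 'PRIVATE KEY$'
}

# 0 if the file holds a certificate block.
has_certificate() {
    pem_block_types "$1" | grep -q '^CERTIFICATE$'
}

# 0 if the key still needs a passphrase: legacy "Proc-Type: 4,ENCRYPTED" header (openssl genrsa -des3) or PKCS#8 ENCRYPTED block.
key_is_encrypted() {
    grep -q '^Proc-Type: 4,ENCRYPTED' "$1" ||
        pem_block_types "$1" | grep -q '^ENCRYPTED PRIVATE KEY$'
}

# Check a cert/key pair the way smtpd would try to load it; 0 only if usable.
check_tls_files() {
    cert="$1"; key="$2"; rc=0
    has_certificate "$cert" || { echo "FAIL: $cert has no CERTIFICATE block"; rc=1; }
    if ! has_private_key "$key"; then
        echo "FAIL: $key has no PRIVATE KEY block (found: $(pem_block_types "$key" | tr '\n' ' '))"
        rc=1
    elif key_is_encrypted "$key"; then
        echo "FAIL: $key is passphrase-protected; smtpd cannot prompt for one"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $cert + $key look loadable"
    return "$rc"
}

# Constructed sample files with placeholder bodies (not real key material).
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
printf -- '-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n' > "$demo/smtpd.crt"
printf -- '-----BEGIN RSA PRIVATE KEY-----\nMIICplaceholder\n-----END RSA PRIVATE KEY-----\n' > "$demo/smtpd.key"
printf -- '-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,00\n\nMIICplaceholder\n-----END RSA PRIVATE KEY-----\n' > "$demo/des3.key"

# Good pair, then a key_file setting pointing at the certificate, then a key that still has its passphrase.
for k in smtpd.key smtpd.crt des3.key; do
    check_tls_files "$demo/smtpd.crt" "$demo/$k" || :
done
```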