[opensuse] Help with Certs for Cyrus IMAP and TLS
Greetings all,

I am having problems with my certs. I made certs for TLS and put them in /etc/postfix/ssl. I believe I made them correctly, all are owned root-root. They are named smtpd.crt, smtpd.key, cacert.pem (cakey.pem and smptd.csr are there too). On sending a test message with Thunderbird I get an error in /var/log/mail.info stating "cannot load RSA certificate and key data". Thunderbird returns a message saying "unable to connect to SMTP server at xx.xx.xx.xx via STARTTLS since it doesn't offer STARTTLS in EHLO response."

However, running telnet localhost 25 returns:

220 mail.jjfiii.com ESMTP Postfix
ehlo localhost
250-mail.jjfiii.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

So I think this may be an ownership issue??

postconf -n returns the following:

alias_maps = hash:/etc/aliases
biff = no
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
defer_transports =
disable_dns_lookups = no
disable_mime_output_conversion = no
html_directory = /usr/share/doc/packages/postfix/html
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 51200000
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_exceptions = root
message_size_limit = 10240000
mydestination = me.com, mail.me.com localhost
mydomain = me.com
myhostname = mail.me.com
myorigin = me.com
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix/README_FILES
relayhost = [something.somewhere.com]
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_type = cyrus
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_client_restrictions =
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, check_recipient_access hash:/etc/postfix/recipients_internal_only, check_client_access hash:/etc/postfix/client_blacklist permit_sasl_authenticated
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_8bitmime = no
strict_rfc821_envelopes = no
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550

Not sure where my problem is.

I have a second issue now too. Where do I put the cert for cyrus IMAP, and what config file do I tell cyrus to point to? Can cyrus use the same smtpd.crt I made in /etc/postfix/ssl, or do I need to make a separate one for imap??

Many thanks,
Jim
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Tue, May 20, 2008 at 7:00 PM, Jim Flanagan <linuxjim@jjfiii.com> wrote:
Greetings all,
I am having problems with my certs. I made certs for TLS and put them in /etc/postfix/ssl. I believe I made them correctly, all are owned root-root. They are named smtpd.crt, smtpd.key, cacert.pem (cakey.pem and smptd.csr are there too). On sending a test message with Thunderbird I get an error in /var/log/mail.info stating "cannot load RSA certificate and key data". Thunderbird returns a message saying "unable to connect to SMTP server at xx.xx.xx.xx via STARTTLS since it doesn't offer STARTTLS in EHLO response."
Since you obfuscated the IP (xx.xx.xx.xx) I can only assume that it was NOT 127.0.0.1 (localhost), which suggests you are connecting to some IP that would make sense to obfuscate. Which suggests that you are connecting to your external interface from thunderbird, or thunderbird is not on this same machine?

Check your /etc/sysconfig/postfix file for the line (near bottom) that says: POSTFIX_ADD_MYNETWORKS_STYLE="subnet" (if that says host instead of subnet then only connections from/to 127.0.0.x will be allowed).

Also, you should have a postfix configuration line that reads

smtp_sasl_mechanism_filter = !DIGEST-MD5, !external, static:all

because the mechanisms "Not"ed out really don't work and are not necessary.

--
----------JSA---------
John Andersen wrote:
On Tue, May 20, 2008 at 7:00 PM, Jim Flanagan <linuxjim@jjfiii.com> wrote:
Greetings all,
I am having problems with my certs. I made certs for TLS and put them in /etc/postfix/ssl. I believe I made them correctly, all are owned root-root. They are named smtpd.crt, smtpd.key, cacert.pem (cakey.pem and smptd.csr are there too). On sending a test message with Thunderbird I get an error in /var/log/mail.info stating "cannot load RSA certificate and key data". Thunderbird returns a message saying "unable to connect to SMTP server at xx.xx.xx.xx via STARTTLS since it doesn't offer STARTTLS in EHLO response."
Since you obfuscated the IP (xx.xx.xx.xx) I can only assume that it was NOT 127.0.0.1 (localhost) which suggests you are connecting to some IP that would make sense to obfuscate.
Which suggests that you are connecting to your external interface from thunderbird, or thunderbird is not on this same machine?
Check your /etc/sysconfig/postfix file for the line (near bottom) that says: POSTFIX_ADD_MYNETWORKS_STYLE="subnet" (if that says host instead of subnet then only connections from/to 127.0.0.x will be allowed).
The actual IP address was an internal 192.168.xx.xx address, local lan. Not from the email server box, but a separate box on the lan. I can connect and send using plain connection, but it fails using TLS. Both on port 25.
Also, you should have a postfix configuration line that reads smtp_sasl_mechanism_filter = !DIGEST-MD5, !external, static:all because the mechanisms "Not"ed out really don't work and are not necessary.
I have postfix and sasl to auth via plain text. Again, this is working fine without TLS. I'm trying to obfuscate the connection with TLS, still using plain text, only inside the TLS connection.

All this leads me to believe the problem is a cert issue.

Jim F
Jim Flanagan wrote:
The actual IP address was an internal 192.168.xx.xx address, local lan. Not from the email server box, but a separate box on the lan. I can connect and send using plain connection, but it fails using TLS. Both on port 25.
LOL, there's no need to obscure 192.168. addresses since there is absolutely no way to tell which internal lan, out of the many millions on the planet, they might belong to.
I have postfix and sasl to auth via plan text. Again this is working fine. without TLS. I'm trying to obfuscate the connection with TLS, still using plain text, only inside the TLS connection.
All this leads me to believe the problem is a cert issue.
Are there messages to that effect in /var/log/mail? Surely postfix will log something of interest in connection with the failure, feel free to share excerpts from syslog.

Joe
Joe Sloan wrote:
Jim Flanagan wrote:
The actual IP address was an internal 192.168.xx.xx address, local lan. Not from the email server box, but a separate box on the lan. I can connect and send using plain connection, but it fails using TLS. Both on port 25.
LOL, there's no need to obscure 192.168. addresses since there is absolutely no way to tell which internal lan, out of the many millions on the planet, they might belong to.
I have postfix and sasl to auth via plain text. Again, this is working fine without TLS. I'm trying to obfuscate the connection with TLS, still using plain text, only inside the TLS connection.
All this leads me to believe the problem is a cert issue.
Are there messages to that effect in /var/log/mail? Surely postfix will log something of interest in connection with the failure, feel free to share excerpts from syslog.
Here is an excerpt from /var/log/mail:

May 20 20:59:55 cammee postfix/smtpd[30058]: warning: cannot get private key from file /etc/postfix/ssl/smtpd.crt
May 20 20:59:55 cammee postfix/smtpd[30058]: warning: TLS library problem: 30058:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: ANY PRIVATE KEY:
May 20 20:59:55 cammee postfix/smtpd[30058]: warning: TLS library problem: 30058:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:
May 20 20:59:55 cammee postfix/smtpd[30058]: cannot load RSA certificate and key data

Here is another that I really don't understand. I'm relaying thru my ISP, but why would my cert be passed on to them?

May 20 21:00:18 cammee postfix/smtp[30055]: ADBF58BC9B: to=<opensuse@opensuse.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.4, delays=0.27/0/0.01/4.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as C952A8BC8D)
May 20 21:00:18 cammee postfix/qmgr[29988]: ADBF58BC9B: removed
May 20 21:00:18 cammee postfix/smtp[30094]: certificate verification failed for smtpauth.myisp.com: num=19:self signed certificate in certificate chain
May 20 21:00:20 cammee postfix/smtp[30094]: C952A8BC8D: to=<opensuse@opensuse.org>, relay=smtpauth.myisp.com[207.69.189.203]:25, delay=2.4, delays=0.09/0.09/1.7/0.48, dsn=2.0.0, status=sent (250 OK id=1Jydcp-0008BL-NK)
May 20 21:00:20 cammee postfix/qmgr[29988]: C952A8BC8D: removed

Jim
Jim Flanagan wrote:
Here is an excerpt from /var/log/mail
May 20 20:59:55 cammee postfix/smtpd[30058]: warning: cannot get private key from file /etc/postfix/ssl/smtpd.crt
May 20 20:59:55 cammee postfix/smtpd[30058]: warning: TLS library problem: 30058:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: ANY PRIVATE KEY:
May 20 20:59:55 cammee postfix/smtpd[30058]: warning: TLS library problem: 30058:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:
May 20 20:59:55 cammee postfix/smtpd[30058]: cannot load RSA certificate and key data
Definitely confirms that there is a problem with your certs.
Here is another that I really don't understand. I'm relaying thru my ISP, but why would my cert be passed on to them?
May 20 21:00:18 cammee postfix/smtp[30055]: ADBF58BC9B: to=<opensuse@opensuse.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.4, delays=0.27/0/0.01/4.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as C952A8BC8D)
May 20 21:00:18 cammee postfix/qmgr[29988]: ADBF58BC9B: removed
May 20 21:00:18 cammee postfix/smtp[30094]: certificate verification failed for smtpauth.myisp.com: num=19:self signed certificate in certificate chain
May 20 21:00:20 cammee postfix/smtp[30094]: C952A8BC8D: to=<opensuse@opensuse.org>, relay=smtpauth.myisp.com[207.69.189.203]:25, delay=2.4, delays=0.09/0.09/1.7/0.48, dsn=2.0.0, status=sent (250 OK id=1Jydcp-0008BL-NK)
May 20 21:00:20 cammee postfix/qmgr[29988]: C952A8BC8D: removed
If your postfix is set up to always try tls, with strict certificate checks, those log entries could make sense for a variety of scenarios.

I set up my postfix server for opportunistic tls, both sending and receiving, and see a lot of tls mail traffic as a result. But it's not mandatory, so if the tls handshake doesn't work, it falls back to conventional smtp, which is good enough for my purposes.

FWIW my setup is similar to the one described here -
http://enricozini.org/2006/etiopia/seventh-day-in-addis.html

Joe
Joe Sloan wrote:
Jim Flanagan wrote:
Here is an excerpt from /var/log/mail
May 20 20:59:55 cammee postfix/smtpd[30058]: warning: cannot get private key from file /etc/postfix/ssl/smtpd.crt
May 20 20:59:55 cammee postfix/smtpd[30058]: warning: TLS library problem: 30058:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: ANY PRIVATE KEY:
May 20 20:59:55 cammee postfix/smtpd[30058]: warning: TLS library problem: 30058:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:
May 20 20:59:55 cammee postfix/smtpd[30058]: cannot load RSA certificate and key data
Definitely confirms that there is a problem with your certs.
Here is another that I really don't understand. I'm relaying thru my ISP, but why would my cert be passed on to them?
May 20 21:00:18 cammee postfix/smtp[30055]: ADBF58BC9B: to=<opensuse@opensuse.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.4, delays=0.27/0/0.01/4.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as C952A8BC8D)
May 20 21:00:18 cammee postfix/qmgr[29988]: ADBF58BC9B: removed
May 20 21:00:18 cammee postfix/smtp[30094]: certificate verification failed for smtpauth.myisp.com: num=19:self signed certificate in certificate chain
May 20 21:00:20 cammee postfix/smtp[30094]: C952A8BC8D: to=<opensuse@opensuse.org>, relay=smtpauth.myisp.com[207.69.189.203]:25, delay=2.4, delays=0.09/0.09/1.7/0.48, dsn=2.0.0, status=sent (250 OK id=1Jydcp-0008BL-NK)
May 20 21:00:20 cammee postfix/qmgr[29988]: C952A8BC8D: removed
If your postfix is set up to always try tls, with strict certificate checks, those log entries could make sense for a variety of scenarios.
I set up my postfix server for opportunistic tls, both sending and receiving, and see a lot of tls mail traffic as a result. But it's not mandatory, so if the tls handshake doesn't work, it falls back to conventional smtp, which is good enough for my purposes.
FWIW my setup is similar to the one described here -
http://enricozini.org/2006/etiopia/seventh-day-in-addis.html
Joe
I'll have a look thru that, thanks. I have been following one of those "Perfect Server" postings about opensuse 10.3 on Sourceforge, the part about Postfix and Cyrus Imap, at http://www.howtoforge.com/perfect_server_opensuse10.3_p5

Jim
On Tue, May 20, 2008 at 8:57 PM, Jim Flanagan <linuxjim@jjfiii.com> wrote:
John Andersen wrote:
On Tue, May 20, 2008 at 7:00 PM, Jim Flanagan <linuxjim@jjfiii.com> wrote:
Greetings all,
I am having problems with my certs. I made certs for TLS and put them in /etc/postfix/ssl. I believe I made them correctly, all are owned root-root. They are named smtpd.crt, smtpd.key, cacert.pem (cakey.pem and smptd.csr are there too). On sending a test message with Thunderbird I get an error in /var/log/mail.info stating "cannot load RSA certificate and key data". Thunderbird returns a message saying "unable to connect to SMTP server at xx.xx.xx.xx via STARTTLS since it doesn't offer STARTTLS in EHLO response."
Since you obfuscated the IP (xx.xx.xx.xx) I can only assume that it was NOT 127.0.0.1 (localhost) which suggests you are connecting to some IP that would make sense to obfuscate.
Which suggests that you are connecting to your external interface from thunderbird, or thunderbird is not on this same machine?
Check your /etc/sysconfig/postfix file for the line (near bottom) that says: POSTFIX_ADD_MYNETWORKS_STYLE="subnet" (if that says host instead of subnet then only connections from/to 127.0.0.x will be allowed).
The actual IP address was an internal 192.168.xx.xx address, local lan. Not from the email server box, but a separate box on the lan. I can connect and send using plain connection, but it fails using TLS. Both on port 25.
Also, you should have a postfix configuration line that reads smtp_sasl_mechanism_filter = !DIGEST-MD5, !external, static:all because the mechanisms "Not"ed out really don't work and are not necessary.
I have postfix and sasl to auth via plain text. Again, this is working fine without TLS. I'm trying to obfuscate the connection with TLS, still using plain text, only inside the TLS connection.
All this leads me to believe the problem is a cert issue.
Jim F
But you failed to answer the question about POSTFIX_ADD_MYNETWORKS_STYLE="subnet"

Check your /etc/sysconfig/postfix file for this setting.

--
----------JSA---------
John Andersen wrote:
On Tue, May 20, 2008 at 8:57 PM, Jim Flanagan <linuxjim@jjfiii.com> wrote:
John Andersen wrote:
On Tue, May 20, 2008 at 7:00 PM, Jim Flanagan <linuxjim@jjfiii.com> wrote:
Greetings all,
I am having problems with my certs. I made certs for TLS and put them in /etc/postfix/ssl. I believe I made them correctly, all are owned root-root. They are named smtpd.crt, smtpd.key, cacert.pem (cakey.pem and smptd.csr are there too). On sending a test message with Thunderbird I get an error in /var/log/mail.info stating "cannot load RSA certificate and key data". Thunderbird returns a message saying "unable to connect to SMTP server at xx.xx.xx.xx via STARTTLS since it doesn't offer STARTTLS in EHLO response."
Since you obfuscated the IP (xx.xx.xx.xx) I can only assume that it was NOT 127.0.0.1 (localhost) which suggests you are connecting to some IP that would make sense to obfuscate.
Which suggests that you are connecting to your external interface from thunderbird, or thunderbird is not on this same machine?
Check your /etc/sysconfig/postfix file for the line (near bottom) that says: POSTFIX_ADD_MYNETWORKS_STYLE="subnet" (if that says host instead of subnet then only connections from/to 127.0.0.x will be allowed).
The actual IP address was an internal 192.168.xx.xx address, local lan. Not from the email server box, but a separate box on the lan. I can connect and send using plain connection, but it fails using TLS. Both on port 25.
Also, you should have a postfix configuration line that reads smtp_sasl_mechanism_filter = !DIGEST-MD5, !external, static:all because the mechanisms "Not"ed out really don't work and are not necessary.
I have postfix and sasl to auth via plain text. Again, this is working fine without TLS. I'm trying to obfuscate the connection with TLS, still using plain text, only inside the TLS connection.
All this leads me to believe the problem is a cert issue.
Jim F
But you failed to answer the question about POSTFIX_ADD_MYNETWORKS_STYLE="subnet"
Check your /etc/sysconfig/postfix file for this setting.
Sorry, yes mine is set as POSTFIX_ADD_MYNETWORKS_STYLE="subnet"

Jim
John Andersen wrote:
On Tue, May 20, 2008 at 8:57 PM, Jim Flanagan <linuxjim@jjfiii.com> wrote:
John Andersen wrote:
On Tue, May 20, 2008 at 7:00 PM, Jim Flanagan <linuxjim@jjfiii.com> wrote:
Greetings all,
I am having problems with my certs. I made certs for TLS and put them in /etc/postfix/ssl. I believe I made them correctly, all are owned root-root. They are named smtpd.crt, smtpd.key, cacert.pem (cakey.pem and smptd.csr are there too). On sending a test message with Thunderbird I get an error in /var/log/mail.info stating "cannot load RSA certificate and key data". Thunderbird returns a message saying "unable to connect to SMTP server at xx.xx.xx.xx via STARTTLS since it doesn't offer STARTTLS in EHLO response."
Since you obfuscated the IP (xx.xx.xx.xx) I can only assume that it was NOT 127.0.0.1 (localhost) which suggests you are connecting to some IP that would make sense to obfuscate.
Which suggests that you are connecting to your external interface from thunderbird, or thunderbird is not on this same machine?
Check your /etc/sysconfig/postfix file for the line (near bottom) that says: POSTFIX_ADD_MYNETWORKS_STYLE="subnet" (if that says host instead of subnet then only connections from/to 127.0.0.x will be allowed).
The actual IP address was an internal 192.168.xx.xx address, local lan. Not from the email server box, but a separate box on the lan. I can connect and send using plain connection, but it fails using TLS. Both on port 25.
Also, you should have a postfix configuration line that reads smtp_sasl_mechanism_filter = !DIGEST-MD5, !external, static:all because the mechanisms "Not"ed out really don't work and are not necessary.
I have postfix and sasl to auth via plain text. Again, this is working fine without TLS. I'm trying to obfuscate the connection with TLS, still using plain text, only inside the TLS connection.
All this leads me to believe the problem is a cert issue.
Jim F
But you failed to answer the question about POSTFIX_ADD_MYNETWORKS_STYLE="subnet"
Check your /etc/sysconfig/postfix file for this setting.
Greetings,

I'm still having problems with my TLS certs. I really could use some more help here. I re-made my certs again from scratch, but still get the same error. Thunderbird gives a popup message saying "unable to connect to SMTP server xxx via STARTTLS since it doesn't offer STARTTLS in EHLO response".

In an email bounce to root:

Transcript of session follows.
Out: 220 mail.jjfiii.com ESMTP Postfix
In: EHLO [192.168.1.65]
Out: 250-mail.jjfiii.com
Out: 250-PIPELINING
Out: 250-SIZE 10240000
Out: 250-VRFY
Out: 250-ETRN
Out: 250-STARTTLS
Out: 250-AUTH LOGIN PLAIN
Out: 250-AUTH=LOGIN PLAIN
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In: STARTTLS
Out: 454 4.3.0 TLS not available due to local problem
In: QUIT
Out: 221 2.0.0 Bye

One excerpt from /var/log/mail shows this:

May 25 12:05:16 cammee postfix/smtpd[16955]: warning: cannot get private key from file /etc/postfix/ssl/smtpd.crt
May 25 12:05:16 cammee postfix/smtpd[16955]: warning: TLS library problem: 16955:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: ANY PRIVATE KEY:
May 25 12:05:16 cammee postfix/smtpd[16955]: warning: TLS library problem: 16955:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:
May 25 12:05:16 cammee postfix/smtpd[16955]: cannot load RSA certificate and key data

So at this point I think there could be 3 things going on here.
1. The certs have a permission issue, all are root-root with read by group and other.
2. There is some passphrase being required by the cert that is not being given by thunderbird.
3. I still have something wrong in /etc/postfix/main.cf

I can confirm that the location of /etc/postfix/ssl/smtpd.crt is correct. I sure could use some more help here.

FYI, I used the following from howtoforge to concoct my certs:

------------------
Afterwards we create the certificates for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
-----------

Many thanks,
Jim
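The clues in this thread line up. The postconf -n dump in the first message sets smtpd_tls_cert_file but never smtpd_tls_key_file, and Postfix's built-in default for smtpd_tls_key_file is $smtpd_tls_cert_file, so smtpd looks for the private key inside smtpd.crt and logs exactly "cannot get private key from file /etc/postfix/ssl/smtpd.crt ... Expecting: ANY PRIVATE KEY". The howtoforge steps above give a second way to hit the same failure: "genrsa -des3" leaves the key passphrase-protected until the later "openssl rsa" step rewrites it, and smtpd has no way to supply a passphrase. The script below is an added example, not code from the thread, from howtoforge or from Postfix. It reads a postconf -n dump (or main.cf) and checks that each named PEM file carries the block type smtpd expects, that the key is unencrypted and not world-readable, and, when the openssl binary is installed, that the certificate really belongs to the key. The file and directory names it creates are constructed stand-ins for the layout in the thread, and the PEM contents are fake.

```shell
#!/bin/sh
# Added example (not from the thread, howtoforge or Postfix): pre-flight check
# of the smtpd_tls_* certificate settings before restarting postfix.
# Assumption: CONF is a "postconf -n" dump or main.cf with "name = value" lines.

# postconf_get CONF NAME: value of NAME (last assignment wins), empty if unset.
postconf_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# pem_has_block FILE LABEL: true if FILE holds a "-----BEGIN ...LABEL-----"
# line; LABEL "PRIVATE KEY" also matches "RSA PRIVATE KEY".
pem_has_block() {
    grep -q -- "^-----BEGIN .*$2-----\$" "$1" 2>/dev/null
}

# pem_key_is_encrypted FILE: true if the key still carries a passphrase (the
# state "genrsa -des3" leaves it in until "openssl rsa" rewrites it).
pem_key_is_encrypted() {
    grep -q -E -- '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1" 2>/dev/null
}

# world_readable FILE: true if the "other" read bit is set.
world_readable() {
    [ -n "$(find "$1" -perm -004)" ]
}

# check_smtpd_tls CONF: print one line per finding; exit 0 only if clean.
check_smtpd_tls() {
    conf=$1
    problems=0
    cert=$(postconf_get "$conf" smtpd_tls_cert_file)
    key=$(postconf_get "$conf" smtpd_tls_key_file)
    if [ -z "$cert" ]; then
        echo "smtpd_tls_cert_file is not set"
        return 1
    fi
    if [ -z "$key" ]; then
        # Postfix default: smtpd_tls_key_file = $smtpd_tls_cert_file
        echo "smtpd_tls_key_file unset: postfix will read the private key from $cert"
        key=$cert
        problems=$((problems + 1))
    fi
    if ! pem_has_block "$cert" "CERTIFICATE"; then
        echo "$cert: no CERTIFICATE block (or file unreadable)"
        problems=$((problems + 1))
    fi
    if ! pem_has_block "$key" "PRIVATE KEY"; then
        # the "PEM_read_bio:no start line ... Expecting: ANY PRIVATE KEY" case
        echo "$key: no PRIVATE KEY block (or file unreadable)"
        problems=$((problems + 1))
    elif pem_key_is_encrypted "$key"; then
        echo "$key: private key is passphrase-protected; smtpd cannot unlock it"
        problems=$((problems + 1))
    elif world_readable "$key"; then
        echo "$key: private key is world-readable; chmod 600 it"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# cert_matches_key CERT KEY: true if the certificate was issued for KEY
# (compares the RSA modulus of both files; needs the openssl binary).
cert_matches_key() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 2; }
    c=$(openssl x509 -noout -modulus -in "$1") || return 1
    k=$(openssl rsa -noout -modulus -in "$2") || return 1
    [ "$c" = "$k" ]
}

# make_sample_tree DIR: constructed, non-functional PEM files and three
# postconf-style dumps reproducing the layouts discussed in the thread.
make_sample_tree() {
    d=$1
    mkdir -p "$d/ssl"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBxzCCconstructedNotARealCert=' \
        '-----END CERTIFICATE-----' > "$d/ssl/smtpd.crt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIICXAIBconstructedNotARealKey=' \
        '-----END RSA PRIVATE KEY-----' > "$d/ssl/smtpd.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' '' 'constructedEncryptedKey=' \
        '-----END RSA PRIVATE KEY-----' > "$d/ssl/smtpd.key.des3"
    chmod 644 "$d/ssl/smtpd.crt"
    chmod 600 "$d/ssl/smtpd.key" "$d/ssl/smtpd.key.des3"
    # as posted: cert named, smtpd_tls_key_file absent
    printf '%s\n' "smtpd_tls_cert_file = $d/ssl/smtpd.crt" 'smtpd_use_tls = yes' \
        > "$d/main.cf.as-posted"
    # key still passphrase-protected (the "openssl rsa" step skipped)
    printf '%s\n' "smtpd_tls_cert_file = $d/ssl/smtpd.crt" \
        "smtpd_tls_key_file = $d/ssl/smtpd.key.des3" > "$d/main.cf.des3"
    # fixed: key file named explicitly, unencrypted, mode 600
    printf '%s\n' "smtpd_tls_cert_file = $d/ssl/smtpd.crt" \
        "smtpd_tls_key_file = $d/ssl/smtpd.key" > "$d/main.cf.fixed"
}

# Demo run on the constructed tree.
demo=$(mktemp -d)
make_sample_tree "$demo"
for cf in main.cf.as-posted main.cf.des3 main.cf.fixed; do
    echo "== $cf"
    if check_smtpd_tls "$demo/$cf"; then echo "ok: certificate and key look loadable"; fi
done
rm -rf "$demo"
```

Against a real box, save `postconf -n` to a file and pass that path to check_smtpd_tls; for the configuration posted in this thread the finding it prints points at one missing main.cf line, smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key, followed by postfix reload. cert_matches_key is the extra check to run on the real files once openssl is available; it is kept out of check_smtpd_tls so the latter works on hosts without the openssl binary.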
On Sun, May 25, 2008 at 10:22 AM, Jim Flanagan <linuxjim@jjfiii.com> wrote:
So at this point I think there could be 3 things going on here. 1. The certs have a permission issue, all are root-root with read by group and other.
These certs do not need to be (and should not be) readable by anyone other than root.
2. There is some passphrase being required by the cert that is not being given by thunderbird.
Thunderbird never accesses these certs nor does it require any passphrases. Certs are only accessed by the smtpd (postfix).

The directory structure you are using is slightly different than the one I have, which was initially set up under 10.2. Therefore things in your setup don't exactly match mine. In addition, since mine has migrated to 10.3 I don't feel real confident in telling you exactly how it should be arranged, and quite frankly, it seems to me that if you specify exactly where these things are in the main.cf the structure might not matter.

My ssl/ dir has a Certs dir, and a Private dir where the cakey.pem hides. I also have specific lines in my main.cf telling it exactly where the keys are:

smtpd_tls_key_file = /etc/postfix/ssl/certs/postfixkey.pem
smtpd_tls_cert_file = /etc/postfix/ssl/certs/postfixcert.pem
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem

Again, all readable by root only.
3. I still have something wrong in /etc/postfix/main.cf
This may be the case, and it might have to do with the structure of your directories not matching specific locations of the key related files. These are read in at startup and cached as far as I can tell.

4--- Added) I don't discount the possibility of a library problem.

--
----------JSA---------
John Andersen wrote:
On Sun, May 25, 2008 at 10:22 AM, Jim Flanagan <linuxjim@jjfiii.com> wrote:
So at this point I think there could be 3 things going on here.
1. The certs have a permission issue, all are root-root with read by group and other.
These certs do not need to be (and should not be) readable by anyone other than root.
Understood. I'll fix that once I get this thing working.
2. There is some passphrase being required by the cert that is not being given by thunderbird.
Thunderbird never accesses these certs nor does it require any passphrases. Certs are only accessed by the smtpd (postfix).
The directory structure you are using is slightly different than the one I have which was initially set up under 10.2. Therefore things in your setup don't exactly match mine. In addition, since mine has migrated to 10.3 I don't feel real confident in telling you exactly how it should be arranged, and quite frankly, it seems to me that if you specify exactly where these things are in the main.cf the structure might not matter.
My ssl/ dir has a Certs dir, and a Private dir where the cakey.pem hides I also have specific lines in my main.cf telling it exactly where the keys are:
smtpd_tls_key_file = /etc/postfix/ssl/certs/postfixkey.pem
smtpd_tls_cert_file = /etc/postfix/ssl/certs/postfixcert.pem
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
Again, all readable by root only.
When I set up my ssl cert for apache, I put it in /etc/ssl. There is a CA dir in there too. My setup is 10.3, upgraded from a previously working 10.0 install. (SSL for imap was working, I did not have TLS working in that setup, but would like to get that done now). I had a few things to tweak to get my email working after the upgrade, but nothing too onerous. I think I had to set cyrus imap to start in runlevel services, not sure why as that was set before. The main issue was that SSL for imap was broken. I don't have that fixed yet, am working on TLS as you can tell. I got my cert file structure following the Perfect Server posting on Howtoforge.
3. I still have something wrong in /etc/postfix/main.cf
This may be the case, and it might have to do with the structure of your directories not matching specific locations of the key related files. These are read in at startup and cached as far as I can tell.
4--- Added) I don't discount the possibility of a library problem.
Not sure where to look here. Definitely seems like a cert problem, but not sure where.

Jim
On Sun, May 25, 2008 at 2:23 PM, Jim Flanagan <linuxjim@jjfiii.com> wrote:
John Andersen wrote:
These certs do not need to be (and should not be) readable by anyone other than root.
Understood. I'll fix that once I get this thing working.
OR fix it now just to cross all the Ts and dot all the Is.

I know ssh will not work with some keys world readable, maybe ssl is the same.

BTW: after I struggled to get Cyrus, postfix all working I found that you can actually use the same set of certs for both by enough hacking of config files.

Also I believe I ran into problems with that Perfect Server setup, and ultimately found a more suse friendly doc, perhaps on the suse wiki.

--
----------JSA---------
John Andersen wrote:
On Sun, May 25, 2008 at 2:23 PM, Jim Flanagan <linuxjim@jjfiii.com> wrote:
John Andersen wrote:
These certs do not need to be (and should not be) readable by anyone other than root.
Understood. I'll fix that once I get this thing working.
OR fix it now just to cross all the Ts and dot all the Is.
I know ssh will not work with some keys world readable, maybe ssl is the same.
BTW: after I struggled to get Cyrus, postfix all working I found that you can actually use the same set of certs for both by enough hacking of config files.
Also I believe I ran into problems with that Perfect Server setup, and ultimately found a more suse friendly doc, perhaps on the suse wiki.
Ok, I changed the certs permissions to read/write by root only, no others can read. Restarted postfix and the problem still persists. I re-made the certs again using a different how-to, making sure they did not require a pass phrase, but that did not fix the problem either. I'm still stumped sorry to say.

To backtrack a bit, to give another possible clue to what is going wrong, I upgraded this system from suse 10.0 to opensuse 10.3. All seemed to go fine, except for 2 noticeable things. One, I had to start cyrus in runlevel editor (it had been set for RL 3 and 5 previously) and second, my IMAP SSL was and is now broken. Not sure why, but this is still broken. The certs from previous are still there, etc/ssl/certs. For some reason the imap.pem permissions are cyrus/imap, not root/root. I'm not exactly sure, but I seem to remember making it that way when I set this up in 10.0, but not sure, that was a couple of years ago. My apache ssl cert (from the 10.0 install) is working fine.

Postfix and Cyrus seem to be working fine, even my sieve scripts are working as before, only not SSL. I am still trying to get TLS working, and share those certs with Cyrus for SSL, that's my goal. But was wondering why SSL broke after the upgrade when it was working fine before? Could that be related to the problem I'm having now getting TLS to work?

Jim
participants (3)
- Jim Flanagan
- Joe Sloan
- John Andersen