Teardrop (Apprentice) - Joined: 21 Oct 2002, Posts: 176
Posted: Fri Jun 02, 2006 10:45 am    Post subject: postfix / cert / problems [solved]
Hi,
since a recent upgrade of Postfix I have the following error:
Quote:
Jun 2 11:54:29 [postfix/smtpd] initializing the server-side TLS engine
Jun 2 11:54:29 [postfix/smtpd] warning: cannot get private key from file /etc/postfix/newreq.pem
Jun 2 11:54:29 [postfix/smtpd] warning: TLS library problem: 7139:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:642:$
Jun 2 11:54:29 [postfix/smtpd] warning: TLS library problem: 7139:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_r$
Jun 2 11:54:29 [postfix/smtpd] cannot load RSA certificate and key data
I already tried to re-emerge openssl, make new certs and delete the old ones, but it is still the same problem.
Any suggestion what else I can do so that Postfix can read those certs again?
Thank you very much.
Teardrop
PS: I searched the forum and found someone who posted a solution with an external CA organisation, but I would prefer to do it the virtual mail howto way.
Last edited by Teardrop on Mon Nov 20, 2006 9:39 pm; edited 1 time in total
Shazam (Apprentice) - Joined: 23 Nov 2004, Posts: 191, Location: Germany
Posted: Fri Jun 02, 2006 5:03 pm
Are you using self-signed certificates? How important is it to you to use them, in case you do? Or do you just use the ones delivered by emerging postfix? Maybe you could post the part of your main.conf where you set up your TLS support.
Teardrop (Apprentice) - Joined: 21 Oct 2002, Posts: 176
Posted: Fri Jun 02, 2006 8:21 pm
I always used the self-signed ones. I made my own as written in the virtual mail howto. It has worked for years now. The most important thing at the moment is that it works; after that I want my own again.
main.cf:
Code:
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain =
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/newreq.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
masquerade_domains = $mydomain
message_size_limit = 10240000
notify_classes = policy, resource, software
content_filter = smtp-amavis:[127.0.0.1]:10024
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_sasl_security_options = noanonymous
relayhost = xxx.xxx
It always worked, so I think it is something about the certificates themselves.
Shazam (Apprentice) - Joined: 23 Nov 2004, Posts: 191, Location: Germany
Posted: Fri Jun 02, 2006 11:01 pm
If you just need it working, then simply use the certificates under /etc/ssl/postfix/.
So my TLS portion of the main.cf looks as follows:
Code:
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
I got them by this howto (https://forums.gentoo.org/viewtopic-t-56633-highlight-postfix+howto+guide.html); I don't know if you already know it.
You also said you made new certs and re-emerged ssl. Did you simply re-emerge it, or did you unmerge and then emerge it again? Have you tried unmerging ssl, then cleaning out /etc/ssl? I'm not quite sure if a simple re-emerge updates everything there; just a guess, and probably not the professional solution, but maybe it works.
Teardrop (Apprentice) - Joined: 21 Oct 2002, Posts: 176
Posted: Fri Jun 02, 2006 11:06 pm
Yeah, you are right. I just re-emerged it. I will try the unmerge and emerge thing, or else the certs from postfix. Thanks for the tips. Will post my results.
Teardrop
Teardrop (Apprentice) - Joined: 21 Oct 2002, Posts: 176
Posted: Sat Jun 03, 2006 9:02 am
I deleted and re-emerged openssl and postfix now and I am using the postfix certs, but there is an error too:
Quote:
TLS library problem: 26179:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
If I try something like
Code:
openssl s_client -starttls smtp -CApath /etc/postfix/certs/ -connect localhost:25
everything seems to be working fine, except that somewhere it mentions
Quote:
Verify return code: 7 (certificate signature failure)
Remember that these are Postfix's own certs... nothing changed!
Trying to make my own ones again, but I have not much hope. Any help appreciated.
Teardrop
ProPilot (n00b) - Joined: 15 Aug 2005, Posts: 38
Posted: Mon Jun 05, 2006 1:13 pm
I have the same problem.
Anyone have a solution?
Tom
magic919 (Advocate) - Joined: 17 Jun 2005, Posts: 2182, Location: Berkshire, UK
Posted: Mon Jun 05, 2006 3:49 pm
Which Postfix versions are involved here? Before upgrade and now.
ProPilot (n00b) - Joined: 15 Aug 2005, Posts: 38
Posted: Mon Jun 05, 2006 4:45 pm
I have mail_version = 2.2.5
Tom
magic919 (Advocate) - Joined: 17 Jun 2005, Posts: 2182, Location: Berkshire, UK
Posted: Mon Jun 05, 2006 6:33 pm
ProPilot wrote:
> I have mail_version = 2.2.5
> Tom
And what did you have before?
ProPilot (n00b) - Joined: 15 Aug 2005, Posts: 38
Posted: Mon Jun 05, 2006 6:42 pm
2.2.5
Tom
mach.82 (Tux's lil' helper) - Joined: 30 Oct 2003, Posts: 75, Location: 43°N/79°W
Posted: Tue Jun 06, 2006 2:02 am
The problem is that, if you are following the Virtual Mailhosting System with Postfix Guide (the Guide) at http://www.gentoo.org/doc/en/virt-mail-howto.xml, Section 5 under the title "Code Listing 5.1: Making ssl certificates" is outdated. Here is a quick fix of what you have to do:
To start all over again, you can safely delete the directory /etc/ssl/misc/demoCA and remove all the certificate files in /etc/ssl/misc:
Code:
cd /etc/ssl/misc
rm -r ./demoCA
rm *.pem
rm new.cert.*
Example of how to change the default values in /etc/ssl/openssl.cnf:
Code:
default_days = 3652    # this will give you a ten-year certificate
countryName_default = CA
stateOrProvinceName_default = Ontario
localityName_default = Toronto
0.organizationName_default = example.com
organizationalUnitName_default = Root CA Validation Authority
commonName_default = example.com Root CA Validation Authority
emailAddress_default = admin@example.com
You can now follow the Guide until you get to the command line:
Code:
cp newreq.pem /etc/postfix
You must replace this line with the following, since the newreq.pem created by ./CA.pl -newreq no longer includes the private key (anyone know why?):
Code:
cat newkey.pem newreq.pem > /etc/postfix/newreq.pem
You can now follow the Guide again and complete your installation.
Cheers!
ProPilot (n00b) - Joined: 15 Aug 2005, Posts: 38
Posted: Tue Jun 06, 2006 2:11 am
Thanks, mach.82
Tom
ProPilot (n00b) - Joined: 15 Aug 2005, Posts: 38
Posted: Tue Jun 06, 2006 11:26 am
mach.82's suggestion works for me.
Tom
Teardrop (Apprentice) - Joined: 21 Oct 2002, Posts: 176
Posted: Tue Jun 06, 2006 6:40 pm
Hi,
nope, it didn't work for me. I now have the same errors again as in my last post. Any more ideas?
Still, thanks for your info and help.
Teardrop
Teardrop (Apprentice) - Joined: 21 Oct 2002, Posts: 176
Posted: Tue Jun 13, 2006 1:19 pm
No one?
I am a little desperate...
Teardrop
jmbsvicetto (Moderator) - Joined: 27 Apr 2005, Posts: 4735, Location: Angra do Heroísmo (PT)
Posted: Tue Jun 13, 2006 3:44 pm
Hi.
I would suggest you adapt the following from Luc de Louw's Postfix-Cyrus-Web-cyradm-HOWTO guide. The creation of the TLS/SSL certificate can be found in the Configuring Cyrus IMAP section.
Code:
openssl req -new -nodes -out req.pem -keyout key.pem
openssl rsa -in key.pem -out new.key.pem
openssl x509 -in req.pem -out ca-cert -req \
    -signkey new.key.pem -days 999
mkdir /var/imap
cp new.key.pem /var/imap/server.pem
rm new.key.pem
cat ca-cert >> /var/imap/server.pem
Does it work for you?
Jorge.
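Added example, not from this thread, the Gentoo guide or Luc de Louw's howto. The thread never pins down either error, so this script rebuilds the guide's CA / request / key layout with throwaway keys and reproduces both: Teardrop's "PEM_read_bio:no start line" (a newreq.pem that holds only the request, which mach.82's cat fix repairs) and a CAfile that does not match the certificate (the verify failure openssl s_client reported), then finishes with the single self-signed certificate jmbsvicetto's recipe produces. It assumes only the openssl command-line tool and a writable temp directory; every file name and subject below is made up.

```shell
#!/bin/sh
# Added example (not the thread's or the guide's code). Reproduces the key/cert
# failures discussed in this thread and the checks that catch them before Postfix
# does. Assumes the openssl CLI; all key material is throwaway, all names invented.

WORK=$(mktemp -d) || exit 1
cd "$WORK" || exit 1
CA_SUBJ="/CN=example.com Root CA Validation Authority"   # name from mach.82's openssl.cnf example

# A self-signed CA, standing in for the demoCA the guide builds with CA.pl.
# -nodes: no passphrase. smtpd cannot prompt for one, so its key must be unencrypted.
openssl req -x509 -newkey rsa:2048 -nodes -days 3652 -subj "$CA_SUBJ" \
    -keyout cacert.key -out cacert.pem >/dev/null 2>&1 || exit 1

# Server key and request as CA.pl -newreq now produces them: the key goes to
# newkey.pem and newreq.pem holds ONLY the request.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.com" \
    -keyout newkey.pem -out newreq.pem >/dev/null 2>&1 || exit 1

# Sign the request with the CA (what CA.pl -sign does).
openssl x509 -req -days 3652 -in newreq.pem -CA cacert.pem -CAkey cacert.key \
    -CAcreateserial -out newcert.pem >/dev/null 2>&1 || exit 1

# A second CA with the same name but a different key: what is left behind when
# demoCA is deleted and rebuilt while something still trusts the old cacert.pem.
openssl req -x509 -newkey rsa:2048 -nodes -days 3652 -subj "$CA_SUBJ" \
    -keyout stale.key -out stale-cacert.pem >/dev/null 2>&1 || exit 1

# jmbsvicetto's alternative without the prompts: one self-signed certificate that
# is its own CA; key and cert in one file, usable for both key_file and cert_file.
openssl req -x509 -newkey rsa:2048 -nodes -days 999 -subj "/CN=mail.example.com" \
    -keyout server.key -out server.crt >/dev/null 2>&1 || exit 1
cat server.key server.crt > server.pem

# Check 1: does the file named in smtpd_tls_key_file contain a private key at all?
# A request-only newreq.pem is exactly what logs "PEM_read_bio:no start line".
has_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Check 2: do the key file and the certificate carry the same public key?
# Returns non-zero when the key file has no loadable key or the keys differ.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Check 3: does the certificate verify against the CAfile clients will be given?
cert_verifies_against() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Numeric code of a failing verify, e.g. 7 = certificate signature failure, the
# "Verify return code" openssl s_client printed in the thread. Empty when OK.
verify_error_code() {
    openssl verify -CAfile "$1" "$2" 2>&1 | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# Walk-through: newreq.pem alone fails check 1; key + request concatenated
# (mach.82's fix) passes checks 1 and 2; the stale CA fails check 3; the
# self-signed server.pem passes all three against itself.
has_private_key newreq.pem || echo "newreq.pem: no private key (Postfix would log 'no start line')"
cat newkey.pem newreq.pem > keyfile.pem
has_private_key keyfile.pem && key_matches_cert keyfile.pem newcert.pem && echo "keyfile.pem matches newcert.pem"
cert_verifies_against cacert.pem newcert.pem && echo "newcert.pem verifies against cacert.pem"
cert_verifies_against stale-cacert.pem newcert.pem || \
    echo "newcert.pem against stale-cacert.pem: verify error $(verify_error_code stale-cacert.pem newcert.pem)"
cert_verifies_against server.pem server.pem && echo "server.pem verifies against itself"

cleanup() { cd / && rm -rf "$WORK"; }   # call when done with the files
```

On a real server, run the three checks against the files named in main.cf (smtpd_tls_key_file, smtpd_tls_cert_file, smtpd_tls_CAfile) before reloading Postfix; the cat step only helps if newkey.pem was created without a passphrase. With the OpenSSL of the thread's era the stale-CA case is error 7, "certificate signature failure"; a newer OpenSSL, which stamps an authority key identifier into the signed certificate, may instead refuse the stale CA as an issuer and report error 20 before the signature is ever checked, so the script prints whichever code it gets rather than assuming 7.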
Teardrop (Apprentice) - Joined: 21 Oct 2002, Posts: 176
Posted: Mon Nov 20, 2006 9:40 pm
Hi,
sorry for my late response. I just tried it and it worked. Got another problem though, but I will post that in a new thread. Thanks a lot.
Teardrop