pinkko (n00b)
Joined: 12 Apr 2006, Posts: 7
Posted: Wed Apr 12, 2006 6:44 am    Post subject: TLS errors with Postfix, MySQL, and saslauthd
I'm running courier imap with postfix and mysql. The server will currently receive mail over ssl with tls and send mail (without tls). What I need is for the server to use a secure method for sending as well. I followed the virtual mail hosting system with postfix FAQ found in the gentoo docs very closely, and I can't say I have any idea what would be causing these errors.
weird tls errors
------------------------------------------------------
Apr 12 06:41:25 moon postfix/smtpd[25166]: private/tlsmgr stream disconnect
Apr 12 06:41:47 moon postfix/smtpd[25369]: sql_select option missing
Apr 12 06:41:47 moon postfix/smtpd[25369]: auxpropfunc error no mechanism available
Apr 12 06:41:47 moon postfix/smtpd[25369]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Apr 12 06:41:47 moon postfix/smtpd[25369]: initializing the server-side TLS engine
Apr 12 06:41:47 moon postfix/smtpd[25369]: warning: need an RSA or DSA certificate/key pair
Apr 12 06:41:47 moon postfix/smtpd[25369]: connect from c-67-188-41-132.hsd1.ca.comcast.net[67.188.41.132]
Apr 12 06:41:47 moon postfix/smtpd[25369]: setting up TLS connection from c-67-188-41-132.hsd1.ca.comcast.net[67.188.41.132]
Apr 12 06:41:47 moon postfix/smtpd[25369]: Could not allocate 'TLScontext->con' with SSL_new()
Apr 12 06:41:47 moon postfix/smtpd[25369]: warning: TLS library problem: 25369:error:140BA0C3:SSL routines:SSL_new:null ssl ctx:ssl_lib.c:231:
Apr 12 06:41:47 moon postfix/smtpd[25369]: lost connection after CONNECT from c-67-188-41-132.hsd1.ca.comcast.net[67.188.41.132]
Apr 12 06:41:47 moon postfix/smtpd[25369]: disconnect from c-67-188-41-132.hsd1.ca.comcast.net[67.188.41.132]
Apr 12 06:41:47 moon postfix/smtpd[25369]: connect from c-67-188-41-132.hsd1.ca.comcast.net[67.188.41.132]
Apr 12 06:41:47 moon postfix/smtpd[25369]: setting up TLS connection from c-67-188-41-132.hsd1.ca.comcast.net[67.188.41.132]
Apr 12 06:41:47 moon postfix/smtpd[25369]: Could not allocate 'TLScontext->con' with SSL_new()
Apr 12 06:41:47 moon postfix/smtpd[25369]: warning: TLS library problem: 25369:error:140BA0C3:SSL routines:SSL_new:null ssl ctx:ssl_lib.c:231:
--------------------------------------------------------------------
According to the guys on the postfix users mailing list, this is caused by one of the patches that was applied by gentoo. I can't really say either way. What can I do to get this working properly?
results of postconf -n
-------------------------------------------------------
alias_maps = mysql:/etc/postfix/mysql-aliases.cf
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 5
default_destination_concurrency_limit = 10
home_mailbox = .maildir/
html_directory = /usr/share/doc/postfix-2.2.5/html
inet_interfaces = all
local_destination_concurrency_limit = 2
local_recipient_maps = $alias_maps $virtual_mailbox_maps unix:passwd.byname
local_transport = local
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain
mydomain = optyweb.com
myhostname = moon.optyweb.com
mynetworks = 38.99.20.0/24, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.2.5/readme
relocated_maps = mysql:/etc/postfix/mysql-relocated.cf
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_cert_file = /etc/postfix/newcert.pem
smtp_tls_key_file = /etc/postfix/newreq.pem
smtp_use_tls = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_key_file = /etc/postfix/smtpd.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf
virtual_gid_maps = static:1000
virtual_mailbox_base = /
virtual_mailbox_domains = moon.optyweb.com optyweb.com
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-maps.cf
virtual_minimum_uid = 1000
virtual_transport = virtual
virtual_uid_maps = static:1000
nativemad (Developer)
Joined: 30 Aug 2004, Posts: 918, Location: Switzerland
Posted: Wed Apr 12, 2006 3:39 pm
Quote: warning: need an RSA or DSA certificate/key pair
I would say that you have a problem with the pem files! But that's just a shot in the dark...
I would test it with the same ssl-files...
Code:
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_key_file = /etc/postfix/newreq.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem    <- this is not listed at all in your postconf!!!
Also, it seems that you have a problem with sasl...
Quote: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
But that's another topic.
pinkko (n00b)
Joined: 12 Apr 2006, Posts: 7
Posted: Wed Apr 12, 2006 9:59 pm
Bah! Stupid typos...
I fixed the certificate stuff, and now those lines are gone from the log. I am still, however, presented with this:
----------------------------------------
Apr 12 21:56:06 moon postfix/smtpd[16867]: connect from c-67-188-41-132.hsd1.ca.comcast.net[67.188.41.132]
Apr 12 21:56:06 moon postfix/smtpd[16867]: setting up TLS connection from c-67-188-41-132.hsd1.ca.comcast.net[67.188.41.132]
Apr 12 21:56:06 moon postfix/smtpd[16867]: Could not allocate 'TLScontext->con' with SSL_new()
Apr 12 21:56:06 moon postfix/smtpd[16867]: warning: TLS library problem: 16867:error:140BA0C3:SSL routines:SSL_new:null ssl ctx:ssl_lib.c:231:
Apr 12 21:56:06 moon postfix/smtpd[16867]: lost connection after CONNECT from c-67-188-41-132.hsd1.ca.comcast.net[67.188.41.132]
Apr 12 21:56:06 moon postfix/smtpd[16867]: disconnect from c-67-188-41-132.hsd1.ca.comcast.net[67.188.41.132]
---------------------------------------
Is there anything I can do about this? Or do I just have to live with a server that doesn't send securely until I get a new server to use for mail?
Just for confirmation, postconf -n
---------------------------------------
postconf -n
alias_maps = mysql:/etc/postfix/mysql-aliases.cf
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 5
default_destination_concurrency_limit = 10
home_mailbox = .maildir/
html_directory = /usr/share/doc/postfix-2.2.5/html
inet_interfaces = all
local_destination_concurrency_limit = 2
local_recipient_maps = $alias_maps $virtual_mailbox_maps unix:passwd.byname
local_transport = local
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain
mydomain = optyweb.com
myhostname = moon.optyweb.com
mynetworks = 38.99.20.0/24, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.2.5/readme
relocated_maps = mysql:/etc/postfix/mysql-relocated.cf
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_use_tls = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_key_file = /etc/postfix/newreq.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf
virtual_gid_maps = static:1000
virtual_mailbox_base = /
virtual_mailbox_domains = moon.optyweb.com optyweb.com
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-maps.cf
virtual_minimum_uid = 1000
virtual_transport = virtual
virtual_uid_maps = static:1000
nativemad (Developer)
Joined: 30 Aug 2004, Posts: 918, Location: Switzerland
Posted: Thu Apr 13, 2006 9:32 am
Quote: Or do I just have to live with a server that doesn't send securely until I get a new server to use for mail?
Hopefully not...
Seems that "Could not allocate 'TLScontext->con' with SSL_new()" is a very general error! It still must have something to do with the pem files! They must be readable by the postfix user and should not have a password set (-nodes)!!
Does receiving still work with TLS? (you deleted the line according to postconf...)
/edit
Perhaps this post will also help you a bit:
https://forums.gentoo.org/viewtopic-t-356791.html
And of course this:
https://forums.gentoo.org/viewtopic-t-443709.html
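The two replies above point at the same class of problem: a TLS keypair that Postfix cannot load because a parameter is missing (`smtpd_tls_cert_file` absent from `postconf -n`), a path is mistyped, or the key is passphrase-protected. The following is an added example, not code from the thread or from Postfix: it lints `postconf -n` output for those configuration slips and checks a PEM key for a passphrase header. The sample input is constructed from the thread's first `postconf -n` (with the missing leading slash from the reply reproduced on purpose).

```python
import re

# Constructed sample modelled on the first postconf -n in this thread:
# smtpd_tls_cert_file is absent and the smtpd key path lacks its leading slash.
SAMPLE_POSTCONF = """\
smtpd_use_tls = yes
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_key_file = etc/postfix/newreq.pem
smtp_use_tls = yes
smtp_tls_cert_file = /etc/postfix/newcert.pem
smtp_tls_key_file = /etc/postfix/newreq.pem
"""

# Which cert/key parameters each TLS switch needs (server side and client side).
REQUIRED = {
    "smtpd_use_tls": ("smtpd_tls_cert_file", "smtpd_tls_key_file"),
    "smtp_use_tls": ("smtp_tls_cert_file", "smtp_tls_key_file"),
}

def parse_postconf(text):
    """Turn 'name = value' lines from postconf -n into a dict."""
    params = {}
    for line in text.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def lint_tls(params):
    """List config problems that stop the TLS engine from loading its keypair."""
    problems = []
    for switch, needed in REQUIRED.items():
        if params.get(switch, "no").lower() != "yes":
            continue  # TLS not enabled on this side, nothing to check
        for name in needed:
            value = params.get(name, "")
            if not value:
                problems.append(f"{name} is not set although {switch} = yes")
            elif not value.startswith("/"):
                problems.append(f"{name} = {value} is not an absolute path")
    return problems

def key_is_encrypted(pem_text):
    """True if a PEM private key carries a passphrase (what `openssl ... -nodes` avoids)."""
    return ("ENCRYPTED PRIVATE KEY" in pem_text
            or re.search(r"^Proc-Type: 4,ENCRYPTED", pem_text, re.M) is not None)

if __name__ == "__main__":
    for problem in lint_tls(parse_postconf(SAMPLE_POSTCONF)):
        print("problem:", problem)
```

Run it against real output with `postconf -n | python3 lint_tls.py` after replacing the sample with `sys.stdin.read()`; the passphrase check takes the contents of the key file named by `smtpd_tls_key_file`.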
pinkko (n00b)
Joined: 12 Apr 2006, Posts: 7
Posted: Tue Apr 18, 2006 9:57 pm
Receiving mail works just fine with the current setup.
pinkko (n00b)
Joined: 12 Apr 2006, Posts: 7
Posted: Tue Apr 18, 2006 10:06 pm
However, I've got -nodes in all of the appropriate places in CA.pl and CA.sh, but I'm still getting asked for a passphrase for the CA.pl -newca command. Could this be causing the TLS issue, and what can I do to fix it?
pinkko (n00b)
Joined: 12 Apr 2006, Posts: 7
Posted: Tue Apr 18, 2006 10:18 pm
Aha! I fixed this problem by using the certificates that already existed for the web server. Works just fine now. Thanks.