StartTLS frustrations

  • Peter L. Berghold
    Message 1 of 15 , Apr 5, 2013
      Hi Folks,

      Getting very frustrated with trying to set up TLS using a StartSSL (StartCom)
      cert.

      Here are the applicable lines (sanitized of course) I used to set this
      up:
      smtpd_use_tls = yes
      smtp_use_tls = yes
      smtp_tls_note_starttls_offer = yes
      smtpd_tls_CAfile=/etc/postfix/ssl/ca-bundle.pem
      smtp_tls_CAfile=/etc/postfix/ssl/ca-bundle.pem
      smtpd_tls_CApath=/etc/postfix/ssl
      smtp_tls_CApath=$smtpd_tls_CAPath
      smtpd_tls_certfile=/etc/postfix/ssl/server.crt
      smtpd_tls_key_file=/etc/postfix/ssl/mydomain.key
      smtpd_tls_loglevel=4
      smtpd_tls_received_header = yes
      smtpd_tls_session_cache_timeout = 3600s
      tls_random_source = dev:/dev/urandom

      This is aping everything I've read on the topic on a variety of sites.

      The error I'm seeing in the maillog is:
      Apr 5 10:43:36 myhostname postfix/smtpd[14839]: warning: No server certs available. TLS won't be enabled


      I've double checked the files (especially the cert file) and they are all where
      I expect them to be. What in the world am I missing?


      --
      ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
      Peter L. Berghold peter@...
      Unix Professional, Beer Brewer, Dog Trainer and Patriot
      http://blog.berghold.net
    • Robert Schetterer
      Message 2 of 15 , Apr 5, 2013
        On 05.04.2013 16:46, Peter L. Berghold wrote:

        debian chroot ?


        Best Regards
        Kind regards, Robert Schetterer

        --
        [*] sys4 AG

        http://sys4.de, +49 (89) 30 90 46 64
        Franziskanerstraße 15, 81669 München

        Registered office: München, Amtsgericht München: HRB 199263
        Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
        Chairman of the supervisory board: Joerg Heidrich
      • Peter L. Berghold
        Message 3 of 15 , Apr 5, 2013
          On Fri, Apr 05, 2013 at 04:54:37PM +0200, Robert Schetterer wrote:
          >
          > debian chroot ?

          Nope. Not running chroot.

          --
          ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
          Peter L. Berghold peter@...
          Unix Professional, Beer Brewer, Dog Trainer and Patriot
          http://blog.berghold.net
        • Vitaly Tskhovrebov
          Message 4 of 15 , Apr 5, 2013
            Include intermediary certs in your chain.


            On Fri, Apr 5, 2013 at 10:46 AM, Peter L. Berghold <peter@...> wrote:

          • Reindl Harald
            Message 5 of 15 , Apr 5, 2013
              On 05.04.2013 16:46, Peter L. Berghold wrote:

              we don't know because you refused to provide output of
              "postconf -n" as stated in the welcome message as well
              as in the documentation

              random snippets of a config-file are worthless because
              often enough people overwrite settings somewhere later
              and only "postconf -n" shows the REALLY active config
              _____________________________________

              this is a for-sure working config for both incoming and outgoing

              [root@srv-rhsoft:~]$ postconf -n | grep smtpd_tls
              smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
              smtpd_tls_cert_file = /etc/postfix/certs/localhost.pem
              smtpd_tls_eecdh_grade = strong
              smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
              smtpd_tls_key_file = /etc/postfix/certs/localhost.pem
              smtpd_tls_loglevel = 1
              smtpd_tls_mandatory_ciphers = high
              smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
              smtpd_tls_received_header = yes
              smtpd_tls_security_level = may
              smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
              smtpd_tls_session_cache_timeout = 3600s

              [root@srv-rhsoft:~]$ postconf -n | grep smtp_tls
              smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
              smtp_tls_cert_file = /etc/postfix/certs/localhost.pem
              smtp_tls_exclude_ciphers = DES-CBC3-SHA
              smtp_tls_key_file = /etc/postfix/certs/localhost.pem
              smtp_tls_loglevel = 1
              smtp_tls_note_starttls_offer = yes
              smtp_tls_security_level = may
              smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
              smtp_tls_session_cache_timeout = 3600s
            • Viktor Dukhovni
              Message 6 of 15 , Apr 5, 2013
                On Fri, Apr 05, 2013 at 10:46:57AM -0400, Peter L. Berghold wrote:

                > This is aping everything I've read on the topic on a variety of sites.

                Instead of aping, try:

                http://www.postfix.org/TLS_README.html#server_tls
                http://www.postfix.org/TLS_README.html#client_tls

                > Here are the applicable lines (sanitized of course) I used to set this up:

                > smtpd_use_tls = yes
                > smtp_use_tls = yes

                smtpd_tls_security_level = may
                smtp_tls_security_level = may

                > smtp_tls_note_starttls_offer = yes

                Not needed, you've enabled TLS in the local Postfix SMTP client.

                > smtpd_tls_CAfile=/etc/postfix/ssl/ca-bundle.pem
                > smtpd_tls_CApath=/etc/postfix/ssl

                Not needed, you're not requesting client certificates.

                > smtp_tls_CAfile=/etc/postfix/ssl/ca-bundle.pem
                > smtp_tls_CApath=$smtpd_tls_CAPath

                Not strictly needed, with opportunistic TLS, you're not verifying
                remote server certificates.

                > smtpd_tls_certfile=/etc/postfix/ssl/server.crt

                The correct parameter is smtpd_tls_cert_file, consistent with
                the below:

                > smtpd_tls_key_file=/etc/postfix/ssl/mydomain.key

                > smtpd_tls_loglevel=4

                This is insane, loglevels higher than 2 are almost never required,
                for experts only, and can DoS your system with log files larger
                than your mail store input volume.

                > smtpd_tls_received_header = yes
                > smtpd_tls_session_cache_timeout = 3600s

                No point, unless you specify a session cache.

                > tls_random_source = dev:/dev/urandom

                Fine.

                > The error I'm seeing in the maillog is:
                > Apr 5 10:43:36 myhostname postfix/smtpd[14839]: warning: No
                > server certs available. TLS won't be enabled

                Indeed you've not specified the correct certfile parameter.

                --
                Viktor.
              • Peter L. Berghold
                Message 7 of 15 , Apr 5, 2013
                  On Fri, Apr 05, 2013 at 10:57:42AM -0400, Vitaly Tskhovrebov wrote:
                  > Include intermediary certs in your chain.
                  >
                  I think I have... what I did was get their ca.cert via a wget and then I
                  manually downloaded their Class 1 Intermediate Server CA and their
                  Class 2 Intermediate Server CA and added those to the bundle file.

                  Maybe I have to grab Class3 and Extended Validation as well?

                  I also wonder about the client intermediate certs but am doubtful I
                  need those as well.

                  --
                  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
                  Peter L. Berghold peter@...
                  Unix Professional, Beer Brewer, Dog Trainer and Patriot
                  http://blog.berghold.net
                • Peter L. Berghold
                  Message 8 of 15 , Apr 5, 2013
                    On Fri, Apr 05, 2013 at 04:58:14PM +0200, Reindl Harald wrote:
                    >
                    >
                    > we don't know because you refused to provide output of
                    > "postconf -n"

                    as you wish:

                    # postconf -n
                    alias_database = hash:/etc/aliases
                    alias_maps = hash:/etc/aliases
                    broken_sasl_auth_clients = yes
                    command_directory = /usr/sbin
                    config_directory = /etc/postfix
                    content_filter = scan:127.0.0.1:10025
                    daemon_directory = /usr/libexec/postfix
                    debug_peer_level = 2
                    default_destination_concurrency_limit = 30
                    disable_vrfy_command = yes
                    home_mailbox = Maildir/
                    html_directory = no
                    inet_interfaces = all
                    mail_owner = postfix
                    mailq_path = /usr/bin/mailq.postfix
                    manpage_directory = /usr/share/man
                    mydestination = mydomain.net,$myhostname,www.$mydomain, localhost.$mydomain, localhost
                    myhostname = smtp.mydomain.net
                    mynetworks = 98.158.185.135/32,127.0.0.1/32,68.38.202.165/32,206.217.196.75/32,216.119.148.53/32,137.236.241.122/32
                    mynetworks_style = host
                    newaliases_path = /usr/bin/newaliases.postfix
                    queue_directory = /var/spool/postfix
                    readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
                    receive_override_options = no_address_mappings
                    relay_domains = mydomain.net,localhost
                    sample_directory = /usr/share/doc/postfix-2.3.3/samples
                    sendmail_path = /usr/sbin/sendmail.postfix
                    setgid_group = postdrop
                    smtp_tls_CAfile = /etc/postfix/ssl/ca-bundle.pem
                    smtp_tls_CApath = $smtpd_tls_CAPath
                    smtp_tls_note_starttls_offer = yes
                    smtp_use_tls = no
                    smtpd_banner = $myhostname ESMTP $mail_name
                    smtpd_helo_required = yes
                    smtpd_helo_restrictions = reject_unknown_helo_hostname
                    smtpd_recipient_restrictions = reject_sender_login_mismatch, permit_sasl_authenticated, permit_mynetworks, check_sender_access hash:/etc/postfix/access, reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, reject_unauth_destination, reject_rbl_client bl.spamcop.net permit
                    smtpd_sasl_auth_enable = yes
                    smtpd_sasl_path = private/auth
                    smtpd_sasl_type = dovecot
                    smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders
                    smtpd_tls_CAfile = /etc/postfix/ssl/ca-bundle.pem
                    smtpd_tls_CApath = /etc/postfix/ssl
                    smtpd_tls_key_file = /etc/postfix/ssl/mydomain.key
                    smtpd_tls_loglevel = 4
                    smtpd_tls_received_header = yes
                    smtpd_tls_session_cache_timeout = 3600s
                    smtpd_use_tls = no
                    tls_random_source = dev:/dev/urandom
                    transport_maps = hash:/etc/postfix/transport
                    unknown_local_recipient_reject_code = 550
                    virtual_alias_maps = hash:/etc/postfix/virtual




                    --
                    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
                    Peter L. Berghold peter@...
                    Unix Professional, Beer Brewer, Dog Trainer and Patriot
                    http://blog.berghold.net
                  • Viktor Dukhovni
                    Message 9 of 15 , Apr 5, 2013
                      On Fri, Apr 05, 2013 at 11:06:16AM -0400, Peter L. Berghold wrote:

                      > On Fri, Apr 05, 2013 at 10:57:42AM -0400, Vitaly Tskhovrebov wrote:
                      > > Include intermediary certs in your chain.
                      >
                      > I think I have... what I did was get their ca.cert via a wget and then I
                      > manually downloaded their Class 1 Intermediate Server CA and their
                      > Class 2 Intermediate Server CA and added those to the bundle file.
                      >
                      > Maybe I have to grab Class3 and Extended Validation as well?
                      >
                      > I also wonder about the client intermediate certs but am doubtful I
                      > need those as well.

                      http://www.postfix.org/TLS_README.html#server_cert_key

                      The right place to put intermediate certificates is in the server
                      certificate file. Not just any random collection of such certificates,
                      but the particular ones that issued your server certificate.

                      smtpd.pem:
                      ---BEGIN CERTIFICATE---
                      base-64 line-noise for your certificate "S"
                      ---END CERTIFICATE---
                      ---BEGIN CERTIFICATE---
                      base-64 line-noise for the issuing "I1" of your server certificate "S"
                      ---END CERTIFICATE---
                      ---BEGIN CERTIFICATE---
                      base-64 line-noise for the issuing "I2" of CA certificate "I1"
                      ---END CERTIFICATE---
                      ...
                      ---BEGIN CERTIFICATE---
                      base-64 line-noise for the issuing "I<N>" of CA certificate "I<N-1>"
                      ---END CERTIFICATE---

                      The certificate I<N> should either be a root CA, or an immediate
                      child of a root CA. With RFC 6698 (DANE TLSA) if you some day want
                      to publish the digest of your preferred root CA via DNS, you must
                      include the root CA in your trust chain. Otherwise, with legacy
                      public CA public, the verifier is expected to already have the root
                      CA certificate in hand.

                      --
                      Viktor.
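The ordering rule in Viktor's reply above (S, then the CA that issued S, then the CA that issued that one), as an added example that is not part of this thread or of Postfix: a standard-library-only Python checker that walks each certificate's DER just far enough to pull out the raw Issuer and Subject names and confirms that certificate N+1 issued certificate N, so a random intermediate spliced into smtpd_tls_cert_file is reported. The sample certificates are constructed, unsigned skeletons built by the block's own mini DER encoder (names such as "Example Intermediate CA" are made up); signatures and validity are not checked, which is what openssl verify (intermediates passed with -untrusted) is for.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der_list(text):
    """Split a PEM bundle into DER blobs, preserving file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(text)]


def der_tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def der_children(buf, start, end):
    """Yield (tag, tlv_start, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = der_tlv(buf, pos)
        yield tag, pos, vstart, vend
        pos = vend


def cert_names(der):
    """Return the raw DER bytes of (issuer, subject) from an X.509 Certificate.

    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
    issuer, validity, subject, ... }.  DER is canonical, so byte-equal Names are equal.
    """
    _, cert_start, _ = der_tlv(der, 0)                    # outer Certificate SEQUENCE
    _, tbs_start, tbs_end = der_tlv(der, cert_start)       # tbsCertificate is its first element
    fields = list(der_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                               # explicit [0] version present (v2/v3)
        fields = fields[1:]
    issuer, subject = fields[2], fields[4]
    return der[issuer[1]:issuer[3]], der[subject[1]:subject[3]]


def check_chain_order(pem_text):
    """Return a list of problems; empty means certificate N+1 issued certificate N for every N."""
    certs = pem_to_der_list(pem_text)
    if not certs:
        return ["no certificates found in file"]
    names = [cert_names(c) for c in certs]
    problems = []
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:                 # issuer of N must be subject of N+1
            problems.append(f"certificate #{i + 1} is not the issuer of certificate #{i}")
    return problems


def ends_with_root(pem_text):
    """True when the last certificate is self-signed, i.e. the root CA itself is in the file."""
    issuer, subject = cert_names(pem_to_der_list(pem_text)[-1])
    return issuer == subject


# --- constructed sample data: unsigned certificate skeletons, NOT real certificates ---

def _der(tag, content):
    """Minimal DER encoder, used only to build the sample certificates below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(text):
    """Name ::= SEQUENCE { PrintableString }: enough structure for cert_names()."""
    return _der(0x30, _der(0x13, text.encode()))


def fake_cert(subject, issuer):
    """Constructed certificate skeleton in PEM: right shape for cert_names(), no key, no signature."""
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),   # [0] version = v3
        _der(0x02, b"\x01"),               # serialNumber
        _der(0x30, b""),                   # signature AlgorithmIdentifier (placeholder)
        _name(issuer),
        _der(0x30, b""),                   # validity (placeholder)
        _name(subject),
        _der(0x30, b""),                   # subjectPublicKeyInfo (placeholder)
    ]))
    der = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SERVER = fake_cert("mail.example.com", "Example Intermediate CA")   # "S"
INTER = fake_cert("Example Intermediate CA", "Example Root CA")     # "I1", issued S
ROOT = fake_cert("Example Root CA", "Example Root CA")              # self-signed root, issued I1
OTHER = fake_cert("Unrelated CA", "Unrelated CA")                   # a CA that issued nothing here
GOOD_CHAIN = SERVER + INTER + ROOT        # S, I1, root: the order TLS_README asks for
BAD_CHAIN = SERVER + OTHER + INTER        # a random CA certificate spliced into the file
```

`check_chain_order(GOOD_CHAIN)` returns an empty list and `check_chain_order(BAD_CHAIN)` names both broken links; `ends_with_root` tells you whether the root CA is in the file, which matters for the DANE case Viktor mentions.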
                    • Reindl Harald
                      Message 10 of 15 , Apr 5, 2013
                        On 05.04.2013 17:13, Peter L. Berghold wrote:
                        > On Fri, Apr 05, 2013 at 04:58:14PM +0200, Reindl Harald wrote:
                        >>
                        >> we don't know because you refused to provide output of
                        >> "postconf -n"
                        >
                        > as you wish:

                        well, and this remains from your ACTIVE config
                        do you notice the "smtpd_use_tls = no"?

                        [harry@srv-rhsoft:~/Desktop]$ cat postconf | grep tls | grep smtpd
                        smtp_tls_CApath = $smtpd_tls_CAPath
                        smtpd_tls_CAfile = /etc/postfix/ssl/ca-bundle.pem
                        smtpd_tls_CApath = /etc/postfix/ssl
                        smtpd_tls_key_file = /etc/postfix/ssl/mydomain.key
                        smtpd_tls_loglevel = 4
                        smtpd_tls_received_header = yes
                        smtpd_tls_session_cache_timeout = 3600s
                        smtpd_use_tls = no


                        --

                        Reindl Harald
                        the lounge interactive design GmbH
                        A-1060 Vienna, Hofmühlgasse 17
                        CTO / CISO / Software-Development
                        p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
                        icq: 154546673, http://www.thelounge.net/

                        http://www.thelounge.net/signature.asc.what.htm
                      • Peter L. Berghold
                        Message 11 of 15 , Apr 5, 2013
                          On Fri, Apr 05, 2013 at 05:19:36PM +0200, Reindl Harald wrote:
                          >
                          >
                          > well, and this remains from your ACTIVE config
                          > do you notice the "smtpd_use_tls = no"?

                          Yes. I turned it off for now while I seek out advice as to why it is not
                          working for now. It will be turned back on when I have some idea as to
                          why *else* it isn't working.




                          --
                          ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
                          Peter L. Berghold peter@...
                          Unix Professional, Beer Brewer, Dog Trainer and Patriot
                          http://blog.berghold.net
                        • Viktor Dukhovni
                          Message 12 of 15 , Apr 5, 2013
                            On Fri, Apr 05, 2013 at 11:23:33AM -0400, Peter L. Berghold wrote:

                            > On Fri, Apr 05, 2013 at 05:19:36PM +0200, Reindl Harald wrote:
                            > >
                            > >
                            > > well, and this remains from your ACTIVE config
                            > > do you notice the "smtpd_use_tls = no"?
                            >
                            > Yes. I turned it off for now while I seek out advise as to why it is not
                            > working for now. It will be turned back on when I have some idea as to
                            > why *else* it isn't working.

                            Well, if you read my first reply, and read the "postconf -n" output you
                            sent in response to Reindl's message, you'd have noticed that:

                            smtpd_tls_certfile

                            is not a valid Postfix parameter and is not reported by "postconf -n".
                            It is also not documented in:

                            http://www.postfix.org/postconf.5.html#smtpd_tls_certfile

                            whereas:

                            http://www.postfix.org/postconf.5.html#smtpd_tls_cert_file

                            yields the expected documentation. Part of the idea of requiring
                            posts of "postconf -n" is to give you a chance to read it first
                            and check for any surprises, the main reason, of course, is that
                            selective excerpts from main.cf often mask the real error and waste
                            everyone's time.

                            --
                            Viktor.
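Viktor's point above that smtpd_tls_certfile is not a parameter Postfix knows (so "postconf -n" never lists it), together with Reindl's earlier point that a later assignment silently overrides an earlier one, as an added example that is not Postfix code: a small Python linter for main.cf that reports unknown parameter names with the closest real one, $references to parameters that do not exist (names are case-sensitive, so $smtpd_tls_CAPath is not smtpd_tls_CApath), a TLS loglevel above 2, and duplicate assignments where the last one wins. KNOWN_PARAMS is a constructed subset of real Postfix parameter names standing in for "postconf -d" output, and SAMPLE_MAIN_CF is constructed after the excerpts in this thread.

```python
import difflib
import re

# Constructed subset of genuine Postfix parameter names.  A real run would build
# this set from `postconf -d`, which lists every parameter Postfix knows.
KNOWN_PARAMS = {
    "smtpd_use_tls", "smtp_use_tls", "smtp_tls_note_starttls_offer",
    "smtpd_tls_CAfile", "smtp_tls_CAfile", "smtpd_tls_CApath", "smtp_tls_CApath",
    "smtpd_tls_cert_file", "smtpd_tls_key_file", "smtpd_tls_loglevel",
    "smtpd_tls_received_header", "smtpd_tls_session_cache_timeout",
    "smtpd_tls_session_cache_database", "smtpd_tls_security_level",
    "smtp_tls_security_level", "smtp_tls_loglevel", "tls_random_source",
}

ASSIGN_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")
REF_RE = re.compile(r"\$\{?([A-Za-z0-9_]+)\}?")


def parse_main_cf(text):
    """Return [(lineno, name, value)] in file order; indented lines continue the previous value."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and entries:                     # continuation line
            ln, name, value = entries[-1]
            entries[-1] = (ln, name, value + " " + line.strip())
            continue
        m = ASSIGN_RE.match(line)
        if m:
            entries.append((lineno, m.group(1), m.group(2)))
    return entries


def lint_main_cf(text, known=KNOWN_PARAMS):
    """Return findings as (kind, lineno, message) tuples."""
    entries = parse_main_cf(text)
    assigned = {name for _, name, _ in entries}
    findings, seen = [], {}
    for lineno, name, value in entries:
        if name not in known:
            # e.g. smtpd_tls_certfile: Postfix ignores it and postconf -n never lists it
            hint = difflib.get_close_matches(name, known, n=1, cutoff=0.8)
            msg = f"unknown parameter {name!r}"
            if hint:
                msg += f", did you mean {hint[0]!r}?"
            findings.append(("unknown", lineno, msg))
        for ref in REF_RE.findall(value):
            # names are case-sensitive: $smtpd_tls_CAPath is not smtpd_tls_CApath
            if ref not in known and ref not in assigned:
                findings.append(("badref", lineno, f"{name} references undefined parameter ${ref}"))
        if name.endswith("_tls_loglevel") and value.isdigit() and int(value) > 2:
            findings.append(("loglevel", lineno, f"{name} = {value}: levels above 2 flood the log"))
        if name in seen:
            findings.append(("override", lineno,
                             f"{name} already set on line {seen[name]}; this later value {value!r} wins"))
        seen[name] = lineno
    return findings


def effective_config(text, known=KNOWN_PARAMS):
    """Approximate what `postconf -n` reports: known parameters only, last assignment wins."""
    return {name: value for _, name, value in parse_main_cf(text) if name in known}


SAMPLE_MAIN_CF = """\
# constructed sample modelled on the main.cf excerpts posted in this thread
smtpd_use_tls = yes
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/ca-bundle.pem
smtpd_tls_CApath = /etc/postfix/ssl
smtp_tls_CApath = $smtpd_tls_CAPath
smtpd_tls_certfile = /etc/postfix/ssl/server.crt
smtpd_tls_key_file = /etc/postfix/ssl/mydomain.key
smtpd_tls_loglevel = 4
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
# added further down while debugging; this is what postconf -n shows, not the "yes" above
smtpd_use_tls = no
"""

if __name__ == "__main__":
    for kind, lineno, msg in lint_main_cf(SAMPLE_MAIN_CF):
        print(f"line {lineno:2d} [{kind:8s}] {msg}")
    print("postconf -n would show:", effective_config(SAMPLE_MAIN_CF))
```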
                          • Reindl Harald
                            Message 13 of 15 , Apr 5, 2013
                              On 05.04.2013 17:23, Peter L. Berghold wrote:
                              > On Fri, Apr 05, 2013 at 05:19:36PM +0200, Reindl Harald wrote:
                              >>
                              >>
                              >> well, and this remains from your ACTIVE config
                              >> do you notice the "smtpd_use_tls = no"?
                              >
                              > Yes. I turned it off for now while I seek out advise as to why it is not
                              > working for now. It will be turned back on when I have some idea as to
                              > why *else* it isn't working

                              what about fixing the path?
                              you ignored this response!

                              > smtpd_tls_certfile=/etc/postfix/ssl/server.crt
                              The correct parameter is smtpd_tls_cert_file

                              and that is why you should always start to debug
                              with "postconf -n" and "grep" to see if you have
                              fantasy names aka typos in your config which may
                              even be overlooked by people trying to help
                            • Peter L. Berghold
                              Message 14 of 15 , Apr 5, 2013
                                On Fri, Apr 05, 2013 at 05:29:41PM +0200, Reindl Harald wrote:
                                >
                                >
                                > > smtpd_tls_certfile=/etc/postfix/ssl/server.crt
                                > The correct parameter is smtpd_tls_cert_file
                                >


                                I must have looked at that and not comprehended what I was seeing
                                for about 100 times.

                                That's why I was looking for "another set of eyes."

                                By the way I had looked at TLS_README which is where I got the
                                majority of my info from. There are dozens of "How Tos" out
                                there as well, some of which are dead wrong.

                                It is working now.


                                Thank you all very much.




                                --
                                ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
                                Peter L. Berghold peter@...
                                Unix Professional, Beer Brewer, Dog Trainer and Patriot
                                http://blog.berghold.net
                              • Matthew Hall
                                Message 15 of 15 , Apr 5, 2013

                                  Peter,

                                  Take a peek inside the CA and cert files using openssl x509 -inform pem -in [file] -noout -text and use openssl rsa with the same arguments to peek in the private key, and make sure they contain what you expect they should contain.

                                  Let us know if you see anything peculiar inside or not.

                                  Good luck,
                                  Matthew.

                                  On Apr 5, 2013 7:47 AM, "Peter L. Berghold" <peter@...> wrote: