Fwd: Postfix SMTP server: errors from unknown[209.85.212.69]

  • David Benfell
    Message 1 of 5, Aug 23, 2013

      Hi all,

      Unfortunately, I'm finding this singularly unhelpful:


      -------- Original Message --------
      Subject: Postfix SMTP server: errors from unknown[209.85.212.69]
      Date: Thu, 22 Aug 2013 23:39:49 -0700 (PDT)
      From: MAILER-DAEMON@...-unknown.org (Mail Delivery System)
      To: postmaster@...-unknown.org (Postmaster)

      Transcript of session follows.

      Out: 220 mail.parts-unknown.org ESMTP Postfix
      In: EHLO mail-vb0-f69.google.com
      Out: 250-mail.parts-unknown.org
      Out: 250-PIPELINING
      Out: 250-SIZE 20971520
      Out: 250-VRFY
      Out: 250-ETRN
      Out: 250-STARTTLS
      Out: 250-ENHANCEDSTATUSCODES
      Out: 250-8BITMIME
      Out: 250 DSN
      In: STARTTLS
      Out: 454 4.7.0 TLS not available due to local problem
      In: QUIT
      Out: 221 2.0.0 Bye


      For other details, see the local mail logfile
      ---------------------------------------------

      The logfile doesn't help me either. I don't know if I've included
      enough here:

      Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: > unknown[209.85.212.69]: 220 mail.parts-unknown.org ESMTP Postfix
      Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: < unknown[209.85.212.69]: EHLO mail-vb0-f69.google.com
      Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: match_list_match: unknown: no match
      Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: match_list_match: 209.85.212.69: no match
      Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: > unknown[209.85.212.69]: 250-mail.parts-unknown.org
      Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: > unknown[209.85.212.69]: 250-PIPELINING
      Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: > unknown[209.85.212.69]: 250-SIZE 20971520
      Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: > unknown[209.85.212.69]: 250-VRFY
      Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: > unknown[209.85.212.69]: 250-ETRN
      Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: > unknown[209.85.212.69]: 250-STARTTLS
      Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: > unknown[209.85.212.69]: 250-ENHANCEDSTATUSCODES
      Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: > unknown[209.85.212.69]: 250-8BITMIME
      Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: > unknown[209.85.212.69]: 250 DSN
      Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: < unknown[209.85.212.69]: STARTTLS
      Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: > unknown[209.85.212.69]: 454 4.7.0 TLS not available due to local problem
      Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: < unknown[209.85.212.69]: QUIT
      Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: > unknown[209.85.212.69]: 221 2.0.0 Bye
      Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: match_hostname: unknown ~? 10.8.0.0/16
      Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: match_hostaddr: 209.85.212.69 ~? 10.8.0.0/16
      Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: match_hostname: unknown ~? 127.0.0.0/8
      Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: match_hostaddr: 209.85.212.69 ~? 127.0.0.0/8
      Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: match_list_match: unknown: no match
      Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: match_list_match: 209.85.212.69: no match
      Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: send attr request = disconnect
      Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: send attr ident = smtpd:209.85.212.69
      Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: private/anvil: wanted attribute: status
      Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: input attribute name: status
      Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: input attribute value: 0
      Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: private/anvil: wanted attribute: (list terminator)
      Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: input attribute name: (end)
      Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: smtpd_chat_notify: notify postmaster
      Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: connect to subsystem public/cleanup
      Aug 22 23:39:50 munich.parts-unknown.org postfix/smtpd[3217]: public/cleanup socket: wanted attribute: queue_id
      Aug 22 23:39:50 munich.parts-unknown.org postfix/smtpd[3217]: input attribute name: queue_id
      Aug 22 23:39:50 munich.parts-unknown.org postfix/smtpd[3217]: input attribute value: 0F01D4631E1
      Aug 22 23:39:50 munich.parts-unknown.org postfix/smtpd[3217]: public/cleanup socket: wanted attribute: (list terminator)
      Aug 22 23:39:50 munich.parts-unknown.org postfix/smtpd[3217]: input attribute name: (end)
      Aug 22 23:39:50 munich.parts-unknown.org postfix/smtpd[3217]: send attr flags = 32

      Here's my postconf -n:

      address_verify_map = btree:$data_directory/verify_cache
      alias_database = $alias_maps
      alias_maps = hash:/etc/postfix/aliases, hash:/var/lib/mailman/data/aliases
      broken_sasl_auth_clients = yes
      command_directory = /usr/bin
      config_directory = /etc/postfix
      content_filter = scan:127.0.0.1:10026
      daemon_directory = /usr/lib/postfix
      data_directory = /var/lib/postfix
      debug_peer_level = 2
      debugger_command = PATH=/bin:/usr/bin:/usr/local/bin; export PATH;
      (echo cont; echo where) | gdb $daemon_directory/$process_name
      $process_id 2>&1 >$config_directory/$process_name.$process_id.log &
      sleep 5
      fast_flush_domains = $relay_domains
      header_checks = pcre:/etc/postfix/header_checks
      home_mailbox = Maildir/
      html_directory = no
      in_flow_delay = 1s
      inet_interfaces = 127.0.0.1, 10.8.0.1, 91.205.174.238
      inet_protocols = ipv4
      local_destination_concurrency_limit = 2
      mail_owner = postfix
      mailbox_command_maps = hash:/etc/postfix/mailbox_commands
      mailq_path = /usr/bin/mailq
      manpage_directory = /usr/share/man
      message_size_limit = 20971520
      mydestination = localhost, localhost.$mydomain, cybernude.org,
      mail.cybernude.org, munich.cybernude.org, www.cybernude.org,
      disunitedstates.com, mail.disunitedstates.com,
      munich.disunitedstates.com, www.disunitedstates.com,
      disunitedstates.org, mail.disunitedstates.org,
      munich.disunitedstates.org, www.disunitedstates.org, greybeard95a.com,
      mail.greybeard95a.com, munich.greybeard95a.com, www.greybeard95a.com,
      n4rky.me, mail.n4rky.me, munich.n4rky.me, www.n4rky.me,
      parts-unknown.org, mail.parts-unknown.org, munich.parts-unknown.org,
      www.parts-unknown.org
      mydomain = parts-unknown.org
      myhostname = mail.parts-unknown.org
      mynetworks = 10.8.0.0/16, 127.0.0.0/8
      mynetworks_style = subnet
      myorigin = $myhostname
      newaliases_path = /usr/bin/newaliases
      postscreen_access_list = permit_mynetworks,
      cidr:/etc/postfix/postscreen_access.cidr
      postscreen_bare_newline_action = enforce
      postscreen_bare_newline_enable = yes
      postscreen_blacklist_action = drop
      postscreen_dnsbl_action = enforce
      postscreen_dnsbl_reply_map =
      pcre:$config_directory/postscreen_dnsbl_reply_map.pcre
      postscreen_dnsbl_sites = zen.spamhaus.org*3, b.barracudacentral.org*2,
      bl.spameatingmonkey.net*2, dnsbl.ahbl.org*2, bl.spamcop.net,
      dnsbl.sorbs.net, psbl.surriel.com, bl.mailspike.net,
      swl.spamhaus.org*-4, list.dnswl.org=127.[0..255].[0..255].0*-2,
      list.dnswl.org=127.[0..255].[0..255].1*-3,
      list.dnswl.org=127.[0..255].[0..255].[2..255]*-4,
      postscreen_dnsbl_threshold = 3
      postscreen_greet_action = enforce
      postscreen_non_smtp_command_enable = yes
      postscreen_pipelining_enable = yes
      queue_directory = /var/spool/postfix
      readme_directory = no
      receive_override_options = no_address_mappings
      recipient_delimiter = +
      relay_domains = *
      sample_directory = /etc/postfix/sample
      sendmail_path = /usr/sbin/sendmail
      setgid_group = postdrop
      smtp_tls_key_file = /big/www/ssl/munich/munich.parts-unknown.org.key
      smtp_tls_note_starttls_offer = yes
      smtp_use_tls = yes
      smtpd_banner = $myhostname ESMTP $mail_name
      smtpd_client_restrictions = permit_mynetworks,permit_sasl_authenticated
      smtpd_peername_lookup = no
      smtpd_recipient_restrictions =
      permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_rbl_client
      zen.spamhaus.org,reject_rbl_client bl.spamcop.net
      smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
      defer_unauth_destination
      smtpd_sasl_auth_enable = yes
      smtpd_sasl_local_domain = $mydomain
      smtpd_sasl_path = /var/spool/postfix/private/auth
      smtpd_sasl_security_options = noanonymous
      smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
      smtpd_sasl_type = dovecot
      smtpd_sender_restrictions = check_recipient_access
      hash:/etc/postfix/restrict
      smtpd_tls_auth_only = yes
      smtpd_tls_cert_file =
      /big/www/ssl/munich/munich.parts-unknown.org.concatenated.crt
      smtpd_tls_loglevel = 3
      smtpd_tls_security_level = may
      unknown_local_recipient_reject_code = 550
      virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman

      What has changed are the SSL keys. But if something is wrong here, I
      don't know how to tell what. This is a StartSSL.com certificate so
      there's an intermediate key as well as the certificate itself and the
      certificate authority key. The chain should be complete. I've just
      checked my work; I think I did this right.

      So how do I tell what's going wrong?

      Thanks!
      --
      David Benfell <benfell@...>

    • DTNX Postmaster
      Message 2 of 5, Aug 23, 2013
        On Aug 23, 2013, at 09:20, David Benfell <dbenfell@...> wrote:

        > Unfortunately, I'm finding this singularly unhelpful:
        >
        > - -------- Original Message --------
        > Subject: Postfix SMTP server: errors from unknown[209.85.212.69]

        Check your DNS configuration; that IP address has matching forward and reverse records, and should therefore not yield 'unknown'.

        > Transcript of session follows.
        >
        > Out: 220 mail.parts-unknown.org ESMTP Postfix
        > In: EHLO mail-vb0-f69.google.com
        > Out: 250-mail.parts-unknown.org
        > Out: 250-PIPELINING
        > Out: 250-SIZE 20971520
        > Out: 250-VRFY
        > Out: 250-ETRN
        > Out: 250-STARTTLS
        > Out: 250-ENHANCEDSTATUSCODES
        > Out: 250-8BITMIME
        > Out: 250 DSN
        > In: STARTTLS
        > Out: 454 4.7.0 TLS not available due to local problem
        > In: QUIT
        > Out: 221 2.0.0 Bye

        [snip]

        > Here's my postconf -n:

        [snip]

        > smtp_tls_key_file = /big/www/ssl/munich/munich.parts-unknown.org.key
        > smtp_tls_note_starttls_offer = yes
        > smtp_use_tls = yes

        Are you sure you need to specify 'smtp_tls_key_file' here? See;
        http://www.postfix.org/postconf.5.html#smtp_tls_cert_file

        > smtpd_tls_auth_only = yes
        > smtpd_tls_cert_file =
        > /big/www/ssl/munich/munich.parts-unknown.org.concatenated.crt
        > smtpd_tls_loglevel = 3
        > smtpd_tls_security_level = may

        Does the 'smtpd_tls_cert_file' contain the key? Also, inside the 'www'
        directory? Why not store it in '/etc/ssl' or '/etc/postfix'?

        Also, turn down 'smtpd_tls_loglevel' to '1' until you are sure it's
        actually a TLS problem instead of a configuration issue.

        > What has changed are the SSL keys. But if something is wrong here, I
        > don't know how to tell what. This is a StartSSL.com certificate so
        > there's an intermediate key as well as the certificate itself and the
        > certificate authority key. The chain should be complete. I've just
        > checked my work; I think I did this right.
        >
        > So how do I tell what's going wrong?

        Have you tested your server with 'openssl s_client'? This is what I am
        getting;

        $ openssl s_client -connect mail.parts-unknown.org:25 -starttls smtp
        CONNECTED(00000003)
        4851:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/ssl/s23_clnt.c:607:

        Disable debug logging, and lower your TLS log level. Restart Postfix,
        and check your logs for any warnings or errors.

        Check your configuration, related files, permissions, and so on. Revert
        to the old certificate, see if that resolves the problem and enables
        you to make a successful connection with the openssl client. Generate a
        self-signed one, see if that resolves the problem, and so on.

        Mvg,
        Joni
      • David Benfell
        Message 3 of 5, Aug 23, 2013

          On 08/23/2013 12:55 AM, DTNX Postmaster wrote:
          > On Aug 23, 2013, at 09:20, David Benfell <dbenfell@...>
          > wrote:
          >
          >> Unfortunately, I'm finding this singularly unhelpful:
          >>
          >> - -------- Original Message -------- Subject: Postfix SMTP
          >> server: errors from unknown[209.85.212.69]
          >
          > Check your DNS configuration; that IP address has matching forward
          > and reverse records, and should therefore not yield 'unknown'.
          >
          >> Transcript of session follows.
          >>
          >> Out: 220 mail.parts-unknown.org ESMTP Postfix In: EHLO
          >> mail-vb0-f69.google.com Out: 250-mail.parts-unknown.org Out:
          >> 250-PIPELINING Out: 250-SIZE 20971520 Out: 250-VRFY Out:
          >> 250-ETRN Out: 250-STARTTLS Out: 250-ENHANCEDSTATUSCODES Out:
          >> 250-8BITMIME Out: 250 DSN In: STARTTLS Out: 454 4.7.0 TLS not
          >> available due to local problem In: QUIT Out: 221 2.0.0 Bye
          >
          > [snip]
          >
          >> Here's my postconf -n:
          >
          > [snip]
          >
          >> smtp_tls_key_file =
          >> /big/www/ssl/munich/munich.parts-unknown.org.key
          >> smtp_tls_note_starttls_offer = yes smtp_use_tls = yes
          >
          > Are you sure you need to specify 'smtp_tls_key_file' here? See;
          > http://www.postfix.org/postconf.5.html#smtp_tls_cert_file
          >
          >> smtpd_tls_auth_only = yes smtpd_tls_cert_file =
          >> /big/www/ssl/munich/munich.parts-unknown.org.concatenated.crt
          >> smtpd_tls_loglevel = 3 smtpd_tls_security_level = may
          >
          > Does the 'smtpd_tls_cert_file' contain the key? Also, inside the
          > 'www' directory? Why not store it in '/etc/ssl' or '/etc/postfix'?

          I use these files for several applications, including Dovecot (where
          Thunderbird seems to think the concatenated key is just fine). So
          /etc/postfix is inappropriate.

          I don't like adding files to /etc/ssl because that directory is
          populated by the distribution and for me there's a lot of stuff there
          that I'm not interested in looking at.
          >
          > Also, turn down 'smtpd_tls_loglevel' to '1' until you are sure it's
          > actually a TLS problem instead of a configuration issue.

          Done.
          >
          >> What has changed are the SSL keys. But if something is wrong
          >> here, I don't know how to tell what. This is a StartSSL.com
          >> certificate so there's an intermediate key as well as the
          >> certificate itself and the certificate authority key. The chain
          >> should be complete. I've just checked my work; I think I did this
          >> right.
          >>
          >> So how do I tell what's going wrong?
          >
          > Have you tested your server with 'openssl s_client'? This is what I
          > am getting;
          >
          > $ openssl s_client -connect mail.parts-unknown.org:25 -starttls
          > smtp CONNECTED(00000003) 4851:error:140770FC:SSL
          > routines:SSL23_GET_SERVER_HELLO:unknown
          > protocol:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/ssl/s23_clnt.c:607:
          >
          >
          I see the word error. ;-) I assume you got, more completely, the same
          thing I got after following your advice below:

          CONNECTED(00000003)
          139983650948752:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:766:
          ---
          no peer certificate available
          ---
          No client certificate CA names sent
          ---
          SSL handshake has read 244 bytes and written 357 bytes
          ---
          New, (NONE), Cipher is (NONE)
          Secure Renegotiation IS NOT supported
          Compression: NONE
          Expansion: NONE
          ---

          > Disable debug logging, and lower your TLS log level. Restart
          > Postfix, and check your logs for any warnings or errors.
          >
          So I did this and sent a test message from Gmail. It does seem to be
          having a problem finding the key file:

          Aug 23 01:12:41 munich.parts-unknown.org postfix/tlsproxy[18925]: warning: cannot get RSA private key from file /big/www/ssl/munich/munich.parts-unknown.org.concatenated.crt: disa...LS support
          Aug 23 01:12:41 munich.parts-unknown.org postfix/tlsproxy[18925]: warning: TLS library problem: 18925:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expectin...IVATE KEY:
          Aug 23 01:12:41 munich.parts-unknown.org postfix/tlsproxy[18925]: warning: TLS library problem: 18925:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:

          Why is this line not working?

          smtp_tls_key_file = /big/www/ssl/munich/munich.parts-unknown.org.key

          I've checked the file, it contains a private key.

          > Check your configuration, related files, permissions, and so on.
          > Revert to the old certificate, see if that resolves the problem and
          > enables you to make a successful connection with the openssl client.
          > Generate a self-signed one, see if that resolves the problem, and
          > so on.

          Reverting to the old certificate yielded the same result. The previous
          configuration has the same permissions as the current one.
          >
          > Mvg, Joni
          >


          --
          David Benfell / benfell@...
          Please see https://parts-unknown.org/node/2 for GnuPG information (or
          the attachment you don't understand)
        • Wietse Venema
          Message 4 of 5, Aug 23, 2013
            David Benfell:
            > Why is this line not working?
            >
            > smtp_tls_key_file = /big/www/ssl/munich/munich.parts-unknown.org.key

            http://www.postfix.org/DEBUG_README.html#no_chroot

            Try turning off chroot operation in master.cf

            A common mistake is to turn on chroot operation in the master.cf
            file without going through all the necessary steps to set up a
            chroot environment. This causes Postfix daemon processes to fail
            due to all kinds of missing files.

            The example below shows an SMTP server that is configured with
            chroot turned off:

            /etc/postfix/master.cf:
                # =============================================================
                # service type  private unpriv  chroot  wakeup  maxproc command
                #               (yes)   (yes)   (yes)   (never) (100)
                # =============================================================
                smtp      inet  n       -       n       -       -       smtpd

            Inspect master.cf for any processes that have chroot operation not
            turned off. If you find any, save a copy of the master.cf file, and
            edit the entries in question. After executing the command "postfix
            reload", see if the problem has gone away.

            If turning off chrooted operation made the problem go away, then
            congratulations. Leaving Postfix running in this way is adequate
            for most sites. If you prefer chrooted operation, see the Postfix
            BASIC_CONFIGURATION_README file for information about how to prepare
            Postfix for chrooted operation.
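The inspection step Wietse describes (find every master.cf entry whose chroot column is not turned off, save a copy, edit those entries) can be scripted. The block below is an added example, not Postfix's own code or anything from this thread: it parses master.cf's whitespace-separated columns, resolves a "-" in the chroot column to the build default (which was "y" for the Postfix 2.x releases current in 2013 and became "n" in Postfix 3.0), and produces an edited copy with chroot switched off while keeping comments and "-o" continuation lines intact. The sample master.cf is constructed for the example.

```python
"""Added example: list master.cf services that run chrooted, and produce a
copy with chroot turned off, as the DEBUG_README step above suggests.
Not Postfix code; the sample master.cf below is constructed."""
import re

# Constructed sample, laid out like the master.cf excerpt quoted above.
# "-" in the chroot column means "use the default": "y" on Postfix 2.x,
# "n" from Postfix 3.0 onward.
SAMPLE_MASTER_CF = """\
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp       inet  n       -       -       -       -       smtpd
submission inet  n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
tlsproxy   unix  -       -       y       -       0       tlsproxy
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
"""

FIELDS = ("service", "type", "private", "unpriv", "chroot", "wakeup", "maxproc")


def parse_master_cf(text, chroot_default="y"):
    """Return one dict per service entry. Comment and blank lines are skipped;
    indented lines are '-o' continuation lines of the entry above them."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            if entries:
                entries[-1]["options"].append(line.strip())
            continue
        fields = line.split()
        if len(fields) < 8:          # 'postfix check' would reject such a line
            continue
        entry = dict(zip(FIELDS, fields[:7]))
        entry["command"] = " ".join(fields[7:])
        entry["options"] = []
        # Resolve "-" to the build-dependent default so callers only see y/n.
        if entry["chroot"] == "-":
            entry["chroot"] = chroot_default
        entries.append(entry)
    return entries


def chrooted_services(text, chroot_default="y"):
    """Names of the services that would run chrooted, i.e. the entries
    DEBUG_README tells you to inspect."""
    return [e["service"] for e in parse_master_cf(text, chroot_default)
            if e["chroot"] == "y"]


def unchroot(text):
    """Return master.cf text with every chroot column set to 'n'. Whitespace,
    comments and '-o' lines are preserved so the saved copy diffs cleanly."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line[0] in " \t#":
            out.append(line)
            continue
        parts = re.split(r"(\s+)", line)   # tokens at even indexes, gaps at odd
        if len(parts) >= 15:               # 8 tokens + 7 gaps
            parts[8] = "n"                 # 5th token is the chroot column
        out.append("".join(parts))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("chrooted (2.x default):", chrooted_services(SAMPLE_MASTER_CF))
    print("chrooted (3.x default):", chrooted_services(SAMPLE_MASTER_CF, "n"))
    print(unchroot(SAMPLE_MASTER_CF))
```

Point it at a real file with `open("/etc/postfix/master.cf").read()`; the chroot default you pass should match the Postfix version in use, since a "-" resolves differently on 2.x and 3.x.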
          • DTNX Postmaster
            Message 5 of 5, Aug 23, 2013
              On Aug 23, 2013, at 10:36, David Benfell <dbenfell@...> wrote:

              >> Have you tested your server with 'openssl s_client'? This is what I
              >> am getting;
              >>
              >> $ openssl s_client -connect mail.parts-unknown.org:25 -starttls
              >> smtp CONNECTED(00000003) 4851:error:140770FC:SSL
              >> routines:SSL23_GET_SERVER_HELLO:unknown
              >> protocol:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/ssl/s23_clnt.c:607:
              >>
              >>
              > I see the word error. ;-) I assume you got, more completely, the same
              > thing I got after following your advice below:
              >
              > CONNECTED(00000003)
              > 139983650948752:error:140770FC:SSL
              > routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:766:
              > - ---
              > no peer certificate available
              > - ---
              > No client certificate CA names sent
              > - ---
              > SSL handshake has read 244 bytes and written 357 bytes
              > - ---
              > New, (NONE), Cipher is (NONE)
              > Secure Renegotiation IS NOT supported
              > Compression: NONE
              > Expansion: NONE
              > - ---

              No, I got a different error, look at the last number.

              >> Disable debug logging, and lower your TLS log level. Restart
              >> Postfix, and check your logs for any warnings or errors.
              >>
              > So I did this and sent a test message from gmail. It does seem to be
              > having a problem finding the key file:
              >
              > Aug 23 01:12:41 munich.parts-unknown.org postfix/tlsproxy[18925]:
              > warning: cannot get RSA private key from file
              > /big/www/ssl/munich/munich.parts-unknown.org.concatenated.crt:
              > disa...LS support
              > Aug 23 01:12:41 munich.parts-unknown.org postfix/tlsproxy[18925]:
              > warning: TLS library problem: 18925:error:0906D06C:PEM
              > routines:PEM_read_bio:no start line:pem_lib.c:703:Expectin...IVATE KEY:
              > Aug 23 01:12:41 munich.parts-unknown.org postfix/tlsproxy[18925]:
              > warning: TLS library problem: 18925:error:140B0009:SSL
              > routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:
              >
              > Why is this line not working?
              >
              > smtp_tls_key_file = /big/www/ssl/munich/munich.parts-unknown.org.key
              >
              > I've checked the file, it contains a private key.

              Are you sure it is correctly formatted? It is complaining about it;

              "PEM_read_bio:no start line:pem_lib.c:703:Expectin...IVATE KEY:"

              The start and end should be marked by the following lines;

              -----BEGIN RSA PRIVATE KEY-----
              <key goes here>
              -----END RSA PRIVATE KEY-----

              And each certificate, whether it is your host certificate or an
              intermediate, should be marked in a similar way;

              -----BEGIN CERTIFICATE-----
              <certificate goes here>
              -----END CERTIFICATE-----

              This is what the TLS library uses to read in the key and certificates
              when Postfix starts, and it looks like they may be missing, in your
              case.

              It is no problem to concatenate them, as long as you have the start and
              end markers for each, on their own lines.

              Mvg,
              Joni
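Joni's first reply (does the smtpd_tls_cert_file contain the key?) and this last one (are the BEGIN/END markers present, each on its own line?) both come down to whether the files Postfix hands to the TLS library are well-formed PEM. The checker below is an added example, not code from this thread, from Postfix or from OpenSSL: it splits a file into labelled PEM blocks and reports the structural faults that OpenSSL summarises as "no start line", then answers the two questions directly for a key file and a certificate chain. The sample inputs are constructed placeholders, not real keys or certificates. One Postfix fact worth keeping in mind when reading the tlsproxy warning above: the server-side key parameter is smtpd_tls_key_file, whose default is $smtpd_tls_cert_file; smtp_tls_key_file only affects the outbound client, so with just that set, the daemon looks for the private key inside the .crt file, which is exactly the path the warning names.

```python
"""Added example: check that the files Postfix hands to the TLS library carry
the BEGIN/END markers described above. Not Postfix or OpenSSL code; the PEM
bodies below are constructed placeholders, not real keys or certificates."""
import base64
import re

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def parse_pem(text):
    """Split a PEM file into (label, der_bytes) blocks, collecting structural
    problems instead of raising. Text outside any block is ignored, which is
    also how OpenSSL's PEM reader treats it."""
    blocks, problems = [], []
    label, body = None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()                   # tolerate CRLF and trailing spaces
        if m := BEGIN_RE.match(line):
            if label is not None:
                problems.append(f"line {lineno}: BEGIN {m.group(1)} inside an unterminated {label} block")
            label, body = m.group(1), []
        elif m := END_RE.match(line):
            if label is None:
                problems.append(f"line {lineno}: END {m.group(1)} without a BEGIN line")
            elif m.group(1) != label:
                problems.append(f"line {lineno}: END {m.group(1)} does not match BEGIN {label}")
            elif not body:
                problems.append(f"line {lineno}: {label} block is empty")
            else:
                try:
                    blocks.append((label, base64.b64decode("".join(body), validate=True)))
                except ValueError as exc:    # binascii.Error is a ValueError
                    problems.append(f"line {lineno}: {label} body is not valid base64 ({exc})")
            label, body = None, []
        elif label is not None and line:
            body.append(line)
    if label is not None:
        problems.append(f"BEGIN {label} is never closed by an END line")
    return blocks, problems


def check_key_file(text):
    """Problems for a file used as smtpd_tls_key_file; [] means a private-key
    block was found. A file with no marker lines at all is the case OpenSSL
    reports as 'PEM_read_bio:no start line ... Expecting: ANY PRIVATE KEY'."""
    blocks, problems = parse_pem(text)
    if not any(label in PRIVATE_KEY_LABELS for label, _ in blocks):
        problems.append("no PRIVATE KEY block found")
    return problems


def check_cert_file(text):
    """(number of CERTIFICATE blocks, problems) for a file used as
    smtpd_tls_cert_file; host certificate plus one intermediate gives 2."""
    blocks, problems = parse_pem(text)
    count = sum(1 for label, _ in blocks if label == "CERTIFICATE")
    if count == 0:
        problems.append("no CERTIFICATE block found")
    return count, problems


def _fake_block(label, payload):
    """Wrap placeholder bytes in a well-formed PEM block (constructed data)."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(payload).decode()}\n-----END {label}-----\n"


# Constructed inputs: a correct key file, a host+intermediate chain, and the
# failure mode from the thread, where the key text lacks its marker lines.
GOOD_KEY = _fake_block("RSA PRIVATE KEY", b"placeholder, not a real key")
GOOD_CHAIN = (_fake_block("CERTIFICATE", b"placeholder host cert")
              + _fake_block("CERTIFICATE", b"placeholder intermediate"))
KEY_WITHOUT_MARKERS = base64.b64encode(b"key bytes, no BEGIN/END").decode() + "\n"

if __name__ == "__main__":
    for name, text in [("key file", GOOD_KEY), ("chain used as key", GOOD_CHAIN),
                       ("unmarked key", KEY_WITHOUT_MARKERS)]:
        print(name, "->", check_key_file(text) or "ok")
    print("chain ->", check_cert_file(GOOD_CHAIN))
```

To check real files, pass `open(path).read()` for the paths named in `postconf -n` under smtpd_tls_cert_file and smtpd_tls_key_file; a concatenated file is fine as long as check_cert_file counts the expected certificates and check_key_file returns an empty list for whichever file the key parameter actually points at.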