Hello group,
I am implementing a Mail Server using postfix + dbmail. I recently
configured STARTTLS and I found these lines in my /var/log/mail.log:
Jan 29 19:59:56 correo2 postfix/smtpd[3384]: warning: TLS library
problem: 3384:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
alert bad certificate:s3_pkt.c:1108:SSL alert number 42:
Jan 29 20:03:42 correo2 postfix/smtpd[3495]: warning: TLS library
problem: 3495:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
alert bad certificate:s3_pkt.c:1108:SSL alert number 42:
I don't know what these lines mean, because when I probe the connection
with the command:
openssl s_client -connect mx10.losbichos.com:25 -starttls smtp
there is no error, I get this answer to the command:
CONNECTED(00000003)
...
...
certificate details
...
...
Start Time: 1391078882
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
250 DSN
and these lines appear in /var/log/mail.log:
Jan 30 11:47:38 correo2 postfix/smtpd[21340]: Anonymous TLS
connection established from unknown[10.0.0.1]: TLSv1 with cipher
DHE-RSA-AES256-SHA (256/256 bits)
I generated my certificates with these commands:
openssl genrsa -des3 -out my-ca.key 2048
openssl req -new -x509 -days 3650 -key my-ca.key -out my-ca.crt
openssl x509 -in my-ca.crt -text -noout
cat my-ca.crt my-ca.key > my-ca.pem
openssl verify my-ca.pem
openssl req -new -nodes -keyout smtp-key.pem -out smtp-req.pem -days 365
openssl req -in smtp-req.pem -noout -text
openssl req -in smtp-req.pem -noout -verify -key smtp-key.pem
openssl x509 -req -out smtp.pem -in smtp-req.pem -CA my-ca.crt \
    -CAkey my-ca.key -CAcreateserial -days 365
I moved these files to my postfix folder and assigned the following permissions:
cp smtp.pem smtp-key.pem my-ca.crt /etc/postfix
chmod 644 /etc/postfix/smtp.pem /etc/postfix/my-ca.crt
chmod 400 /etc/postfix/smtp-key.pem
I paste here my config file /etc/postfix/main.cf:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_use_tls=yes
smtpd_tls_CAfile = /etc/postfix/tls/my-ca.crt
smtpd_tls_cert_file = /etc/postfix/tls/smtp.pem
smtpd_tls_key_file = /etc/postfix/tls/smtp-key.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
tls_random_source = dev:/dev/urandom
smtpd_tls_security_level = may
#smtpd_enforce_tls=no
smtpd_tls_loglevel=1
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = correo2
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = correo2, localhost.localdomain, localhost, ditecal.es
relayhost =
#mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mynetworks =0.0.0.0
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps = proxy:mysql:/etc/postfix/sql-recipients.cf
mailbox_transport = dbmail-lmtp:localhost:24
virtual_transport = dbmail-lmtp:localhost:24
virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql-virtual_mailbox_maps.cf
#virtual_alias_maps = proxy:mysql:/etc/postfix/sql-virtual_mailbox_maps.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql-virtual_mailbox_domains.$
virtual_transport = dbmail-lmtp:localhost:24
#local_transport = dbmail-lmtp:
Any idea? Thanks in advance
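An added example, not part of the original post and not Postfix's own tooling: the "SSL3_READ_BYTES:sslv3 alert bad certificate ... SSL alert number 42" entries are logged when smtpd receives a bad_certificate alert from the connecting client, i.e. the client rejected the certificate the server offered; the s_client run in the post shows the certificate being delivered but returns "Verify return code: 18 (self signed certificate)" because the client was not told to trust my-ca.crt. Before looking at clients, the server-side files should be consistent with each other, so the POSIX shell function below checks that the private key belongs to the certificate, that the certificate verifies against the CA file, and that it is not expired. It assumes the openssl command line tool is installed; make_demo_pki builds a throwaway CA and server certificate (constructed test data, unencrypted keys, placeholder hostname mx.example.test) using the same openssl steps as the post so that the check can be exercised offline. On a real server, pass the paths Postfix actually reads (the post copies the files to /etc/postfix while main.cf points at /etc/postfix/tls/; `postconf smtpd_tls_cert_file` prints the effective value).

```shell
#!/bin/sh
# Added example (not from the original post). Requires the openssl CLI.
#
# check_tls_files CERT KEY CA
#   1. the private key belongs to the certificate (same public key)
#   2. the certificate chains to the CA file Postfix serves to clients
#   3. the certificate is not expired or about to expire
# Prints one line per check; returns non-zero if any check fails.
check_tls_files() {
    cert=$1; key=$2; ca=$3; status=0

    # 1. Public key recomputed from the private key must equal the one
    #    embedded in the certificate (algorithm-agnostic, unlike -modulus).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "ok   private key matches certificate"
    else
        echo "FAIL private key does not belong to certificate"; status=1
    fi

    # 2. The leaf must verify against the CA file named in smtpd_tls_CAfile.
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "ok   certificate verifies against $ca"
    else
        echo "FAIL certificate does not verify against $ca"; status=1
    fi

    # 3. -checkend N exits non-zero if the certificate expires within N seconds.
    if openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null 2>&1; then
        echo "ok   certificate valid for at least 24h"
    else
        echo "FAIL certificate expired or expires within 24h"; status=1
    fi

    # Informational: the name a client compares with the server hostname.
    echo "subject: $(openssl x509 -in "$cert" -noout -subject 2>/dev/null)"
    return $status
}

# make_demo_pki DIR: constructed test data built the way the post does it
# (self-signed CA, CSR, CA-signed leaf), with -nodes so no passphrase prompt.
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 60 -subj "/CN=demo-ca" \
        -keyout "$dir/my-ca.key" -out "$dir/my-ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mx.example.test" \
        -keyout "$dir/smtp-key.pem" -out "$dir/smtp-req.pem" 2>/dev/null
    openssl x509 -req -in "$dir/smtp-req.pem" -CA "$dir/my-ca.crt" \
        -CAkey "$dir/my-ca.key" -CAcreateserial -days 30 \
        -out "$dir/smtp.pem" 2>/dev/null
    # An unrelated CA, to show what a wrong smtpd_tls_CAfile looks like.
    openssl req -x509 -newkey rsa:2048 -nodes -days 60 -subj "/CN=other-ca" \
        -keyout "$dir/other-ca.key" -out "$dir/other-ca.crt" 2>/dev/null
}

# Usage: sh check-tls-files.sh --demo     (runs against the constructed PKI)
#        or source the file and call check_tls_files with the real paths.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_demo_pki "$demo"
    echo "--- consistent files:"
    check_tls_files "$demo/smtp.pem" "$demo/smtp-key.pem" "$demo/my-ca.crt"
    echo "--- wrong CA file:"
    check_tls_files "$demo/smtp.pem" "$demo/smtp-key.pem" "$demo/other-ca.crt"
    rm -rf "$demo"
fi
```

If all three checks pass on the server and clients still log alert 42, the remaining question is on the client side: a client that verifies certificates will reject a chain signed by a private CA unless my-ca.crt has been added to its trust store, exactly as `openssl s_client` does without `-CAfile my-ca.crt`.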