2009/3/17 Security Admin (NetSec) <secad...@netsecdesign.com>:
> Someday (maybe today) I will WRITE DOWN the proper way to generate and export
> certificates. Getting this warning in my maillog:
>
> "warning: cannot get private key from file /etc/postfix/privkey.pem"
>
> Doesn't stop TLS from occurring, it is just annoying. TLS is used between
> postfix mail gateways and external Exchange server. If someone can give the
> correct steps to generate a certificate with the proper info much
> appreciated. It also could be an issue with my tls config in my main.cf
> (using Postfix 2.5.6):

Show us some of the log lines around it as well?

Is /etc/postfix/privkey.pem indeed a private key?

Postfix can't use encrypted private keys, so make sure your key file isn't protected; you'll need to rely on OS access control to stop people stealing it. This is often enough the reason for postfix to complain about your key file (though I'm sure there are other ways to fail).

Start of an encrypted key file:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,1BF5D6A192E33D3A

vdJx0TUlh409tymW1P9NUAJlqAOZ1CE7RI344zrV5MJAKGL0p8mov8WOF40y8/qK
siV136J26hKmB/FLC0vL8MaomyTfoQbhbVSqpVd0Xhelelm5JvOuCsq2orNdcstw

Start of an unencrypted key file:

-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDYZX2/mBFRZpjDMDb8umeUk1HDweXhVb5A5WnfFE10LqbO2xKL
20+dgmLWS5e/spfkzbWayKXz0zFq6VfAl3dTdxnu20c1nQX3dqEZGyrKdhtMxa0D

If your key is encrypted, you need to know the passphrase to decrypt it:

# openssl rsa -in encrypted_key -out unencrypted_key

Did you use a guide to set up your TLS and postfix, etc? If so, chances are it's wrong or poorly written. Ubuntu's docs on postfix are correct for the key/cert stuff at least:
https://help.ubuntu.com/community/Postfix
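
Added example, not part of either message above: a shell check for the two points the reply raises, whether a PEM key file is passphrase-protected and whether OS permissions keep group/others away from it. It goes beyond the thread by also recognising the PKCS#8 "ENCRYPTED PRIVATE KEY" header; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# key_format FILE -> prints: encrypted | unencrypted | not-a-key | unreadable
key_format() {
    f=$1
    [ -r "$f" ] || { echo unreadable; return 0; }
    if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        # PKCS#8: encryption is announced in the BEGIN line itself.
        echo encrypted
    elif grep -q '^-----BEGIN .*PRIVATE KEY-----' "$f"; then
        # Traditional format: same BEGIN line either way; an encrypted
        # key carries a "Proc-Type: 4,ENCRYPTED" header after it.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
            echo encrypted
        else
            echo unencrypted
        fi
    else
        echo not-a-key
    fi
}

# key_perms_ok FILE -> exit 0 if group and others can neither read nor write.
key_perms_ok() {
    [ -e "$1" ] && [ -z "$(find "$1" -prune \
        \( -perm -040 -o -perm -004 -o -perm -020 -o -perm -002 \) \
        -print 2>/dev/null)" ]
}

# check_key FILE -> one-line verdict combining both checks.
check_key() {
    case $(key_format "$1") in
        encrypted)  echo "FAIL: passphrase-protected key, decrypt it first" ;;
        unreadable) echo "FAIL: cannot read file" ;;
        not-a-key)  echo "FAIL: no private key PEM block found" ;;
        unencrypted)
            if key_perms_ok "$1"; then
                echo "OK: unencrypted key, owner-only access"
            else
                echo "WARN: unencrypted key accessible to group/others"
            fi ;;
    esac
}

# Check every file named on the command line, e.g. /etc/postfix/privkey.pem
for arg in "$@"; do
    printf '%s: %s\n' "$arg" "$(check_key "$arg")"
done
```

A certificate file passed by mistake reports "no private key PEM block found", which is the other question the reply asks about privkey.pem.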