Hi All,
Hoping someone can point me in the correct direction to solve this one
(i.e. why is Postfix "not playing well" with our TLS certs) 🙂
This is all internal (i.e. NOT on the Internet), so the logs, etc. below
have NOT been "edited" or obscured.
We're running two (internal) email domains: me.local and me2.local on
the one (Postfix v3.8.1) server (Rocky Linux v9.1). Dovecot is our MDA
and we're using MariaDB for our backend. Everything *seems* to be
working except for some TLS "stuff" (see below).
Each/both email domain has an appropriate ECC wildcard certificate
from our internal CA (Step-CA, if it makes a difference), with the key,
hostname (i.e. "me.local" & "*.me.local"), the intermediate CA & the root
CA certificates included, in that order. These certificates also work on
our (internal) NginX Server for our internal websites - so that's all
good (as far as I can determine).
These Certificates (in .pem format) are placed in the
"/etc/postfix/certs/" folder. The folder and the certificates have
ownership of root:root and permissions of 0755/0600 respectively.
The sni_maps file (see next) has been hashed with "postmap -F
/etc/postfix/sni_maps".
~~~
me.local  /etc/postfix/certs/me.local.pem
me2.local /etc/postfix/certs/me2.local.pem
~~~
We're getting the following warnings/errors on postfix start when we do
a "journalctl -u postfix" (which the postfix log file confirms):
~~~
Oct 11 17:33:05 mail.me.local systemd[1]: Starting Postfix Mail
Transport Agent...
Oct 11 17:33:05 mail.me.local email_postfix[2038]: find:
'/etc/postfix/./certs/me.local.pem': Permission denied
Oct 11 17:33:05 mail.me.local email_postfix[2039]: postfix/postlog:
warning: not owned by root: /etc/postfix/./certs/me.local.pem
Oct 11 17:33:05 mail.me.local postfix/postfix-script[2039]: warning: not
owned by root: /etc/postfix/./certs/me.local.pem
Oct 11 17:33:05 mail.me.local email_postfix[2038]: find:
'/etc/postfix/./certs/me2.local.pem': Permission denied
Oct 11 17:33:05 mail.me.local email_postfix[2040]: postfix/postlog:
warning: not owned by root: /etc/postfix/./certs/me2.local.pem
Oct 11 17:33:05 mail.me.local postfix/postfix-script[2040]: warning: not
owned by root: /etc/postfix/./certs/me2.local.pem
Oct 11 17:33:05 mail.me.local email_postfix[2044]: find:
'/etc/postfix/./certs/me.local.pem': Permission denied
Oct 11 17:33:05 mail.me.local email_postfix[2044]: find:
'/etc/postfix/./certs/me2.local.pem': Permission denied
Oct 11 17:33:05 mail.me.local email_postfix[2056]: postfix/postlog:
starting the Postfix mail system
Oct 11 17:33:05 mail.me.local postfix/postfix-script[2056]: starting the
Postfix mail system
Oct 11 17:33:05 mail.me.local postfix/master[2058]: daemon started --
version 3.8.1, configuration /etc/postfix
Oct 11 17:33:05 mail.me.local systemd[1]: Started Postfix Mail Transport
Agent.
~~~
Our "postconf -n" output is:
~~~
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
biff = no
command_directory = /usr/sbin
compatibility_level = 3.8
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_list = 192.168.1.0/24 192.168.2.0/24
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
default_destination_concurrency_limit = 20
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
fallback_transport =
header_size_limit = 4096000
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps = $virtual_mailbox_maps
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 104857600
meta_directory = /etc/postfix
milter_connect_macros = j {daemon_name} v {if_name} _
milter_default_action = accept
milter_protocol = 6
my_domain = me.local
my_external_ip =
my_hostname = mail.$my_domain
my_networks = 127.0.0.0/8 192.168.1.0/24 192.168.2.0/24
my_origin = $my_domain
my_relayhost =
mydestination = $myhostname localhost.$mydomain localhost
mydomain = $my_domain
myhostname = $my_hostname
mynetworks = $my_networks
myorigin = $my_origin
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
postscreen_access_list = permit_mynetworks
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = yes
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = b.barracudacentral.org bl.spamcop.net
postscreen_dnsbl_whitelist_threshold = -2
postscreen_greet_action = enforce
postscreen_non_smtp_command_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_action = enforce
postscreen_pipelining_enable = yes
postscreen_upstream_proxy_protocol =
postscreen_upstream_proxy_timeout = 5s
proxy_interfaces = $my_external_ip
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix3-3.8.1/README_FILES
recipient_delimiter = +
relay_destination_concurrency_limit = 1
relay_domains = $mydestination
relayhost = $my_relayhost
sample_directory = /usr/share/doc/postfix3-3.8.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_type = dovecot
smtp_tls_chain_files = /etc/postfix/certs/me.local.pem
smtp_tls_connection_reuse = yes
smtp_tls_loglevel = 2
smtp_tls_mandatory_protocols = >=TLSv1.2
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = >=TLSv1.2
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated
reject
smtpd_discard_ehlo_keywords = silent-discard dsn
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks
reject_non_fqdn_helo_hostname reject_invalid_helo_hostname
reject_unknown_helo_hostname permit
smtpd_milters =
smtpd_recipient_restrictions = reject_invalid_hostname
reject_non_fqdn_hostname reject_non_fqdn_sender
reject_non_fqdn_recipient permit_mynetworks
reject_unknown_client_hostname reject_unknown_sender_domain
reject_unknown_recipient_domain reject_unauth_pipelining
reject_unauth_destination reject_unverified_recipient
check_policy_service unix:private/quota-status reject_rbl_client
bl.spamcop.net reject_rbl_client cbl.abuseat.org permit
smtpd_reject_unlisted_sender = yes
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
defer_unauth_destination permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = private/auth-dovecot
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = $virtual_mailbox_maps
smtpd_sender_restrictions = reject_unknown_sender_domain
reject_sender_login_mismatch permit
smtpd_starttls_timeout = 300s
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_chain_files = /etc/postfix/certs/me.local.pem
smtpd_tls_loglevel = 2
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_protocols = >=TLSv1.2
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
soft_bounce = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
tls_server_sni_maps = hash:/etc/postfix/sni_maps
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_reason = Address lookup failed
virtual_alias_maps = proxy:mysql:/etc/postfix/sql_virt_aliases.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql_virt_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql_virt_mailboxes.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
~~~
If any further info, etc, is required please ask 🙂
Thanks in advance
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
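The warnings in the journal output above come from postfix-script, which checks that files under the Postfix configuration directory are owned by root, and from the `find` it runs for that check. As an added example (not part of the original post, and not Postfix's own code), the script below audits every certificate path listed in a sni_maps source file the way a defender would before restarting Postfix: it checks that the file exists, is owned by the expected owner (root by default) and has no group/other permission bits, and it prints the SELinux label where `stat` can report one, because on an SELinux-enforcing host such as Rocky Linux a file's label governs access independently of its owner and mode. The `EXPECT_OWNER` variable, the `check_sni_maps`/`check_tls_file` function names and the sample paths are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit the certificate files that
# Postfix loads via tls_server_sni_maps. For each "key path" entry it checks that
# the file exists, is owned by $EXPECT_OWNER (postfix-script warns about files
# under /etc/postfix that are not owned by root) and has owner-only permission
# bits, and it prints the SELinux label where stat supports it.
# EXPECT_OWNER and the function names are assumptions for this example.
set -u

EXPECT_OWNER=${EXPECT_OWNER:-root}

# Print owner, numeric mode and, where supported, SELinux context of a file.
# GNU stat prints "?" for %C on hosts without SELinux; fall back if %C is unknown.
describe_file() {
    stat -c 'owner=%U mode=%a selinux=%C' "$1" 2>/dev/null \
        || stat -c 'owner=%U mode=%a' "$1"
}

# Exit status 0 when the file exists, is owned by $EXPECT_OWNER and has a mode of
# the form X00 (owner bits only, e.g. 0600 as in the post); 1 otherwise, with a
# one-word reason on stdout so the output can be grepped.
check_tls_file() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "MISSING $f"
        return 1
    fi
    owner=$(stat -c '%U' "$f")
    mode=$(stat -c '%a' "$f")
    status=0
    if [ "$owner" != "$EXPECT_OWNER" ]; then
        echo "NOT_OWNED_BY_$EXPECT_OWNER $f (owner=$owner)"
        status=1
    fi
    case $mode in
        [0-7]00) ;;                                  # owner-only permission bits
        *) echo "LOOSE_MODE $f (mode=$mode)"; status=1 ;;
    esac
    if [ "$status" -eq 0 ]; then
        echo "OK $f $(describe_file "$f")"
    fi
    return "$status"
}

# Walk a sni_maps source file in the same "key  path" layout as the post's file,
# skipping blank and comment lines, and check every path. Returns 1 if any entry
# fails so the script can gate a service restart.
check_sni_maps() {
    map=$1
    rc=0
    while read -r key path; do
        case $key in ''|'#'*) continue ;; esac
        check_tls_file "$path" || rc=1
    done < "$map"
    return "$rc"
}

# Usage: sh audit_sni_maps.sh /etc/postfix/sni_maps
if [ $# -gt 0 ]; then
    check_sni_maps "$1"
fi
```

Run it against the un-hashed sni_maps source (not the .db file) as root; any `NOT_OWNED_BY_root` or `LOOSE_MODE` line names a file postfix-script will complain about, and the `selinux=` field shows whether a copied file kept a label from its original location.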