On Fri, Nov 23, 2012 at 07:55:28PM -0500, c...@lavabit.com wrote:

> > > SSL routines:SSL23_GET_SERVER_HELLO: unknown protocol
> >
> > Check the server logs.
> 
> /var/log/mail.info:
> 
> warning: cannot get RSA private key from file /etc/postfix/smtpd.pem:
> disabling TLS support
> warning: TLS library problem ... Expecting: ANY PRIVATE KEY

There is no usable private key in your smtpd.pem configuration file.

> I used these commands [0] to create smtpd.pem:
> 
>  # cd /etc/postfix
>  # tmp=$(mktemp smtpd.pem.XXXXXX)
>  # openssl req -x509 -new -newkey rsa:1280 -nodes -keyout /dev/stdout \
>         -days $((365 * 10)) -subj "/CN=mail.example.com" > $tmp
>  # chmod 0600 $tmp
>  # mv $tmp smtpd.pem
> 
> Why does Postfix fail to get a key from smtpd.pem?

Either you botched the recipe, or the use of "-keyout stdout" is
not a portable way of getting OpenSSL to output the key and
certificate back-to-back.  Did the shell commands in the recipe
generate any error messages?

When I run this and check the contents of the smtpd.pem file (did
you ever look at the file contents? Why not?) I see:

        $ egrep '^-----' smtpd.pem
        -----BEGIN PRIVATE KEY-----
        -----END PRIVATE KEY-----
        -----BEGIN CERTIFICATE-----
        -----END CERTIFICATE-----

Which shows the expected key and certificate.  Post the output for
your system.  You can always generate the key separately:

   # cd /etc/postfix
   # tmp=$(mktemp smtpd.pem.XXXXXX)
   # openssl genrsa -out "$tmp" 1280
   # openssl req -x509 -new -key "$tmp" \
        -days "$((365 * 10))" -subj "/CN=mail.example.com" >> "$tmp"
   # chmod 0600 "$tmp"
   # mv "$tmp" smtpd.pem

Don't be so helpless. Take some initiative to follow the clues to their
logical conclusions. If the software sees no key in the file, check the
file and figure out what's there, and perhaps why.

-- 
        Viktor.
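The check Viktor asks for (look at what is actually in the file, then confirm the key and certificate belong together) can be scripted. The following POSIX shell script is an added example, not code from the mail above or from the Postfix project: it builds an smtpd.pem the way the second recipe does (unencrypted key first, self-signed certificate appended), and `check_smtpd_pem` reports the three ways such a file commonly fails: no private key block (the "Expecting: ANY PRIVATE KEY" case), a passphrase-protected key, or a key that does not match the certificate. The 2048-bit key size and the file names are this example's choices, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the mail above): build and sanity-check a Postfix
# smtpd.pem that must carry an unencrypted private key plus its certificate.
set -eu

# Count PEM blocks whose BEGIN line ends with the given type, e.g.
# "PRIVATE KEY" (also matches "RSA PRIVATE KEY") or "CERTIFICATE".
pem_block_count() {
    # $1 = file, $2 = block type
    grep -c -- "^-----BEGIN .*$2-----\$" "$1" 2>/dev/null || true
}

# Generate key + self-signed cert into $1 for common name $2, key first.
# Mirrors the "generate the key separately" recipe; 2048 bits is an
# example choice.
generate_smtpd_pem() {
    out=$1; cn=$2
    tmp=$(mktemp "$out.XXXXXX")
    openssl genrsa -out "$tmp" 2048 2>/dev/null
    # Write the certificate to a variable first so we never read and append
    # to the same file in one command.
    cert=$(openssl req -x509 -new -key "$tmp" -days 3650 -subj "/CN=$cn")
    printf '%s\n' "$cert" >> "$tmp"
    chmod 0600 "$tmp"
    mv "$tmp" "$out"
}

# Return 0 when $1 holds at least one unencrypted private key and a
# certificate whose public key matches that key; otherwise explain on
# stderr and return 1.
check_smtpd_pem() {
    f=$1
    keys=$(pem_block_count "$f" "PRIVATE KEY")
    certs=$(pem_block_count "$f" "CERTIFICATE")
    if [ "$keys" -eq 0 ]; then
        echo "$f: no private key block (matches 'Expecting: ANY PRIVATE KEY')" >&2
        return 1
    fi
    # PKCS#8 encrypted keys and legacy "Proc-Type: 4,ENCRYPTED" keys need a
    # passphrase, which an unattended smtpd cannot supply.
    if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f" \
       || grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
        echo "$f: private key is passphrase-protected" >&2
        return 1
    fi
    if [ "$certs" -eq 0 ]; then
        echo "$f: no certificate block" >&2
        return 1
    fi
    # Compare the SubjectPublicKeyInfo derived from the key with the one
    # embedded in the certificate; both commands skip unrelated PEM blocks.
    key_pub=$(openssl pkey -in "$f" -pubout 2>/dev/null || true)
    cert_pub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null || true)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
        echo "$f: private key does not match the certificate" >&2
        return 1
    fi
    echo "$f: $keys key block(s), $certs certificate block(s), key matches cert"
    return 0
}

# Usage: sh check_smtpd_pem.sh /etc/postfix/smtpd.pem
if [ $# -gt 0 ]; then
    check_smtpd_pem "$1"
fi
```

Run it against the file Postfix complains about; a zero exit and the summary line mean the TLS library will find a usable key, while each non-zero case names what to fix. The public-key comparison is done with `openssl pkey`/`openssl x509 -pubkey` rather than `-modulus` so it also works for non-RSA keys.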
