On Fri, Apr 05, 2013 at 10:46:57AM -0400, Peter L. Berghold wrote:

> This is aping everything I've read on the topic on a variety of sites.

Instead of aping, try:

    http://www.postfix.org/TLS_README.html#server_tls
    http://www.postfix.org/TLS_README.html#client_tls

> Here are the applicable lines (sanitized of course) I used to set this up:
> smtpd_use_tls = yes
> smtp_use_tls = yes

    smtpd_tls_security_level = may
    smtp_tls_security_level = may

> smtp_tls_note_starttls_offer = yes

Not needed, you've enabled TLS in the local Postfix SMTP client.

> smtpd_tls_CAfile=/etc/postfix/ssl/ca-bundle.pem
> smtpd_tls_CApath=/etc/postfix/ssl

Not needed, you're not requesting client certificates.

> smtp_tls_CAfile=/etc/postfix/ssl/ca-bundle.pem
> smtp_tls_CApath=$smtpd_tls_CAPath

Not strictly needed, with opportunistic TLS, you're not verifying
remote server certificates.

> smtpd_tls_certfile=/etc/postfix/ssl/server.crt

The correct parameter is smtpd_tls_cert_file, consistent with the
below:

> smtpd_tls_key_file=/etc/postfix/ssl/mydomain.key
> smtpd_tls_loglevel=4

This is insane, loglevels higher than 2 are almost never required,
for experts only, and can DoS your system with log files larger
than your mail store input volume.

> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_timeout = 3600s

No point, unless you specify a session cache.

> tls_random_source = dev:/dev/urandom

Fine.

> The error I'm seeing in the maillog is:
> Apr 5 10:43:36 myhostname postfix/smtpd[14839]: warning: No
> server certs available. TLS won't be enabled

Indeed you've not specified the correct certfile parameter.

--
Viktor.
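
A small linter for the mistakes pointed out in this thread, as an added example that is not part of the original message or of Postfix: it flags TLS parameter names it does not recognise (naming the closest known one), server TLS enabled without smtpd_tls_cert_file, loglevels above 2, and a session cache timeout with no cache database. The function names, the trimmed parameter list and the sample input are assumptions made for the illustration.

```python
import difflib
import re

# Real Postfix parameter names, limited to the ones this thread touches.
KNOWN = sorted({
    "smtpd_tls_cert_file", "smtpd_tls_key_file", "smtpd_tls_CAfile",
    "smtpd_tls_CApath", "smtpd_tls_security_level", "smtpd_tls_loglevel",
    "smtpd_tls_received_header", "smtpd_tls_session_cache_timeout",
    "smtpd_tls_session_cache_database", "smtpd_use_tls", "smtp_use_tls",
    "smtp_tls_CAfile", "smtp_tls_CApath", "smtp_tls_security_level",
    "smtp_tls_note_starttls_offer", "tls_random_source",
})

# Constructed sample built from the settings quoted in the message above.
SAMPLE = """\
smtpd_use_tls = yes
smtpd_tls_certfile=/etc/postfix/ssl/server.crt
smtpd_tls_key_file=/etc/postfix/ssl/mydomain.key
smtpd_tls_loglevel=4
smtpd_tls_session_cache_timeout = 3600s
"""

def parse(text):
    """Return {name: value}; comments and continuation lines are skipped."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params

def lint(text):
    """Return sorted findings for the TLS settings in main.cf-style text."""
    p, out = parse(text), []
    for name in p:
        if "tls" in name and name not in KNOWN:
            near = difflib.get_close_matches(name, KNOWN, n=1) or ["(none)"]
            out.append(f"unknown parameter {name}, closest known: {near[0]}")
    tls_on = (p.get("smtpd_use_tls") == "yes"
              or p.get("smtpd_tls_security_level") in ("may", "encrypt"))
    # Simplification: only the RSA certificate parameter is checked.
    if tls_on and "smtpd_tls_cert_file" not in p:
        out.append("server TLS enabled but smtpd_tls_cert_file is not set")
    level = p.get("smtpd_tls_loglevel", "0")
    if level.isdigit() and int(level) > 2:
        out.append("smtpd_tls_loglevel above 2")
    if ("smtpd_tls_session_cache_timeout" in p
            and "smtpd_tls_session_cache_database" not in p):
        out.append("session cache timeout without smtpd_tls_session_cache_database")
    return sorted(out)
```

Calling `lint(SAMPLE)` returns four findings, one for each problem raised in the reply.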