On 08/23/2013 12:55 AM, DTNX Postmaster wrote:
> On Aug 23, 2013, at 09:20, David Benfell <dbenf...@gmail.com> wrote:
>
>> Unfortunately, I'm finding this singularly unhelpful:
>>
>> -------- Original Message --------
>> Subject: Postfix SMTP server: errors from unknown[209.85.212.69]
>
> Check your DNS configuration; that IP address has matching forward
> and reverse records, and should therefore not yield 'unknown'.
>
>> Transcript of session follows.
>>
>> Out: 220 mail.parts-unknown.org ESMTP Postfix
>> In:  EHLO mail-vb0-f69.google.com
>> Out: 250-mail.parts-unknown.org
>> Out: 250-PIPELINING
>> Out: 250-SIZE 20971520
>> Out: 250-VRFY
>> Out: 250-ETRN
>> Out: 250-STARTTLS
>> Out: 250-ENHANCEDSTATUSCODES
>> Out: 250-8BITMIME
>> Out: 250 DSN
>> In:  STARTTLS
>> Out: 454 4.7.0 TLS not available due to local problem
>> In:  QUIT
>> Out: 221 2.0.0 Bye
>
> [snip]
>
>> Here's my postconf -n:
>
> [snip]
>
>> smtp_tls_key_file = /big/www/ssl/munich/munich.parts-unknown.org.key
>> smtp_tls_note_starttls_offer = yes
>> smtp_use_tls = yes
>
> Are you sure you need to specify 'smtp_tls_key_file' here? See;
> http://www.postfix.org/postconf.5.html#smtp_tls_cert_file
>
>> smtpd_tls_auth_only = yes
>> smtpd_tls_cert_file = /big/www/ssl/munich/munich.parts-unknown.org.concatenated.crt
>> smtpd_tls_loglevel = 3
>> smtpd_tls_security_level = may
>
> Does the 'smtpd_tls_cert_file' contain the key? Also, inside the
> 'www' directory? Why not store it in '/etc/ssl' or '/etc/postfix'?
I use these files for several applications, including dovecot (where
thunderbird seems to think the concatenated key is just fine). So
/etc/postfix is inappropriate. I don't like adding files to /etc/ssl
because that directory is populated by the distribution and for me
there's a lot of stuff there that I'm not interested in looking at.

> Also, turn down 'smtpd_tls_loglevel' to '1' until you are sure it's
> actually a TLS problem instead of a configuration issue.

Done.

>> What has changed are the SSL keys. But if something is wrong here,
>> I don't know how to tell what. This is a StartSSL.com certificate
>> so there's an intermediate key as well as the certificate itself
>> and the certificate authority key. The chain should be complete.
>> I've just checked my work; I think I did this right.
>>
>> So how do I tell what's going wrong?
>
> Have you tested your server with 'openssl s_client'? This is what I
> am getting;
>
> $ openssl s_client -connect mail.parts-unknown.org:25 -starttls smtp
> CONNECTED(00000003)
> 4851:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/ssl/s23_clnt.c:607:
>
> I see the word error. ;-)

I assume you got, more completely, the same thing I got after following
your advice below:

CONNECTED(00000003)
139983650948752:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:766:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 244 bytes and written 357 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

> Disable debug logging, and lower your TLS log level. Restart
> Postfix, and check your logs for any warnings or errors.

So I did this and sent a test message from gmail.
It does seem to be having a problem finding the key file:

Aug 23 01:12:41 munich.parts-unknown.org postfix/tlsproxy[18925]: warning: cannot get RSA private key from file /big/www/ssl/munich/munich.parts-unknown.org.concatenated.crt: disa...LS support
Aug 23 01:12:41 munich.parts-unknown.org postfix/tlsproxy[18925]: warning: TLS library problem: 18925:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expectin...IVATE KEY:
Aug 23 01:12:41 munich.parts-unknown.org postfix/tlsproxy[18925]: warning: TLS library problem: 18925:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:

Why is this line not working?

smtp_tls_key_file = /big/www/ssl/munich/munich.parts-unknown.org.key

I've checked the file; it contains a private key.

> Check your configuration, related files, permissions, and so on.
> Revert to the old certificate, see if that resolves the problem and
> enables you to make a successful connection with the openssl client.
> Generate a self-signed one, see if that resolves the problem, and
> so on.

Reverting to the old certificate yielded the same result. The previous
configuration has the same permissions as the current one.
> Mvg, Joni

--
David Benfell / benf...@parts-unknown.org
Please see https://parts-unknown.org/node/2 for GnuPG information
(or the attachment you don't understand)
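An added check, not part of the thread and not Postfix's own tooling: the tlsproxy warnings above show Postfix reading the smtpd private key from the .crt path, and Postfix defaults smtpd_tls_key_file to $smtpd_tls_cert_file when it is not set (the postconf -n dump only sets the client-side smtp_tls_key_file). The script below takes a postconf -n style dump, works out which file each role will actually read its key from, and checks that file for a PEM private-key start line, which is the "no start line ... Expecting: ANY PRIVATE KEY" condition OpenSSL reports. The paths, the dummy PEM bodies and the two config dumps are constructed for the demo; it needs only sh, sed and grep.

```shell
#!/bin/sh
# Added example: resolve the key file Postfix will use for a TLS role and
# check it for a PEM private-key block. Does not validate the key itself.

# Print the key file Postfix will read for role $1 ("smtpd" or "smtp"),
# taking parameters from the postconf -n style dump in $2. An unset
# <role>_tls_key_file (or the literal default "$<role>_tls_cert_file")
# means Postfix reads the key from the certificate file.
effective_key_file() {
    role=$1; conf=$2
    key=$(sed -n "s/^${role}_tls_key_file[[:space:]]*=[[:space:]]*//p" "$conf")
    cert=$(sed -n "s/^${role}_tls_cert_file[[:space:]]*=[[:space:]]*//p" "$conf")
    if [ -z "$key" ] || [ "$key" = "\$${role}_tls_cert_file" ]; then
        key=$cert
    fi
    printf '%s\n' "$key"
}

# Exit 0 if $1 contains a PEM private-key start line, 1 otherwise.
has_private_key() {
    grep -q -e '^-----BEGIN PRIVATE KEY-----' \
            -e '^-----BEGIN RSA PRIVATE KEY-----' \
            -e '^-----BEGIN EC PRIVATE KEY-----' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Report on one role; exit 0 only when its effective key file holds a key.
check_role() {
    role=$1; conf=$2
    keyfile=$(effective_key_file "$role" "$conf")
    if [ -z "$keyfile" ]; then
        echo "$role: neither ${role}_tls_cert_file nor ${role}_tls_key_file is set"
        return 1
    fi
    if [ ! -r "$keyfile" ]; then
        echo "$role: key file $keyfile is not readable (check path and permissions)"
        return 1
    fi
    if has_private_key "$keyfile"; then
        echo "$role: private key found in $keyfile"
        return 0
    fi
    echo "$role: $keyfile has no PEM private-key block; set ${role}_tls_key_file"
    return 1
}

# --- constructed demo input: hypothetical paths, dummy PEM bodies ---
DEMO=$(mktemp -d)
cat > "$DEMO/chain.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIB...dummy...
-----END CERTIFICATE-----
EOF
cat > "$DEMO/server.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
MIIE...dummy...
-----END RSA PRIVATE KEY-----
EOF
# Mirrors the thread: smtp_tls_key_file set, smtpd_tls_key_file not set,
# so smtpd falls back to the cert-only file.
cat > "$DEMO/broken.cf" <<EOF
smtp_tls_key_file = $DEMO/server.key
smtpd_tls_cert_file = $DEMO/chain.crt
smtpd_tls_security_level = may
EOF
# Same files with the smtpd key file named explicitly.
cat > "$DEMO/fixed.cf" <<EOF
smtpd_tls_cert_file = $DEMO/chain.crt
smtpd_tls_key_file = $DEMO/server.key
EOF

check_role smtpd "$DEMO/broken.cf" || :   # reports: no PEM private-key block
check_role smtpd "$DEMO/fixed.cf"  || :   # reports: private key found
```

Run it against the real output of `postconf -n` on the server to see which file smtpd will open; once the key file is right, `openssl s_client -connect host:25 -starttls smtp` should get past the 454 and show the certificate chain.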