On Aug 23, 2013, at 10:36, David Benfell <dbenf...@gmail.com> wrote:

>> Have you tested your server with 'openssl s_client'? This is what I
>> am getting;
>>
>> $ openssl s_client -connect mail.parts-unknown.org:25 -starttls smtp
>> CONNECTED(00000003)
>> 4851:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/ssl/s23_clnt.c:607:
>>
>
> I see the word error. ;-) I assume you got, more completely, the same
> thing I got after following your advice below:
>
> CONNECTED(00000003)
> 139983650948752:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:766:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 244 bytes and written 357 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---

No, I got a different error, look at the last number.

>> Disable debug logging, and lower your TLS log level. Restart
>> Postfix, and check your logs for any warnings or errors.
>>
>
> So I did this and sent a test message from gmail. It does seem to be
> having a problem finding the key file:
>
> Aug 23 01:12:41 munich.parts-unknown.org postfix/tlsproxy[18925]: warning: cannot get RSA private key from file /big/www/ssl/munich/munich.parts-unknown.org.concatenated.crt: disa...LS support
> Aug 23 01:12:41 munich.parts-unknown.org postfix/tlsproxy[18925]: warning: TLS library problem: 18925:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expectin...IVATE KEY:
> Aug 23 01:12:41 munich.parts-unknown.org postfix/tlsproxy[18925]: warning: TLS library problem: 18925:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:
>
> Why is this line not working?
>
> smtp_tls_key_file = /big/www/ssl/munich/munich.parts-unknown.org.key
>
> I've checked the file, it contains a private key.

Are you sure it is correctly formatted? It is complaining about it;

"PEM_read_bio:no start line:pem_lib.c:703:Expectin...IVATE KEY:"

The start and end should be marked by the following lines;

-----BEGIN RSA PRIVATE KEY-----
<key goes here>
-----END RSA PRIVATE KEY-----

And each certificate, whether it is your host certificate or an intermediate, should be marked in a similar way;

-----BEGIN CERTIFICATE-----
<certificate goes here>
-----END CERTIFICATE-----

This is what the TLS library uses to read in the key and certificates when Postfix starts, and it looks like they may be missing, in your case. It is no problem to concatenate them, as long as you have the start and end markers for each, on their own lines.

Mvg,
Joni
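A framing check for a key or concatenated certificate file before Postfix loads it, as an added example that is not part of the thread; it looks for exactly the BEGIN/END marker pairs described above, and the demo file path and PEM bodies are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example, not from the thread: verify that every PEM block in a file
# Postfix will load has a matching "-----BEGIN ...-----" / "-----END ...-----"
# pair, each on its own line, which is what PEM_read_bio looks for.
# Prints one line per block ("KEY <label>" or "CERT <label>"), returns 1 on
# any framing problem (no blocks, unterminated, mismatched, or inline marker).
pem_check() {
    awk '
        /^-----BEGIN [A-Z0-9 ]+-----$/ {
            if (open != "") { print "ERROR: nested BEGIN at line " NR; bad = 1 }
            open = $0; sub(/^-----BEGIN /, "", open); sub(/-----$/, "", open)
            next
        }
        /^-----END [A-Z0-9 ]+-----$/ {
            label = $0; sub(/^-----END /, "", label); sub(/-----$/, "", label)
            if (open == "")         { print "ERROR: END without BEGIN at line " NR; bad = 1 }
            else if (label != open) { print "ERROR: " open " closed by END " label; bad = 1 }
            else { kind = (label ~ /PRIVATE KEY/) ? "KEY" : "CERT"; print kind " " label; blocks++ }
            open = ""
            next
        }
        /-----(BEGIN|END) / {
            # Marker text present but not alone on the line (leading space,
            # two blocks joined on one line, stray mail quoting, ...).
            print "ERROR: marker not on its own line at line " NR; bad = 1
        }
        END {
            if (open != "")  { print "ERROR: unterminated block " open; bad = 1 }
            if (blocks == 0) { print "ERROR: no PEM blocks found"; bad = 1 }
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# Demo on a constructed file (bodies are placeholder base64, not a real key).
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIga2V5IGJvZHk=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgY2VydCBib2R5
-----END CERTIFICATE-----
EOF
pem_check "$demo_file" && echo "framing OK"
rm -f "$demo_file"
```

Framing is all this checks; `openssl rsa -check -noout -in FILE` confirms the key itself parses, and comparing `openssl rsa -noout -modulus` with `openssl x509 -noout -modulus` confirms the key belongs to the certificate.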