On Sat, Jan 31, 2015 at 01:44:41PM -0800, Dmt Ops wrote:

> 1st step, I created and installed self-signed certs & added these
> smtpd_tls_* to config
> 
>     -o smtpd_use_tls=yes
>     -o smtpd_tls_security_level=may
>     -o smtpd_tls_CApath=/etc/ssl/certs
>     -o smtpd_tls_cert_file="/etc/ssl/mail/myserver.crt"
>     -o smtpd_tls_key_file="/etc/ssl/mail/myserver.key"

What are those silly double-quotes doing there?

Postfix loads keys before chrooting itself (if configured) and
dropping privileges.  Therefore, private keys should be owned by
"root", mode 0600.  DO NOT make them readable by the "postfix" user
or group.

> 'postfix check' reports no errors and on 'start' neither do the logs.

Postfix check does not check TLS certificates.

> When the server receives a message I get an error about the RSA cert
> 
>     Jan 31 12:37:54 mail postfix/smtpd[8337]: warning: cannot get RSA certificate from file "/etc/ssl/mail/myserver.crt": disabling TLS support

The error message in question is the result of problems reading a
"chain file", containing a server certificate and additional CA
certificates:

    if (SSL_CTX_use_certificate_chain_file(ctx, cert_file) <= 0) {
        msg_warn("cannot get %s certificate from file %s: "
                 "disabling TLS support", cert_type, cert_file);
        tls_print_errors();
        return (0);
    }

The double-quotes are part of the filename!


> I don't see why Postfix doesn't like my crt.
> 
> What have I missed or broken?

main.cf is not a shell script.

-- 
        Viktor.
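
An added example, not part of the message above and not Postfix code: a pre-flight check that reads the `-o name=value` overrides literally, as the reply describes, and reports quote characters that end up in the filename, files that cannot be opened, and key files that are not root-owned or are accessible to group/other. The function names and the `SAMPLE` text (constructed from the settings quoted in the thread) are assumptions for illustration.

```python
import os
import stat

QUOTES = "\"'"

# Constructed sample: the overrides quoted in the thread above.
SAMPLE = '''
    -o smtpd_tls_security_level=may
    -o smtpd_tls_cert_file="/etc/ssl/mail/myserver.crt"
    -o smtpd_tls_key_file="/etc/ssl/mail/myserver.key"
'''

def parse_overrides(text):
    """Return {name: value} for '-o name=value' lines; the value is kept verbatim."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-o ") and "=" in line:
            name, value = line[3:].split("=", 1)
            params[name.strip()] = value.strip()
    return params

def check_path(name, value, is_key=False):
    """List problems with one file-valued parameter, reading the value literally."""
    problems = []
    # No shell-style quote removal happens, so quotes stay in the filename.
    if value and (value[0] in QUOTES or value[-1] in QUOTES):
        problems.append(f"{name}: quotes are part of the filename: {value}")
    try:
        st = os.stat(value)
    except OSError as err:
        problems.append(f"{name}: cannot open {value}: {err.strerror}")
        return problems
    if is_key and st.st_uid != 0:
        problems.append(f"{name}: key not owned by root (uid {st.st_uid})")
    if is_key and stat.S_IMODE(st.st_mode) & 0o077:
        mode = stat.S_IMODE(st.st_mode)
        problems.append(f"{name}: key mode {mode:04o} allows group/other access")
    return problems

def audit(params):
    """Check the certificate and key parameters found in params."""
    problems = []
    for name, is_key in (("smtpd_tls_cert_file", False), ("smtpd_tls_key_file", True)):
        if name in params:
            problems += check_path(name, params[name], is_key)
    return problems

if __name__ == "__main__":
    print("\n".join(audit(parse_overrides(SAMPLE))))
```

On a live system the same checks can be fed from the actual configuration instead of `SAMPLE`; this sketch does not verify that the certificate itself parses.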
