Sorry this hit my junkmail folder…
The fix to this was to turn off SELinux. Every time the smtpd daemon tried to read the cert, it would get denied. Once I turned off SELinux… it was happy. (Of course the cert is 8192 which may be a bit excessive over 2048)

-Mike

> On Apr 20, 2017, at 2:41 PM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>
>> On Apr 20, 2017, at 2:48 PM, Michael Segel <dovecot_...@hotmail.com> wrote:
>>
>> warning: cannot get RSA certificate from file /etc/pki/dovecot/mailCert.pem:
>> disabling TLS support
>
> That means that the file contained no certificate and/or was corrupted.
> Additional messages may be logged following that one with more detail if
> the file could not be parsed.
>
> There are many certificate formats; when you say "cert", what format are
> you using?
>
> If you have SELinux or similar, the security software may be preventing
> Postfix (even when running as "root") from reading the file.
>
>> The first time I tried this was to set up the cert and key (private) into
>> two different files and then place them in the /etc/pki/dovecot/certs and
>> ../private folders. Both were 644 and I had this error.
>
> The private key should not be world-readable.
>
>> I tried to follow some of the advice online, and one of them suggested that
>> I combine the two into a single file, and then check them (I did) and then
>> have postfix point to that file for either the cert or the key.
>
> A single mode 0600 file is sometimes simpler, but separate files are equally
> well supported.
>
>> I tested the three files to ensure that the key and the cert were valid
>> and ran both tests on the combined file.
>
> That means nothing when you don't explain in detail what tests you ran.
>
>> Is there a maximum size to the key?
>
> Some TLS implementations limit the key size. And ridiculously large keys
> may therefore not interoperate.
>
>> I know it defaults to 2048, but I bumped it up to 8192.
>
> 8192 is ridiculously large. You get less security when remote senders
> can't use the key, and fall back to cleartext. Stick to 2048, and of
> course if you change the key you need a corresponding new certificate.
>
> --
> Viktor.