
Fwd: Postfix SMTP server: errors from unknown[209.85.212.69]


Fwd: Postfix SMTP server: errors from unknown[209.85.212.69]

David Benfell
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

Unfortunately, I'm finding this singularly unhelpful:


- -------- Original Message --------
Subject: Postfix SMTP server: errors from unknown[209.85.212.69]
Date: Thu, 22 Aug 2013 23:39:49 -0700 (PDT)
From: [hidden email] (Mail Delivery System)
To: [hidden email] (Postmaster)

Transcript of session follows.

 Out: 220 mail.parts-unknown.org ESMTP Postfix
 In:  EHLO mail-vb0-f69.google.com
 Out: 250-mail.parts-unknown.org
 Out: 250-PIPELINING
 Out: 250-SIZE 20971520
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250-STARTTLS
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  STARTTLS
 Out: 454 4.7.0 TLS not available due to local problem
 In:  QUIT
 Out: 221 2.0.0 Bye


For other details, see the local mail logfile
- ---------------------------------------------

The logfile doesn't help me either. I don't know if I've included
enough here:

Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: >
unknown[209.85.212.69]: 220 mail.parts-unknown.org ESMTP Postfix
Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: <
unknown[209.85.212.69]: EHLO mail-vb0-f69.google.com
Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]:
match_list_match: unknown: no match
Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]:
match_list_match: 209.85.212.69: no match
Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: >
unknown[209.85.212.69]: 250-mail.parts-unknown.org
Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: >
unknown[209.85.212.69]: 250-PIPELINING
Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: >
unknown[209.85.212.69]: 250-SIZE 20971520
Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: >
unknown[209.85.212.69]: 250-VRFY
Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: >
unknown[209.85.212.69]: 250-ETRN
Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: >
unknown[209.85.212.69]: 250-STARTTLS
Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: >
unknown[209.85.212.69]: 250-ENHANCEDSTATUSCODES
Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: >
unknown[209.85.212.69]: 250-8BITMIME
Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: >
unknown[209.85.212.69]: 250 DSN
Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: <
unknown[209.85.212.69]: STARTTLS
Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: >
unknown[209.85.212.69]: 454 4.7.0 TLS not available due to local problem
Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: <
unknown[209.85.212.69]: QUIT
Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: >
unknown[209.85.212.69]: 221 2.0.0 Bye
Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]:
match_hostname: unknown ~? 10.8.0.0/16
Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]:
match_hostaddr: 209.85.212.69 ~? 10.8.0.0/16
Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]:
match_hostname: unknown ~? 127.0.0.0/8
Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]:
match_hostaddr: 209.85.212.69 ~? 127.0.0.0/8
Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]:
match_list_match: unknown: no match
Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]:
match_list_match: 209.85.212.69: no match
Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: send
attr request = disconnect
Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: send
attr ident = smtpd:209.85.212.69
Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]:
private/anvil: wanted attribute: status
Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: input
attribute name: status
Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: input
attribute value: 0
Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]:
private/anvil: wanted attribute: (list terminator)
Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: input
attribute name: (end)
Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]:
smtpd_chat_notify: notify postmaster
Aug 22 23:39:49 munich.parts-unknown.org postfix/smtpd[3217]: connect
to subsystem public/cleanup
Aug 22 23:39:50 munich.parts-unknown.org postfix/smtpd[3217]:
public/cleanup socket: wanted attribute: queue_id
Aug 22 23:39:50 munich.parts-unknown.org postfix/smtpd[3217]: input
attribute name: queue_id
Aug 22 23:39:50 munich.parts-unknown.org postfix/smtpd[3217]: input
attribute value: 0F01D4631E1
Aug 22 23:39:50 munich.parts-unknown.org postfix/smtpd[3217]:
public/cleanup socket: wanted attribute: (list terminator)
Aug 22 23:39:50 munich.parts-unknown.org postfix/smtpd[3217]: input
attribute name: (end)
Aug 22 23:39:50 munich.parts-unknown.org postfix/smtpd[3217]: send
attr flags = 32

Here's my postconf -n:

address_verify_map = btree:$data_directory/verify_cache
alias_database = $alias_maps
alias_maps = hash:/etc/postfix/aliases, hash:/var/lib/mailman/data/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/bin
config_directory = /etc/postfix
content_filter = scan:127.0.0.1:10026
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin; export PATH;
(echo cont; echo where) | gdb $daemon_directory/$process_name
$process_id 2>&1 >$config_directory/$process_name.$process_id.log &
sleep 5
fast_flush_domains = $relay_domains
header_checks = pcre:/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = no
in_flow_delay = 1s
inet_interfaces = 127.0.0.1, 10.8.0.1, 91.205.174.238
inet_protocols = ipv4
local_destination_concurrency_limit = 2
mail_owner = postfix
mailbox_command_maps = hash:/etc/postfix/mailbox_commands
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 20971520
mydestination = localhost, localhost.$mydomain, cybernude.org,
mail.cybernude.org, munich.cybernude.org, www.cybernude.org,
disunitedstates.com, mail.disunitedstates.com,
munich.disunitedstates.com, www.disunitedstates.com,
disunitedstates.org, mail.disunitedstates.org,
munich.disunitedstates.org, www.disunitedstates.org, greybeard95a.com,
mail.greybeard95a.com, munich.greybeard95a.com, www.greybeard95a.com,
n4rky.me, mail.n4rky.me, munich.n4rky.me, www.n4rky.me,
parts-unknown.org, mail.parts-unknown.org, munich.parts-unknown.org,
www.parts-unknown.org
mydomain = parts-unknown.org
myhostname = mail.parts-unknown.org
mynetworks = 10.8.0.0/16, 127.0.0.0/8
mynetworks_style = subnet
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases
postscreen_access_list = permit_mynetworks,
cidr:/etc/postfix/postscreen_access.cidr
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = yes
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map =
pcre:$config_directory/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*3, b.barracudacentral.org*2,
bl.spameatingmonkey.net*2, dnsbl.ahbl.org*2, bl.spamcop.net,
dnsbl.sorbs.net, psbl.surriel.com, bl.mailspike.net,
swl.spamhaus.org*-4, list.dnswl.org=127.[0..255].[0..255].0*-2,
list.dnswl.org=127.[0..255].[0..255].1*-3,
list.dnswl.org=127.[0..255].[0..255].[2..255]*-4,
postscreen_dnsbl_threshold = 3
postscreen_greet_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_enable = yes
queue_directory = /var/spool/postfix
readme_directory = no
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = *
sample_directory = /etc/postfix/sample
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_tls_key_file = /big/www/ssl/munich/munich.parts-unknown.org.key
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = permit_mynetworks,permit_sasl_authenticated
smtpd_peername_lookup = no
smtpd_recipient_restrictions =
permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_rbl_client
zen.spamhaus.org,reject_rbl_client bl.spamcop.net
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_recipient_access
hash:/etc/postfix/restrict
smtpd_tls_auth_only = yes
smtpd_tls_cert_file =
/big/www/ssl/munich/munich.parts-unknown.org.concatenated.crt
smtpd_tls_loglevel = 3
smtpd_tls_security_level = may
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman

What has changed are the SSL keys. But if something is wrong here, I
don't know how to tell what. This is a StartSSL.com certificate so
there's an intermediate key as well as the certificate itself and the
certificate authority key. The chain should be complete. I've just
checked my work; I think I did this right.

So how do I tell what's going wrong?

Thanks!
- --
David Benfell <[hidden email]>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.20 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----


Re: Postfix SMTP server: errors from unknown[209.85.212.69]

DTNX Postmaster
On Aug 23, 2013, at 09:20, David Benfell <[hidden email]> wrote:

> Unfortunately, I'm finding this singularly unhelpful:
>
> - -------- Original Message --------
> Subject: Postfix SMTP server: errors from unknown[209.85.212.69]

Check your DNS configuration; that IP address has matching forward and reverse records, and should therefore not yield 'unknown'.

> Transcript of session follows.
>
> Out: 220 mail.parts-unknown.org ESMTP Postfix
> In:  EHLO mail-vb0-f69.google.com
> Out: 250-mail.parts-unknown.org
> Out: 250-PIPELINING
> Out: 250-SIZE 20971520
> Out: 250-VRFY
> Out: 250-ETRN
> Out: 250-STARTTLS
> Out: 250-ENHANCEDSTATUSCODES
> Out: 250-8BITMIME
> Out: 250 DSN
> In:  STARTTLS
> Out: 454 4.7.0 TLS not available due to local problem
> In:  QUIT
> Out: 221 2.0.0 Bye

[snip]

> Here's my postconf -n:

[snip]

> smtp_tls_key_file = /big/www/ssl/munich/munich.parts-unknown.org.key
> smtp_tls_note_starttls_offer = yes
> smtp_use_tls = yes

Are you sure you need to specify 'smtp_tls_key_file' here? See;
http://www.postfix.org/postconf.5.html#smtp_tls_cert_file

> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file =
> /big/www/ssl/munich/munich.parts-unknown.org.concatenated.crt
> smtpd_tls_loglevel = 3
> smtpd_tls_security_level = may

Does the 'smtpd_tls_cert_file' contain the key? Also, inside the 'www'
directory? Why not store it in '/etc/ssl' or '/etc/postfix'?

Also, turn down 'smtpd_tls_loglevel' to '1' until you are sure it's
actually a TLS problem instead of a configuration issue.

> What has changed are the SSL keys. But if something is wrong here, I
> don't know how to tell what. This is a StartSSL.com certificate so
> there's an intermediate key as well as the certificate itself and the
> certificate authority key. The chain should be complete. I've just
> checked my work; I think I did this right.
>
> So how do I tell what's going wrong?

Have you tested your server with 'openssl s_client'? This is what I am
getting;

$ openssl s_client -connect mail.parts-unknown.org:25 -starttls smtp
CONNECTED(00000003)
4851:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/ssl/s23_clnt.c:607:

Disable debug logging, and lower your TLS log level. Restart Postfix,
and check your logs for any warnings or errors.

Check your configuration, related files, permissions, and so on. Revert
to the old certificate, see if that resolves the problem and enables
you to make a successful connection with the openssl client. Generate a
self-signed one, see if that resolves the problem, and so on.

Kind regards,
Joni
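The three configuration questions raised in this reply (does smtpd_tls_cert_file contain the key, is smtp_tls_key_file the right parameter, is the TLS log level too high) can be checked mechanically against a postconf -n dump. The following is an added example and is not code from the thread or from Postfix; it relies on two Postfix facts: the smtp_* parameters configure the outbound client and the smtpd_* parameters the inbound server, and smtpd_tls_key_file defaults to $smtpd_tls_cert_file, so leaving it unset makes Postfix look for the private key inside the certificate file. The sample input is constructed from the TLS lines of the poster's postconf -n.

```python
"""Lint a `postconf -n` dump for the smtpd TLS settings questioned above.

Added example, not code from the thread or from Postfix.
"""

# Constructed sample: the TLS lines from the poster's `postconf -n`, with the
# long value wrapped onto an indented continuation line as postconf prints it.
SAMPLE_POSTCONF = """\
smtp_tls_key_file = /big/www/ssl/munich/munich.parts-unknown.org.key
smtp_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file =
    /big/www/ssl/munich/munich.parts-unknown.org.concatenated.crt
smtpd_tls_loglevel = 3
smtpd_tls_security_level = may
"""


def parse_postconf(text):
    """Parse `name = value` lines into a dict; an indented line continues the previous value."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def lint_tls(params):
    """Return a list of findings about the server-side (smtpd) TLS configuration."""
    findings = []
    cert = params.get("smtpd_tls_cert_file", "")
    key = params.get("smtpd_tls_key_file", "")
    if cert and not key:
        # Postfix default: smtpd_tls_key_file = $smtpd_tls_cert_file
        findings.append(
            "smtpd_tls_key_file is unset, so the server private key is read from "
            "smtpd_tls_cert_file (%s); that file must contain the PRIVATE KEY block" % cert)
    if params.get("smtp_tls_key_file") and not key:
        findings.append(
            "smtp_tls_key_file only configures the outbound client; "
            "the inbound server key belongs in smtpd_tls_key_file")
    try:
        level = int(params.get("smtpd_tls_loglevel", "0"))
    except ValueError:
        level = 0
    if level > 1:
        findings.append(
            "smtpd_tls_loglevel = %d floods the log; use 1 while checking configuration" % level)
    return findings


if __name__ == "__main__":
    for finding in lint_tls(parse_postconf(SAMPLE_POSTCONF)):
        print("-", finding)
```

Run against the sample it reports all three findings; on a real server feed it the output of `postconf -n` directly.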


Re: Postfix SMTP server: errors from unknown[209.85.212.69]

David Benfell
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/23/2013 12:55 AM, DTNX Postmaster wrote:

> On Aug 23, 2013, at 09:20, David Benfell <[hidden email]>
> wrote:
>
>> Unfortunately, I'm finding this singularly unhelpful:
>>
>> - -------- Original Message -------- Subject: Postfix SMTP
>> server: errors from unknown[209.85.212.69]
>
> Check your DNS configuration; that IP address has matching forward
> and reverse records, and should therefore not yield 'unknown'.
>
>> Transcript of session follows.
>>
>> Out: 220 mail.parts-unknown.org ESMTP Postfix In:  EHLO
>> mail-vb0-f69.google.com Out: 250-mail.parts-unknown.org Out:
>> 250-PIPELINING Out: 250-SIZE 20971520 Out: 250-VRFY Out:
>> 250-ETRN Out: 250-STARTTLS Out: 250-ENHANCEDSTATUSCODES Out:
>> 250-8BITMIME Out: 250 DSN In:  STARTTLS Out: 454 4.7.0 TLS not
>> available due to local problem In:  QUIT Out: 221 2.0.0 Bye
>
> [snip]
>
>> Here's my postconf -n:
>
> [snip]
>
>> smtp_tls_key_file =
>> /big/www/ssl/munich/munich.parts-unknown.org.key
>> smtp_tls_note_starttls_offer = yes smtp_use_tls = yes
>
> Are you sure you need to specify 'smtp_tls_key_file' here? See;
> http://www.postfix.org/postconf.5.html#smtp_tls_cert_file
>
>> smtpd_tls_auth_only = yes smtpd_tls_cert_file =
>> /big/www/ssl/munich/munich.parts-unknown.org.concatenated.crt
>> smtpd_tls_loglevel = 3 smtpd_tls_security_level = may
>
> Does the 'smtpd_tls_cert_file' contain the key? Also, inside the
> 'www' directory? Why not store it in '/etc/ssl' or '/etc/postfix'?

I use these files for several applications. Including dovecot (where
thunderbird seems to think the concatenated key is just fine). So
/etc/postfix is inappropriate.

I don't like adding files to /etc/ssl because that directory is
populated by the distribution and for me there's a lot of stuff there
that I'm not interested in looking at.
>
> Also, turn down 'smtpd_tls_loglevel' to '1' until you are sure it's
>  actually a TLS problem instead of a configuration issue.

Done.

>
>> What has changed are the SSL keys. But if something is wrong
>> here, I don't know how to tell what. This is a StartSSL.com
>> certificate so there's an intermediate key as well as the
>> certificate itself and the certificate authority key. The chain
>> should be complete. I've just checked my work; I think I did this
>> right.
>>
>> So how do I tell what's going wrong?
>
> Have you tested your server with 'openssl s_client'? This is what I
> am getting;
>
> $ openssl s_client -connect mail.parts-unknown.org:25 -starttls
> smtp CONNECTED(00000003) 4851:error:140770FC:SSL
> routines:SSL23_GET_SERVER_HELLO:unknown
> protocol:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/ssl/s23_clnt.c:607:
>
>
I see the word error. ;-) I assume you got, more completely, the same
thing I got after following your advice below:

CONNECTED(00000003)
139983650948752:error:140770FC:SSL
routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:766:
- ---
no peer certificate available
- ---
No client certificate CA names sent
- ---
SSL handshake has read 244 bytes and written 357 bytes
- ---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
- ---

> Disable debug logging, and lower your TLS log level. Restart
> Postfix, and check your logs for any warnings or errors.
>
So I did this and sent a test message from gmail. It does seem to be
having a problem finding the key file:

Aug 23 01:12:41 munich.parts-unknown.org postfix/tlsproxy[18925]:
warning: cannot get RSA private key from file
/big/www/ssl/munich/munich.parts-unknown.org.concatenated.crt:
disa...LS support
Aug 23 01:12:41 munich.parts-unknown.org postfix/tlsproxy[18925]:
warning: TLS library problem: 18925:error:0906D06C:PEM
routines:PEM_read_bio:no start line:pem_lib.c:703:Expectin...IVATE KEY:
Aug 23 01:12:41 munich.parts-unknown.org postfix/tlsproxy[18925]:
warning: TLS library problem: 18925:error:140B0009:SSL
routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:

Why is this line not working?

smtp_tls_key_file = /big/www/ssl/munich/munich.parts-unknown.org.key

I've checked the file, it contains a private key.

> Check your configuration, related files, permissions, and so on.
> Revert to the old certificate, see if that resolves the problem and
> enables you to make a successful connection with the openssl client.
> Generate a self-signed one, see if that resolves the problem, and
> so on.

Reverting to the old certificate yielded the same result. The previous
configuration has the same permissions as the current one.
>
> Kind regards, Joni
>


- --
David Benfell / [hidden email]
Please see https://parts-unknown.org/node/2 for GnuPG information (or
the attachment you don't understand)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.20 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----

Re: Postfix SMTP server: errors from unknown[209.85.212.69]

Wietse Venema
David Benfell:
> Why is this line not working?
>
> smtp_tls_key_file = /big/www/ssl/munich/munich.parts-unknown.org.key

http://www.postfix.org/DEBUG_README.html#no_chroot

Try turning off chroot operation in master.cf

A common mistake is to turn on chroot operation in the master.cf
file without going through all the necessary steps to set up a
chroot environment. This causes Postfix daemon processes to fail
due to all kinds of missing files.

The example below shows an SMTP server that is configured with
chroot turned off:

    /etc/postfix/master.cf:
        # =============================================================
        # service type  private unpriv  chroot  wakeup  maxproc command
        #               (yes)   (yes)   (yes)   (never) (100)
        # =============================================================
        smtp      inet  n       -       n       -       -       smtpd

Inspect master.cf for any processes that have chroot operation not
turned off. If you find any, save a copy of the master.cf file, and
edit the entries in question. After executing the command "postfix
reload", see if the problem has gone away.

If turning off chrooted operation made the problem go away, then
congratulations. Leaving Postfix running in this way is adequate
for most sites. If you prefer chrooted operation, see the Postfix
BASIC_CONFIGURATION_README file for information about how to prepare
Postfix for chrooted operation.
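The inspection of master.cf described above can be scripted. The following is an added example, not code from the thread or from Postfix. It assumes the column layout shown in the DEBUG_README excerpt (service, type, private, unpriv, chroot, wakeup, maxproc, command) and, following that excerpt's "(yes)" header comment, treats a "-" in the chroot column as the default "y" of Postfix 2.x (Postfix 3.0 and later default to "n", so adjust for those). The master.cf fragment is constructed.

```python
"""Find master.cf services that run chrooted, and produce a copy with chroot turned off.

Added example, not code from the thread or from Postfix.
"""
import re

# Constructed sample master.cf fragment, modelled on the poster's setup (a
# content filter on port 10026 and the tlsproxy service that logged the warning).
SAMPLE_MASTER_CF = """\
# =============================================================
# service type  private unpriv  chroot  wakeup  maxproc command
#               (yes)   (yes)   (yes)   (never) (100)
# =============================================================
smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=scan:127.0.0.1:10026
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
tlsproxy  unix  -       -       y       -       0       tlsproxy
pickup    unix  n       -       n       60      1       pickup
"""

CHROOT_COLUMN = 4  # service, type, private, unpriv, chroot, wakeup, maxproc, command


def is_service_line(raw):
    """True for a service definition; blank lines, comments and indented '-o' continuations are not."""
    return bool(raw.strip()) and not raw.lstrip().startswith("#") and not raw[0].isspace()


def chrooted_services(text):
    """Return [(service, chroot_flag)] for entries that are chrooted or default to it."""
    found = []
    for raw in text.splitlines():
        if not is_service_line(raw):
            continue
        fields = raw.split()
        if len(fields) < 8:
            continue  # malformed; master.cf lines have eight columns
        flag = fields[CHROOT_COLUMN]
        if flag in ("y", "-"):  # '-' = default, which the header comment gives as (yes)
            found.append((fields[0], flag))
    return found


def disable_chroot(text):
    """Return master.cf text with the chroot column set to 'n' for every service, keeping alignment."""
    out = []
    for raw in text.splitlines():
        if is_service_line(raw):
            parts = re.split(r"(\s+)", raw)  # fields at even indices, whitespace runs at odd
            if len(parts) > 2 * CHROOT_COLUMN:
                parts[2 * CHROOT_COLUMN] = "n"
                raw = "".join(parts)
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for service, flag in chrooted_services(SAMPLE_MASTER_CF):
        print(f"{service}: chroot column is {flag!r}")
    print(disable_chroot(SAMPLE_MASTER_CF))
```

Save the original master.cf before writing the rewritten text back, then run `postfix reload` as the reply says.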

Re: Postfix SMTP server: errors from unknown[209.85.212.69]

DTNX Postmaster
In reply to this post by David Benfell
On Aug 23, 2013, at 10:36, David Benfell <[hidden email]> wrote:

>> Have you tested your server with 'openssl s_client'? This is what I
>> am getting;
>>
>> $ openssl s_client -connect mail.parts-unknown.org:25 -starttls
>> smtp CONNECTED(00000003) 4851:error:140770FC:SSL
>> routines:SSL23_GET_SERVER_HELLO:unknown
>> protocol:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/ssl/s23_clnt.c:607:
>>
>>
> I see the word error. ;-) I assume you got, more completely, the same
> thing I got after following your advice below:
>
> CONNECTED(00000003)
> 139983650948752:error:140770FC:SSL
> routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:766:
> - ---
> no peer certificate available
> - ---
> No client certificate CA names sent
> - ---
> SSL handshake has read 244 bytes and written 357 bytes
> - ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> - ---

No, I got a different error, look at the last number.

>> Disable debug logging, and lower your TLS log level. Restart
>> Postfix, and check your logs for any warnings or errors.
>>
> So I did this and sent a test message from gmail. It does seem to be
> having a problem finding the key file:
>
> Aug 23 01:12:41 munich.parts-unknown.org postfix/tlsproxy[18925]:
> warning: cannot get RSA private key from file
> /big/www/ssl/munich/munich.parts-unknown.org.concatenated.crt:
> disa...LS support
> Aug 23 01:12:41 munich.parts-unknown.org postfix/tlsproxy[18925]:
> warning: TLS library problem: 18925:error:0906D06C:PEM
> routines:PEM_read_bio:no start line:pem_lib.c:703:Expectin...IVATE KEY:
> Aug 23 01:12:41 munich.parts-unknown.org postfix/tlsproxy[18925]:
> warning: TLS library problem: 18925:error:140B0009:SSL
> routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:
>
> Why is this line not working?
>
> smtp_tls_key_file = /big/www/ssl/munich/munich.parts-unknown.org.key
>
> I've checked the file, it contains a private key.

Are you sure it is correctly formatted? It is complaining about it;

"PEM_read_bio:no start line:pem_lib.c:703:Expectin...IVATE KEY:"

The start and end should be marked by the following lines;

-----BEGIN RSA PRIVATE KEY-----
<key goes here>
-----END RSA PRIVATE KEY-----

And each certificate, whether it is your host certificate or an
intermediate, should be marked in a similar way;

-----BEGIN CERTIFICATE-----
<certificate goes here>
-----END CERTIFICATE-----

This is what the TLS library uses to read in the key and certificates
when Postfix starts, and it looks like they may be missing, in your
case.

It is no problem to concatenate them, as long as you have the start and
end markers for each, on their own lines.

Kind regards,
Joni
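The marker rules Joni lists above (one BEGIN/END pair per key or certificate, each on its own line) are exactly what produces the "no start line" error when violated, and they can be checked before Postfix is restarted. The following is an added example, not code from the thread or from Postfix or OpenSSL; the PEM bundles are constructed, and their base64 bodies are placeholder text rather than real key material.

```python
"""Structural check of a concatenated PEM bundle: every key and certificate
must sit between its own BEGIN/END marker lines.

Added example, not code from the thread or from Postfix/OpenSSL.
"""
import re

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")

# Constructed sample: key, host certificate and intermediate, each with its own
# markers. The bodies are placeholders, not real base64 key or certificate data.
GOOD_BUNDLE = """\
-----BEGIN RSA PRIVATE KEY-----
MIIEcONSTRUCTEDkeybody0000000000000000000000000000000000000000000
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDcONSTRUCTEDhostcert000000000000000000000000000000000000000000
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDcONSTRUCTEDintermediate0000000000000000000000000000000000000
-----END CERTIFICATE-----
"""

# A chain file with no key at all: what Postfix reads when smtpd_tls_key_file
# is left at its default of $smtpd_tls_cert_file.
CERTS_ONLY = "".join(GOOD_BUNDLE.splitlines(True)[3:])

# Two files joined with `cat` when the first lacked a trailing newline.
GLUED_MARKERS = GOOD_BUNDLE.replace(
    "-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----",
    "-----END CERTIFICATE----------BEGIN CERTIFICATE-----", 1)


def pem_blocks(text):
    """Return [(label, body_line_count)] per block; raise ValueError on a structural fault."""
    blocks = []
    label = None
    body = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        begin = BEGIN_RE.match(line)
        end = END_RE.match(line)
        if begin:
            if label is not None:
                raise ValueError(f"line {lineno}: BEGIN {begin.group(1)} inside unterminated {label} block")
            label, body = begin.group(1), 0
        elif end:
            if label != end.group(1):
                raise ValueError(f"line {lineno}: END {end.group(1)} does not close an open {label} block")
            if body == 0:
                raise ValueError(f"line {lineno}: empty {label} block")
            blocks.append((label, body))
            label = None
        elif "-----" in line:
            # Base64 never contains '-', so a dash run that is not a clean marker
            # line means two markers were glued onto one line.
            raise ValueError(f"line {lineno}: malformed marker line {line!r}")
        elif line and label is not None:
            body += 1
        # Text outside any block (e.g. 'Bag Attributes' comments) is ignored.
    if label is not None:
        raise ValueError(f"unterminated {label} block at end of file")
    return blocks


def structural_error(text):
    """Return the structural fault as a string, or None when the markers are well formed."""
    try:
        pem_blocks(text)
    except ValueError as err:
        return str(err)
    return None


def check_server_bundle(text):
    """Findings for a file used as smtpd_tls_cert_file and, by default, smtpd_tls_key_file."""
    labels = [label for label, _ in pem_blocks(text)]
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    findings = []
    if not keys:
        findings.append("no PRIVATE KEY block: loading the key from this file fails with "
                        "'PEM_read_bio:no start line'")
    elif len(keys) > 1:
        findings.append(f"{len(keys)} private key blocks; only the first is used")
    if "CERTIFICATE" not in labels:
        findings.append("no CERTIFICATE block")
    return findings


if __name__ == "__main__":
    for name, bundle in [("good", GOOD_BUNDLE), ("certs_only", CERTS_ONLY), ("glued", GLUED_MARKERS)]:
        fault = structural_error(bundle)
        print(name, "->", fault or check_server_bundle(bundle) or "ok")
```

A check of the structure alone will not catch a key that does not match the certificate; for that, compare the public key from each with the openssl tool after the markers are known to be right.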
