SSL_accept error


SSL_accept error

Ebbe Hjorth-4
Hi,
 
I just installed FreeBSD, postfix and dovecot.
 
I tried to do the setup from purplehat.org, but I keep getting the following error. Please help.
 
 
Aug  9 14:22:55 mail02 postfix/smtpd[1969]: SSL_accept error from mail-ew0-f224.google.com[209.85.219.224]: -1
Aug  9 14:22:55 mail02 postfix/smtpd[1855]: connect from bzq-79-182-42-58.red.bezeqint.net[79.182.42.58]
Aug  9 14:22:55 mail02 postfix/smtpd[1969]: lost connection after CONNECT from mail-ew0-f224.google.com[209.85.219.224]
 
 
mail02# postconf -n
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
html_directory = /usr/local/share/doc/postfix
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
mydestination = localhost.$mydomain, localhost
mydomain = apz.dk
myhostname = mail02.apz.dk
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
relay_domains = proxy:mysql:/usr/local/etc/postfix/mysql_relay_domains_maps.cf
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_recipient_restrictions = permit_mynetworks,  permit_sasl_authenticated,  reject_non_fqdn_hostname,  reject_non_fqdn_sender,  reject_non_fqdn_recipient,  reject_unauth_destination,  reject_unauth_pipelining,  reject_invalid_hostname,  reject_rbl_client list.dsbl.org,  reject_rbl_client bl.spamcop.net,  reject_rbl_client sbl-xbl.spamhaus.org
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
smtpd_tls_CAfile = /etc/ssl/postfix/smtpd.pem
smtpd_tls_cert_file = /etc/ssl/postfix/smtpd.pem
smtpd_tls_key_file = /etc/ssl/postfix/smtpd.pem
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/usr/local/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:125
virtual_mailbox_base = /usr/local/virtual
virtual_mailbox_domains = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 51200000
virtual_mailbox_maps = proxy:mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 125
virtual_transport = virtual
virtual_uid_maps = static:125

Re: SSL_accept error

Brian Evans - Postfix List
Ebbe Hjorth wrote:

> Hi,
>  
> I just installed FreeBSD, postfix and dovecot.
>  
> I tried to do the setup from purplehat.org <http://purplehat.org>, but
> I keep getting the following error. Please help.
>  
> Aug  9 14:22:55 mail02 postfix/smtpd[1969]: SSL_accept error from
> mail-ew0-f224.google.com
> <http://mail-ew0-f224.google.com>[209.85.219.224]: -1
> Aug  9 14:22:55 mail02 postfix/smtpd[1855]: connect from
> bzq-79-182-42-58.red.bezeqint.net
> <http://bzq-79-182-42-58.red.bezeqint.net>[79.182.42.58]
> Aug  9 14:22:55 mail02 postfix/smtpd[1969]: lost connection after
> CONNECT from mail-ew0-f224.google.com
> <http://mail-ew0-f224.google.com>[209.85.219.224]

See comments below.

>  
>  
> mail02# postconf -n
[snip]
> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated,  reject_non_fqdn_hostname,
> reject_non_fqdn_sender,  reject_non_fqdn_recipient,
> reject_unauth_destination,  reject_unauth_pipelining,
> reject_invalid_hostname,  reject_rbl_client list.dsbl.org
> <http://list.dsbl.org>,  reject_rbl_client bl.spamcop.net
> <http://bl.spamcop.net>,  reject_rbl_client sbl-xbl.spamhaus.org
> <http://sbl-xbl.spamhaus.org>
>
reject_unauth_pipelining has little value here.
dsbl.org is dead.  You should remove it.
> smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
Worthless, suggest removing it to reduce confusion.

> smtpd_tls_CAfile = /etc/ssl/postfix/smtpd.pem
> smtpd_tls_cert_file = /etc/ssl/postfix/smtpd.pem
> smtpd_tls_key_file = /etc/ssl/postfix/smtpd.pem
This doesn't seem right.
The CA, cert and key files should NOT be the same.
Google is your friend.
A great guide by a frequent poster here is
http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html
> smtpd_use_tls = yes
This is deprecated as of Postfix 2.3 (though it still works).
Preferred is "smtpd_tls_security_level=may"

Re: SSL_accept error

Sahil Tandon
On Aug 10, 2009, at 1:16 PM, Brian Evans - Postfix List <[hidden email]> wrote:

> Ebbe Hjorth wrote:
>> Hi,
>>
>> I just installed FreeBSD, postfix and dovecot.
>>
>> I tried to do the setup from purplehat.org <http://purplehat.org>, but
>> I keep getting the following error. Please help.
>>
>> Aug  9 14:22:55 mail02 postfix/smtpd[1969]: SSL_accept error from
>> mail-ew0-f224.google.com
>> <http://mail-ew0-f224.google.com>[209.85.219.224]: -1
>> Aug  9 14:22:55 mail02 postfix/smtpd[1855]: connect from
>> bzq-79-182-42-58.red.bezeqint.net
>> <http://bzq-79-182-42-58.red.bezeqint.net>[79.182.42.58]
>> Aug  9 14:22:55 mail02 postfix/smtpd[1969]: lost connection after
>> CONNECT from mail-ew0-f224.google.com
>> <http://mail-ew0-f224.google.com>[209.85.219.224]
>
> See comments below.
>
>>
>>
>> mail02# postconf -n
> [snip]
>> smtpd_recipient_restrictions = permit_mynetworks,
>> permit_sasl_authenticated,  reject_non_fqdn_hostname,
>> reject_non_fqdn_sender,  reject_non_fqdn_recipient,
>> reject_unauth_destination,  reject_unauth_pipelining,
>> reject_invalid_hostname,  reject_rbl_client list.dsbl.org
>> <http://list.dsbl.org>,  reject_rbl_client bl.spamcop.net
>> <http://bl.spamcop.net>,  reject_rbl_client sbl-xbl.spamhaus.org
>> <http://sbl-xbl.spamhaus.org>
>>
> reject_unauth_pipelining has little value here.

If the OP installed postfix from FreeBSD ports, then it's likely 2.6+,  
in which case this is OK here.  See postconf(5) and 2.6.3 release notes.

> dsbl.org is dead.  You should remove it.
>> smtpd_sender_restrictions = permit_sasl_authenticated,  
>> permit_mynetworks
> Worthless, suggest removing it to reduce confusion.
>
>> smtpd_tls_CAfile = /etc/ssl/postfix/smtpd.pem
>> smtpd_tls_cert_file = /etc/ssl/postfix/smtpd.pem
>> smtpd_tls_key_file = /etc/ssl/postfix/smtpd.pem
> This doesn't seem right.
> The CA, cert and key files should NOT be the same.
> Google is your friend.
> A great guide by a frequent poster here is
> http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html
>> smtpd_use_tls = yes
> This is depreciated as of Postfix 2.3 (though still works).
> Preferred is "smtpd_tls_security_level=may"

Re: SSL_accept error

Sahil Tandon
On Mon, 10 Aug 2009, Ebbe Hjorth wrote:

> 2009/8/10 Sahil Tandon <[hidden email]>
>
> >  On Aug 10, 2009, at 1:16 PM, Brian Evans - Postfix List <
> > [hidden email]> wrote:
> >
> > Ebbe Hjorth wrote:
> >>
> >>> Hi,
> >>>
> >>> I just installed FreeBSD, postfix and dovecot.
> >>>
> >>> I tried to do the setup from purplehat.org <http://purplehat.org>, but
> >>> I keep getting the following error. Please help.
> >>>
> >>> Aug  9 14:22:55 mail02 postfix/smtpd[1969]: SSL_accept error from
> >>> mail-ew0-f224.google.com
> >>> <http://mail-ew0-f224.google.com>[209.85.219.224]: -1
> >>> Aug  9 14:22:55 mail02 postfix/smtpd[1855]: connect from
> >>> bzq-79-182-42-58.red.bezeqint.net
> >>> <http://bzq-79-182-42-58.red.bezeqint.net>[79.182.42.58]
> >>> Aug  9 14:22:55 mail02 postfix/smtpd[1969]: lost connection after
> >>> CONNECT from mail-ew0-f224.google.com
> >>> <http://mail-ew0-f224.google.com>[209.85.219.224]
> >>>
> >>
> >> See comments below.
> >>
> >>
> >>>
> >>> mail02# postconf -n
> >>>
> >> [snip]
> >>
> >>> smtpd_recipient_restrictions = permit_mynetworks,
> >>> permit_sasl_authenticated,  reject_non_fqdn_hostname,
> >>> reject_non_fqdn_sender,  reject_non_fqdn_recipient,
> >>> reject_unauth_destination,  reject_unauth_pipelining,
> >>> reject_invalid_hostname,  reject_rbl_client list.dsbl.org
> >>> <http://list.dsbl.org>,  reject_rbl_client bl.spamcop.net
> >>> <http://bl.spamcop.net>,  reject_rbl_client sbl-xbl.spamhaus.org
> >>> <http://sbl-xbl.spamhaus.org>
> >>>
> >>> reject_unauth_pipelining has little value here.
> >>
> >
> > If the OP installed postfix from FreeBSD ports, then it's likely 2.6+, in
> > which case this is OK here.  See postconf(5) and 2.6.3 release notes.
> >
>
> OP?

Original Poster.

> The postfix installed is postfix-2.6.2_1 - I'm not sure which part you
> mean about "this is OK"?

The part which is quoted directly above my response.  Specifically the
reference to reject_unauth_pipelining.

--
Sahil Tandon <[hidden email]>

Re: SSL_accept error

Ebbe Hjorth-4


2009/8/10 Brian Evans - Postfix List <[hidden email]>
Ebbe Hjorth wrote:
> Hi,
>
> I just installed FreeBSD, postfix and dovecot.
>
> I tried to do the setup from purplehat.org <http://purplehat.org>, but
> I keep getting the following error. Please help.
>
> Aug  9 14:22:55 mail02 postfix/smtpd[1969]: SSL_accept error from
> mail-ew0-f224.google.com
> <http://mail-ew0-f224.google.com>[209.85.219.224]: -1
> Aug  9 14:22:55 mail02 postfix/smtpd[1855]: connect from
> bzq-79-182-42-58.red.bezeqint.net
> <http://bzq-79-182-42-58.red.bezeqint.net>[79.182.42.58]
> Aug  9 14:22:55 mail02 postfix/smtpd[1969]: lost connection after
> CONNECT from mail-ew0-f224.google.com
> <http://mail-ew0-f224.google.com>[209.85.219.224]

See comments below.

>
>
> mail02# postconf -n
[snip]
> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated,  reject_non_fqdn_hostname,
> reject_non_fqdn_sender,  reject_non_fqdn_recipient,
> reject_unauth_destination,  reject_unauth_pipelining,
> reject_invalid_hostname,  reject_rbl_client list.dsbl.org
> <http://list.dsbl.org>,  reject_rbl_client bl.spamcop.net
> <http://bl.spamcop.net>,  reject_rbl_client sbl-xbl.spamhaus.org
> <http://sbl-xbl.spamhaus.org>
>
reject_unauth_pipelining has little value here.
dsbl.org is dead.  You should remove it.
> smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
Worthless, suggest removing it to reduce confusion.

> smtpd_tls_CAfile = /etc/ssl/postfix/smtpd.pem
> smtpd_tls_cert_file = /etc/ssl/postfix/smtpd.pem
> smtpd_tls_key_file = /etc/ssl/postfix/smtpd.pem
This doesn't seem right.
The CA, cert and key files should NOT be the same.
Google is your friend.
A great guide by a frequent poster here is
http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html
 
That is a brilliant link, I have read it all and love it, but I have a question regarding FreeBSD.
 
It says:
 
[[hidden email]]# cd misc/
[[hidden email]]# cp CA CA_nodes
[[hidden email]]# edit CA_nodes
 
But I have no CA. I have searched the hard drive but found nothing like that. Do you know what or where?
 
> smtpd_use_tls = yes
This is depreciated as of Postfix 2.3 (though still works).
Preferred is "smtpd_tls_security_level=may"


Re: SSL_accept error

Brian Evans - Postfix List
Ebbe Hjorth wrote:

> 2009/8/10 Brian Evans - Postfix List <[hidden email]
> <mailto:[hidden email]>>
>
>     A great guide by a frequent poster here is
>     http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html
>
>  
> That is a brilliant link, I have read it all and love it, but I have a
> question regarding FreeBSD.
>  
> It says:
>  
> [[hidden email] <mailto:[hidden email]>]# cd misc/
> [[hidden email] <mailto:[hidden email]>]# cp CA CA_nodes
> [[hidden email] <mailto:[hidden email]>]# edit CA_nodes
>  
> But I have no CA. I have searched the hard drive but found nothing like that.
> Do you know what or where?

On my mailserver (Gentoo based), it was called CA.sh in a recent openssl
version.
There are small nuances that have changed since that document was made.

Re: SSL_accept error

Ebbe Hjorth-4


2009/8/11 Brian Evans - Postfix List <[hidden email]>
Ebbe Hjorth wrote:
> 2009/8/10 Brian Evans - Postfix List <[hidden email]
> <mailto:[hidden email]>>
>
>     A great guide by a frequent poster here is
>     http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html
>
>
> That is a brilliant link, I have read it all and love it, but I have a
> question regarding FreeBSD.
>
> It says:
>
> [[hidden email] <mailto:[hidden email]>]# cd misc/
> [[hidden email] <mailto:[hidden email]>]# cp CA CA_nodes
> [[hidden email] <mailto:[hidden email]>]# edit CA_nodes
>
> But I have no CA. I have searched the hard drive but found nothing like that.
> Do you know what or where?

On my mailserver (Gentoo based), it was called CA.sh in a recent openssl
version.
There are small nuances that have changed since that document was made.
 
Hi Brian,
 
I love your feedback. After a reinstall of openssl, the CA.pl is there. I did the editing, created the certificates and got it signed, changed the group of the 3 files to postfix so I should be able to read them, and changed the path in the main.conf file, but...
 
Aug 11 19:21:24 mail02 postfix/master[34007]: daemon started -- version 2.6.2, configuration /usr/local/etc/postfix
Aug 11 19:21:30 mail02 postfix/smtpd[34018]: initializing the server-side TLS engine
Aug 11 19:21:30 mail02 postfix/smtpd[34018]: warning: cannot get RSA private key from file /usr/local/etc/postfix/newreq.pem: disabling TLS support
Aug 11 19:21:30 mail02 postfix/smtpd[34018]: warning: TLS library problem: 34018:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:650:Expecting: ANY PRIVATE KEY:
Aug 11 19:21:30 mail02 postfix/smtpd[34018]: warning: TLS library problem: 34018:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:669:
Aug 11 19:21:30 mail02 postfix/smtpd[34018]: connect from localhost[127.0.0.1]
Aug 11 19:21:30 mail02 postfix/smtpd[34018]: warning: Wrapper-mode request dropped from localhost[127.0.0.1] for service smtp. TLS context initialization failed. For details see earlier warnings in your logs.
Aug 11 19:21:30 mail02 postfix/smtpd[34018]: disconnect from localhost[127.0.0.1]

Re: SSL_accept error

Brian Evans - Postfix List
Ebbe Hjorth wrote:

>
>
> 2009/8/11 Brian Evans - Postfix List <[hidden email]
> <mailto:[hidden email]>>
>
>     Ebbe Hjorth wrote:
>     > 2009/8/10 Brian Evans - Postfix List <[hidden email]
>     <mailto:[hidden email]>
>     > <mailto:[hidden email] <mailto:[hidden email]>>>
>     >
>     >     A great guide by a frequent poster here is
>     >    
>     http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html
>     >
>     >
>     > That is a brilliant link, I have read it all and love it, but I have a
>     > question regarding FreeBSD.
>     >
>     > It says:
>     >
>     > [[hidden email] <mailto:[hidden email]>
>     <mailto:[hidden email] <mailto:[hidden email]>>]# cd misc/
>     > [[hidden email] <mailto:[hidden email]>
>     <mailto:[hidden email] <mailto:[hidden email]>>]# cp CA CA_nodes
>     > [[hidden email] <mailto:[hidden email]>
>     <mailto:[hidden email] <mailto:[hidden email]>>]# edit CA_nodes
>     >
>     > But I have no CA. I have searched the hard drive but found nothing like that.
>     > Do you know what or where?
>
>     On my mailserver (Gentoo based), it was called CA.sh in a recent
>     openssl
>     version.
>     There are small nuances that have changed since that document was
>     made.
>
>  
> Hi Brian,
>  
> I love your feedback. After a reinstall of openssl, the CA.pl is
> there. I did the editing, created the certificates and got it
> signed, changed the group of the 3 files to postfix so I should be
> able to read them, and changed the path in the main.conf file, but...
>  
> Aug 11 19:21:24 mail02 postfix/master[34007]: daemon started --
> version 2.6.2, configuration /usr/local/etc/postfix
> Aug 11 19:21:30 mail02 postfix/smtpd[34018]: initializing the
> server-side TLS engine
> Aug 11 19:21:30 mail02 postfix/smtpd[34018]: warning: cannot get RSA
> private key from file /usr/local/etc/postfix/newreq.pem: disabling TLS
> support
> Aug 11 19:21:30 mail02 postfix/smtpd[34018]: warning: TLS library
> problem: 34018:error:0906D06C:PEM routines:PEM_read_bio:no start
> line:pem_lib.c:650:Expecting: ANY PRIVATE KEY:
> Aug 11 19:21:30 mail02 postfix/smtpd[34018]: warning: TLS library
> problem: 34018:error:140B0009:SSL
> routines:SSL_CTX_use_PrivateKey_file:PEM
> lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:669:
> Aug 11 19:21:30 mail02 postfix/smtpd[34018]: connect from
> localhost[127.0.0.1]
> Aug 11 19:21:30 mail02 postfix/smtpd[34018]: warning: Wrapper-mode
> request dropped from localhost[127.0.0.1] for service smtp. TLS
> context initialization failed. For details see earlier warnings in
> your logs.
> Aug 11 19:21:30 mail02 postfix/smtpd[34018]: disconnect from
> localhost[127.0.0.1]

Fun debugging this stuff.
Again, the document is slightly out of date.
All openssl files are text and you should be able to cat/less them.

It seems the right tool for the job is newkey.pem not newreq.pem in the
latest generation scripts.

Re: SSL_accept error

Brian Evans - Postfix List
Brian Evans - Postfix List wrote:

> Ebbe Hjorth wrote:
>  
>> 2009/8/11 Brian Evans - Postfix List <[hidden email]
>> <mailto:[hidden email]>>
>>
>>     Ebbe Hjorth wrote:
>>     > 2009/8/10 Brian Evans - Postfix List <[hidden email]
>>     <mailto:[hidden email]>
>>     > <mailto:[hidden email] <mailto:[hidden email]>>>
>>     >
>>     >     A great guide by a frequent poster here is
>>     >    
>>     http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html
>>     >
>>     >
>>     > That is a brilliant link, I have read it all and love it, but I have a
>>     > question regarding FreeBSD.
>>     >
>>     > It says:
>>     >
>>     > [[hidden email] <mailto:[hidden email]>
>>     <mailto:[hidden email] <mailto:[hidden email]>>]# cd misc/
>>     > [[hidden email] <mailto:[hidden email]>
>>     <mailto:[hidden email] <mailto:[hidden email]>>]# cp CA CA_nodes
>>     > [[hidden email] <mailto:[hidden email]>
>>     <mailto:[hidden email] <mailto:[hidden email]>>]# edit CA_nodes
>>     >
>>     > But I have no CA. I have searched the hard drive but found nothing like that.
>>     > Do you know what or where?
>>
>>     On my mailserver (Gentoo based), it was called CA.sh in a recent
>>     openssl
>>     version.
>>     There are small nuances that have changed since that document was
>>     made.
>>
>>  
>> Hi Brian,
>>  
>> I love your feedback. After a reinstall of openssl, the CA.pl is
>> there. I did the editing, created the certificates and got it
>> signed, changed the group of the 3 files to postfix so I should be
>> able to read them, and changed the path in the main.conf file, but...
>>  
>> Aug 11 19:21:24 mail02 postfix/master[34007]: daemon started --
>> version 2.6.2, configuration /usr/local/etc/postfix
>> Aug 11 19:21:30 mail02 postfix/smtpd[34018]: initializing the
>> server-side TLS engine
>> Aug 11 19:21:30 mail02 postfix/smtpd[34018]: warning: cannot get RSA
>> private key from file /usr/local/etc/postfix/newreq.pem: disabling TLS
>> support
>> Aug 11 19:21:30 mail02 postfix/smtpd[34018]: warning: TLS library
>> problem: 34018:error:0906D06C:PEM routines:PEM_read_bio:no start
>> line:pem_lib.c:650:Expecting: ANY PRIVATE KEY:
>> Aug 11 19:21:30 mail02 postfix/smtpd[34018]: warning: TLS library
>> problem: 34018:error:140B0009:SSL
>> routines:SSL_CTX_use_PrivateKey_file:PEM
>> lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:669:
>> Aug 11 19:21:30 mail02 postfix/smtpd[34018]: connect from
>> localhost[127.0.0.1]
>> Aug 11 19:21:30 mail02 postfix/smtpd[34018]: warning: Wrapper-mode
>> request dropped from localhost[127.0.0.1] for service smtp. TLS
>> context initialization failed. For details see earlier warnings in
>> your logs.
>> Aug 11 19:21:30 mail02 postfix/smtpd[34018]: disconnect from
>> localhost[127.0.0.1]
>>    
>
> Fun debugging this stuff.
> Again, the document is slightly out of date.
> All openssl files are text and you should be able to cat/less them.
>
> It seems the right tool for the job is newkey.pem not newreq.pem in the
> latest generation scripts.
>  
This could also be my mistake.

You definitely need to see "RSA Private Key" in the file listed as the key.

Re: SSL_accept error

Ebbe Hjorth-4

2009/8/11 Brian Evans - Postfix List <[hidden email]>
Brian Evans - Postfix List wrote:
> Ebbe Hjorth wrote:
>
>> 2009/8/11 Brian Evans - Postfix List <[hidden email]
>> <mailto:[hidden email]>>
>>
>>     Ebbe Hjorth wrote:
>>     > 2009/8/10 Brian Evans - Postfix List <[hidden email]
>>     <mailto:[hidden email]>
>>     > <mailto:[hidden email] <mailto:[hidden email]>>>
>>     >
>>     >     A great guide by a frequent poster here is
>>     >
>>     http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html
>>     >
>>     >
>>     > That is a brilliant link, I have read it all and love it, but I have a
>>     > question regarding FreeBSD.
>>     >
>>     > It says:
>>     >
>>     > [[hidden email] <mailto:[hidden email]>
>>     <mailto:[hidden email] <mailto:[hidden email]>>]# cd misc/
>>     > [[hidden email] <mailto:[hidden email]>
>>     <mailto:[hidden email] <mailto:[hidden email]>>]# cp CA CA_nodes
>>     > [[hidden email] <mailto:[hidden email]>
>>     <mailto:[hidden email] <mailto:[hidden email]>>]# edit CA_nodes
>>     >
>>     > But I have no CA. I have searched the hard drive but found nothing like that.
>>     > Do you know what or where?
>>
>>     On my mailserver (Gentoo based), it was called CA.sh in a recent
>>     openssl
>>     version.
>>     There are small nuances that have changed since that document was
>>     made.
>>
>>
>> Hi Brian,
>>
>> I love your feedback. After a reinstall of openssl, the CA.pl is
>> there. I did the editing, created the certificates and got it
>> signed, changed the group of the 3 files to postfix so I should be
>> able to read them, and changed the path in the main.conf file, but...
>>
>> Aug 11 19:21:24 mail02 postfix/master[34007]: daemon started --
>> version 2.6.2, configuration /usr/local/etc/postfix
>> Aug 11 19:21:30 mail02 postfix/smtpd[34018]: initializing the
>> server-side TLS engine
>> Aug 11 19:21:30 mail02 postfix/smtpd[34018]: warning: cannot get RSA
>> private key from file /usr/local/etc/postfix/newreq.pem: disabling TLS
>> support
>> Aug 11 19:21:30 mail02 postfix/smtpd[34018]: warning: TLS library
>> problem: 34018:error:0906D06C:PEM routines:PEM_read_bio:no start
>> line:pem_lib.c:650:Expecting: ANY PRIVATE KEY:
>> Aug 11 19:21:30 mail02 postfix/smtpd[34018]: warning: TLS library
>> problem: 34018:error:140B0009:SSL
>> routines:SSL_CTX_use_PrivateKey_file:PEM
>> lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:669:
>> Aug 11 19:21:30 mail02 postfix/smtpd[34018]: connect from
>> localhost[127.0.0.1]
>> Aug 11 19:21:30 mail02 postfix/smtpd[34018]: warning: Wrapper-mode
>> request dropped from localhost[127.0.0.1] for service smtp. TLS
>> context initialization failed. For details see earlier warnings in
>> your logs.
>> Aug 11 19:21:30 mail02 postfix/smtpd[34018]: disconnect from
>> localhost[127.0.0.1]
>>
>
> Fun debugging this stuff.
> Again, the document is slightly out of date.
> All openssl files are text and you should be able to cat/less them.
>
> It seems the right tool for the job is newkey.pem not newreq.pem in the
> latest generation scripts.
>
This could also be my mistake as well.

You definitely need to see "RSA Private Key" in the file listed as the key
 
Maybe you don't know it, but I'm a total openssl newbie, so you have kind of lost me ;) I hate debugging when Google can't help me, then I'm really lost ;) And that + newbie = damn

Re: SSL_accept error

Zaeem Arshad-2


On Tue, Aug 11, 2009 at 11:27 PM, Ebbe Hjorth <[hidden email]> wrote:


2009/8/11 Brian Evans - Postfix List <[hidden email]>
Ebbe Hjorth wrote:
> 2009/8/10 Brian Evans - Postfix List <[hidden email]
> <mailto:[hidden email]>>
>
>     A great guide by a frequent poster here is
>     http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html
>
>
> That is a brilliant link, I have read it all and love it, but I have a
> question regarding FreeBSD.
>
> It says:
>
> [[hidden email] <mailto:[hidden email]>]# cd misc/
> [[hidden email] <mailto:[hidden email]>]# cp CA CA_nodes
> [[hidden email] <mailto:[hidden email]>]# edit CA_nodes
>
> But I have no CA. I have searched the hard drive but found nothing like that.
> Do you know what or where?

On my mailserver (Gentoo based), it was called CA.sh in a recent openssl
version.
There are small nuances that have changed since that document was made.
 
Hi Brian,
 
I love your feedback. After a reinstall of openssl, the CA.pl is there. I did the editing, created the certificates and got it signed, changed the group of the 3 files to postfix so I should be able to read them, and changed the path in the main.conf file, but...
 
Aug 11 19:21:24 mail02 postfix/master[34007]: daemon started -- version 2.6.2, configuration /usr/local/etc/postfix
Aug 11 19:21:30 mail02 postfix/smtpd[34018]: initializing the server-side TLS engine
Aug 11 19:21:30 mail02 postfix/smtpd[34018]: warning: cannot get RSA private key from file /usr/local/etc/postfix/newreq.pem: disabling TLS support
Aug 11 19:21:30 mail02 postfix/smtpd[34018]: warning: TLS library problem: 34018:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:650:Expecting: ANY PRIVATE KEY:
Aug 11 19:21:30 mail02 postfix/smtpd[34018]: warning: TLS library problem: 34018:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:669:
Aug 11 19:21:30 mail02 postfix/smtpd[34018]: connect from localhost[127.0.0.1]
Aug 11 19:21:30 mail02 postfix/smtpd[34018]: warning: Wrapper-mode request dropped from localhost[127.0.0.1] for service smtp. TLS context initialization failed. For details see earlier warnings in your logs.
Aug 11 19:21:30 mail02 postfix/smtpd[34018]: disconnect from localhost[127.0.0.1]


smtpd_tls_key_file = /etc/postfix-corp/newkey.pem
smtpd_tls_cert_file = /etc/postfix-corp/newcert.pem
smtpd_tls_CAfile = /etc/postfix-corp/cacert.pem


Use newkey.pem instead of newreq.pem


Re: SSL_accept error

Ebbe Hjorth-4


2009/8/12 Zaeem Arshad <[hidden email]>


On Tue, Aug 11, 2009 at 11:27 PM, Ebbe Hjorth <[hidden email]> wrote:


2009/8/11 Brian Evans - Postfix List <[hidden email]>
Ebbe Hjorth wrote:
> 2009/8/10 Brian Evans - Postfix List <[hidden email]
> <mailto:[hidden email]>>
>
>     A great guide by a frequent poster here is
>     http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html
>
>
> That is a brilliant link, I have read it all and love it, but I have a
> question regarding FreeBSD.
>
> It says:
>
> [[hidden email] <mailto:[hidden email]>]# cd misc/
> [[hidden email] <mailto:[hidden email]>]# cp CA CA_nodes
> [[hidden email] <mailto:[hidden email]>]# edit CA_nodes
>
> But I have no CA. I have searched the hard drive but found nothing like that.
> Do you know what or where?

On my mailserver (Gentoo based), it was called CA.sh in a recent openssl
version.
There are small nuances that have changed since that document was made.
 
Hi Brian,
 
I love your feedback. After a reinstall of openssl, the CA.pl is there. I did the editing, created the certificates and got it signed, changed the group of the 3 files to postfix so I should be able to read them, and changed the path in the main.conf file, but...
 
Aug 11 19:21:24 mail02 postfix/master[34007]: daemon started -- version 2.6.2, configuration /usr/local/etc/postfix
Aug 11 19:21:30 mail02 postfix/smtpd[34018]: initializing the server-side TLS engine
Aug 11 19:21:30 mail02 postfix/smtpd[34018]: warning: cannot get RSA private key from file /usr/local/etc/postfix/newreq.pem: disabling TLS support
Aug 11 19:21:30 mail02 postfix/smtpd[34018]: warning: TLS library problem: 34018:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:650:Expecting: ANY PRIVATE KEY:
Aug 11 19:21:30 mail02 postfix/smtpd[34018]: warning: TLS library problem: 34018:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:669:
Aug 11 19:21:30 mail02 postfix/smtpd[34018]: connect from localhost[127.0.0.1]
Aug 11 19:21:30 mail02 postfix/smtpd[34018]: warning: Wrapper-mode request dropped from localhost[127.0.0.1] for service smtp. TLS context initialization failed. For details see earlier warnings in your logs.
Aug 11 19:21:30 mail02 postfix/smtpd[34018]: disconnect from localhost[127.0.0.1]


smtpd_tls_key_file = /etc/postfix-corp/newkey.pem
smtpd_tls_cert_file = /etc/postfix-corp/newcert.pem
smtpd_tls_CAfile = /etc/postfix-corp/cacert.pem


Use newkey.pem instead of newreq.pem

 
Ahh, now we are talking. I have followed the guide on http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html and that doesn't produce a newkey.pem, which is why I got a little extra confused ;)
 
From the guide:

Let's review what we have generated:

newreq.pem

This is the private SERVER CERT. We generated it in order to request a CA to sign it. It contains our private key.

newcert.pem

That is your public SERVER CERT. It has been signed by a CA, in this case ourselves.

demoCA/cacert.pem

This is the CERT of the CA Authority. We created it when we made ourselves a CA.
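Both mistakes in this thread (one PEM file named for all three smtpd_tls_* settings, and later a key path pointing at a newreq.pem that no longer holds the private key) can be caught before restarting Postfix by reading the PEM block labels in each configured file, which is what the "no start line ... Expecting: ANY PRIVATE KEY" warning is complaining about. The checker below is an added example, not code from the thread or from Postfix; its PEM bodies are constructed placeholders, the contents of the original poster's smtpd.pem are assumed, and the demoCA/cacert.pem and newcert.pem paths under /usr/local/etc/postfix in the second scenario are assumed too.

```python
import re
# PEM armour only; the base64 body between the markers is never decoded.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
# Labels accepted for "ANY PRIVATE KEY", the expectation in the thread's 'no start line' warning.
PRIVATE_KEY_LABELS = {"RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY",
                      "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
CERT_LABELS = {"CERTIFICATE", "X509 CERTIFICATE", "TRUSTED CERTIFICATE"}
TLS_PARAMS = ("smtpd_tls_key_file", "smtpd_tls_cert_file", "smtpd_tls_CAfile")


def parse_postconf(text):
    """Parse `postconf -n` output; lines starting with whitespace continue the previous value."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and current is not None:
            params[current] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def pem_labels(content):
    """Return the PEM block labels found in a file, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(content)]


def check_tls_files(params, files):
    """Return a list of findings (empty means the three settings look sane).
    `files` maps path -> text and stands in for reading the real files."""
    findings, labels_by_param = [], {}
    for param in TLS_PARAMS:
        path = params.get(param)
        if not path:
            findings.append(f"{param} is not set")
            continue
        if path not in files:
            findings.append(f"{param}: {path} is missing or unreadable")
            continue
        labels = labels_by_param[param] = pem_labels(files[path])
        if param == "smtpd_tls_key_file" and not PRIVATE_KEY_LABELS.intersection(labels):
            findings.append(f"{param}: {path} has no private key block (found: "
                            f"{', '.join(labels) or 'no PEM blocks'}); smtpd will warn "
                            "'Expecting: ANY PRIVATE KEY' and disable TLS")
        elif param != "smtpd_tls_key_file" and not CERT_LABELS.intersection(labels):
            findings.append(f"{param}: {path} has no certificate block")
    # The rule given in the thread: CA, cert and key must not all be one file.
    paths = [params.get(p) for p in TLS_PARAMS]
    if all(paths) and len(set(paths)) == 1:
        findings.append("smtpd_tls_CAfile, smtpd_tls_cert_file and smtpd_tls_key_file "
                        "all point at the same file")
    # smtpd_tls_CAfile is meant to hold trusted CA certificates only.
    if PRIVATE_KEY_LABELS.intersection(labels_by_param.get("smtpd_tls_CAfile", [])):
        findings.append("smtpd_tls_CAfile contains a private key block")
    return findings


def _pem(label, body="MIIBOGUSPLACEHOLDERBODY"):
    """Constructed PEM block: the body is a placeholder, not real key material."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Scenario 1: the original post, one file for all three settings (its contents
# are assumed here: a certificate with the private key appended).
OP_POSTCONF = """\
smtpd_tls_CAfile = /etc/ssl/postfix/smtpd.pem
smtpd_tls_cert_file = /etc/ssl/postfix/smtpd.pem
smtpd_tls_key_file = /etc/ssl/postfix/smtpd.pem
"""
OP_FILES = {"/etc/ssl/postfix/smtpd.pem": _pem("CERTIFICATE") + _pem("RSA PRIVATE KEY")}

# Scenario 2: the second attempt. A newer CA.pl writes the key to newkey.pem and
# only the request to newreq.pem (the CA.pl the guide describes put both there).
# The key path is from the log; the cert and CA paths are assumed.
CSR_POSTCONF = """\
smtpd_tls_CAfile = /usr/local/etc/postfix/demoCA/cacert.pem
smtpd_tls_cert_file = /usr/local/etc/postfix/newcert.pem
smtpd_tls_key_file = /usr/local/etc/postfix/newreq.pem
"""
CSR_FILES = {"/usr/local/etc/postfix/demoCA/cacert.pem": _pem("CERTIFICATE"),
             "/usr/local/etc/postfix/newcert.pem": _pem("CERTIFICATE"),
             "/usr/local/etc/postfix/newreq.pem": _pem("CERTIFICATE REQUEST")}

# Scenario 3: the layout Zaeem posted, with newkey.pem as the key file.
OK_POSTCONF = """\
smtpd_tls_key_file = /etc/postfix-corp/newkey.pem
smtpd_tls_cert_file = /etc/postfix-corp/newcert.pem
smtpd_tls_CAfile = /etc/postfix-corp/cacert.pem
"""
OK_FILES = {"/etc/postfix-corp/newkey.pem": _pem("RSA PRIVATE KEY"),
            "/etc/postfix-corp/newcert.pem": _pem("CERTIFICATE"),
            "/etc/postfix-corp/cacert.pem": _pem("CERTIFICATE")}

if __name__ == "__main__":
    for name, conf, files in (("original", OP_POSTCONF, OP_FILES),
                              ("newreq.pem as key", CSR_POSTCONF, CSR_FILES),
                              ("newkey.pem as key", OK_POSTCONF, OK_FILES)):
        print(name, "->", check_tls_files(parse_postconf(conf), files) or ["ok"])
```

On a real host, `openssl rsa -in newkey.pem -noout -check` and `openssl x509 -in newcert.pem -noout -subject` give the same answer for one file at a time.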

 

Re: SSL_accept error

Ebbe Hjorth-4


2009/8/12 Ebbe Hjorth <[hidden email]>


2009/8/12 Zaeem Arshad <[hidden email]>



On Tue, Aug 11, 2009 at 11:27 PM, Ebbe Hjorth <[hidden email]> wrote:


2009/8/11 Brian Evans - Postfix List <[hidden email]>
Ebbe Hjorth wrote:
> 2009/8/10 Brian Evans - Postfix List <[hidden email]
> <mailto:[hidden email]>>
>
>     A great guide by a frequent poster here is
>     http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html
>
>
> That is a brilliant link, I have read it all and love it, but I have a
> question regarding FreeBSD.
>
> It says:
>
> [[hidden email] <mailto:[hidden email]>]# cd misc/
> [[hidden email] <mailto:[hidden email]>]# cp CA CA_nodes
> [[hidden email] <mailto:[hidden email]>]# edit CA_nodes
>
> But I have no CA. I have searched the hard drive but found nothing like that.
> Do you know what or where?

On my mailserver (Gentoo based), it was called CA.sh in a recent openssl
version.
There are small nuances that have changed since that document was made.
 
Hi Brian,
 
I love your feedback. After a reinstall of openssl, the CA.pl is there. I did the editing, created the certificates and got it signed, changed the group of the 3 files to postfix so I should be able to read them, and changed the path in the main.conf file, but...
 
Aug 11 19:21:24 mail02 postfix/master[34007]: daemon started -- version 2.6.2, configuration /usr/local/etc/postfix
Aug 11 19:21:30 mail02 postfix/smtpd[34018]: initializing the server-side TLS engine
Aug 11 19:21:30 mail02 postfix/smtpd[34018]: warning: cannot get RSA private key from file /usr/local/etc/postfix/newreq.pem: disabling TLS support
Aug 11 19:21:30 mail02 postfix/smtpd[34018]: warning: TLS library problem: 34018:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:650:Expecting: ANY PRIVATE KEY:
Aug 11 19:21:30 mail02 postfix/smtpd[34018]: warning: TLS library problem: 34018:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:669:
Aug 11 19:21:30 mail02 postfix/smtpd[34018]: connect from localhost[127.0.0.1]
Aug 11 19:21:30 mail02 postfix/smtpd[34018]: warning: Wrapper-mode request dropped from localhost[127.0.0.1] for service smtp. TLS context initialization failed. For details see earlier warnings in your logs.
Aug 11 19:21:30 mail02 postfix/smtpd[34018]: disconnect from localhost[127.0.0.1]


smtpd_tls_key_file = /etc/postfix-corp/newkey.pem
smtpd_tls_cert_file = /etc/postfix-corp/newcert.pem
smtpd_tls_CAfile = /etc/postfix-corp/cacert.pem



 
 
No more hints? :-(
 

Re: SSL_accept error

Barney Desmond
2009/8/14 Ebbe Hjorth <[hidden email]>:
> No more hints? :-(

Do you still have a problem? You said, "Ahh, now we are talkin", which
sounds like you were successful.

Patrick's docs (http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html)
are great, but I think they're a little misleading in this case. You
don't need to create a full CA, you (probably) just want a self-signed
certificate.

Do you need a CA-signed certificate?
No: most of the time, so just use a self-signed certificate
Yes: if SMTP clients *require* encryption, *and* will perform
verification of the server's certificate for trust. Note that this
applies to controlled conditions, like an enterprise; SMTP clients
from the internet should not care about verification.

Want to use a self-signed certificate?

1. Make the key:
touch smtpd.key
chmod 600 smtpd.key
openssl genrsa 1024 > smtpd.key

2. Make the cert, answering the questions when asked:
openssl req -new -key smtpd.key -x509 -days 3650 -out smtpd.crt

3. Add them to your postfix config as appropriate
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_cert_file = /etc/postfix/smtpd.crt
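As an added example (not from the thread or from Barney), the following script carries out the three steps above and then checks the files before Postfix is pointed at them. The check catches exactly the mistake in the earlier logs: a CSR (newreq.pem, "BEGIN CERTIFICATE REQUEST") given as the key file, which is what the "Expecting: ANY PRIVATE KEY" warning means. The subject, the file names and the 2048-bit key size are my choices.

```shell
#!/bin/sh
# Added example: build a self-signed smtpd key/cert pair and verify it.

# Print the PEM object type named in the file's first BEGIN line,
# e.g. "RSA PRIVATE KEY", "CERTIFICATE REQUEST" or "CERTIFICATE".
pem_kind() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# True if the file can serve as smtpd_tls_key_file (any PRIVATE KEY type).
is_private_key() {
    case "$(pem_kind "$1")" in
        *"PRIVATE KEY") return 0 ;;
        *) return 1 ;;
    esac
}

# True if the file can serve as smtpd_tls_cert_file.
is_certificate() {
    [ "$(pem_kind "$1")" = "CERTIFICATE" ]
}

# Steps 1 and 2 from the post (constructed subject; 2048-bit RSA instead of the
# 1024 bits in the post, since 1024-bit RSA is no longer considered adequate).
# The subshell keeps umask 077 from leaking into the caller.
make_selfsigned() {
    ( umask 077 &&
      openssl genrsa -out "$1" 2048 2>/dev/null &&
      openssl req -new -key "$1" -x509 -days 3650 \
          -subj "/CN=mail.example.invalid" -out "$2" 2>/dev/null )
}

# Check a key/cert pair: correct PEM types, key readable by openssl,
# and the certificate's public key derived from that private key.
check_pair() {
    key=$1 crt=$2
    is_private_key "$key" || { echo "$key: not a private key ($(pem_kind "$key"))"; return 1; }
    is_certificate "$crt" || { echo "$crt: not a certificate ($(pem_kind "$crt"))"; return 1; }
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo "$key: openssl cannot read key"; return 1; }
    c=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null) || { echo "$crt: openssl cannot read cert"; return 1; }
    [ "$k" = "$c" ] || { echo "key and certificate do not match"; return 1; }
    echo "ok: $key / $crt"
}
```

Run `make_selfsigned smtpd.key smtpd.crt && check_pair smtpd.key smtpd.crt` before editing main.cf; `check_pair newreq.pem newcert.pem` reproduces the thread's failure without touching Postfix.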

Re: SSL_accept error

Ebbe Hjorth-4


2009/8/14 Barney Desmond <[hidden email]>
 
Hi,
 
I did the above 3 steps and am still getting errors - so now I have disabled TLS in main.cf and master.cf, and now it is working ;)
 
Thank you for all your help and input, it is very much appreciated!!!
 
/ Ebbe