StartTLS frustrations

Hi Folks,

Gettting very frustrated with trying to set up TLS using a StartSSL (StartCom)
cert.

Here are the applicable lines (sanitized of course) I used to set this
up:
smtpd_use_tls = yes
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile=/etc/postfix/ssl/ca-bundle.pem
smtp_tls_CAfile=/etc/postfix/ssl/ca-bundle.pem
smtpd_tls_CApath=/etc/postfix/ssl
smtp_tls_CApath=$smtpd_tls_CAPath
smtpd_tls_certfile=/etc/postfix/ssl/server.crt
smtpd_tls_key_file=/etc/postfix/ssl/mydomain.key
smtpd_tls_loglevel=4
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

This is aping everything I've read on the topic on a variety of sites.

The error I'm seeing in the maillog is:
Apr  5 10:43:36 myhostname  postfix/smtpd[14839]: warning: No server certs available. TLS won't be enabled


I've double checked the files (especially the cert file) and they are all where
I expect them to be.  What in the world am I missing?


--
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Peter L. Berghold                                 [hidden email]
Unix Professional, Beer Brewer, Dog Trainer and Patriot
http://blog.berghold.net

Am 05.04.2013 16:46, schrieb Peter L. Berghold:
debian chroot ?


Best Regards
MfG Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Aufsichtsratsvorsitzender: Joerg Heidrich

On Fri, Apr 05, 2013 at 04:54:37PM +0200, Robert Schetterer wrote:
>
> debian chroot ?

Nope.  Not running chroot.

--
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Peter L. Berghold                                 [hidden email]
Unix Professional, Beer Brewer, Dog Trainer and Patriot
http://blog.berghold.net

Am 05.04.2013 16:46, schrieb Peter L. Berghold: we don't know because you refused to provide output of
"postconf -n" as statet in the welcome message as well
as in the documentation

random snippets of a config-file are worthless because
often enough people overwrite settings somewhere later
and only "postconf -n" show the REALLY active config
_____________________________________

this a for sure working config for both incoming and outgoing

[root@srv-rhsoft:~]$ postconf -n | grep smtpd_tls
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_cert_file = /etc/postfix/certs/localhost.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
smtpd_tls_key_file = /etc/postfix/certs/localhost.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s

[root@srv-rhsoft:~]$ postconf -n | grep smtp_tls
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_cert_file = /etc/postfix/certs/localhost.pem
smtp_tls_exclude_ciphers = DES-CBC3-SHA
smtp_tls_key_file = /etc/postfix/certs/localhost.pem
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtp_tls_session_cache_timeout = 3600s

On Fri, Apr 05, 2013 at 10:46:57AM -0400, Peter L. Berghold wrote:

> This is aping everything I've read on the topic on a variety of sites.

Instead of aping, try:

        http://www.postfix.org/TLS_README.html#server_tls
        http://www.postfix.org/TLS_README.html#client_tls

> Here are the applicable lines (sanitized of course) I used to set this up:

> smtpd_use_tls = yes
> smtp_use_tls = yes

        smtpd_tls_security_level = may
        smtp_tls_security_level = may

> smtp_tls_note_starttls_offer = yes

Not needed, you've enabled TLS in the local Postfix SMTP client.

> smtpd_tls_CAfile=/etc/postfix/ssl/ca-bundle.pem
> smtpd_tls_CApath=/etc/postfix/ssl

Not needed, you're not requesting client certificates.

> smtp_tls_CAfile=/etc/postfix/ssl/ca-bundle.pem
> smtp_tls_CApath=$smtpd_tls_CAPath

Not strictly needed, with opportunistic TLS, you're not verifying
remote server certificates.

> smtpd_tls_certfile=/etc/postfix/ssl/server.crt

The correct parameter is smtpd_tls_cert_file, consistent with
the below:

> smtpd_tls_key_file=/etc/postfix/ssl/mydomain.key

> smtpd_tls_loglevel=4

This is insane, loglevels higher than 2 are almost never required,
for experts only, and can DoS your system with log files larger
than your mail store input volume.

> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_timeout = 3600s

No point, unless you specify a session cache.

> tls_random_source = dev:/dev/urandom

Fine.

> The error I'm seeing in the maillog is:
> Apr  5 10:43:36 myhostname  postfix/smtpd[14839]: warning: No
> server certs available. TLS won't be enabled

Indeed you've not specified the correct certfile parameter.

--
        Viktor.

On Fri, Apr 05, 2013 at 10:57:42AM -0400, Vitaly Tskhovrebov wrote:
>    Include intermediary certs in your chain.
>
I think I have... what I did was get their ca.cert via a wget and then I
manually downloaded their Class 1 Intermediate Server CA and their
Class 2 Intermediate Server CA and added those to the bundle file.

Maybe I have to grab Class3 and Extended Validation as well?

I also wonder about the client intermediate certs but am doubtful I
need those as well.

--
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Peter L. Berghold                                 [hidden email]
Unix Professional, Beer Brewer, Dog Trainer and Patriot
http://blog.berghold.net

On Fri, Apr 05, 2013 at 04:58:14PM +0200, Reindl Harald wrote:
>
>
> we don't know because you refused to provide output of
> "postconf -n"

as you wish:

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = scan:127.0.0.1:10025
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 30
disable_vrfy_command = yes
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = mydomain.net,$myhostname,www.$mydomain, localhost.$mydomain, localhost
myhostname = smtp.mydomain.net
mynetworks = 98.158.185.135/32,127.0.0.1/32,68.38.202.165/32,206.217.196.75/32,216.119.148.53/32,137.236.241.122/32
mynetworks_style = host
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
receive_override_options = no_address_mappings
relay_domains = mydomain.net,localhost
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_CAfile = /etc/postfix/ssl/ca-bundle.pem
smtp_tls_CApath = $smtpd_tls_CAPath
smtp_tls_note_starttls_offer = yes
smtp_use_tls = no
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_unknown_helo_hostname
smtpd_recipient_restrictions = reject_sender_login_mismatch,    permit_sasl_authenticated,    permit_mynetworks,    check_sender_access hash:/etc/postfix/access,    reject_invalid_hostname,     reject_non_fqdn_sender,     reject_non_fqdn_recipient,     reject_unknown_sender_domain,     reject_unknown_recipient_domain,     reject_unauth_pipelining,     permit_mynetworks,     reject_unauth_destination,     reject_rbl_client bl.spamcop.net     permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders
smtpd_tls_CAfile = /etc/postfix/ssl/ca-bundle.pem
smtpd_tls_CApath = /etc/postfix/ssl
smtpd_tls_key_file = /etc/postfix/ssl/mydomain.key
smtpd_tls_loglevel = 4
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual




--
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Peter L. Berghold                                 [hidden email]
Unix Professional, Beer Brewer, Dog Trainer and Patriot
http://blog.berghold.net

On Fri, Apr 05, 2013 at 11:06:16AM -0400, Peter L. Berghold wrote:

    http://www.postfix.org/TLS_README.html#server_cert_key

The right place to put intermediate certificates is in the server
certificate file.  Not just any random collection of such certificates,
but the particular ones that issued your server certificate.

    smtpd.pem:
        ---BEGIN CERTIFICATE---
        base-64 line-noise for your certificate "S"
        ---END CERTIFICATE---
        ---BEGIN CERTIFICATE---
        base-64 line-noise for the issuing "I1" of your server certificate "S"
        ---END CERTIFICATE---
        ---BEGIN CERTIFICATE---
        base-64 line-noise for the issuing "I2" of CA certificate "I1"
        ---END CERTIFICATE---
        ...
        ---BEGIN CERTIFICATE---
        base-64 line-noise for the issuing "I<N>" of CA certificate "I<N-1>"
        ---END CERTIFICATE---

The certificate I<N> should either be a root CA, or an immediate
child of a root CA.  With RFC 6698 (DANE TLSA) if you some day want
to publish the digest of your preferred root CA via DNS, you must
include the root CA in your trust chain.  Otherwise, with legacy
public CA public, the verifier is expected to already have the root
CA certificate in hand.

--
        Viktor.

Am 05.04.2013 17:13, schrieb Peter L. Berghold:
> On Fri, Apr 05, 2013 at 04:58:14PM +0200, Reindl Harald wrote:
>>
>> we don't know because you refused to provide output of
>> "postconf -n"
>
> as you wish:

well, and this remains from your ACTIVE config
do you notice the "smtpd_use_tls = no"?

[harry@srv-rhsoft:~/Desktop]$ cat postconf | grep tls | grep smtpd
smtp_tls_CApath = $smtpd_tls_CAPath
smtpd_tls_CAfile = /etc/postfix/ssl/ca-bundle.pem
smtpd_tls_CApath = /etc/postfix/ssl
smtpd_tls_key_file = /etc/postfix/ssl/mydomain.key
smtpd_tls_loglevel = 4
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = no
--

Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / CISO / Software-Development
p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
icq: 154546673, http://www.thelounge.net/

http://www.thelounge.net/signature.asc.what.htm

On Fri, Apr 05, 2013 at 05:19:36PM +0200, Reindl Harald wrote:
>
>
> well, and this remains from your ACTIVE config
> do you notice the "smtpd_use_tls = no"?

Yes.  I turned it off for now while I seek out advise as to why it is not
working for now.  It will be turned back on when I have some idea as to
why *else* it isn't working.

>



--
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Peter L. Berghold                                 [hidden email]
Unix Professional, Beer Brewer, Dog Trainer and Patriot
http://blog.berghold.net

On Fri, Apr 05, 2013 at 11:23:33AM -0400, Peter L. Berghold wrote:

> On Fri, Apr 05, 2013 at 05:19:36PM +0200, Reindl Harald wrote:
> >
> >
> > well, and this remains from your ACTIVE config
> > do you notice the "smtpd_use_tls = no"?
>
> Yes.  I turned it off for now while I seek out advise as to why it is not
> working for now.  It will be turned back on when I have some idea as to
> why *else* it isn't working.

Well, if you read my first reply, and read the "postconf -n" output you
sent in response to Reindl's message, you'd have noticed that:

        smtpd_tls_certfile

is not a valid Postfix parameter and is not reported by "postconf -n".
It is also not documented in:

        http://www.postfix.org/postconf.5.html#smtpd_tls_certfile

where-as:

        http://www.postfix.org/postconf.5.html#smtpd_tls_cert_file

yields the expected documentation.  Part of the idea of requiring
posts of "postconf -n" is to give you a chance to read it first
and check for any suprises, the main reason, of course, is that
selective excerpts from main.cf often mask the real error and waste
everyone's time.

--
        Viktor.

Am 05.04.2013 17:23, schrieb Peter L. Berghold:
> On Fri, Apr 05, 2013 at 05:19:36PM +0200, Reindl Harald wrote:
>>
>>
>> well, and this remains from your ACTIVE config
>> do you notice the "smtpd_use_tls = no"?
>
> Yes.  I turned it off for now while I seek out advise as to why it is not
> working for now.  It will be turned back on when I have some idea as to
> why *else* it isn't working

what about fixing the path?
you ignored this response!

> smtpd_tls_certfile=/etc/postfix/ssl/server.crt
The correct parameter is smtpd_tls_cert_file

and that is why you should always start to debug
with "postconf -n" and "grep" to see if you have
fantasy names aka typos in your config which may
even overseen by people trying to help

On Fri, Apr 05, 2013 at 05:29:41PM +0200, Reindl Harald wrote:
>
>
> > smtpd_tls_certfile=/etc/postfix/ssl/server.crt
> The correct parameter is smtpd_tls_cert_file
>


I must have looked at that and not comprehended what I was seeing
for about 100 times.

That's why I was looking for "another set of eyes."

By the way I had looked at TLS_README which is where I got the
majority of my info from.  There are dozens of "How Tos" out
there as well, some of which are dead wrong.

It is working now.


Thank you all very much.




--
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Peter L. Berghold                                 [hidden email]
Unix Professional, Beer Brewer, Dog Trainer and Patriot
http://blog.berghold.net

Peter,

Take a peek inside the CA and cert files using openssl x509 -inform pem -in [file] -noout -text and use openssl rsa with the same arguments to peek in the private key, and make sure they contain what you expect they should contain.

Let us know if you see anything peculiar inside or not.

Good luck,
Matthew.