TLS support


TLS support

Alex Feldman-3
OK, let me give this another try.  I'm trying to follow the
instructions, which call for lots of output, so this letter is kind of
long.  I have put $$ in front of my own comments to make it easy to skip
around the output. Thanks in advance.

I have installed Postfix and SASL in my Fedora 9 distribution, two
different ways.  I get the same problem either way:

I believe I have SASL support compiled into postfix - I believe this
because of both the output from saslfinger, which I will give at the end
(it is long), and from ldd, which I will paste right here:

[root@XXX ssl]# ldd /usr/libexec/postfix/smtpd
    linux-gate.so.1 =>  (0x0012e000)
    libldap-2.4.so.2 => /usr/lib/libldap-2.4.so.2 (0x0012f000)
    liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0x00171000)
    libpcre.so.0 => /lib/libpcre.so.0 (0x00180000)
    libmysqlclient.so.15 => /usr/lib/mysql/libmysqlclient.so.15 (0x001aa000)
    libm.so.6 => /lib/libm.so.6 (0x00310000)
    libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00339000)
    libssl.so.7 => /lib/libssl.so.7 (0x00352000)
    libcrypto.so.7 => /lib/libcrypto.so.7 (0x0039d000)
    libdl.so.2 => /lib/libdl.so.2 (0x004eb000)
    libz.so.1 => /lib/libz.so.1 (0x004f0000)
    libdb-4.6.so => /lib/libdb-4.6.so (0x00504000)
    libnsl.so.1 => /lib/libnsl.so.1 (0x0064c000)
    libresolv.so.2 => /lib/libresolv.so.2 (0x00666000)
    libc.so.6 => /lib/libc.so.6 (0x0067b000)
    libcrypt.so.1 => /lib/libcrypt.so.1 (0x007e4000)
    /lib/ld-linux.so.2 (0x00110000)
    libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00816000)
    libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00845000)
    libcom_err.so.2 => /lib/libcom_err.so.2 (0x008e5000)
    libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x008e8000)
    libpthread.so.0 => /lib/libpthread.so.0 (0x0090d000)
    libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00926000)
    libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x0092f000)
    libselinux.so.1 => /lib/libselinux.so.1 (0x00932000)

$$ I have added the lines to main.cf that were recommended in several
howtos (one at a time), including the "Getting started, quick and dirty"
TLS documentation on the Postfix site.  Here is the output from postconf -n:

[root@XXX ssl]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.5.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtp_tls_security_level = may
smtp_tls_session_cache_database =
btree:/var/lib/postfix/smtp_tls_session_cache
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_cert_file = /etc/postfix/ssl/alexcert.pem
smtpd_tls_key_file = /etc/postfix/ssl/alexkey.pem
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database =
btree:/var/lib/postfix/smtpd_tls_session_cache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550


$$ It is that fifth to last line, smtpd_tls_security_level = may, that
seems to break things.  Without that line, I can have a "normal"
telnet conversation with postfix, viz:

[root@XXX ssl]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 XXX.org ESMTP Postfix
EHLO x.com
250-XXX.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
^]

telnet> q
Connection closed.

$$ However, with that line, I get no response, either to the initial
connection or to my EHLO request:

telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
EHLO co.com
^]

telnet> quit
Connection closed.

$$ I did run saslfinger both on the client side and the server side.  
The client side objected to
smtp_sasl_password_maps not being in main.cf, but that line didn't
appear in the howtos I looked at.  The server side didn't seem to object
to anything.  I am appending all the saslfinger output.

[root@XXX ssl]# saslfinger -c
saslfinger - postfix Cyrus sasl configuration Wed May 21 15:58:05 MDT 2008
version: 1.0.2
mode: client-side SMTP AUTH

-- basics --
Postfix: 2.5.1
System: Fedora release 9 (Sulphur)

-- smtp is linked to --
    libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00339000)

-- active SMTP AUTH and TLS parameters for smtp --
smtp_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtp_tls_security_level = may
smtp_tls_session_cache_database =
btree:/var/lib/postfix/smtp_tls_session_cache


-- listing of /usr/lib/sasl --
total 128
drwxr-xr-x   2 root root   4096 2008-05-18 16:59 .
drwxr-xr-x 166 root root 118784 2008-05-21 04:21 ..
-rw-r--r--   1 root root     70 2008-03-12 06:21 smtpd.conf

-- listing of /usr/lib/sasl2 --
total 4140
drwxr-xr-x   2 root root    4096 2008-05-21 11:47 .
drwxr-xr-x 166 root root  118784 2008-05-21 04:21 ..
-rwxr-xr-x   1 root root   14688 2008-02-21 01:18 libanonymous.so
-rwxr-xr-x   1 root root   14688 2008-02-21 01:18 libanonymous.so.2
-rwxr-xr-x   1 root root   14688 2008-02-21 01:18 libanonymous.so.2.0.22
-rwxr-xr-x   1 root root   17276 2008-02-21 01:18 libcrammd5.so
-rwxr-xr-x   1 root root   17276 2008-02-21 01:18 libcrammd5.so.2
-rwxr-xr-x   1 root root   17276 2008-02-21 01:18 libcrammd5.so.2.0.22
-rwxr-xr-x   1 root root   47584 2008-02-21 01:18 libdigestmd5.so
-rwxr-xr-x   1 root root   47584 2008-02-21 01:18 libdigestmd5.so.2
-rwxr-xr-x   1 root root   47584 2008-02-21 01:18 libdigestmd5.so.2.0.22
-rwxr-xr-x   1 root root   27452 2008-02-21 01:18 libgssapiv2.so
-rwxr-xr-x   1 root root   27452 2008-02-21 01:18 libgssapiv2.so.2
-rwxr-xr-x   1 root root   27452 2008-02-21 01:18 libgssapiv2.so.2.0.22
-rwxr-xr-x   1 root root   14972 2008-02-21 01:18 liblogin.so
-rwxr-xr-x   1 root root   14972 2008-02-21 01:18 liblogin.so.2
-rwxr-xr-x   1 root root   14972 2008-02-21 01:18 liblogin.so.2.0.22
-rwxr-xr-x   1 root root   15100 2008-02-21 01:18 libplain.so
-rwxr-xr-x   1 root root   15100 2008-02-21 01:18 libplain.so.2
-rwxr-xr-x   1 root root   15100 2008-02-21 01:18 libplain.so.2.0.22
-rwxr-xr-x   1 root root 1213728 2008-02-21 01:18 libsasldb.so
-rwxr-xr-x   1 root root 1213728 2008-02-21 01:18 libsasldb.so.2
-rwxr-xr-x   1 root root 1213728 2008-02-21 01:18 libsasldb.so.2.0.22
-rw-r--r--   1 root root      25 2008-03-29 06:27 Sendmail.conf
-rw-r--r--   1 root root      49 2008-03-12 06:21 smtpd.conf

-- listing of /etc/sasl2 --
total 20
drwxr-xr-x   2 root root  4096 2008-05-18 06:11 .
drwxr-xr-x 128 root root 12288 2008-05-21 07:12 ..
-rw-r--r--   1 root root  1161 2008-04-08 11:01 libvirt.conf


Cannot find the smtp_sasl_password_maps parameter in main.cf.
Client-side SMTP AUTH cannot work without this parameter!
[root@XXX ssl]# saslfinger -s
saslfinger - postfix Cyrus sasl configuration Wed May 21 15:58:38 MDT 2008
version: 1.0.2
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.5.1
System: Fedora release 9 (Sulphur)

-- smtpd is linked to --
    libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00339000)

-- active SMTP AUTH and TLS parameters for smtpd --
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_cert_file = /etc/postfix/ssl/alexcert.pem
smtpd_tls_key_file = /etc/postfix/ssl/alexkey.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database =
btree:/var/lib/postfix/smtpd_tls_session_cache


-- listing of /usr/lib/sasl --
total 128
drwxr-xr-x   2 root root   4096 2008-05-18 16:59 .
drwxr-xr-x 166 root root 118784 2008-05-21 04:21 ..
-rw-r--r--   1 root root     70 2008-03-12 06:21 smtpd.conf

-- listing of /usr/lib/sasl2 --
total 4140
drwxr-xr-x   2 root root    4096 2008-05-21 11:47 .
drwxr-xr-x 166 root root  118784 2008-05-21 04:21 ..
-rwxr-xr-x   1 root root   14688 2008-02-21 01:18 libanonymous.so
-rwxr-xr-x   1 root root   14688 2008-02-21 01:18 libanonymous.so.2
-rwxr-xr-x   1 root root   14688 2008-02-21 01:18 libanonymous.so.2.0.22
-rwxr-xr-x   1 root root   17276 2008-02-21 01:18 libcrammd5.so
-rwxr-xr-x   1 root root   17276 2008-02-21 01:18 libcrammd5.so.2
-rwxr-xr-x   1 root root   17276 2008-02-21 01:18 libcrammd5.so.2.0.22
-rwxr-xr-x   1 root root   47584 2008-02-21 01:18 libdigestmd5.so
-rwxr-xr-x   1 root root   47584 2008-02-21 01:18 libdigestmd5.so.2
-rwxr-xr-x   1 root root   47584 2008-02-21 01:18 libdigestmd5.so.2.0.22
-rwxr-xr-x   1 root root   27452 2008-02-21 01:18 libgssapiv2.so
-rwxr-xr-x   1 root root   27452 2008-02-21 01:18 libgssapiv2.so.2
-rwxr-xr-x   1 root root   27452 2008-02-21 01:18 libgssapiv2.so.2.0.22
-rwxr-xr-x   1 root root   14972 2008-02-21 01:18 liblogin.so
-rwxr-xr-x   1 root root   14972 2008-02-21 01:18 liblogin.so.2
-rwxr-xr-x   1 root root   14972 2008-02-21 01:18 liblogin.so.2.0.22
-rwxr-xr-x   1 root root   15100 2008-02-21 01:18 libplain.so
-rwxr-xr-x   1 root root   15100 2008-02-21 01:18 libplain.so.2
-rwxr-xr-x   1 root root   15100 2008-02-21 01:18 libplain.so.2.0.22
-rwxr-xr-x   1 root root 1213728 2008-02-21 01:18 libsasldb.so
-rwxr-xr-x   1 root root 1213728 2008-02-21 01:18 libsasldb.so.2
-rwxr-xr-x   1 root root 1213728 2008-02-21 01:18 libsasldb.so.2.0.22
-rw-r--r--   1 root root      25 2008-03-29 06:27 Sendmail.conf
-rw-r--r--   1 root root      49 2008-03-12 06:21 smtpd.conf

-- listing of /etc/sasl2 --
total 20
drwxr-xr-x   2 root root  4096 2008-05-18 06:11 .
drwxr-xr-x 128 root root 12288 2008-05-21 07:12 ..
-rw-r--r--   1 root root  1161 2008-04-08 11:01 libvirt.conf




-- content of /usr/lib/sasl/smtpd.conf --
pwcheck_method: saslauthd
mech_list: plain login
saslauthd_version: 2

-- content of /usr/lib/sasl2/smtpd.conf --
pwcheck_method: saslauthd
mech_list: plain login


-- active services in /etc/postfix/master.cf --
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       -       n       -       -       smtpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
    -o smtp_fallback_relay=
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache

-- mechanisms on localhost --

-- end of saslfinger output --
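
The two telnet transcripts above differ in one way that matters: with TLS off, smtpd greets and answers EHLO (no STARTTLS in the list); with smtpd_tls_security_level = may, the TCP connection is accepted but no 220 banner ever arrives. The probe below, an added example that is not code from the post or from Postfix, checks for both conditions with a timeout instead of a hanging telnet session, and parses the EHLO reply for STARTTLS. The in-process mock server and its replies are constructed from the transcript above (the host name XXX.org is the poster's placeholder), so the script runs offline; point probe() at a real host and port to use it for real.

```python
"""Probe an SMTP listener: is there a 220 greeting, and does EHLO offer STARTTLS?

Added example for the thread above; not code from the post or from Postfix.
It reproduces the two behaviours Alex describes: a server that greets and
answers EHLO without STARTTLS, and a server that accepts the TCP connection
but never sends a banner. The mock server and its replies are constructed.
"""
import socket
import threading

# Constructed EHLO replies, copied from the transcript above, without and
# with a STARTTLS line.
EHLO_REPLY_NO_TLS = (
    b"250-XXX.org\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n250-VRFY\r\n"
    b"250-ETRN\r\n250-ENHANCEDSTATUSCODES\r\n250-8BITMIME\r\n250 DSN\r\n"
)
EHLO_REPLY_TLS = EHLO_REPLY_NO_TLS.replace(b"250-ETRN\r\n", b"250-ETRN\r\n250-STARTTLS\r\n")


def read_reply(sock, timeout=2.0):
    """Read one SMTP reply (single or multi-line). Returns "" if nothing arrives."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
            # The last line of a reply has a space after the 3-digit code
            # ("250 DSN"); continuation lines have a dash ("250-SIZE ...").
            lines = buf.split(b"\r\n")
            if buf.endswith(b"\r\n") and any(len(l) >= 4 and l[3:4] == b" " for l in lines):
                break
    except socket.timeout:
        pass
    return buf.decode("ascii", "replace")


def parse_ehlo(reply):
    """Return the set of EHLO keywords; the first 250 line is the server name, not an extension."""
    ext, first = set(), True
    for line in reply.splitlines():
        if not line.startswith("250") or len(line) < 4:
            continue
        if first:
            first = False
            continue
        words = line[4:].split()
        if words:
            ext.add(words[0].upper())
    return ext


def probe(host, port, helo="probe.example", timeout=2.0):
    """Connect, wait for the greeting, send EHLO, report whether STARTTLS is offered."""
    result = {"greeted": False, "extensions": set(), "starttls": False, "note": ""}
    with socket.create_connection((host, port), timeout=timeout) as s:
        if not read_reply(s, timeout).startswith("220"):
            result["note"] = ("TCP connection accepted but no 220 greeting within %.0fs: "
                              "no smtpd answered; look for fatal/warning lines in the mail log" % timeout)
            return result
        result["greeted"] = True
        s.sendall(("EHLO %s\r\n" % helo).encode("ascii"))
        result["extensions"] = parse_ehlo(read_reply(s, timeout))
        result["starttls"] = "STARTTLS" in result["extensions"]
        result["note"] = ("STARTTLS offered" if result["starttls"]
                          else "STARTTLS not offered: smtpd_tls_security_level is none, or TLS setup failed")
        try:
            s.sendall(b"QUIT\r\n")
        except OSError:
            pass
    return result


def start_mock_smtpd(send_banner, ehlo_reply=EHLO_REPLY_NO_TLS):
    """Single-connection stand-in for smtpd on 127.0.0.1; returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if send_banner:
                conn.sendall(b"220 XXX.org ESMTP Postfix\r\n")
                if conn.recv(1024).upper().startswith(b"EHLO"):
                    conn.sendall(ehlo_reply)
            conn.recv(1024)  # wait for QUIT, or for the client to give up
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    for banner, reply in ((True, EHLO_REPLY_TLS), (True, EHLO_REPLY_NO_TLS), (False, EHLO_REPLY_TLS)):
        print(probe("127.0.0.1", start_mock_smtpd(banner, reply), timeout=1.0))
```

A "greeted but no STARTTLS" result is a configuration question (the security level is none, or the cert/key could not be loaded); a "no greeting at all" result is a daemon failure and the mail log, not main.cf, is the place to look next.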



Re: TLS support

Patrick Ben Koetter
* Alex Feldman <[hidden email]>:
> OK, let me give this another try.  I'm trying to follow the instructions,
> which call for lots of output, so this letter is kind of long.  I have put
> $$ in front of my own comments to make it easy to skip around the output.
> Thanks in advance.
>
> I have installed Postfix and SASL in my Fedora 9 distribution, two
> different ways.  I get the same problem either way:

SASL and TLS are two pairs of shoes. Which one do you want? If you want
encrypted Transport go for TLS. If you want SMTP Authentication go for SASL.

Your Subject indicates you want TLS. In this case your debug output is - as
complete as it is for SASL debugging - not suited to debug TLS.

Which do you want?

p@rick

--
The Book of Postfix
<http://www.postfix-book.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>

Re: TLS support

Patrick Ben Koetter
* Alex Feldman <[hidden email]>:
> I want TLS, but I thought I had to have SASL installed to get TLS.  

No, you don't.

> Functionally, what I want is to be able to leave port 25 open in my
> firewall (iptables) with RSA-protected password protection for an SMTP
> connection - so I will always be able to send mail from my laptop, but I
> won't be operating an open relay.  That's what I want, and it seems to me,
> that means TLS.

You will probably need both, SASL and TLS, unless you run postfix on your
laptop too and use your home system to relay messages from the laptop.

If you don't run Postfix on your laptop, here's what you need to do:

SASL will do the part of SMTP Authentication. You need to set up the SASL
server part. All options will start with smtpd_sasl_... Read the SASL_README.

TLS will encrypt the Transport Layer (to protect your SMTP AUTH communication
if you use weak mechanisms). Once you have set up SMTP AUTH you need to create a
TLS server configuration on your home machine.

> Here is what I get in the logfile (maillog) when
>
>    smtpd_tls_security_level = may
>
> is in main.cf, and I try to telnet to port 25:
>
> May 21 12:22:19 XXX postfix/tlsmgr[6641]: fatal: tls_prng_exch_open: cannot
> open PRNG exchange file /var/lib/postfix/prng_exch: Permission denied

Is the user Postfix runs as allowed to access, read and write to
/var/lib/postfix?

p@rick

--
state of mind
Agentur für Kommunikation, Design und Softwareentwicklung

Patrick Koetter            Tel: 089 45227227
Echinger Strasse 3         Fax: 089 45227226
85386 Eching               Web: http://www.state-of-mind.de

Amtsgericht München        Partnerschaftsregister PR 563
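
The split Patrick describes (SASL for authentication, TLS for the transport that protects it) maps onto a small set of main.cf parameters. The fragment below is an added example, not configuration from the thread or from the Postfix documentation; it reuses the certificate and key paths from the postconf -n output above, and it assumes Dovecot as the SASL backend (which Alex mentions later in the thread) listening on the default socket private/auth. The weak form of this setup is SASL with TLS merely optional, which lets a client send PLAIN or LOGIN credentials over a cleartext session; smtpd_tls_auth_only = yes removes that option by not advertising AUTH until after STARTTLS, and permit_sasl_authenticated before reject_unauth_destination is what keeps port 25 open to the laptop without making the box an open relay.

```ini
# main.cf: offer STARTTLS on port 25, accept SMTP AUTH only inside TLS,
# and relay for authenticated clients only.  Added example; paths are
# those from the postconf -n output above, the Dovecot socket is assumed.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/ssl/alexcert.pem
smtpd_tls_key_file = /etc/postfix/ssl/alexkey.pem
smtpd_tls_auth_only = yes

smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
# belt and braces: even if auth_only were dropped, refuse plaintext
# mechanisms on an unencrypted session
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
```

To confirm the behaviour, EHLO over plain telnet should list STARTTLS but not AUTH, while `openssl s_client -starttls smtp -connect localhost:25` followed by a second EHLO inside the TLS session should list AUTH PLAIN LOGIN.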

Newbie

Monah Baki-2
Hi All,

I'm new to postfix and I'm running postfix 2.4.6. Currently I can
receive email from certain domains, but from other domains (e.g.
gmail.com, guru.com) I cannot. I did a tail on the mail.log and saw
the following

postfix/smtpd[1110]: timeout after EHLO from yw-out-1718.google.com
[74.125.46.158]


My postconf -n

command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
debug_peer_level = 2
html_directory = no
mailbox_size_limit = 500000000
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
mydestination = $mydomain
mydomain = $myhostname
mynetworks = 127.0.0.0/8 192.168.3.0/24 67.100.188.208
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
readme_directory = no
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_always_send_ehlo = no
smtpd_recipient_restrictions = permit_mynetworks,  
reject_unauth_destination, check_sender_access hash:/usr/local/etc/
postfix/sender_access
unknown_local_recipient_reject_code = 550
virtual_alias_domains = webnocent.com vixaroy.com whywire.com
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual



Hope someone can shed some light as to why my server is behaving like  
this.



Thank you


Re: TLS support

Alex Feldman-3
In reply to this post by Patrick Ben Koetter
Well, I've tried several things.  I did enable dovecot sasl support, and
that survived the authentication test given in
http://www.postfix.org/SASL_README.html
Moreover, everything seems to work - as long as I turn TLS off, my mail
client asks me for a password, so I am not running an open relay.  But I
am transmitting everything in the clear, which I don't want if I am
using my home machine as an smtp server for my laptop.

But when I try to turn TLS on, I still seem to be having the same
problem with postfix, with one exception: postfix no longer refuses to
stop or start, it just doesn't work.  Specifically, when I have the line

smtpd_tls_security_level = may

in my main.cf file, I get no response at all when I try to telnet into
port 25, and the following error messages show up in /var/log/maillog:

May 22 14:28:05 alexfeldman postfix/tlsmgr[7483]: fatal:
tls_prng_exch_open: cannot open PRNG exchange file
/var/lib/postfix/prng_exch: Permission denied
May 22 14:28:06 alexfeldman postfix/master[7476]: warning: process
/usr/libexec/postfix/tlsmgr pid 7483 exit status 1
May 22 14:28:06 alexfeldman postfix/master[7476]: warning:
/usr/libexec/postfix/tlsmgr: bad command startup -- throttling
May 22 14:29:06 alexfeldman postfix/tlsmgr[7490]: fatal:
tls_prng_exch_open: cannot open PRNG exchange file
/var/lib/postfix/prng_exch: Permission denied

The directory /var/lib/postfix is owned by postfix and was set to
permissions of 700.  I changed it to 777 but that had no effect.  I have
looked in that directory several times and not seen anything in there.  
I have not seen a file named prng_exch* anywhere.

In my former configuration, there was no /var/lib/postfix directory, and
the prng_exch file was in /etc/postfix.  Can someone tell me what might
have happened to this file?

Thanks.

Patrick Ben Koetter wrote:

>
>> Here is what I get in the logfile (maillog) when
>>
>>    smtpd_tls_security_level = may
>>
>> is in main.cf, and I try to telnet to port 25:
>>
>> May 21 12:22:19 XXX postfix/tlsmgr[6641]: fatal: tls_prng_exch_open: cannot
>> open PRNG exchange file /var/lib/postfix/prng_exch: Permission denied
>>    
>
> Is the user Postfix runs as allowed to access, read and write to
> /var/lib/postfix?
>
> p@rick
>
>  

Re: TLS support

Victor Duchovni
On Thu, May 22, 2008 at 02:54:23PM -0600, Alex Feldman wrote:

> May 22 14:28:05 alexfeldman postfix/tlsmgr[7483]: fatal:
> tls_prng_exch_open: cannot open PRNG exchange file
> /var/lib/postfix/prng_exch: Permission denied
> May 22 14:28:06 alexfeldman postfix/master[7476]: warning: process
> /usr/libexec/postfix/tlsmgr pid 7483 exit status 1
> May 22 14:28:06 alexfeldman postfix/master[7476]: warning:
> /usr/libexec/postfix/tlsmgr: bad command startup -- throttling
> May 22 14:29:06 alexfeldman postfix/tlsmgr[7490]: fatal:
> tls_prng_exch_open: cannot open PRNG exchange file
> /var/lib/postfix/prng_exch: Permission denied

Now disable or fix the ruleset for AppArmor, SELinux, ...

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[hidden email]?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

Re: TLS support

Patrick Ben Koetter
In reply to this post by Alex Feldman-3
* Alex Feldman <[hidden email]>:

> Well, I've tried several things.  I did enable dovecot sasl support, and
> that survived the authentication test given in
> http://www.postfix.org/SASL_README.html
> Moreover, everything seems to work - as long as I turn TLS off, my mail
> client asks me for a password, so I am not running an open relay.  But I am
> transmitting everything in the clear, which I don't want if I am using my
> home machine as an smtp server for my laptop.
>
> But when I try to turn TLS on, I still seem to be having the same problem
> with postfix, with one exception: postfix no longer refuses to stop or
> start, it just doesn't work.  Specifically, when I have the line
>
> smtpd_tls_security_level = may
>
> in my main.cf file, I get no response at all when I try to telnet into port
> 25, and the following error messages show up in /var/log/maillog:
>
> May 22 14:28:05 alexfeldman postfix/tlsmgr[7483]: fatal:
> tls_prng_exch_open: cannot open PRNG exchange file
> /var/lib/postfix/prng_exch: Permission denied
> May 22 14:28:06 alexfeldman postfix/master[7476]: warning: process
> /usr/libexec/postfix/tlsmgr pid 7483 exit status 1
> May 22 14:28:06 alexfeldman postfix/master[7476]: warning:
> /usr/libexec/postfix/tlsmgr: bad command startup -- throttling
> May 22 14:29:06 alexfeldman postfix/tlsmgr[7490]: fatal:
> tls_prng_exch_open: cannot open PRNG exchange file
> /var/lib/postfix/prng_exch: Permission denied
>
> The directory /var/lib/postfix is owned by postfix and was set to
> permissions of 700.  I changed it to 777 but that had no effect.  I have
> looked in that directory several times and not seen anything in there.  I
> have not seen a file named prng_exch* anywhere.

Is /var/lib/postfix/prng_exch there, but owned by root so that the user postfix may
not access it? What about the directories above /var/lib/postfix? Can your
user postfix access those directories? Is your Postfix, especially the tlsmgr,
running chrooted?

> In my former configuration, there was no /var/lib/postfix directory, and
> the prng_exch file was in /etc/postfix.  Can someone tell me what might
> have happened to this file?

A design decision was made to create a $data_directory:

<http://de.postfix.org/ftpmirror/experimental/postfix-2.6-20080511.HISTORY>

20071204

        ...

        Feature: data_directory configuration parameter for
        Postfix-writable data such as caches and random numbers.
        Files: postfix-install, conf/postfix-files.


p@rick
>
> Thanks.
>
> Patrick Ben Koetter wrote:
>>
>>> Here is what I get in the logfile (maillog) when
>>>
>>>    smtpd_tls_security_level = may
>>>
>>> is in main.cf, and I try to telnet to port 25:
>>>
>>> May 21 12:22:19 XXX postfix/tlsmgr[6641]: fatal: tls_prng_exch_open:
>>> cannot open PRNG exchange file /var/lib/postfix/prng_exch: Permission
>>> denied
>>>    
>>
>> Is the user Postfix runs as allowed to access, read and write to
>> /var/lib/postfix?
>>
>> p@rick
>>


Re: TLS support

Alex Feldman-3
In reply to this post by Victor Duchovni
Ah, yes.  Thank you.

Victor Duchovni wrote:
>
> Now disable or fix the ruleset for AppArmor, SELinux, ...
>
>  

Re: TLS support

Victor Duchovni
On Thu, May 22, 2008 at 03:46:13PM -0600, Alex Feldman wrote:

> Ah, yes.  Thank you.
>
> Victor Duchovni wrote:
> >
> >Now disable or fix the ruleset for AppArmor, SELinux, ...

And as already mentioned, don't chroot tlsmgr.

--
        Viktor.
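
The diagnosis in the last three replies has a pattern worth automating: a "Permission denied" that survives chmod 777 is not a DAC problem, so the next two things to check are the chroot column for the failing service in master.cf (Patrick's question, Viktor's "don't chroot tlsmgr") and the audit log for an SELinux AVC denial carrying the same PID as the maillog "fatal" line (Viktor's first reply). The script below is an added example, not code from the thread or from Postfix. The maillog lines and the master.cf excerpt are taken from the posts above; the audit.log record is constructed for the example and its SELinux labels (postfix_master_t, var_lib_t) are illustrative, not a claim about the Fedora 9 policy.

```python
"""Triage a Postfix "Permission denied" that DAC permissions do not explain.

Added example, not code from the thread or from Postfix.  Two checks from
the replies above: is the failing daemon chrooted in master.cf, and is there
an SELinux AVC denial for the same PID as the maillog "fatal" line?
"""
import os
import re

# Taken from the post above.
MAILLOG = """\
May 22 14:28:05 alexfeldman postfix/tlsmgr[7483]: fatal: tls_prng_exch_open: cannot open PRNG exchange file /var/lib/postfix/prng_exch: Permission denied
May 22 14:28:06 alexfeldman postfix/master[7476]: warning: process /usr/libexec/postfix/tlsmgr pid 7483 exit status 1
May 22 14:28:06 alexfeldman postfix/master[7476]: warning: /usr/libexec/postfix/tlsmgr: bad command startup -- throttling
May 22 14:29:06 alexfeldman postfix/tlsmgr[7490]: fatal: tls_prng_exch_open: cannot open PRNG exchange file /var/lib/postfix/prng_exch: Permission denied
"""

# Constructed audit.log record (labels illustrative): a denial for the first
# tlsmgr PID only, on the parent directory it tried to create the file in.
AUDIT_LOG = """\
type=AVC msg=audit(1211488085.412:1192): avc:  denied  { write } for  pid=7483 comm="tlsmgr" name="postfix" dev=dm-0 ino=131082 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
"""

# Excerpt of the master.cf shown in the saslfinger output above.
MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
relay     unix  -       -       n       -       -       smtp
    -o smtp_fallback_relay=
"""

FATAL_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d+ [\d:]+) \S+ postfix/(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: "
    r"fatal: .*?(?P<path>/\S+): Permission denied$")
AVC_RE = re.compile(
    r'avc: +denied +\{ (?P<perms>[^}]+)\} for +pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)"'
    r'.*?(?:name|path)="(?P<name>[^"]+)".*?scontext=(?P<scontext>\S+) '
    r'tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')


def parse_master_cf(text, default_chroot=True):
    """Map service name -> True if it runs chrooted.

    A '-' in the chroot column means the built-in default: 'y' for
    Postfix < 3.0 (this thread runs 2.5.1), 'n' from 3.0 on."""
    services = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0].startswith(("#", "-o")):
            continue
        chroot = fields[4]
        services[fields[0]] = default_chroot if chroot == "-" else chroot.lower() == "y"
    return services


def fatal_events(maillog):
    return [m.groupdict() for m in map(FATAL_RE.match, maillog.splitlines()) if m]


def avc_denials(audit):
    return [m.groupdict() for m in map(AVC_RE.search, audit.splitlines()) if m]


def triage(maillog, audit, master_cf, default_chroot=True):
    """One finding per fatal line: chroot, MAC denial, or plain DAC to check."""
    services = parse_master_cf(master_cf, default_chroot)
    denials = avc_denials(audit)
    findings = []
    for ev in fatal_events(maillog):
        if services.get(ev["prog"]):
            findings.append("pid %s: %s runs chrooted in master.cf, so %s is looked up inside "
                            "the chroot; run it unchrooted" % (ev["pid"], ev["prog"], ev["path"]))
            continue
        hits = [d for d in denials if d["pid"] == ev["pid"]]
        for d in hits:
            findings.append(
                "pid %s: SELinux denied { %s } on %s %r for comm=%s (%s -> %s); chmod cannot fix "
                "this. Check labels with 'ls -Z', relabel with 'restorecon -Rv %s', or fix the policy"
                % (d["pid"], d["perms"].strip(), d["tclass"], d["name"], d["comm"],
                   d["scontext"], d["tcontext"], os.path.dirname(ev["path"])))
        if not hits:
            findings.append("pid %s: no AVC denial for this pid; check DAC ownership and mode of %s "
                            "and every parent directory as the postfix user" % (ev["pid"], ev["path"]))
    return findings


if __name__ == "__main__":
    for finding in triage(MAILLOG, AUDIT_LOG, MASTER_CF):
        print(finding)
```

The PID join is the useful part: master logs the PID of every child it reaps, tlsmgr logs it in its own fatal line, and the kernel puts the same PID in the AVC record, so a single grep-by-PID across the two logs settles whether the "Permission denied" came from file modes or from the MAC policy before anyone touches chmod.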
