Centos 7 STARTTLS fails local problem

Issues related to applications and software problems
flotsam
Posts: 5
Joined: 2014/08/27 21:41:40

Centos 7 STARTTLS fails local problem

Postby flotsam » 2017/09/13 20:12:30

Hello, I think I've reached a dead end. I don't know what to try now, so any help would be much appreciated.

I'm setting up a Postfix server on a local development machine. Postfix will accept AUTH PLAIN and will deliver local mail. Now I'm trying to add TLS. I get no error messages in maillog when I connect using Telnet, and Postfix advertises STARTTLS after the EHLO command. But when I try to issue a STARTTLS command I get the message:

454 4.7.0 TLS not available due to local problem.

The modulus of the private key matches the modulus of the certificate. The certificate comes from Comodo (free version).

Attachment: tlsproblem.txt

hunter86_bg
Posts: 760
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Centos 7 STARTTLS fails local problem

Postby hunter86_bg » 2017/09/14 05:39:29

Any error messages in the logs/journal ?
If I have understood you right, you are setting up a mail relay server with STARTTLS. If so, you can check the following example.

flotsam
Posts: 5
Joined: 2014/08/27 21:41:40

Re: Centos 7 STARTTLS fails local problem

Postby flotsam » 2017/09/14 10:40:32

Thanks. No, nothing in the logs. I'd checked that. Turns out that a self-signed certificate works, so it has to be something wrong with the way I assembled the pem file from the Comodo certificate.

hunter86_bg
Posts: 760
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Centos 7 STARTTLS fails local problem

Postby hunter86_bg » 2017/09/15 05:39:23

How did you do it ?

flotsam
Posts: 5
Joined: 2014/08/27 21:41:40

Re: Centos 7 STARTTLS fails local problem

Postby flotsam » 2017/09/15 15:00:54

cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > spillthebeans_org.pem

hunter86_bg
Posts: 760
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Centos 7 STARTTLS fails local problem

Postby hunter86_bg » 2017/09/15 22:43:31

I think you have done it correctly, thus check the following guide and try again.

TrevorH
Forum Moderator
Posts: 20996
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Centos 7 STARTTLS fails local problem

Postby TrevorH » 2017/09/15 23:12:08

Which one of those 3 crt files is your cert?
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

pjsr2
Posts: 168
Joined: 2014/03/27 20:11:07

Re: Centos 7 STARTTLS fails local problem

Postby pjsr2 » 2017/09/16 11:53:08

You can test the certificate chain with openssl and see on which certificate it chokes:


openssl s_client -connect yourhost.yourdomain.tld:25 -starttls smtp
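The two things TrevorH and pjsr2 are getting at can be checked offline before touching s_client. Postfix presents the first certificate in smtpd_tls_cert_file as the server certificate, so the private key has to match that first certificate (not just "the certificate" somewhere on disk), and every following certificate in the file should be the issuer of the one before it. The script below is an added example, not code from this thread; it assumes openssl(1) is installed and takes the bundle and key paths as arguments (for example the spillthebeans_org.pem file and its key). The key is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example: sanity-check a Postfix smtpd_tls_cert_file bundle against its key.
# Assumes openssl(1) is on PATH. Usage: sh check_tls_files.sh BUNDLE.pem KEY.key
set -u

# Split a PEM bundle into cert-01.pem, cert-02.pem, ... inside directory $2.
# Prints the number of certificates found (0 if the file holds none).
split_pem_bundle() {
    bundle=$1; outdir=$2
    awk -v d="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", d, n) }
        n > 0 { print > f }
        /-----END CERTIFICATE-----/ { close(f) }
    ' "$bundle"
    ls "$outdir"/cert-*.pem 2>/dev/null | wc -l | tr -d ' '
}

# Return 0 when the FIRST certificate in $1 carries the public key of private key $2.
# Comparing public keys (not the RSA modulus) also works for EC keys.
# A bundle made only of CA certificates, as in the cat command above, fails here.
first_cert_matches_key() {
    bundle=$1; key=$2
    d=$(mktemp -d) || return 2
    split_pem_bundle "$bundle" "$d" >/dev/null
    [ -f "$d/cert-01.pem" ] || { rm -rf "$d"; return 1; }
    cert_pub=$(openssl x509 -noout -pubkey -in "$d/cert-01.pem" 2>/dev/null)
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null)
    rm -rf "$d"
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when certificate i is issued by certificate i+1 for every i:
# leaf first, then intermediates, root last (or omitted).
chain_is_ordered() {
    bundle=$1
    d=$(mktemp -d) || return 2
    n=$(split_pem_bundle "$bundle" "$d")
    [ "$n" -ge 1 ] || { rm -rf "$d"; return 1; }
    rc=0; i=1
    while [ "$i" -lt "$n" ]; do
        j=$((i + 1))
        cur=$d/$(printf 'cert-%02d.pem' "$i")
        nxt=$d/$(printf 'cert-%02d.pem' "$j")
        issuer=$(openssl x509 -noout -issuer -in "$cur" | sed 's/^issuer=//')
        subject=$(openssl x509 -noout -subject -in "$nxt" | sed 's/^subject=//')
        [ "$issuer" = "$subject" ] || { rc=1; break; }
        i=$j
    done
    rm -rf "$d"
    return $rc
}

# Command-line entry point; skipped when the file is only sourced for its functions.
if [ $# -eq 2 ]; then
    if first_cert_matches_key "$1" "$2"; then
        echo "ok: first certificate in $1 matches key $2"
    else
        echo "FAIL: first certificate in $1 does not match key $2 (is the server cert missing or not first?)"
    fi
    if chain_is_ordered "$1"; then
        echo "ok: certificates in $1 are in leaf-to-root order"
    else
        echo "FAIL: certificates in $1 are not in leaf-to-root order"
    fi
fi
```

Once both checks pass, pjsr2's `openssl s_client -connect yourhost.yourdomain.tld:25 -starttls smtp` is the end-to-end confirmation; when they fail, Postfix typically refuses to start TLS on the connection, which is exactly the "TLS not available due to local problem" reply.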

flotsam
Posts: 5
Joined: 2014/08/27 21:41:40

Re: Centos 7 STARTTLS fails local problem

Postby flotsam » 2017/09/16 14:41:20

Thanks for the suggestions. I've used openssl to test the connection to https using port 443 and to smtp on port 25. Here's a summary of the results:

sudo openssl s_client -connect localhost:443 -servername spillthebeans.org - Succeeds, shows the correct certificate chain. https access also works.

sudo openssl s_client -connect localhost:25 -starttls smtp -servername spillthebeans.org - Fails: no peer certificate available.

Postfix main.cf is specifying the same certificate and key files as ssl.conf.

Here's what I see in maillog after trying to connect with openssl:

Sep 16 10:27:23 euphrosyne postfix/smtpd[23536]: connect from localhost[127.0.0.1]
Sep 16 10:27:23 euphrosyne postfix/smtpd[23536]: lost connection after UNKNOWN from localhost[127.0.0.1]

If I substitute a self-signed certificate, then the following command succeeds, with a warning that the certificate is self-signed.

sudo openssl s_client -connect localhost:25 -starttls smtp -servername spillthebeans.org

pjsr2
Posts: 168
Joined: 2014/03/27 20:11:07

Re: Centos 7 STARTTLS fails local problem

Postby pjsr2 » 2017/09/17 13:33:35

According to your postconf -n output, you are using smtpd_use_tls = yes in your main.cf. This is a deprecated directive. You should use smtpd_tls_security_level instead and set it to "may" or "encrypt".

Consider also disabling the insecure SSL versions and set:
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
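The deprecated setting and the corrected one side by side, as an added shell audit that reads saved postconf -n output and reports the points pjsr2 raises (example code, not from this thread; both main.cf samples inside it are constructed, and the check looks only for the "!SSLv2, !SSLv3" form recommended above, not the ">=TLSv1.2" syntax of newer Postfix releases):

```shell
#!/bin/sh
# Added example: audit `postconf -n` output for the TLS settings discussed above.
# Usage: postconf -n > /tmp/postconf.txt; sh audit_postconf.sh /tmp/postconf.txt
set -u

# Print one finding per line for the postconf -n dump in $1; return 0 when clean.
audit_postconf() {
    f=$1; findings=0
    # smtpd_use_tls is the deprecated switch; smtpd_tls_security_level replaces it.
    if grep -q '^smtpd_use_tls[[:space:]]*=' "$f"; then
        echo "smtpd_use_tls is deprecated; use smtpd_tls_security_level instead"
        findings=$((findings + 1))
    fi
    level=$(sed -n 's/^smtpd_tls_security_level[[:space:]]*=[[:space:]]*//p' "$f")
    case "$level" in
        may|encrypt) ;;
        *) echo "smtpd_tls_security_level is '${level:-unset}'; set it to may or encrypt"
           findings=$((findings + 1)) ;;
    esac
    # Both protocol lists should exclude SSLv2 and SSLv3.
    for p in smtpd_tls_mandatory_protocols smtpd_tls_protocols; do
        v=$(sed -n "s/^$p[[:space:]]*=[[:space:]]*//p" "$f")
        case "$v" in
            *'!SSLv2'*'!SSLv3'*|*'!SSLv3'*'!SSLv2'*) ;;
            *) echo "$p does not exclude SSLv2/SSLv3 (value: '${v:-unset}')"
               findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed samples: weak.cf mirrors the configuration described in the thread,
# fixed.cf applies the recommendations. Writes both into directory $1.
write_samples() {
    cat > "$1/weak.cf" <<'EOF'
inet_interfaces = all
smtpd_tls_cert_file = /etc/postfix/ssl/spillthebeans_org.pem
smtpd_tls_key_file = /etc/postfix/ssl/spillthebeans_org.key
smtpd_use_tls = yes
EOF
    cat > "$1/fixed.cf" <<'EOF'
inet_interfaces = all
smtpd_tls_cert_file = /etc/postfix/ssl/spillthebeans_org.pem
smtpd_tls_key_file = /etc/postfix/ssl/spillthebeans_org.key
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
EOF
}

# Audit a real dump when a path is given; otherwise demonstrate on the samples.
if [ $# -eq 1 ]; then
    audit_postconf "$1" && echo "no findings"
elif [ $# -eq 0 ] && [ -z "${AUDIT_NO_DEMO:-}" ]; then
    D=$(mktemp -d); write_samples "$D"
    echo "== weak.cf =="; audit_postconf "$D/weak.cf" || true
    echo "== fixed.cf =="; audit_postconf "$D/fixed.cf" && echo "no findings"
    rm -rf "$D"
fi
```

Changing the value with `postconf -e 'smtpd_tls_security_level = may'` and reloading Postfix is the usual way to apply the fix; re-running the audit on a fresh `postconf -n` dump confirms it took.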