
Centos 7 STARTTLS fails local problem

Posted: 2017/09/13 20:12:30
by flotsam
Hello, I think I've reached a dead end. I don't know what to try now, so any help would be much appreciated.

I'm setting up a Postfix server on a local development machine. Postfix will accept AUTH PLAIN and will deliver local mail. Now I'm trying to add TLS. I get no error messages in maillog when I connect using Telnet, and Postfix advertises STARTTLS after the EHLO command. But when I try to issue a STARTTLS command I get the message:

454 4.7.0 TLS not available due to local problem.

The modulus of the private key matches the modulus of the certificate. The certificate comes from Comodo (free version).

Attachment: tlsproblem.txt

Re: Centos 7 STARTTLS fails local problem

Posted: 2017/09/14 05:39:29
by hunter86_bg
Any error messages in the logs/journal ?
If I have understood you right, you are setting up a mail relay server with STARTTLS. If so, you can check the following example.

Re: Centos 7 STARTTLS fails local problem

Posted: 2017/09/14 10:40:32
by flotsam
Thanks. No, nothing in the logs. I'd checked that. Turns out that a self-signed certificate works, so it has to be something wrong with the way I assembled the pem file from the Comodo certificate.

Re: Centos 7 STARTTLS fails local problem

Posted: 2017/09/15 05:39:23
by hunter86_bg
How did you do it ?

Re: Centos 7 STARTTLS fails local problem

Posted: 2017/09/15 15:00:54
by flotsam
cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > spillthebeans_org.pem

Re: Centos 7 STARTTLS fails local problem

Posted: 2017/09/15 22:43:31
by hunter86_bg
I think you have done it correctly, thus check the following guide and try again.

Re: Centos 7 STARTTLS fails local problem

Posted: 2017/09/15 23:12:08
by TrevorH
Which one of those 3 crt files is your cert?

Re: Centos 7 STARTTLS fails local problem

Posted: 2017/09/16 11:53:08
by pjsr2
You can test the certificate chain with openssl and see on which certificate it chokes:

openssl s_client -connect yourhost.yourdomain.tld:25 -starttls smtp

Re: Centos 7 STARTTLS fails local problem

Posted: 2017/09/16 14:41:20
by flotsam
Thanks for the suggestions. I've used openssl to test the connection to https using port 443 and to smtp on port 25. Here's a summary of the results:

sudo openssl s_client -connect localhost:443 -servername spillthebeans.org - Succeeds, shows the correct certificate chain. https access also works.

sudo openssl s_client -connect localhost:25 -starttls smtp -servername spillthebeans.org - Fails: no peer certificate available.

Postfix main.cf is specifying the same certificate and key files as ssl.conf.

Here's what I see in maillog after trying to connect with openssl:

Sep 16 10:27:23 euphrosyne postfix/smtpd[23536]: connect from localhost[127.0.0.1]
Sep 16 10:27:23 euphrosyne postfix/smtpd[23536]: lost connection after UNKNOWN from localhost[127.0.0.1]

If I substitute a self-signed certificate, then the following command succeeds, with a warning that the certificate is self-signed.

sudo openssl s_client -connect localhost:25 -starttls smtp -servername spillthebeans.org
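pjsr2's s_client test and the "no peer certificate available" result above both probe the running server. The same question (does the PEM file Postfix is given actually start with the server's own certificate, followed by its issuers in order?) can be answered offline, before Postfix loads the file. The script below is an added example written for this page, not code from the thread or from Postfix, and it assumes only that the openssl command-line tool is on PATH; every file name in it is a demo assumption. It splits a bundle into its certificates, checks that the first one belongs to the private key, and checks that each certificate is issued by the one after it. It also builds a constructed throwaway root/intermediate/server PKI so it can be run as is, and compares a correct bundle against one that, like the cat line earlier in the thread, contains only CA certificates.

```shell
#!/bin/sh
# Added example, not code from the thread: check a Postfix smtpd_tls_cert_file
# and smtpd_tls_key_file pair offline, before Postfix ever tries to load it.
# Assumes only that the openssl command-line tool is in PATH. All file names
# are demo assumptions.
set -u

# split_pem BUNDLE DIR: write each certificate in BUNDLE to DIR/certNN.pem
# (in file order) and print the number of certificates found.
split_pem() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/  { inside = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# check_chain BUNDLE KEY: return 0 when the first certificate in BUNDLE is the
# one KEY belongs to and every certificate is issued by the one after it
# (server cert, intermediate(s), root), the order OpenSSL, and therefore
# Postfix, expects in smtpd_tls_cert_file. Otherwise name the offending
# certificate and return 1.
check_chain() {
    bundle=$1; key=$2
    dir=$(mktemp -d) || return 1
    count=$(split_pem "$bundle" "$dir")
    status=0
    if [ "$count" -eq 0 ]; then
        echo "$bundle: no certificates found"
        status=1
    else
        # Same SubjectPublicKeyInfo => this certificate was issued for KEY.
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
        cert_pub=$(openssl x509 -in "$dir/cert01.pem" -noout -pubkey 2>/dev/null || true)
        if [ -z "$key_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
            echo "$bundle: first certificate does not belong to $key:"
            openssl x509 -in "$dir/cert01.pem" -noout -subject | sed 's/^/  /'
            status=1
        fi
        # Issuer name hash of certificate N must equal subject hash of N+1.
        i=1
        while [ "$i" -lt "$count" ]; do
            cur=$(printf '%s/cert%02d.pem' "$dir" "$i")
            nxt=$(printf '%s/cert%02d.pem' "$dir" "$((i + 1))")
            if [ "$(openssl x509 -in "$cur" -noout -issuer_hash)" != \
                 "$(openssl x509 -in "$nxt" -noout -subject_hash)" ]; then
                echo "$bundle: certificate $i is not issued by certificate $((i + 1)):"
                openssl x509 -in "$cur" -noout -issuer  | sed 's/^/  /'
                openssl x509 -in "$nxt" -noout -subject | sed 's/^/  /'
                status=1
            fi
            i=$((i + 1))
        done
    fi
    rm -rf "$dir"
    return "$status"
}

# make_test_pki DIR: constructed throwaway PKI (root -> intermediate -> server)
# so the check can be exercised without a real CA. Not a real Comodo chain.
make_test_pki() {
    d=$1; mkdir -p "$d"
    printf 'basicConstraints=CA:TRUE\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Root CA' \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=mail.example.test' \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/server.pem" 2>/dev/null
}

# Demo: a correctly assembled bundle, a bundle holding only CA certificates
# (what a cat of three *CA*.crt files produces), and one in reverse order.
demo() {
    w=$(mktemp -d)
    make_test_pki "$w"
    cat "$w/server.pem" "$w/int.pem" "$w/root.pem" > "$w/good.pem"
    cat "$w/int.pem" "$w/root.pem"                 > "$w/ca-only.pem"
    cat "$w/root.pem" "$w/int.pem" "$w/server.pem" > "$w/reversed.pem"
    for f in good ca-only reversed; do
        if check_chain "$w/$f.pem" "$w/server.key"; then echo "$f.pem: OK"; fi
    done
    rm -rf "$w"
}

demo
```

To use it against a real installation, call check_chain with the two paths from postconf -n (smtpd_tls_cert_file and smtpd_tls_key_file) instead of running the demo. The key comparison is deliberately made against the first certificate of the assembled bundle rather than against the certificate file on its own, because that first entry is what OpenSSL pairs with the key when Postfix loads the file; a bundle that starts with an intermediate CA certificate fails at that step no matter how good the server certificate is. The ordering check compares issuer and subject names only; for a signature-level check of a bundle whose last entry is a self-signed root, openssl verify with the root as -CAfile and the bundle as -untrusted can be run on the first certificate afterwards.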

Re: Centos 7 STARTTLS fails local problem

Posted: 2017/09/17 13:33:35
by pjsr2
According to your output of postconf -n you are using in your main.cf smtpd_use_tls = yes. This is a deprecated directive. You should use smtpd_tls_security_level instead and set it to "may" or "encrypt".

Consider also disabling the insecure SSL versions by setting:
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3