Centos 7 STARTTLS fails local problem
Hello, I think I've reached a dead end. I don't know what to try now, so any help would be much appreciated.
I'm setting up a Postfix server on a local development machine. Postfix will accept AUTH PLAIN and will deliver local mail. Now I'm trying to add TLS. I get no error messages in maillog when I connect using Telnet, and Postfix advertises STARTTLS after the EHLO command. But when I try to issue a STARTTLS command I get the message:
454 4.7.0 TLS not available due to local problem.
The modulus of the private key matches the modulus of the certificate. The certificate comes from Comodo (free version).
- Posts: 2019
- Joined: 2015/02/17 15:14:33
- Location: Bulgaria
Re: Centos 7 STARTTLS fails local problem
Any error messages in the logs/journal ?
If I have understood you right, you are setting up a mail relay server with STARTTLS. If so, you can check the following example.
Re: Centos 7 STARTTLS fails local problem
Thanks. No, nothing in the logs. I'd checked that. Turns out that a self-signed certificate works, so it has to be something wrong with the way I assembled the pem file from the Comodo certificate.
Re: Centos 7 STARTTLS fails local problem
How did you do it ?
Re: Centos 7 STARTTLS fails local problem
cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > spillthebeans_org.pem
Re: Centos 7 STARTTLS fails local problem
I think you have done it correctly, thus check the following guide and try again.
Re: Centos 7 STARTTLS fails local problem
Which one of those 3 crt files is your cert?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
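The question above ("which one of those 3 crt files is your cert?") is the crux: the PEM handed to smtpd_tls_cert_file must begin with the server's own certificate, followed by the intermediate(s) that signed it, and the private key must match that first certificate. The script below is an added example, not code from the thread or from Postfix; it generates a throwaway root -> intermediate -> leaf chain inline so it runs offline (the names Test Root, Test Intermediate, mail.example.test and the temporary directory are assumptions), assembles a PEM the way the original post did (intermediates and root only) and the correct way, and checks each with the two tests that matter: does the key match the first certificate, and does the first certificate verify up to the root using the rest of the file as untrusted intermediates. The second check goes slightly beyond the thread, which only compared moduli.

```shell
#!/bin/sh
# Added example: assemble and sanity-check the PEM Postfix reads for TLS.
# A toy CA chain is generated in a temp dir so everything runs offline.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build root -> intermediate -> leaf. The CAs get CA:TRUE and keyCertSign so
# "openssl verify" accepts them as issuers; the leaf is a plain server cert.
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > "$WORK/leaf.ext"
  openssl genrsa -out "$WORK/root.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/root.key" -subj "/CN=Test Root" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -set_serial 1 -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
  openssl genrsa -out "$WORK/int.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/int.key" -subj "/CN=Test Intermediate" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -set_serial 2 \
    -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null
  openssl genrsa -out "$WORK/leaf.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/leaf.key" -subj "/CN=mail.example.test" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" -set_serial 3 \
    -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
}

# assemble_pem out.pem cert1.crt cert2.crt ...  Order is the whole point:
# server certificate first, then the CA that signed it, then its issuer.
assemble_pem() {
  out=$1; shift
  cat "$@" > "$out"
}

# key_matches_pem key.pem chain.pem: does the key belong to the FIRST cert
# in the PEM? "openssl x509" only reads the first certificate in a file, so
# comparing moduli against the bare server cert instead of the assembled
# PEM can pass while Postfix still fails.
key_matches_pem() {
  kmod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null || true)
  cmod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null || true)
  [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# chain_verifies chain.pem root.crt: verify the first cert up to the root,
# using the remaining certs in the file as untrusted intermediates, the way
# a connecting client would.
chain_verifies() {
  : > "$WORK/first.pem"; : > "$WORK/rest.pem"
  awk -v first="$WORK/first.pem" -v rest="$WORK/rest.pem" \
    '/-----BEGIN CERTIFICATE-----/ {n++} n==1 {print > first} n>1 {print > rest}' "$1"
  if [ -s "$WORK/rest.pem" ]; then
    openssl verify -CAfile "$2" -untrusted "$WORK/rest.pem" "$WORK/first.pem" 2>/dev/null | grep -q ': OK'
  else
    openssl verify -CAfile "$2" "$WORK/first.pem" 2>/dev/null | grep -q ': OK'
  fi
}

# list_chain chain.pem: print subject/issuer of every cert in file order.
# The first subject printed should be the mail server's own name.
list_chain() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

make_chain
# What the original post did: issuing CAs only, the server cert left out.
assemble_pem "$WORK/wrong.pem" "$WORK/int.crt" "$WORK/root.crt"
# Correct order for smtpd_tls_cert_file.
assemble_pem "$WORK/right.pem" "$WORK/leaf.crt" "$WORK/int.crt" "$WORK/root.crt"

# Note that wrong.pem still "verifies" (the intermediate chains to the root);
# only the key check exposes that the server certificate is missing.
for f in wrong.pem right.pem; do
  if key_matches_pem "$WORK/leaf.key" "$WORK/$f" && chain_verifies "$WORK/$f" "$WORK/root.crt"; then
    echo "$f: key matches first cert and chain verifies"
  else
    echo "$f: NOT usable as smtpd_tls_cert_file"
  fi
  list_chain "$WORK/$f" | grep '^subject'
done
```

Run the same three functions against the real files (the Comodo server cert, the two intermediates, and the key) before restarting Postfix; the modulus comparison against the assembled PEM, not the bare .crt, is the one that would have caught the missing first certificate.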
Re: Centos 7 STARTTLS fails local problem
You can test the certificate chain with openssl and see on which certificate it chokes:
openssl s_client -connect yourhost.yourdomain.tld:25 -starttls smtp
Re: Centos 7 STARTTLS fails local problem
Thanks for the suggestions. I've used openssl to test the connection to https using port 443 and to smtp on port 25. Here's a summary of the results:
sudo openssl s_client -connect localhost:443 -servername spillthebeans.org - Succeeds, shows the correct certificate chain. https access also works.
sudo openssl s_client -connect localhost:25 -starttls smtp -servername spillthebeans.org - Fails: no peer certificate available.
Postfix main.cf is specifying the same certificate and key files as ssl.conf.
Here's what I see in maillog after trying to connect with openssl:
Sep 16 10:27:23 euphrosyne postfix/smtpd[23536]: connect from localhost[127.0.0.1]
Sep 16 10:27:23 euphrosyne postfix/smtpd[23536]: lost connection after UNKNOWN from localhost[127.0.0.1]
If I substitute a self-signed certificate, then the following command succeeds, with a warning that the certificate is self-signed.
sudo openssl s_client -connect localhost:25 -starttls smtp -servername spillthebeans.org
Re: Centos 7 STARTTLS fails local problem
According to your output of postconf -n you are using in your main.cf smtpd_use_tls = yes. This is a deprecated directive. You should use smtpd_tls_security_level instead and set it to "may" or "encrypt".
Consider also disabling the insecure SSL versions and setting:
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
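As an added example, not part of the thread, here is a main.cf TLS stanza that applies the advice above (smtpd_tls_security_level in place of the deprecated smtpd_use_tls, SSLv2 and SSLv3 disabled) together with the certificate settings the rest of the thread turns on. The file paths are assumptions based on the usual CentOS 7 layout; the hostname is the one from the thread.

```ini
# /etc/postfix/main.cf  (paths below are assumed for this example)

# Deprecated: smtpd_use_tls = yes
# "may" offers STARTTLS opportunistically and is the right value for port 25,
# where remote MTAs may not support TLS; "encrypt" refuses plaintext and
# belongs on a submission port instead.
smtpd_tls_security_level = may

# Server certificate FIRST, then the intermediate(s) that signed it.
# smtpd_tls_key_file defaults to $smtpd_tls_cert_file, so the key may also
# live in the same file; either way it must match the first certificate.
smtpd_tls_cert_file = /etc/pki/tls/certs/spillthebeans_org.pem
smtpd_tls_key_file  = /etc/pki/tls/private/spillthebeans_org.key

# Drop the broken SSL versions for both opportunistic and mandatory TLS.
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

# Level 1 logs a one-line summary per TLS handshake, enough to see STARTTLS
# attempts in maillog; levels 2 and above dump the handshake and are for
# debugging only.
smtpd_tls_loglevel = 1
```

After editing, `postconf -n | grep '^smtpd_tls'` shows the values Postfix actually sees (the same output the reply above was reading), and `postfix reload` makes them take effect.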