Postfix starttls failing

SYSTEM INFORMATION
OS type and version: CentOS Linux 7.9.2009
Webmin version: 1.994
Virtualmin version: 7.1
Related packages: SUGGESTED

Updated Postfix to 3.7.2 and copied a CA cert to Postfix, but I'm getting the following error (TLS failing):

[000.337] --> STARTTLS
[000.411] <-- 454 4.7.0 TLS not available due to local problem
[000.411] STARTTLS command rejected

I think I may be missing something in /etc/postfix/main.cf. This is the default:

readme_directory = /usr/share/doc/postfix3-3.7.2/README_FILES
shlib_directory = /usr/lib/postfix
meta_directory = /etc/postfix
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
sender_dependent_default_transport_maps = hash:/etc/postfix/dependent
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtp_tls_security_level = may
mailbox_size_limit = 0
allow_percent_hack = no
tls_server_sni_maps = hash:/etc/postfix/sni_map

I've tried adding:
smtpd_use_tls = yes
smtp_use_tls = yes

and changing smtp_tls_security_level = may to smtp_tls_security_level = encrypt, but that doesn't seem to solve the issue. Has anyone resolved this?

It’s missing the paths to the certs. That much I can tell by looking at it. But Postfix is not my strongest skill, so let someone smarter than me confirm that and help you fix it.

Richard

I have these in TLS CONFIGURATION:

smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
smtp_tls_CApath = /etc/pki/tls/certs
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

As I said, I’m no Postfix expert. I just copied those from my working main.cf

Richard

I did find this guide (Fix Email sending Error 454 4.7.0 TLS not available due to local problem) which suggests you have to create a new folder first. Did you have to add those lines to your configuration or were they already there?

They were already there, presumably created either by default or by Virtualmin.

Postfix itself was installed by Virtualmin, presumably from the Rocky Linux repo, and I haven’t touched it. When I have in the past it’s typically led to all-nighters fixing the stuff I broke; so I pretty much leave it alone nowadays as long as it’s working.

Personally, I would back up main.cf, make sure the cert files are where Postfix / Virtualmin expect them to be, add the entries, restart Postfix, and see what happens.

I’m not saying that’s the right thing to do. It’s just what I’d try next being a relative neophyte when it comes to Postfix. If someone with more expertise chimes in, ignore everything I’ve said.

Richard

Thanks for this. It looks like the SSL files are in the pki directory. Would you mind posting your /etc/postfix/main.cf so I can see if there are any other parameters I'm missing or that need changing? I'm just wondering if I need all of the lines listed here:

smtpd_tls_CAfile = /etc/postfix/tls/smtpd.pem
smtpd_tls_cert_file = /etc/postfix/tls/smtpd.pem
smtpd_tls_key_file = /etc/postfix/tls/smtpd.pem
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/postfix/tls/smtpd.pem
smtp_tls_cert_file = /etc/postfix/tls/smtpd.pem
smtp_tls_key_file = /etc/postfix/tls/smtpd.pem
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtp_use_tls = yes
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_loglevel = 1
tls_random_source = dev:/dev/urandom

Here, for those, they are symlinks to

/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

on Alma x, and there is no TLS dir in Postfix on my Virtualmin 6.x.

postfix.ca.pem is in /etc/postfix/.

So take care, as other versions have other configs/settings!

Probably too much to paste with the annotations. Let’s try a PDF in a ZIP.

main.cf.pdf.zip (50.4 KB)

Here's a .txt in a ZIP. Doing too many things at once. I should have sent it that way in the first place.

main.cf.txt.zip (9.7 KB)

Also, are the DNS entries correct, particularly as regarding mail.example.tld? The cert also needs to include that.

DNS is correct. The latest version of Postfix supports SNI, so I should be able to use mail.domain.tld for all my domains/servers.

Using File Manager and looking at /etc/pki/tls/certs, there is no postfix.pem, and there is no postfix.key in private. There are ca-bundle.crt and ca-bundle.trust.crt in /etc/pki/tls/certs.
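The thread ends exactly where Richard's first reply pointed: smtpd_tls_cert_file and smtpd_tls_key_file name files that are not there, so smtpd has nothing to load and answers 454 4.7.0 to every STARTTLS. The script below is an added example, not code from this thread or from Postfix/Virtualmin: it reads the smtpd TLS parameters out of a main.cf, checks that the cert and key files exist, are readable, contain PEM blocks and are not world-readable, and, when the openssl binary is present, confirms the key actually belongs to the certificate. The function names, the throwaway test key pair and the minimal constructed main.cf are this example's own; the parameter names are Postfix's. It does not expand ${...} variables in values the way postconf does, so check `postconf -n` first if your paths use them.

```shell
#!/bin/sh
# Added example (not from the thread): a small checker for the smtpd side of
# the configuration discussed above. Postfix answers "454 4.7.0 TLS not
# available due to local problem" when smtpd is told to offer STARTTLS
# (smtpd_tls_security_level = may) but cannot load its certificate/key pair.
# Function names, the constructed main.cf and the test key pair are this
# example's own; the parameter names are Postfix's.

# Read one parameter from a main.cf-style file; like postconf, the last
# definition wins. $1 = main.cf path, $2 = parameter name.
cf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Return 0 if smtpd_tls_cert_file / smtpd_tls_key_file point at readable PEM
# files (and, when openssl is installed, the key matches the certificate).
check_postfix_tls_cfg() {
    cf="$1"
    [ -r "$cf" ] || { echo "FAIL: cannot read $cf"; return 2; }
    cert=$(cf_get "$cf" smtpd_tls_cert_file)
    key=$(cf_get "$cf" smtpd_tls_key_file)
    level=$(cf_get "$cf" smtpd_tls_security_level)
    [ -n "$level" ] || echo "NOTE: smtpd_tls_security_level unset, so STARTTLS is not offered at all"
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "FAIL: smtpd_tls_cert_file / smtpd_tls_key_file not set: smtpd has no cert to offer"
        return 1
    fi
    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "FAIL: $f is missing or unreadable (the usual cause of 454 4.7.0)"; return 1; }
    done
    grep -q 'BEGIN CERTIFICATE' "$cert" || { echo "FAIL: no PEM certificate in $cert"; return 1; }
    grep -q 'PRIVATE KEY' "$key" || { echo "FAIL: no PEM private key in $key"; return 1; }
    # The private key must not be readable by other users.
    case $(ls -l "$key" | cut -c8-10) in
        ---) ;;
        *) echo "WARN: $key is readable by group/others" ;;
    esac
    if command -v openssl >/dev/null 2>&1; then
        cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
            || { echo "FAIL: openssl cannot parse $cert"; return 1; }
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
            || { echo "FAIL: openssl cannot parse $key"; return 1; }
        [ "$cert_pub" = "$key_pub" ] \
            || { echo "FAIL: $key does not match $cert"; return 1; }
        echo "OK: $cert and $key load and match"
    else
        echo "OK: files present and PEM-formatted (openssl not found, key/cert match not verified)"
    fi
    return 0
}

# Test helper: write a throwaway self-signed pair $1.crt / $1.key (constructed,
# via openssl when available; otherwise placeholder PEM files with the right
# markers, which is enough for the file checks above).
make_test_pair() {
    if command -v openssl >/dev/null 2>&1 \
        && openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=mail.example.test" -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1 \
        && [ -s "$1.key" ]; then
        :
    else
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-NOT-A-REAL-CERT' '-----END CERTIFICATE-----' > "$1.crt"
        printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-NOT-A-REAL-KEY' '-----END PRIVATE KEY-----' > "$1.key"
    fi
    chmod 600 "$1.key"
}

# Test helper: a minimal constructed main.cf with the three parameters that matter here.
write_main_cf() {
    {
        echo "smtpd_tls_security_level = may"
        echo "smtpd_tls_cert_file = $2"
        echo "smtpd_tls_key_file = $3"
    } > "$1"
}

# Demo on constructed files; on a real host run: check_postfix_tls_cfg /etc/postfix/main.cf
demo=$(mktemp -d)
make_test_pair "$demo/postfix"
write_main_cf "$demo/main.cf" "$demo/postfix.crt" "$demo/postfix.key"
check_postfix_tls_cfg "$demo/main.cf"
# Same check with the paths from this thread, which the last post found absent:
write_main_cf "$demo/broken.cf" "/etc/pki/tls/certs/postfix.pem" "/etc/pki/tls/private/postfix.key"
check_postfix_tls_cfg "$demo/broken.cf"
rm -rf "$demo"
```

Once the checker reports OK, `postfix reload` and a STARTTLS test from a client (or `openssl s_client -starttls smtp -connect mail.example.tld:25`) should show a 220 reply instead of 454; if not, `smtpd_tls_loglevel = 1` makes smtpd log which file it could not load.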

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.