Postfix starttls failing

OS type and version CentOS Linux 7.9.2009
Webmin version 1.994
Virtualmin version 7.1
Related packages SUGGESTED

Updated postfix to 3.7.2 & copied a CA cert to postfix but getting the following error (TLS failing)

[000.337] ‑‑> STARTTLS
[000.411] <‑‑ 454 4.7.0 TLS not available due to local problem
[000.411] STARTTLS command rejected

Think I may be missing something in etc/postfix/ - this is the default

readme_directory = /usr/share/doc/postfix3-3.7.2/README_FILES
shlib_directory = /usr/lib/postfix
meta_directory = /etc/postfix
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
sender_dependent_default_transport_maps = hash:/etc/postfix/dependent
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtp_tls_security_level = may
mailbox_size_limit = 0
allow_percent_hack = no
tls_server_sni_maps = hash:/etc/postfix/sni_map

Ive tried adding:
smtpd_use_tls = yes
smtp_use_tls = yes

and changing smtp_tls_security_level = may to smtp_tls_security_level = encrypt but doesnt seem to solve the issue. Has anyone resolved this?

It’s missing the paths to the certs. That much I can tell by looking at it. But Postfix is not my strongest skill, so let someone smarter than me confirm that and help you fix it.


I have these in TLS CONFIGURATION:

smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
smtp_tls_CApath = /etc/pki/tls/certs
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

As I said, I’m no Postfix expert. I just copied those from my working


I did find this guide (Fix Email sending Error 454 4.7.0 TLS not available due to local problem) which suggests you have to create a new folder first. Did you have to add those lines to your configuration or were they already there?

They were already there, presumably created either by default or by Virtualmin.

Postfix itself was installed by Virtualmin, presumably from the Rocky Linux repo, and I haven’t touched it. When I have in the past it’s typically led to all-nighters fixing the stuff I broke; so I pretty much leave it alone nowadays as long as it’s working.

Personally, I would back up, make sure the cert files are where Postfix / Virtualmin expect them to be, add the entries, restart Postfix, and see what happens.

I’m not saying that’s the right thing to do. It’s just what I’d try next being a relative neophyte when it comes to Postfix. If someone with more expertise chimes in, ignore everything I’ve said.


Thanks for this - it looks like the SSL files are in the pki directory. Would you mind posting your etc/postfix/ so i can see if there are any other parameters im missing/need changing. I’m just wondering if i need all of the lines listed here:

smtpd_tls_CAfile = /etc/postfix/tls/smtpd.pem

smtpd_tls_cert_file = /etc/postfix/tls/smtpd.pem

smtpd_tls_key_file = /etc/postfix/tls/smtpd.pem

smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache

smtpd_tls_security_level = may

smtpd_use_tls = yes

smtp_tls_security_level = may

smtp_tls_CAfile = /etc/postfix/tls/smtpd.pem

smtp_tls_cert_file = /etc/postfix/tls/smtpd.pem

smtp_tls_key_file = /etc/postfix/tls/smtpd.pem

smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

smtp_use_tls = yes

smtpd_tls_received_header = yes

smtpd_tls_ask_ccert = yes

smtpd_tls_loglevel = 1

tls_random_source = dev:/dev/urandom

Here for those they are Symlink links to


in alma.x , and no TLS DIR in postfix at my virtualmin 6.x is in etc/postfix/

So take care while other versions and configs / settings!

Probably too much to paste with the annotations. Let’s try a PDF in a ZIP. (50.4 KB)

Here.s .txt in a ZIP. Doing too many things at once. I should have sent it that way in the first place. (9.7 KB)

Also, are the DNS entries correct, particularly as regarding mail.example.tld? The cert also needs to include that.

DNS is correct, the latest version of postfix supports SNI so i should be able to use mail.domain.tld for all my domains/servers.

Using file manager looking at etc/pki/tls/certs there is no postfix.pem and no postfix.key in private. There is ca-bundle.crt and in etc/pki/tls/certs

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.