
Running Ubuntu 12.04 and trying to configure postfix to relay send and receive through GMAIL. I am running into connection issues, particularly with TLS. I have tried a bunch of troubleshooting solutions and have changed my main.cf to address TLS, but still receive the errors below.

Tried debugging connection issues with:

    root@mailservice:/etc/postfix# openssl s_client -connect localhost:587 -starttls smtp

and I receive these errors:

    connect: Connection refused
    connect:errno=111

In my logs I see:

    Jun 11 13:54:31 mailservice postfix/smtp[3765]: warning: cannot get RSA certificate from file /etc/postfix/cert.pem: disabling TLS support
    Jun 11 13:54:31 mailservice postfix/smtp[3765]: warning: TLS library problem: 3765:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE:
    Jun 11 13:54:31 mailservice postfix/smtp[3765]: warning: TLS library problem: 3765:error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib:ssl_rsa.c:729:
    Jun 11 13:54:31 mailservice postfix/smtp[3765]: 9986B6846A: to=<mary.cutrali@gmail.com>, relay=smtp.gmail.com[173.194.77.109]:587, delay=0.15, delays=0.02/0.02/0.09/0.02, dsn=5.7.0, status=bounced (host smtp.gmail.com[173.194.77.109] said: 530 5.7.0 Must issue a STARTTLS command first. hd9sm12170509obc.6 (in reply to MAIL FROM command))

The contents of my main.cf (pertaining to TLS) look like this:

    #TLS Parameters
    smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
    smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

    #TLS Settings
    smtp_use_tls = yes
    smtp_tls_security_level = may
    smtp_tls_loglevel = 1
    smtp_enforce_tls = yes
    smtp_tls_CAfile = /etc/postfix/cacert.pem
    smtp_tls_cert_file = /etc/postfix/cert.pem
    smtp_tls_key_file = $smtp_tls_cert_file
    smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
    smtp_tls_note_starttls_offer = yes
    smtpd_use_tls = yes
    smtpd_tls_security_level = may
    smtpd_tls_auth_only = no
    smtpd_tls_CAfile = /etc/postfix/cacert.pem
    smtpd_tls_cert_file = /etc/postfix/cert.pem
    smtpd_tls_key_file = /etc/postfix/key.pem
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom

As far as I can tell everything is in order for a proper TLS connection, and I am unsure what would need to change in main.cf or elsewhere for mail to send.

Mary Elizabeth

2 Answers

From: http://www.postfix.org/TLS_README.html ...

Server-side TLS activity logging ...

Use log level 3 only in case of problems.

more...

To get additional information about Postfix SMTP server TLS activity you can increase the log level from 0..4. Each logging level also includes the information that is logged at a lower logging level.

| Level | Postfix 2.9 and later | Earlier releases |
|---|---|---|
| 0 | Log only a summary message on TLS handshake completion — no logging of client certificate trust-chain verification errors if client certificate verification is not required. | Disable logging of TLS activity. |
| 1 | Also log trust-chain verification errors and peer certificate summary information. | Also log TLS handshake and certificate information. |
| 2 | Also log levels during TLS negotiation. | Also log levels during TLS negotiation. |
| 3 | Also log hexadecimal and ASCII dump of TLS negotiation process. | Also log hexadecimal and ASCII dump of TLS negotiation process. |
| 4 | Also log hexadecimal and ASCII dump of complete transmission after STARTTLS. | Also log hexadecimal and ASCII dump of complete transmission after STARTTLS. |

Use log level 3 only in case of problems. Use of log level 4 is strongly discouraged.

Keith

Postfix says it has no access to certificates. They are either not created or stored with too restrictive permissions.

You need to check that all files are accessible by the limited postfix user. You can check which user postfix runs as with:

    postconf mail_owner

After that you should give this user access to all keys/certs mentioned in your config file.

For example my keys look like:

    -r--r-----  1 postfix  cyrus   668  4 Apr 13:17 somehost.pk

kworr
  • `/etc/ssl/private: total 12 drwx--x--- 2 root ssl-cert 4096 Jun 10 22:11 . drwxr-xr-x 4 root root 4096 Jun 10 21:50 .. -rw-r----- 1 root ssl-cert 1704 Jun 10 22:11 ssl-cert-snakeoil.key` – Mary Elizabeth Jun 11 '12 at 15:00
  • /etc/postfix: total 132 – Mary Elizabeth Jun 11 '12 at 15:01
  • /etc/ssl/certs: total 784 -- unable to list all of the certs for etc/postfix and etc/ssl/certs because there are too many for the comment format – Mary Elizabeth Jun 11 '12 at 15:01
  • -rw-r--r-- 1 root root 1042 Jun 10 22:15 /etc/postfix/cacert.pem -rw-r--r-- 1 root root 0 Jun 10 22:15 /etc/postfix/cert.pem -rw-r--r-- 1 root root 981 Jun 10 22:11 /etc/ssl/certs/ssl-cert-snakeoil.pem -rw-r----- 1 root ssl-cert 1704 Jun 10 22:11 /etc/ssl/private/ssl-cert-snakeoil.key – Mary Elizabeth Jun 11 '12 at 15:25
  • -rw-r----- 1 root ssl-cert 1704 Jun 10 22:11 /etc/ssl/private/ssl-cert-snakeoil.key <- postfix has no access to this one. – kworr Jun 11 '12 at 15:27
  • ah! thank you, is this something that I address in my main.cf? It's my first time doing anything with postfix, so I am pretty much a blank slate when it comes to troubleshooting – Mary Elizabeth Jun 11 '12 at 16:30
  • ah, just saw your edit. it looks like they are under the user "postfix" – Mary Elizabeth Jun 11 '12 at 16:32
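The check kworr describes, written out as an added example script (not code from the question, the answers or the Postfix project): it pulls every TLS certificate/key/CA path out of the live configuration with `postconf -h`, reports each file's ownership and mode next to the `mail_owner` user, and also flags the two conditions behind the logged "PEM routines: no start line" warning, a 0-byte file (as `/etc/postfix/cert.pem` is in the comments above) or a file with no PEM block. The `classify_pem` and `report_file` helper names are this example's own; it assumes a POSIX shell with `ls`, `awk` and `grep`, and `postconf` only for the live walk.

```shell
#!/bin/sh
# Added example: audit the certificate/key files named in Postfix's TLS settings.
# Run as root on the mail host; only check_postfix_tls_files needs Postfix installed.

# Classify one PEM file. Prints exactly one word: missing, empty, not-pem, or ok.
# Always returns 0 so it can be used inside $(...) under "set -e".
classify_pem() {
    f=$1
    if [ ! -e "$f" ]; then
        echo missing
    elif [ ! -s "$f" ]; then
        echo empty        # e.g. a 0-byte /etc/postfix/cert.pem
    elif ! grep -q -- '-----BEGIN ' "$f"; then
        echo not-pem      # OpenSSL reports this as "PEM routines: no start line"
    else
        echo ok
    fi
    return 0
}

# Print one report line: parameter, classification, path, and the file's mode/owner/
# group/size so it can be compared with the user Postfix runs as (postconf mail_owner).
report_file() {
    param=$1; f=$2; user=$3
    status=$(classify_pem "$f")
    if [ -e "$f" ]; then
        perms=$(ls -ld -- "$f" | awk '{print $1, $3, $4, $5}')
    else
        perms="-"
    fi
    printf '%-22s %-8s %s  [%s] (postfix runs as %s)\n' \
        "$param" "$status" "$f" "$perms" "$user"
    return 0
}

# Walk the TLS file parameters from the live configuration. "postconf -h" prints the
# expanded value without the "name =" prefix, so $smtp_tls_cert_file is resolved.
check_postfix_tls_files() {
    user=$(postconf -h mail_owner)
    for p in smtp_tls_cert_file smtp_tls_key_file smtp_tls_CAfile \
             smtpd_tls_cert_file smtpd_tls_key_file smtpd_tls_CAfile; do
        f=$(postconf -h "$p")
        [ -n "$f" ] && report_file "$p" "$f" "$user"
    done
    return 0
}

if [ "${1:-}" = "--run" ]; then
    check_postfix_tls_files
fi
```

Invoke it as `sh check_tls_files.sh --run` on the mail host; any line whose status is not `ok`, or whose mode/owner do not let the reported user read the file, is a file Postfix cannot use.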