
I have installed Postfix and enabled SSL/TLS. I just tested it: I can send email from ports 25 and 578, but I cannot send email from port 465. The log is:

May 26 17:24:06 mail postfix/smtpd[28721]: SSL_accept:SSLv3 write server hello A
May 26 17:24:06 mail postfix/smtpd[28721]: SSL_accept:SSLv3 write certificate A
May 26 17:24:06 mail postfix/smtpd[28721]: SSL_accept:SSLv3 write server done A
May 26 17:24:06 mail postfix/smtpd[28721]: SSL_accept:SSLv3 flush data
May 26 17:24:06 mail postfix/smtpd[28721]: SSL3 alert read:fatal:certificate unknown
May 26 17:24:06 mail postfix/smtpd[28721]: SSL_accept:failed in SSLv3 read client certificate A
May 26 17:24:06 mail postfix/smtpd[28721]: SSL_accept error from unknown[10.155.36.240]: 0
May 26 17:24:06 mail postfix/smtpd[28721]: warning: TLS library problem: 28721:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1197:SSL alert number 46:
May 26 17:24:06 mail postfix/smtpd[28721]: lost connection after CONNECT from unknown[10.155.36.240]
May 26 17:24:06 mail postfix/smtpd[28721]: disconnect from unknown[10.155.36.240]

My email server is 10.155.34.117 and the email client is 10.155.36.240. The client error is:

Could not connect to SMTP host: 10.155.34.117, port: 465.

My master.cf:

smtps     inet  n       -       n       -       -       smtpd
    -o smtpd_tls_wrappermode=yes

My main.cf:

smtpd_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_key_file = /etc/pki/myca/mail.key
smtpd_tls_cert_file = /etc/pki/myca/mail.crt
smtpd_tls_CAfile = /etc/pki/myca/cacert_new.pem
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache

It seems to be a certificate issue on my side, but I have tried granting permissions on the file many times... I have no idea about this, please help!

masegaloeh
user221290
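The "certificate unknown" alert (SSL alert number 46) in the log is sent by the client, not by Postfix: the client received the server certificate and could not validate it against its own trust store. As an added example (not code from the question or from either answer), the following shell script reproduces that trust decision offline with throw-away certificates generated in a temporary directory; the CA names and mail.example hostname are constructed, and the real files under /etc/pki/myca are not touched.

```shell
#!/bin/sh
# Added example: reproduce the client-side chain validation behind
# "sslv3 alert certificate unknown" (alert 46) using only openssl.
# All certificates are constructed throw-away material.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME : a self-signed CA (stands in for cacert_new.pem)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# make_server_cert CA : server key + certificate for mail.example signed by CA
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example" \
    -keyout "$WORK/mail.key" -out "$WORK/mail.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/mail.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 1 \
    -out "$WORK/mail.crt" >/dev/null 2>&1
}

# client_trusts CAFILE CERT : succeeds only if CERT chains to CAFILE,
# which is exactly the check a TLS client performs before alert 46
client_trusts() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches_cert KEY CERT : succeeds if both carry the same public key
# (a mismatched smtpd_tls_key_file/smtpd_tls_cert_file pair is a
# separate, server-side failure worth ruling out)
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl md5)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl md5)
  [ "$k" = "$c" ]
}

# Demo: a client holding the issuing CA accepts mail.crt; a client holding
# an unrelated CA rejects it, which is the situation behind the log above.
make_ca issuing-ca
make_ca unrelated-ca
make_server_cert issuing-ca
client_trusts "$WORK/issuing-ca.pem" "$WORK/mail.crt" && echo "issuing CA: trusted"
client_trusts "$WORK/unrelated-ca.pem" "$WORK/mail.crt" || echo "unrelated CA: certificate unknown"
key_matches_cert "$WORK/mail.key" "$WORK/mail.crt" && echo "key and certificate match"
```

Run the same two checks against the real files (openssl verify -CAfile /etc/pki/myca/cacert_new.pem /etc/pki/myca/mail.crt on the server, and confirm that the client at 10.155.36.240 has cacert_new.pem in its trust store), because Postfix reading the files correctly does not make the client trust them.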

2 Answers


There are two issues that I came across when I was setting up my Postfix SMTP server to run with TLS. I got to the point where I put all of the certificate files in the /etc/postfix folder with only root read access.

Along with this, all of the files MUST be in PEM format or else it can't read the files.

The following website, I'm sure you have read, but it is worth going over the "Creating the server certificate file" section again.

Postfix TLS README

Lieko
  • Thank you! I just copied the files to /etc/postfix, made root the owner, changed the file permissions to 400 and changed the file format to PEM, then tested again and got the same error. I have already read the document... – user221290 May 26 '14 at 13:47
  • Do you get the same error message or are you getting something different? Can you nano into the key and crt files and read them? The key file should begin with -----BEGIN PRIVATE KEY----- and the crt should start with -----BEGIN CERTIFICATE----- – Lieko May 27 '14 at 15:41
  • Yes, the file is OK. It starts with -----BEGIN PRIVATE KEY----- and ends with -----END PRIVATE KEY-----, and the cert file starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----. – user221290 May 28 '14 at 01:19

http://www.postfix.org/postconf.5.html#smtp_tls_security_level

smtpd_tls_auth_only = yes
smtp_tls_security_level = may
smtpd_tls_security_level = may
ADM