[Postfixbuch-users] Postfix and good old TLS

BrunIGunde brunhilde at siebenwind.de
Thu Nov 8 12:39:57 CET 2007


> That looks fine so far - well, AUTH PLAIN over an unencrypted
> connection is not great (maybe set smtpd_tls_auth_only = yes),
> but that has nothing to do with the problem.
>
> What does it say when you try to use STARTTLS? E.g. via:
>
> openssl s_client -starttls smtp -connect <servername>:25
>
> or, if you have "swaks" (I like using it a lot for testing):
>
> swaks -tls -auth -au <username> -f <sender> -t <recipient> -s <server>
>
> If there are errors, please remember to post the log as well. And,
> for completeness, please also post the output of "postconf -n".
>
>
> Ciao
> Stefan

Hi,

Linus-H1:~/ca# openssl s_client -starttls smtp -connect mail.domain.tld:25
CONNECTED(00000003)
26506:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:

I can't find anything about it in any log file. Then the swaks test:


=== Trying mail.wvbrb.de:25...
=== Connected to mail.wvbrb.de.
<-  220 mx-mailer.domain.tld ESMTP (Mailsystem v2.0)
 -> EHLO localhost
<-  250-mx-mailer.domain.tld
<-  250-PIPELINING
<-  250-SIZE 30480000
<-  250-VRFY
<-  250-ETRN
<-  250-STARTTLS
<-  250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
<-  250-AUTH=DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250 DSN
 -> STARTTLS
<** 454 4.3.0 TLS not available due to local problem
 -> QUIT
<-  221 2.0.0 Bye
=== Connection closed with remote host.

For that there was something in the log, but the path to the certificate
is correct:

Nov  8 12:26:45 localhost postfix/smtpd[30206]: warning: TLS library problem: 30206:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('/etc/postifx/ssl/smtpd.pem','r'):
Nov  8 12:26:45 localhost postfix/smtpd[30206]: warning: TLS library problem: 30206:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
Nov  8 12:26:45 localhost postfix/smtpd[30206]: warning: TLS library problem: 30206:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:274:
Nov  8 12:26:45 localhost postfix/smtpd[30207]: warning: TLS library problem: 30207:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('/etc/postifx/ssl/smtpd.pem','r'):
Nov  8 12:26:45 localhost postfix/smtpd[30207]: warning: TLS library problem: 30207:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
Nov  8 12:26:45 localhost postfix/smtpd[30207]: warning: TLS library problem: 30207:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:274:
Nov  8 12:27:09 localhost postfix/smtpd[30247]: warning: TLS library problem: 30247:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('/etc/postifx/ssl/smtpd.pem','r'):
Nov  8 12:27:09 localhost postfix/smtpd[30247]: warning: TLS library problem: 30247:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
Nov  8 12:27:09 localhost postfix/smtpd[30247]: warning: TLS library problem: 30247:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:274:
Nov  8 12:27:09 localhost postfix/smtpd[30248]: warning: TLS library problem: 30248:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('/etc/postifx/ssl/smtpd.pem','r'):
Nov  8 12:27:09 localhost postfix/smtpd[30248]: warning: TLS library problem: 30248:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
Nov  8 12:27:09 localhost postfix/smtpd[30248]: warning: TLS library problem: 30248:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:274:
Nov  8 12:28:27 localhost postfix/smtpd[30405]: warning: TLS library problem: 30405:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('/etc/postifx/ssl/smtpd.pem','r'):
Nov  8 12:28:27 localhost postfix/smtpd[30405]: warning: TLS library problem: 30405:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
Nov  8 12:28:27 localhost postfix/smtpd[30405]: warning: TLS library problem: 30405:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:274:
Nov  8 12:28:27 localhost postfix/smtpd[30406]: warning: TLS library problem: 30406:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('/etc/postifx/ssl/smtpd.pem','r'):
Nov  8 12:28:27 localhost postfix/smtpd[30406]: warning: TLS library problem: 30406:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
Nov  8 12:28:27 localhost postfix/smtpd[30406]: warning: TLS library problem: 30406:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:274:
Nov  8 12:28:27 localhost postfix/smtpd[30407]: warning: TLS library problem: 30407:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('/etc/postifx/ssl/smtpd.pem','r'):
Nov  8 12:28:27 localhost postfix/smtpd[30407]: warning: TLS library problem: 30407:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
Nov  8 12:28:27 localhost postfix/smtpd[30407]: warning: TLS library problem: 30407:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:274:
Nov  8 12:28:30 localhost postfix/smtpd[30409]: warning: TLS library problem: 30409:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('/etc/postifx/ssl/smtpd.pem','r'):
Nov  8 12:28:30 localhost postfix/smtpd[30409]: warning: TLS library problem: 30409:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
Nov  8 12:28:30 localhost postfix/smtpd[30409]: warning: TLS library problem: 30409:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:274:
Nov  8 12:30:21 localhost postfix/smtpd[30613]: warning: TLS library problem: 30613:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('/etc/postifx/ssl/smtpd.pem','r'):
Nov  8 12:30:21 localhost postfix/smtpd[30613]: warning: TLS library problem: 30613:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
Nov  8 12:30:21 localhost postfix/smtpd[30613]: warning: TLS library problem: 30613:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:274:
Nov  8 12:30:23 localhost postfix/smtpd[30617]: warning: TLS library problem: 30617:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('/etc/postifx/ssl/smtpd.pem','r'):
Nov  8 12:30:23 localhost postfix/smtpd[30617]: warning: TLS library problem: 30617:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
Nov  8 12:30:23 localhost postfix/smtpd[30617]: warning: TLS library problem: 30617:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:274:

And finally the Postfix config:

alias_database = hash:/etc/aliases
alias_maps = $alias_database
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
header_checks = regexp:/etc/postfix/maps/header_checks
inet_interfaces = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
message_size_limit = 30480000
mydestination = $myhostname $mydomain localhost localhost.$mydomain
mydomain = mx-mailer.domain.tld
myhostname = mx-mailer.domain.tld
mynetworks = 127.0.0.0/8, 192.168.1.0/24
myorigin = $mydomain
recipient_delimiter = +
relay_domains = mx-mailer.domain.tld
remote_header_rewrite_domain = mx-mailer.domain.tld
smtp_tls_CAfile = /etc/postfix/ssl/smtpd.pem
smtp_tls_cert_file = /etc/postfix/ssl/mail.crt
smtp_tls_key_file = /etc/postfix/ssl/mail.key
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP (Mailsystem v2.0)
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks, reject_unauth_destination, reject_invalid_hostname,
reject_non_fqdn_recipient, reject_non_fqdn_sender,
reject_unauth_pipelining, reject_rhsbl_sender blackhole.securitysage.com,
reject_rhsbl_client blackhole.securitysage.com, reject_rbl_client
blackholes.easynet.nl, reject_rbl_client sbl-xbl.spamhaus.org
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postifx/ssl/smtpd.pem
smtpd_tls_cert_file = /etc/postfix/ssl/mail.crt
smtpd_tls_key_file = /etc/postfix/ssl/mail.key
smtpd_tls_loglevel = 2
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
virtual_alias_domains =
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual_alias_maps.cf
virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gid_maps.cf
virtual_mailbox_base = /var/kunden/mail/
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual_mailbox_domains.cf
virtual_mailbox_limit = 51200000
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual_mailbox_maps.cf
virtual_transport = maildrop
virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uid_maps.cf
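The fopen() error in the log names '/etc/postifx/ssl/smtpd.pem', and the posted postconf -n output sets smtpd_tls_CAfile to exactly that path, with the directory spelled "postifx" rather than "postfix". Postfix does not report a missing TLS file at startup; the smtpd only notices it when a client sends STARTTLS, which is why the only symptom is "454 4.3.0 TLS not available due to local problem". The checker below is an added example, not part of the original post and not a Postfix tool: it reads postconf -n (or main.cf) text, expands $name and ${name} references the way Postfix does, and verifies that every TLS file or directory parameter points at something that exists and has the right type, plus a permission check on private keys. The demo configuration, its temporary directory and its placeholder files (not real PEM data) are constructed to mirror the posted configuration, including the misspelled directory for smtpd_tls_CAfile; the parameter list and permission rule are the author's assumptions about what is worth checking.

```python
import os
import re
import sys
import tempfile

# main.cf parameters whose value is a file or directory used by the TLS engine.
# A misspelled path here is not a startup error: smtpd only notices it when a
# client sends STARTTLS and then answers "454 4.3.0 TLS not available due to local problem".
TLS_PATH_PARAMS = (
    "smtp_tls_CAfile", "smtp_tls_CApath", "smtp_tls_cert_file", "smtp_tls_key_file",
    "smtpd_tls_CAfile", "smtpd_tls_CApath", "smtpd_tls_cert_file", "smtpd_tls_key_file",
    "smtpd_tls_dcert_file", "smtpd_tls_dkey_file",
)
_REF = re.compile(r"\$\{?([A-Za-z0-9_]+)\}?")   # $name or ${name}


def parse_postconf(text):
    """Parse 'postconf -n' (or main.cf) text into {name: raw_value}.
    Lines starting with whitespace continue the previous parameter."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:
            params[last] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            last = name.strip()
            params[last] = value.strip()
    return params


def expand(value, params, depth=0):
    """Expand $name / ${name} references recursively, as Postfix does.
    Raises KeyError for a name the config does not define."""
    if depth > 10:
        raise ValueError("reference loop while expanding %r" % value)
    return _REF.sub(lambda m: expand(params[m.group(1)], params, depth + 1), value)


def check_tls_paths(text, defaults=None):
    """Return {param: (resolved_path, problem_or_None)} for each TLS path
    parameter that is set. Empty values are skipped (Postfix treats an empty
    CAfile/CApath as 'none'). Pass full 'postconf' output as defaults if the
    -n output references parameters it does not print itself."""
    params = dict(defaults or {})
    params.update(parse_postconf(text))
    report = {}
    for name in TLS_PATH_PARAMS:
        raw = params.get(name, "")
        if not raw:
            continue
        try:
            path = expand(raw, params)
        except KeyError as e:
            report[name] = (raw, "unresolved reference $%s" % e.args[0])
            continue
        if not os.path.exists(path):
            report[name] = (path, "does not exist")
        elif name.endswith("CApath") != os.path.isdir(path):   # CApath must be a dir, the rest files
            report[name] = (path, "wrong type (file vs. directory)")
        elif name.endswith("key_file") and os.stat(path).st_mode & 0o077:
            report[name] = (path, "private key is group/world accessible")
        else:
            report[name] = (path, None)
    return report


def demo():
    """Constructed reproduction of the posted configuration: placeholder cert
    files under a temporary 'postfix/ssl' directory (not real PEM data), and
    smtpd_tls_CAfile pointing into a misspelled 'postifx' directory."""
    with tempfile.TemporaryDirectory() as tmp:
        ssl_dir = os.path.join(tmp, "postfix", "ssl")
        os.makedirs(ssl_dir)
        for fname in ("mail.crt", "mail.key", "smtpd.pem"):
            with open(os.path.join(ssl_dir, fname), "w") as fh:
                fh.write("placeholder\n")
        os.chmod(os.path.join(ssl_dir, "mail.key"), 0o600)
        cfg = (
            "config_directory = %s/postfix\n"
            "smtp_tls_CAfile = $config_directory/ssl/smtpd.pem\n"
            "smtp_tls_cert_file = ${config_directory}/ssl/mail.crt\n"
            "smtp_tls_key_file = $config_directory/ssl/mail.key\n"
            "smtpd_tls_CAfile = %s/postifx/ssl/smtpd.pem\n"      # the typo from the post
            "smtpd_tls_cert_file = $config_directory/ssl/mail.crt\n"
            "smtpd_tls_key_file = $config_directory/ssl/mail.key\n"
        ) % (tmp, tmp)
        return check_tls_paths(cfg)


if __name__ == "__main__":
    # On a server: postconf -n | python3 check_tls_paths.py ; with no stdin it runs the demo
    result = check_tls_paths(sys.stdin.read()) if not sys.stdin.isatty() else demo()
    for name, (path, problem) in result.items():
        print("%-22s %s  %s" % (name, "OK " if problem is None else "BAD",
                                path if problem is None else "%s (%s)" % (path, problem)))
```

Run it on the server as `postconf -n | python3 check_tls_paths.py`; run with no stdin it reports the constructed demo, where only smtpd_tls_CAfile comes back as BAD. Note that it only checks that the files exist and are of the right type; whether mail.crt and mail.key actually belong together is a separate question that `openssl x509 -noout -modulus` and `openssl rsa -noout -modulus` answer.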

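The swaks transcript above shows the two sides of the failure: the server advertises STARTTLS (and AUTH) in its EHLO reply, the client sends STARTTLS, and the server answers 454 instead of 220, so no handshake ever happens. The following is an added example, not part of the original post and not swaks or Postfix code: a minimal probe that performs exactly that exchange and records what happened, and a constructed stand-in server (greeting and EHLO lines copied from the transcript, the rest assumed) so it can be run offline. The probe deliberately never sends AUTH: a client that quietly continues in plaintext after a failed STARTTLS is how AUTH PLAIN credentials end up on the wire, which is the point of the `smtpd_tls_auth_only` advice in the quoted reply.

```python
import socket
import ssl
import threading
from dataclasses import dataclass, field


@dataclass
class ProbeResult:
    greeting: str = ""
    capabilities: list = field(default_factory=list)
    starttls_offered: bool = False
    starttls_reply: tuple = None          # (code, text) the server answered to STARTTLS
    tls_established: bool = False
    auth_offered_in_clear: bool = False   # AUTH advertised before any TLS


def _read_reply(f):
    """Read one, possibly multi-line, SMTP reply -> (code, [text lines])."""
    lines = []
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("connection closed")
        line = line.decode("utf-8", "replace").rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":   # "250 " ends the reply, "250-" continues it
            return line[:3], lines


def probe_starttls(host, port, helo="localhost", timeout=10):
    """EHLO, then STARTTLS if offered; never sends AUTH. Returns a ProbeResult."""
    r = ProbeResult()
    sock = socket.create_connection((host, port), timeout=timeout)
    f = sock.makefile("rb")
    code, lines = _read_reply(f)
    r.greeting = lines[0]
    if code == "220":
        sock.sendall(("EHLO %s\r\n" % helo).encode())
        code, lines = _read_reply(f)
        r.capabilities = lines[1:]
        r.starttls_offered = "STARTTLS" in [c.upper() for c in r.capabilities]
        r.auth_offered_in_clear = any(c.upper().startswith("AUTH") for c in r.capabilities)
        if r.starttls_offered:
            sock.sendall(b"STARTTLS\r\n")
            code, lines = _read_reply(f)
            r.starttls_reply = (code, lines[0])
            if code == "220":                      # only a 220 means "start the handshake now"
                ctx = ssl.create_default_context()
                ctx.check_hostname = False         # probe: inspect the cert, do not trust it
                ctx.verify_mode = ssl.CERT_NONE
                tls = ctx.wrap_socket(sock, server_hostname=host)
                r.tls_established = True
                tls.sendall(b"QUIT\r\n")
                tls.close()
                return r
    sock.sendall(b"QUIT\r\n")                      # 454 or no STARTTLS: leave, do not AUTH
    sock.close()
    return r


def fake_smtpd(starttls_reply, offer_starttls=True):
    """Constructed stand-in for the posted server (same greeting and EHLO lines);
    answers STARTTLS with starttls_reply, serves one connection on a daemon thread."""
    ls = socket.socket()
    ls.bind(("127.0.0.1", 0))
    ls.listen(1)
    port = ls.getsockname()[1]

    def serve():
        conn, _ = ls.accept()
        ls.close()
        conn.sendall(b"220 mx-mailer.domain.tld ESMTP (Mailsystem v2.0)\r\n")
        for line in conn.makefile("rb"):
            cmd = line.decode("utf-8", "replace").strip().upper()
            if cmd.startswith("EHLO"):
                caps = ["250-mx-mailer.domain.tld", "250-PIPELINING"]
                caps += ["250-STARTTLS"] if offer_starttls else []
                caps += ["250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN", "250 8BITMIME"]
                conn.sendall(("\r\n".join(caps) + "\r\n").encode())
            elif cmd == "STARTTLS":
                conn.sendall(starttls_reply.encode() + b"\r\n")
            elif cmd == "QUIT":
                break
        conn.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, t


def demo_local_problem():
    """Offline reproduction of the posted exchange: STARTTLS advertised, then 454."""
    port, t = fake_smtpd("454 4.3.0 TLS not available due to local problem")
    r = probe_starttls("127.0.0.1", port)
    t.join(5)
    return r


if __name__ == "__main__":
    r = demo_local_problem()
    print("STARTTLS offered:", r.starttls_offered, "| reply:", r.starttls_reply,
          "| TLS:", r.tls_established, "| AUTH advertised in clear:", r.auth_offered_in_clear)
```

Against a real server, `probe_starttls("mail.example", 25)` returns `starttls_reply == ("220", ...)` and `tls_established == True` once the certificate path is fixed; until then it reports the 454 exactly as swaks does. `auth_offered_in_clear` is True for the posted server because AUTH is announced before STARTTLS; with `smtpd_tls_auth_only = yes` Postfix announces AUTH only after TLS is up, so that flag goes to False.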

More information about the Postfixbuch-users mailing list