Thread: TLS Problems

  1. #1
    TLS Problems

    Sometimes I see some postfix warnings in my mail.log file:

    Code:
    warning: cannot get RSA private key from file /opt/zimbra/conf/smtpd.key: disabling TLS support
    Mar 11 06:40:31 mail postfix/smtpd[20084]: warning: TLS library problem: 20084:error:0906406D:PEM routines:PEM_def_callback:problems getting password:pem_lib.c:111:
    Mar 11 06:40:31 mail postfix/smtpd[20084]: warning: TLS library problem: 20084:error:0906A068:PEM routines:PEM_do_header:bad password read:pem_lib.c:454:
    Mar 11 06:40:31 mail postfix/smtpd[20084]: warning: TLS library problem: 20084:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:
    I searched the internet for what to do, but the only thing I found is to edit the main.cf file (postfix). When I edit the main.cf file and restart postfix, everything changes back to the default settings (I think the settings from Zimbra)...

  2. #2
    File permissions ok in that file?
    Code:
    $ ls -la /opt/zimbra/conf/smtpd.key
    -rw-r----- 1 zimbra zimbra 887 Mar 10 17:08 /opt/zimbra/conf/smtpd.key

  3. #3
    -rwxrwxrwx 1 zimbra zimbra 1751 2012-02-28 13:17 /opt/zimbra/conf/smtpd.key

    is that also ok?

  4. #4
    The file should have fewer permissions and most definitely shouldn't be world readable/writable; chmod 640 to correct those.
    You can also
    Code:
    cat smtpd.key | grep RSA
    to check that the file contains -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----, which would indicate that there actually is an RSA key in there.
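
The OpenSSL errors in the first post (`problems getting password`, `bad password read`) are what the library typically reports when a PEM private key is passphrase-protected and no passphrase can be supplied, which `grep RSA` alone does not reveal. The following is an added example, not part of any post in this thread: a shell check for that encryption marker and for the permission problem discussed above, assuming GNU `stat`; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumes GNU stat (Linux).

# Prints "encrypted", "plain" or "no-key" for a PEM file.
key_state() {
    if grep -Eq -e '^Proc-Type: 4,ENCRYPTED' \
                -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted      # passphrase-protected: a daemon cannot prompt for it
    elif grep -Eq -e '^-----BEGIN ((RSA|EC) )?PRIVATE KEY-----' "$1"; then
        echo plain
    else
        echo no-key
    fi
}

# Prints "ok" when group cannot write and others have no access
# (e.g. 640 or 600), otherwise "too-open".
perm_state() {
    mode=$(stat -c '%a' "$1") || return 1
    # Leading 0 makes the shell read the mode as octal; mask 027 covers
    # group-write plus every "other" bit.
    if [ $(( 0$mode & 027 )) -eq 0 ]; then echo ok; else echo too-open; fi
}

check_key() {
    printf '%s: key=%s perms=%s\n' "$1" "$(key_state "$1")" "$(perm_state "$1")"
}

# Constructed sample: PEM header lines only, not a real key, shaped like a
# passphrase-protected RSA key with the 777 mode shown in post #3.
sample=$(mktemp)
cat > "$sample" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0000000000000000

(constructed placeholder body)
-----END RSA PRIVATE KEY-----
EOF
chmod 777 "$sample"
check_key "$sample"
rm -f "$sample"
```

On the real system the call would be `check_key /opt/zimbra/conf/smtpd.key`, run as a user allowed to read the file.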

  5. #5
    OK, did that, but still the same problem...

  6. #6
    Originally Posted by Sam159:
    I searched the internet for what to do, but the only thing I found is to edit the main.cf file (postfix). When I edit the main.cf file and restart postfix, everything changes back to the default settings (I think the settings from Zimbra)...

    Zimbra rewrites the main.cf on every restart. If you have a change you want to be kept after a restart, you need to edit the file main.cf.in - that is the file used to generate the main.cf file.

    Note though that changes do not persist through zimbra upgrades. There may be some way to make changes that will persist through upgrades too - but I am unaware of it at this time.

  7. #7
    I don't have main.cf.in

    files in /opt/zimbra/postfix/conf:


    access generic main.cf.bak master.cf.in virtual
    aliases header_checks main.cf.default relocated
    bounce.cf.default LICENSE makedefs.out TLS_LICENSE
    canonical main.cf master.cf transport

    UPDATE:

    I see in main.cf.default some strange things:


    smtpd_tls_cert_file =
    smtpd_tls_ciphers = export
    smtpd_tls_dcert_file =
    smtpd_tls_dh1024_param_file =
    smtpd_tls_dh512_param_file =
    smtpd_tls_dkey_file = $smtpd_tls_dcert_file
    smtpd_tls_eccert_file =
    smtpd_tls_eckey_file = $smtpd_tls_eccert_file
    smtpd_tls_eecdh_grade = none
    smtpd_tls_exclude_ciphers =
    smtpd_tls_fingerprint_digest = md5
    smtpd_tls_key_file = $smtpd_tls_cert_file


    Is that normal that smtpd_tls_cert_file is empty...
    Does postfix or zimbra use main.cf.default or just main.cf?
    Last edited by Sam159; 03-13-2012 at 12:43 AM.
