I'm currently trying to get TLS working on our Filter server for incoming emails. Currently TLS works fine for outgoing SMTP connections on the other server. Currently, with a manual telnet, I'm getting this response:
Connected to black.soltec.net.
Escape character is '^]'.
220 black.soltec.net ESMTP Postfix
ehlo xyz
250-black.soltec.net
250-PIPELINING
250-SIZE 102400000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME
starttls
454 TLS not available due to local problem
I'm guessing this was a cert error (planning on using self signed). I then took your directions for creating a self signed cert:
keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
But I'm getting this error.
keytool error: java.lang.Exception: Alias does not exist
Any ideas, or is this even a cert problem? Only thing installed on filter server is mta, spamfilter, virusfilter and snmp.
Smtp Tls
The cert CA is not there, so you don't need that command; it is already deleted. Just run zmcreateca to recreate the CA.
Smtp Tls
Basically this, then:
zmcreateca
zmcreatecert
zmcertinstall mailbox ssl/ssl/server/tomcat.crt
zmcertinstall mta ssl/ssl/server/server.crt ssl/ssl/server/server.key
Smtp Tls
I have installed a commercial certificate as described in the wiki and I had the https site and the pop3 access working fine with it, however, when I tried to send mail through smtp, I got "error 454 - TLS not available due to a local problem". I tried setting the certificate for the mta manually by issuing
zmcertinstall mta ssl/ssl/server/server.crt ssl/ssl/server/server.key
which installed the original, zimbra issued certificate there. Not happy with that, in a particularly experimental mindset I copied my commercial .crt file over the /opt/zimbra/conf/smtpd.crt file. Now I get the error "unable to connect to smtp server via STARTTLS since it doesn't offer STARTTLS in EHLO response". Not happy with this one either, please help!
Smtp Tls
I used to have this problem...
Try this (from http://mark.foster.cc/kb/openssl-keytool.html ):
Export the *public key* (certificate) from a keystore
|keytool -export -alias mykey -keystore keystore -file exported.crt|
The result is a DER (binary) formatted certificate in exported.crt
|openssl x509 -noout -text -in exported.crt -inform der|
Now you will want to convert it to another format - PEM - which is
more widely used in applications such as apache and by openssl to do
the pkcs12 conversion.
|openssl x509 -out exported-pem.crt -outform pem -text -in exported.crt -inform der|
Then just copy it over smtpd.crt
Smtp Tls
That worked without trouble but didn't fix the problem, for me at least. My zimbra log now shows this:
Mar 9 14:09:54 mail postfix/smtpd[31353]: lost connection after STARTTLS from c-67-169-127-128.hsd1.ca.comcast.net[67.169.127.128]
Mar 9 14:13:44 mail postfix/smtpd[22605]: warning: TLS library problem: 22605:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: CERTIFICATE:
Mar 9 14:13:44 mail postfix/smtpd[22605]: warning: TLS library problem: 22605:error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib:ssl_rsa.c:765:
Mar 9 14:15:13 mail postfix/smtpd[11729]: lost connection after STARTTLS from c-67-169-127-128.hsd1.ca.comcast.net[67.169.127.128]
client shows same error as before
Smtp Tls
Can you post the first line of your exported-pem.crt (just open with a text editor)?
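An added example, not written by anyone in this thread: a POSIX shell check for the failure in the log above, where the TLS library reports "no start line ... Expecting: CERTIFICATE" because the file handed to smtpd contains no PEM certificate block. The function name and result labels are made up for illustration; it looks at PEM markers and the first byte only and does not validate the certificate.

```shell
#!/bin/sh
# Added example: classify a file before installing it as smtpd.crt.
# Function name and result labels are hypothetical, chosen for this sketch.

classify_cert_file() {
    f=$1
    if [ ! -s "$f" ]; then
        echo "missing-or-empty"
        return
    fi
    # OpenSSL's PEM reader scans for a BEGIN line and skips text before it,
    # so "openssl x509 -text" output ahead of the block is acceptable.
    if LC_ALL=C grep -q -e '^-----BEGIN CERTIFICATE-----' "$f"; then
        if LC_ALL=C grep -q -e '^-----END CERTIFICATE-----' "$f"; then
            echo "pem-certificate"
        else
            echo "pem-truncated"
        fi
        return
    fi
    # Another PEM object (private key, CSR, PKCS#7) in the certificate slot
    # also produces "Expecting: CERTIFICATE".
    other=$(LC_ALL=C sed -n 's/^-----BEGIN \(.*\)-----.*$/\1/p' "$f" | head -n 1)
    if [ -n "$other" ]; then
        echo "pem-other:$other"
        return
    fi
    # A DER certificate starts with an ASN.1 SEQUENCE tag, byte 0x30.
    first=$(od -An -tx1 -N 1 "$f" | tr -d ' \n')
    if [ "$first" = "30" ]; then
        echo "der"      # convert with: openssl x509 -inform der -outform pem
    else
        echo "unknown"
    fi
}

# Stand-alone use: pass one or more file paths as arguments.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        printf '%s: %s\n' "$f" "$(classify_cert_file "$f")"
    done
fi
```

Only a result of pem-certificate means the file has the start line the log message is asking for; der means the keytool export was copied without the PEM conversion step.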