
Re: Postfix SMTP server: errors from unknown[209.85.212.69]


DTNX Postmaster

Aug 23, 2013, 3:55:13 AM
On Aug 23, 2013, at 09:20, David Benfell <dben...@gmail.com> wrote:

> Unfortunately, I'm finding this singularly unhelpful:
>
> -------- Original Message --------
> Subject: Postfix SMTP server: errors from unknown[209.85.212.69]

Check your DNS configuration; that IP address has matching forward and reverse records, and should therefore not yield 'unknown'.

> Transcript of session follows.
>
> Out: 220 mail.parts-unknown.org ESMTP Postfix
> In: EHLO mail-vb0-f69.google.com
> Out: 250-mail.parts-unknown.org
> Out: 250-PIPELINING
> Out: 250-SIZE 20971520
> Out: 250-VRFY
> Out: 250-ETRN
> Out: 250-STARTTLS
> Out: 250-ENHANCEDSTATUSCODES
> Out: 250-8BITMIME
> Out: 250 DSN
> In: STARTTLS
> Out: 454 4.7.0 TLS not available due to local problem
> In: QUIT
> Out: 221 2.0.0 Bye

[snip]

> Here's my postconf -n:

[snip]

> smtp_tls_key_file = /big/www/ssl/munich/munich.parts-unknown.org.key
> smtp_tls_note_starttls_offer = yes
> smtp_use_tls = yes

Are you sure you need to specify 'smtp_tls_key_file' here? See;
http://www.postfix.org/postconf.5.html#smtp_tls_cert_file

> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file =
> /big/www/ssl/munich/munich.parts-unknown.org.concatenated.crt
> smtpd_tls_loglevel = 3
> smtpd_tls_security_level = may

Does the 'smtpd_tls_cert_file' contain the key? Also, inside the 'www'
directory? Why not store it in '/etc/ssl' or '/etc/postfix'?

Also, turn down 'smtpd_tls_loglevel' to '1' until you are sure it's
actually a TLS problem instead of a configuration issue.

> What has changed are the SSL keys. But if something is wrong here, I
> don't know how to tell what. This is a StartSSL.com certificate so
> there's an intermediate key as well as the certificate itself and the
> certificate authority key. The chain should be complete. I've just
> checked my work; I think I did this right.
>
> So how do I tell what's going wrong?

Have you tested your server with 'openssl s_client'? This is what I am
getting;

$ openssl s_client -connect mail.parts-unknown.org:25 -starttls smtp
CONNECTED(00000003)
4851:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/ssl/s23_clnt.c:607:

Disable debug logging, and lower your TLS log level. Restart Postfix,
and check your logs for any warnings or errors.

Check your configuration, related files, permissions, and so on. Revert
to the old certificate, see if that resolves the problem and enables
you to make a successful connection with the openssl client. Generate a
self-signed one, see if that resolves the problem, and so on.

Regards,
Joni

David Benfell

Aug 23, 2013, 4:36:01 AM
I use these files for several applications. Including dovecot (where
thunderbird seems to think the concatenated key is just fine). So
/etc/postfix is inappropriate.

I don't like adding files to /etc/ssl because that directory is
populated by the distribution and for me there's a lot of stuff there
that I'm not interested in looking at.
>
> Also, turn down 'smtpd_tls_loglevel' to '1' until you are sure it's
> actually a TLS problem instead of a configuration issue.

Done.
>
>> What has changed are the SSL keys. But if something is wrong
>> here, I don't know how to tell what. This is a StartSSL.com
>> certificate so there's an intermediate key as well as the
>> certificate itself and the certificate authority key. The chain
>> should be complete. I've just checked my work; I think I did this
>> right.
>>
>> So how do I tell what's going wrong?
>
> Have you tested your server with 'openssl s_client'? This is what I
> am getting;
>
> $ openssl s_client -connect mail.parts-unknown.org:25 -starttls
> smtp CONNECTED(00000003) 4851:error:140770FC:SSL
> routines:SSL23_GET_SERVER_HELLO:unknown
> protocol:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/ssl/s23_clnt.c:607:
>
>
I see the word error. ;-) I assume you got, more completely, the same
thing I got after following your advice below:

CONNECTED(00000003)
139983650948752:error:140770FC:SSL
routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:766:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 244 bytes and written 357 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

> Disable debug logging, and lower your TLS log level. Restart
> Postfix, and check your logs for any warnings or errors.
>
So I did this and sent a test message from gmail. It does seem to be
having a problem finding the key file:

Aug 23 01:12:41 munich.parts-unknown.org postfix/tlsproxy[18925]:
warning: cannot get RSA private key from file
/big/www/ssl/munich/munich.parts-unknown.org.concatenated.crt:
disa...LS support
Aug 23 01:12:41 munich.parts-unknown.org postfix/tlsproxy[18925]:
warning: TLS library problem: 18925:error:0906D06C:PEM
routines:PEM_read_bio:no start line:pem_lib.c:703:Expectin...IVATE KEY:
Aug 23 01:12:41 munich.parts-unknown.org postfix/tlsproxy[18925]:
warning: TLS library problem: 18925:error:140B0009:SSL
routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:

Why is this line not working?

smtp_tls_key_file = /big/www/ssl/munich/munich.parts-unknown.org.key

I've checked the file, it contains a private key.

> Check your configuration, related files, permissions, and so on.
> Revert to the old certificate, see if that resolves the problem and
> enables you to make a successful connection with the openssl client.
> Generate a self-signed one, see if that resolves the problem, and
> so on.

Reverting to the old certificate yielded the same result. The previous
configuration has the same permissions as the current one.
>
> Regards, Joni
>


--
David Benfell / ben...@parts-unknown.org
Please see https://parts-unknown.org/node/2 for GnuPG information (or
the attachment you don't understand)

Wietse Venema

Aug 23, 2013, 7:01:14 AM
David Benfell:
> Why is this line not working?
>
> smtp_tls_key_file = /big/www/ssl/munich/munich.parts-unknown.org.key

http://www.postfix.org/DEBUG_README.html#no_chroot

Try turning off chroot operation in master.cf

A common mistake is to turn on chroot operation in the master.cf
file without going through all the necessary steps to set up a
chroot environment. This causes Postfix daemon processes to fail
due to all kinds of missing files.

The example below shows an SMTP server that is configured with
chroot turned off:

/etc/postfix/master.cf:
# =============================================================
# service type  private unpriv  chroot  wakeup  maxproc command
#               (yes)   (yes)   (yes)   (never) (100)
# =============================================================
smtp      inet  n       -       n       -       -       smtpd

Inspect master.cf for any processes that have chroot operation not
turned off. If you find any, save a copy of the master.cf file, and
edit the entries in question. After executing the command "postfix
reload", see if the problem has gone away.

If turning off chrooted operation made the problem go away, then
congratulations. Leaving Postfix running in this way is adequate
for most sites. If you prefer chrooted operation, see the Postfix
BASIC_CONFIGURATION_README file for information about how to prepare
Postfix for chrooted operation.

DTNX Postmaster

Aug 23, 2013, 9:33:24 AM
On Aug 23, 2013, at 10:36, David Benfell <dben...@gmail.com> wrote:

>> Have you tested your server with 'openssl s_client'? This is what I
>> am getting;
>>
>> $ openssl s_client -connect mail.parts-unknown.org:25 -starttls
>> smtp CONNECTED(00000003) 4851:error:140770FC:SSL
>> routines:SSL23_GET_SERVER_HELLO:unknown
>> protocol:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/ssl/s23_clnt.c:607:
>>
>>
> I see the word error. ;-) I assume you got, more completely, the same
> thing I got after following your advice below:
>
> CONNECTED(00000003)
> 139983650948752:error:140770FC:SSL
> routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:766:
> - ---
> no peer certificate available
> - ---
> No client certificate CA names sent
> - ---
> SSL handshake has read 244 bytes and written 357 bytes
> - ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> - ---

No, I got a different error, look at the last number.

>> Disable debug logging, and lower your TLS log level. Restart
>> Postfix, and check your logs for any warnings or errors.
>>
> So I did this and sent a test message from gmail. It does seem to be
> having a problem finding the key file:
>
> Aug 23 01:12:41 munich.parts-unknown.org postfix/tlsproxy[18925]:
> warning: cannot get RSA private key from file
> /big/www/ssl/munich/munich.parts-unknown.org.concatenated.crt:
> disa...LS support
> Aug 23 01:12:41 munich.parts-unknown.org postfix/tlsproxy[18925]:
> warning: TLS library problem: 18925:error:0906D06C:PEM
> routines:PEM_read_bio:no start line:pem_lib.c:703:Expectin...IVATE KEY:
> Aug 23 01:12:41 munich.parts-unknown.org postfix/tlsproxy[18925]:
> warning: TLS library problem: 18925:error:140B0009:SSL
> routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:
>
> Why is this line not working?
>
> smtp_tls_key_file = /big/www/ssl/munich/munich.parts-unknown.org.key
>
> I've checked the file, it contains a private key.

Are you sure it is correctly formatted? It is complaining about it;

"PEM_read_bio:no start line:pem_lib.c:703:Expectin...IVATE KEY:"

The start and end should be marked by the following lines;

-----BEGIN RSA PRIVATE KEY-----
<key goes here>
-----END RSA PRIVATE KEY-----

And each certificate, whether it is your host certificate or an
intermediate, should be marked in a similar way;

-----BEGIN CERTIFICATE-----
<certificate goes here>
-----END CERTIFICATE-----

This is what the TLS library uses to read in the key and certificates
when Postfix starts, and it looks like they may be missing, in your
case.

It is no problem to concatenate them, as long as you have the start and
end markers for each, on their own lines.

Regards,
Joni
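A small checker for the kind of PEM bundle discussed above, added here as an example (it is not code from this thread or from Postfix): it scans a file for BEGIN/END markers on their own lines, the way the TLS library does, and reports whether a private key is where Postfix will look for it. It relies on the fact that smtpd_tls_key_file defaults to $smtpd_tls_cert_file, which is why the log quoted above shows Postfix trying to read an RSA key from the .concatenated.crt file; the sample file contents are constructed placeholders, not real key material.

```python
import re
# Markers a PEM reader looks for, each on its own line (constructed example, not Postfix code).
BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")
KEY_TYPES = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"}

def pem_blocks(text):
    """Return [(type, body_lines)] for every well-formed block; raise on broken markers."""
    blocks, current, body = [], None, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if m := BEGIN_RE.match(line):
            if current is not None:
                raise ValueError(f"line {n}: BEGIN {m.group(1)} inside unterminated {current}")
            current, body = m.group(1), []
        elif m := END_RE.match(line):
            if current != m.group(1):
                raise ValueError(f"line {n}: END {m.group(1)} without matching BEGIN")
            blocks.append((current, body))
            current = None
        elif "-----" in line:  # a marker glued to other text never matches: 'no start line'
            raise ValueError(f"line {n}: marker not on its own line")
        elif current is not None and line:
            body.append(line)
    if current is not None:
        raise ValueError(f"unterminated {current} block")
    return blocks

def check_bundle(cert_text, key_text=None):
    """Postfix reads the key from smtpd_tls_key_file, which defaults to smtpd_tls_cert_file,
    so when no separate key file is configured the key must sit inside the cert file."""
    problems = []
    types = [t for t, _ in pem_blocks(cert_text)]
    if "CERTIFICATE" not in types:
        problems.append("no CERTIFICATE block in certificate file")
    key_types = types if key_text is None else [t for t, _ in pem_blocks(key_text)]
    if not any(t in KEY_TYPES for t in key_types):
        problems.append("no private key where the TLS library expects it (PEM 'no start line')")
    return problems

# Constructed sample files: host cert + intermediate in one file, key in another.
CERT = "-----BEGIN CERTIFICATE-----\nMIIBhostCertPlaceholder\n-----END CERTIFICATE-----\n"
INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nMIIBintermediatePlaceholder\n-----END CERTIFICATE-----\n"
CONCATENATED_CRT = CERT + INTERMEDIATE  # what a .concatenated.crt holds: certificates only
KEY_FILE = "-----BEGIN RSA PRIVATE KEY-----\nMIIEkeyPlaceholder\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(check_bundle(CONCATENATED_CRT))            # no key file configured: key is missing
    print(check_bundle(CONCATENATED_CRT, KEY_FILE))  # [] once smtpd_tls_key_file names the key
```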
