How to fix mail server SSL?
Solution 1
Your /etc/postfix/main.cf will contain the following three directives.
smtpd_tls_cert_file=
smtpd_tls_key_file=
smtpd_use_tls=yes
This tells Postfix to use TLS.
You can get it working again by disabling TLS, or creating new certificates.
Disabling TLS
- Change smtpd_use_tls from yes to no
- /etc/init.d/postfix restart
Creating new certificates
- Find the key file (according to smtpd_tls_key_file). If it is missing, you will have to create a new one. (openssl genrsa -out filename.key 1024; chmod 600 filename.key)
- Create a CSR (openssl req -new -key filename.key -out filename.csr)
- Create the certificate (openssl x509 -req -days 730 -in filename.csr -signkey filename.key -out filename.crt)
- Make it into the .pem format (cat filename.key filename.crt > filename.pem; chmod 600 filename.pem; chown postfix filename.pem)
Then ensure it is where it needs to be according to /etc/postfix/main.cf, and restart Postfix. You should be good to go.
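The steps above as a script, added here and not part of the original answer: it builds the key and self-signed certificate, assembles the combined .pem, and then runs the checks a defender wants before restarting Postfix (file present and readable, certificate parseable and unexpired, key matching the certificate, key not world-readable). It assumes openssl is installed; WORKDIR, the file names and the placeholder hostname are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original answer: build a self-signed key and
# certificate the way Solution 1 does, then run the checks behind Postfix's
# "cannot get certificate from file" and "cannot load RSA certificate and key
# data" warnings before restarting the service.
# Assumptions: openssl is installed; WORKDIR and the file names are constructed here.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/smtpd.key"
CRT="$WORKDIR/smtpd.crt"
PEM="$WORKDIR/smtpd.pem"

# Key plus self-signed certificate in one step: 730 days like the answer,
# but a 2048-bit key rather than its 1024-bit one. The hostname is a placeholder.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CRT" \
        -days 730 -subj "/CN=mail.example.invalid" >/dev/null 2>&1
    cat "$KEY" "$CRT" > "$PEM"          # combined .pem as in Solution 1
    chmod 600 "$KEY" "$PEM"
}

# check_tls_pair CERT KEY: return 0 only if both files exist and are readable,
# CERT holds an unexpired certificate, and KEY's public key matches CERT's.
# Pass the same .pem twice when key and certificate live in one file.
check_tls_pair() {
    c="$1"; k="$2"
    for f in "$c" "$k"; do
        [ -f "$f" ] || { echo "missing: $f"; return 1; }
        [ -r "$f" ] || { echo "unreadable: $f"; return 1; }
    done
    openssl x509 -in "$c" -noout >/dev/null 2>&1 || { echo "not a certificate: $c"; return 1; }
    openssl x509 -in "$c" -noout -checkend 0 >/dev/null 2>&1 || { echo "expired: $c"; return 1; }
    cert_pub=$(openssl x509 -in "$c" -noout -pubkey)
    key_pub=$(openssl pkey -in "$k" -pubout 2>/dev/null) || key_pub=""
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate: $k"; return 1; }
    # A private key readable by other users is a configuration fault even when TLS works.
    [ -z "$(find "$k" -perm -o+r)" ] || echo "warning: $k is world-readable"
    echo "ok: $c / $k"
}
```

Point check_tls_pair at the files named by smtpd_tls_cert_file and smtpd_tls_key_file in main.cf; a "missing" result is exactly the condition behind the fopen error in the question.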
Solution 2
It would appear as though you have an issue in "/etc/postfix/ssl/smtpd.cert": either the file is missing, the permissions on it are wrong, or the formatting of the certificate inside it is invalid.
Updated on September 17, 2022
Comments
Noah Goodrich almost 2 years
Our mail server was originally set up using self-created certificates. However, when those expired and I tried to recreate them, the whole thing just blew up. Since I know it will be important, we are running a Debian server and postfix.
Now I see these errors generated in the mail logs:
May 15 08:06:34 letterpress postfix/smtpd[22901]: warning: cannot get certificate from file /etc/postfix/ssl/smtpd.cert
May 15 08:06:34 letterpress postfix/smtpd[22901]: warning: TLS library problem: 22901:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/etc/postfix/ssl/smtpd.cert','r'):
May 15 08:06:34 letterpress postfix/smtpd[22901]: warning: TLS library problem: 22901:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
May 15 08:06:34 letterpress postfix/smtpd[22901]: warning: TLS library problem: 22901:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:ssl_rsa.c:720:
May 15 08:06:34 letterpress postfix/smtpd[22901]: cannot load RSA certificate and key data
And when trying to access email from a client like Thunderbird from outside our local network, you receive "Unable to connect to smtp server".
I have verified that the file /etc/postfix/ssl/smtpd.cert does exist. The current owner of the file is root:root. Does this need to be changed?
Dave Cheney about 15 years
/etc/postfix/ssl/smtpd.cert is missing
Noah Goodrich about 15 years
@Brent - Why change it to a .pem format? Any links explaining what differentiates a pem file from the other key file formats would be great. I've wondered this for a very long time.
phirschybar about 15 years
Not sure why it uses a .pem format - that step may be unnecessary. As you can see, the pem format is just a concatenation of the .key and .crt files.
Charles Stewart over 14 years
Note that smtpd_use_tls is now obsolete; you should use smtpd_tls_security_level with the value may to allow it.