I'm trying to set up a mail server with Postfix (3.3.0) with virtual domains, queried against an Amazon RDS MySQL (8.0.11) instance, with SSL between the mail server and the RDS instance.
I'm just at the very beginning of setting this up, so I haven't turned on any advanced services; I just got Postfix and Dovecot up and running, and tried to send a mail via telnet from local to the mail server. This fails (which is fine, that's the point of testing), but I'm having trouble pinpointing the origin of the failure. In particular, postfix doesn't want to work, but postmap seems to work fine!
The core error returned when done via postfix seems to be "SSL_CTX_set_default_verify_paths". Looking around here, I can only find two really relevant questions, one of which was answered by a simple typo in the config file; the other of which seemed to do with postfix read permissions on the CA file. I don't have (at least that particular) typo, and I'm pretty sure it's not a file permission problem, but, maybe I'm wrong.
Here's what the failure from postfix looks like:
$telnet localhost 25
EHLO <my.working.mailserver>
MAIL FROM: <[email protected]>
RCPT TO: postmaster@localhost
And here's what the mail log says:
Nov 2 11:09:31 ip-172-31-7-179 postfix/smtpd[11883]: connect from localhost[127.0.0.1]
Nov 2 11:09:45 ip-172-31-7-179 postfix/trivial-rewrite[11879]: warning: connect to mysql server <my.rds.endpoint>:<myport>: SSL connection error: SSL_CTX_set_default_verify_paths failed
Nov 2 11:09:45 ip-172-31-7-179 postfix/trivial-rewrite[11879]: warning: virtual_alias_domains: mysql:/etc/postfix/mysql_alias.cf: table lookup problem
Nov 2 11:09:45 ip-172-31-7-179 postfix/trivial-rewrite[11879]: warning: virtual_alias_domains lookup failure
Nov 2 11:09:58 ip-172-31-7-179 postfix/trivial-rewrite[11879]: warning: virtual_alias_domains: mysql:/etc/postfix/mysql_alias.cf: table lookup problem
Nov 2 11:09:58 ip-172-31-7-179 postfix/trivial-rewrite[11879]: warning: virtual_alias_domains lookup failure
Nov 2 11:09:58 ip-172-31-7-179 postfix/smtpd[11883]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 451 4.3.0 <postmaster@localhost>: Temporary lookup failure; from=<[email protected]> to=<postmaster@localhost> proto=ESMTP helo=<my.working.mailserver>
BUT, if I try to look up postmaster@localhost with postmap, it seems to work just fine:
$sudo -upostfix postmap -q postmaster@localhost mysql:/etc/postfix/mysql_alias.cf
root@localhost
and with some verbosity:
$sudo -upostfix postmap -v -q postmaster@localhost mysql:/etc/postfix/mysql_alias.cf
postmap: name_mask: all
postmap: inet_addr_local: configured 2 IPv4 addresses
postmap: inet_addr_local: configured 2 IPv6 addresses
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: user = postfix
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: password = <password>
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: dbname = <db_name>
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: result_format = %s
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: option_file = <NULL>
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: option_group = client
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: tls_key_file = <NULL>
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: tls_cert_file = <NULL>
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: tls_CAfile = /etc/mysql/ssl/rds-combined-ca-bundle.pem
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: tls_CApath = <NULL>
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: tls_ciphers = <NULL>
postmap: cfg_get_bool: /etc/postfix/mysql_alias.cf: tls_verify_cert = on
postmap: cfg_get_bool: /etc/postfix/mysql_alias.cf: require_result_set = on
postmap: cfg_get_int: /etc/postfix/mysql_alias.cf: expansion_limit = 0
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: query = SELECT destination FROM aliases WHERE mail = '%s' AND enabled=1
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: domain =
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: hosts = <my.rds.endpoint>:<myport>
postmap: dict_open: mysql:/etc/postfix/mysql_alias.cf
postmap: dict_mysql_get_active: attempting to connect to host <my.rds.endpoint>:<myport>
postmap: dict_mysql: successful connection to host <my.rds.endpoint>:<myport>
postmap: mysql:/etc/postfix/mysql_alias.cf: successful query result from host <my.rds.endpoint>:<myport>
postmap: dict_mysql_lookup: retrieved 1 rows
root@localhost
As I said, I don't think it's a file permission problem, because I'm sudo-ing as postfix, and all of the postfix services except for master are running as that user.
$ps -auxw | grep postfix
root 11864 0.0 0.4 67376 4100 ? Ss 11:09 0:00 /usr/lib/postfix/sbin/master -w
postfix 11874 0.0 0.5 73808 5172 ? S 11:09 0:00 pickup -l -t unix -u -c
postfix 11875 0.0 0.5 73856 5428 ? S 11:09 0:00 qmgr -l -t unix -u
postfix 11877 0.0 0.6 88668 6608 ? S 11:09 0:00 cleanup -z -t unix -u -c
postfix 11879 0.0 0.6 88500 6288 ? S 11:09 0:00 trivial-rewrite -n rewrite -t unix -u -c
postfix 11884 0.0 0.7 87248 7988 ? S 11:09 0:00 tlsmgr -l -t unix -u -c
postfix 11972 0.0 0.6 88668 6496 ? S 11:51 0:00 cleanup -z -t unix -u -c
cwr 11974 0.0 0.1 14856 1080 pts/1 S+ 11:53 0:00 grep postfix
Am I missing something simple? How can postmap running as the postfix user work fine when reading the same configuration as postfix itself, but postfix itself not work?
For completeness, note the postmap command was reading mysql:/etc/postfix/mysql_alias.cf. Here are the key bits of main.cf:
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
# this specifies where the virtual mailbox folders will be located
virtual_mailbox_base = /var/spool/mail/virtual
# this is for the mailbox location for each user
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
# and this is for aliases
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
# and this is for domain lookups
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
Those three files are all fairly straightforward, I think:
$sudo cat /etc/postfix/mysql_alias.cf
hosts = <my.rds.endpoint>:<myport>
user = <postfix_db_user>
password = <postfix_db_user_pass>
dbname = <db_name>
query = SELECT destination FROM aliases WHERE mail = '%s' AND enabled=1
tls_CAfile = /etc/mysql/ssl/rds-combined-ca-bundle.pem
tls_verify_cert = yes
Any thoughts on how to either fix, or debug this further, would be greatly appreciated.
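A diagnostic check added to this page (not part of the question or of Postfix itself): it reads tls_CAfile out of a map file such as /etc/postfix/mysql_alias.cf and verifies that the CA bundle is readable both at its host path and under the Postfix chroot, because a daemon that master.cf starts chrooted (the "-c" on the trivial-rewrite process in the ps output above) only sees paths inside the jail, while postmap runs unchrooted. The jail location /var/spool/postfix is an assumption to confirm against master.cf, and the fixture map file and PEM body are constructed for the demo.

```shell
# Added diagnostic, not part of the question. Postfix daemons listed with "-c"
# (as trivial-rewrite is in the ps output above) run chrooted, so a map's
# tls_CAfile must also be readable at <chroot>/<tls_CAfile>.
# Assumption: Debian-style jail at /var/spool/postfix; check master.cf.

# Print the value of "key = value" from a Postfix table config file.
cf_get() {  # cf_get <map.cf> <key>
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Count PEM certificates in a bundle; 0 when the file is missing or unreadable.
pem_cert_count() {  # pem_cert_count <file>
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Verify the map's CA bundle on the host and inside the chroot.
# Returns 0 only when both copies are readable and hold at least one cert.
check_ca_bundle() {  # check_ca_bundle <map.cf> <chroot_dir>
    ca=$(cf_get "$1" tls_CAfile)
    [ -n "$ca" ] || { echo "no tls_CAfile in $1"; return 1; }
    rc=0
    for base in "" "$2"; do
        n=$(pem_cert_count "$base$ca")
        if [ "$n" -gt 0 ]; then echo "ok: $base$ca ($n cert(s))"
        else echo "MISSING or unreadable: $base$ca"; rc=1; fi
    done
    return $rc
}

# Constructed fixtures in a temp dir: a map file whose bundle exists on the
# "host" side but not yet inside the "jail". Prints the temp dir path.
make_fixtures() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/ssl" "$tmp/jail"
    # placeholder PEM body, not a real certificate
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' \
        '-----END CERTIFICATE-----' > "$tmp/ssl/ca.pem"
    printf 'hosts = db.example.invalid:3306\ntls_CAfile = %s/ssl/ca.pem\n' \
        "$tmp" > "$tmp/map.cf"
    echo "$tmp"
}

# Demo: the check fails until the bundle is copied into the jail, then passes.
demo() {
    tmp=$(make_fixtures)
    check_ca_bundle "$tmp/map.cf" "$tmp/jail" && return 1
    mkdir -p "$tmp/jail$tmp/ssl" && cp "$tmp/ssl/ca.pem" "$tmp/jail$tmp/ssl/"
    check_ca_bundle "$tmp/map.cf" "$tmp/jail"
}
```

On the real host, run `check_ca_bundle /etc/postfix/mysql_alias.cf /var/spool/postfix` as the postfix user to see whether the chroot copy of the bundle is what is missing.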
0 Answers