Home / server / Questions / 9485
Accepted
Noah Goodrich
Asked: 2009-05-19 07:26:33 +0800 CST

How to fix mail server SSL?

  • 772

Our mail server was originally set up using self-created certificates. However when those expired, and I tried to recreate them, the whole thing just blew up. Since I know it will be important, we are running a Debian server and postfix.

Now I see these errors generated in the mail logs:

May 15 08:06:34 letterpress postfix/smtpd[22901]: warning: cannot get certificate from file /etc/postfix/ssl/smtpd.cert
May 15 08:06:34 letterpress postfix/smtpd[22901]: warning: TLS library problem: 22901:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/etc/postfix/ssl/smtpd.cert','r'):
May 15 08:06:34 letterpress postfix/smtpd[22901]: warning: TLS library problem: 22901:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
May 15 08:06:34 letterpress postfix/smtpd[22901]: warning: TLS library problem: 22901:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:ssl_rsa.c:720:
May 15 08:06:34 letterpress postfix/smtpd[22901]: cannot load RSA certificate and key data

And when trying to access email from a client like Thunderbird from outside our local network, you receive "Unable to connect to smtp server".

I have verified that the file /etc/postfix/ssl/smtpd.cert does exist. The current owner of the file is root:root. Does this need to be changed?

debian postfix email-server ssl-certificate

3 Answers

  1. Best Answer

    Your /etc/postfix/main.cf will contain the following three directives.

     smtpd_tls_cert_file=
 smtpd_tls_key_file=
 smtpd_use_tls=yes

    This tells Postfix to use TLS.

    You can get it working again by disabling TLS, or creating new certificates.

    Disabling TLS

    1. Change smtpd_use_tls from yes to no
    2. /etc/init.d/postfix restart

    Creating new certificates

    1. Find the key file (according to smtpd_tls_key_file). If it is missing, you will have to create a new one. (openssl genrsa -out filename.key 1024; chmod 600 filename.key)
    2. Create a CSR (openssl req -new -key filename.key -out filename.csr)
    3. Create the certificate (openssl x509 -req -days 730 -in filename.csr -signkey filename.key -out filename.crt)
    4. Make it into the .pem format (cat filename.key filename.crt > filename.pem;chmod 600 filename.pem; chown postfix filename.pem)

    Then ensure it is where it needs to be according to /etc/postfix/main.cf, and restart Postfix. You should be good to go.

    • 5

  2. It would appear as though you have an issue in "/etc/postfix/ssl/smtpd.cert", either the file is missing, the permissions on it are wrong, or the formatting of the certificate inside it is invalid.

    • 1

  3. I had this problem. It turned out the name of my private key was mailserver.pem and yet in postfix's configuration it was mailserver.key. I'd followed a tutorial which had both with a .pem extension.

    I also had both the cert and private key readable only by root, and I changed this so that they were readable by both root and postfix (chown root:postfix filename; chmod 640 filename). Not sure if this second step is required.

    • 0