We are trying to get a dragonfly mta (dma) client to use STARTTLS with our mailhub. We created a self-signed certificate and key using openssl
openssl req -new -newkey rsa:4096 -x509 -sha256 -set_serial 201912200501 -days 3650 -nodes -out x.crt -keyout x.key
and concatenated these into a pem file:
cat x.crt x.key > /usr/local/etc/pki/tls/private/x.pem ; chmod 600 /usr/local/etc/pki/tls/private/x.pem
In /etc/dma.conf we have this:
SECURETRANSFER
STARTTLS
CERTFILE = /usr/local/etc/pki/tls/private/x.pem
When we try to send to the mail hub, dma reports this in /var/log/maillog:
Dec 20 16:15:54 gway05 dma[2813d.8018280f0]: trying remote delivery to smtp.hamilton.harte-lyne.ca [216.185.71.31] pref 0
Dec 20 16:15:54 gway05 dma[2813d.8018280f0]: SSL: Cannot load certificate `= /usr/local/etc/pki/tls/private/x.pem': error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib
Dec 20 16:15:54 gway05 dma[2813d.8018280f0]: remote delivery deferred
What are we doing wrong?
The problem with
error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib
is caused by the pem file not being readable by the wheel group. Changing the permissions on /usr/local/etc/pki/tls/private/gway05_ss.pem to -rw-r----- 1 root wheel resolves the issue.
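As an added example, not part of the question or the answer above: a small Python check that inspects the two things this thread turns on, the permission bits on the combined PEM file and whether it actually contains both a CERTIFICATE and a PRIVATE KEY block. The PEM bodies and file names are constructed placeholders, and the check only looks at the group read bit, not at which group owns the file.

```python
import os
import stat
import tempfile

# Constructed sample PEM bodies (not real key material): only the
# BEGIN/END labels matter for the structural check below.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----\n"


def pem_labels(text):
    """Return the labels of the PEM blocks in `text`, in file order."""
    labels = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            labels.append(line[len("-----BEGIN "):-len("-----")])
    return labels


def check_certfile(path):
    """Return a list of problems with a cert+key file used as dma's CERTFILE."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if not mode & stat.S_IRGRP:          # the thread's fix: grant group read
        problems.append("mode %04o: not group-readable" % mode)
    if mode & stat.S_IROTH:              # key material must not be world-readable
        problems.append("mode %04o: private key is world-readable" % mode)
    with open(path) as fh:
        labels = pem_labels(fh.read())
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("no PRIVATE KEY block")
    return problems


def demo():
    """Write constructed files with different modes/contents and check each."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, mode, body in (
            ("root_only", 0o600, SAMPLE_CERT + SAMPLE_KEY),   # the question's chmod 600
            ("group_read", 0o640, SAMPLE_CERT + SAMPLE_KEY),  # the answer's -rw-r-----
            ("cert_only", 0o640, SAMPLE_CERT),                # key never concatenated
            ("world_read", 0o644, SAMPLE_CERT + SAMPLE_KEY),
        ):
            path = os.path.join(d, name + ".pem")
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, mode)
            results[name] = check_certfile(path)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else "; ".join(problems))
```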