From: Wietse Venema on 14 Sep 2009 19:17

sean darcy:
> Wietse Venema wrote:
> > sean darcy:
> >> Wietse Venema wrote:
> >>> sean darcy:
> >>>> Sep 13 16:00:19 asterisk postfix/smtp[1786]: warning: TLS library
> >>>> problem: 1786:error:0B080074:x509 certificate
> >>>> routines:X509_check_private_key:key values mismatch:x509_cmp.c:304:
> >>> Does the client private key match the client (public key) certificate?
> >>>
> >>> See the Postfix TLS_README for an example of how to create these.
> >>>
> >>> Wietse
> >>>
> >> It doesn't seem to need to match. But reading TLS_README realllly
> >> closely solved it.
> >>
> >> Counter-intuitively - at least for me - you set up all the files for
> >> smtpd_tls... That is, you set them up as if you're a server.
> >
> > That configures the certificates for the Postfix SMTP server.
> >
> > You won't be using any certificates in the SMTP client.
> >
> > Wietse
> >
> Right, which is puzzling. I would have assumed I was the client to the
> gmail server. Why setting the certificates up as a server works makes no
> sense to me, but it does work.

You can delete all the SERVER TLS settings.

They have no effect on SENDING mail, period.

Wietse
From: sean darcy on 14 Sep 2009 21:12

Wietse Venema wrote:
> sean darcy:
>> Wietse Venema wrote:
>>> sean darcy:
>>>> Wietse Venema wrote:
>>>>> sean darcy:
>>>>>> Sep 13 16:00:19 asterisk postfix/smtp[1786]: warning: TLS library
>>>>>> problem: 1786:error:0B080074:x509 certificate
>>>>>> routines:X509_check_private_key:key values mismatch:x509_cmp.c:304:
>>>>> Does the client private key match the client (public key) certificate?
>>>>>
>>>>> See the Postfix TLS_README for an example of how to create these.
>>>>>
>>>>> Wietse
>>>>>
>>>> It doesn't seem to need to match. But reading TLS_README realllly
>>>> closely solved it.
>>>>
>>>> Counter-intuitively - at least for me - you set up all the files for
>>>> smtpd_tls... That is, you set them up as if you're a server.
>>> That configures the certificates for the Postfix SMTP server.
>>>
>>> You won't be using any certificates in the SMTP client.
>>>
>>> Wietse
>>>
>> Right, which is puzzling. I would have assumed I was the client to the
>> gmail server. Why setting the certificates up as a server works makes no
>> sense to me, but it does work.
>
> You can delete all the SERVER TLS settings.
>
> They have no effect on SENDING mail, period.
>
> Wietse
>

Wow. You're absolutely right. Here's main.cf:

    relayhost = [smtp.gmail.com]:587
    smtp_connection_cache_destinations = smtp.gmail.com
    smtp_sasl_auth_enable=yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_tls_security_options = noanonymous
    tls_random_source = dev:/dev/urandom
    smtp_tls_CAfile=/etc/pki/CA/cacert.pem
    smtp_tls_security_level = may
    smtp_tls_scert_verifydepth = 9

This is way simpler than any of the howtos for gmail relay access. Or the
TLS_README.

It's weird how everyone makes this so complicated.

sean
From: Victor Duchovni on 14 Sep 2009 22:33

On Mon, Sep 14, 2009 at 09:11:43PM -0400, sean darcy wrote:

> This is way simpler than any of the howtos for gmail relay access. Or the
> TLS_README.
>
> It's weird how everyone makes this so complicated.

Which part of TLS_README led you astray? In the section on client certificates:

    http://www.postfix.org/TLS_README.html#client_cert_key

the first paragraph reads:

    Do not configure Postfix SMTP client certificates unless you must present
    client TLS certificates to one or more servers. Client certificates are
    not usually needed, and can cause problems in configurations that work
    well without them. The recommended setting is to let the defaults stand:

        smtp_tls_cert_file =
        smtp_tls_dcert_file =
        smtp_tls_key_file =
        smtp_tls_dkey_file =
        # Postfix >= 2.6
        smtp_tls_eccert_file =
        smtp_tls_eckey_file =

    The best way to use the default settings is to comment out the above
    parameters in main.cf if present.

I thought this would serve the intended goal of helping people to avoid
unnecessary SMTP client certificates.

--
	Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:majordomo(a)postfix.org?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
From: sean darcy on 17 Sep 2009 03:33

Victor Duchovni wrote:
> On Mon, Sep 14, 2009 at 09:11:43PM -0400, sean darcy wrote:
>
>> This is way simpler than any of the howtos for gmail relay access. Or the
>> TLS_README.
>>
>> It's weird how everyone makes this so complicated.
>
> Which part of TLS_README led you astray? In the section on client certificates:
>
> http://www.postfix.org/TLS_README.html#client_cert_key
>
> the first paragraph reads:
>
> Do not configure Postfix SMTP client certificates unless you must present
> client TLS certificates to one or more servers. Client certificates are
> not usually needed, and can cause problems in configurations that work
> well without them. The recommended setting is to let the defaults stand:
>
> smtp_tls_cert_file =
> smtp_tls_dcert_file =
> smtp_tls_key_file =
> smtp_tls_dkey_file =
> # Postfix >= 2.6
> smtp_tls_eccert_file =
> smtp_tls_eckey_file =
>
> The best way to use the default settings is to comment out the above
> parameters in main.cf if present.
>
> I thought this would serve the intended goal of helping people to avoid
> unnecessary SMTP client certificates.
>

I was led astray by various howtos on how to set up the google relay. All
the ones I saw included setting up the client TLS certificates. Therefore I
assumed they must be presented. Not so.

sean
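The two checks this thread turns on are (a) whether main.cf still carries any of the six SMTP client certificate parameters that TLS_README says to leave empty, and (b) whether a configured certificate and private key actually belong together, which is what the "X509_check_private_key:key values mismatch" warning at the top of the thread is about. The script below is an added example written for this page; it is not code from the postfix-users list or from the Postfix project. It assumes POSIX sh, sed, mktemp and the openssl command line tool. The two main.cf files it writes are constructed for the demonstration (modelled on the one sean posted, with placeholder paths), the self-signed certificate and keys are throwaway test material, and the comment about preferring smtp_tls_security_level = encrypt or secure over may for a credential-carrying relayhost is a caveat added here, not something the thread states.

```shell
#!/bin/sh
# Added example; not code from the postfix-users thread or the Postfix
# project. Assumes POSIX sh, sed, mktemp and (for the key check) the openssl CLI.
set -eu

# The Postfix SMTP *client* certificate parameters that TLS_README says to
# leave at their empty defaults unless a server requires client certificates.
CLIENT_CERT_PARAMS="smtp_tls_cert_file smtp_tls_key_file \
smtp_tls_dcert_file smtp_tls_dkey_file smtp_tls_eccert_file smtp_tls_eckey_file"

# audit_client_certs MAIN_CF
# Print "name=value" for each client cert/key parameter that is set to a
# non-empty value in MAIN_CF. Exit 0 when none are set, 1 otherwise.
# On a live system, `postconf -n | grep '^smtp_tls_'` answers the same question.
audit_client_certs() {
    rc=0
    for p in $CLIENT_CERT_PARAMS; do
        # The last assignment of a parameter in main.cf is the one that counts.
        v=$(sed -n "s/^[[:space:]]*${p}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1)
        if [ -n "$v" ]; then
            echo "${p}=${v}"
            rc=1
        fi
    done
    return $rc
}

# keys_match CERT KEY
# Succeed when the public key inside CERT equals the public key derived from
# KEY. That is the comparison OpenSSL's X509_check_private_key() makes; when it
# fails, Postfix logs the "key values mismatch" warning quoted in the thread.
keys_match() {
    cert_pub=$(openssl x509 -in "$1" -pubkey -noout)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# write_main_cf_samples DIR
# Constructed test input: a main.cf modelled on the one posted in the thread
# (relay through Gmail with SASL, no client certificate), and a second copy
# with the client certificate lines that the Gmail howtos add. Paths are
# placeholders.
write_main_cf_samples() {
    cat > "$1/good-main.cf" <<'EOF'
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_tls_security_options = noanonymous
smtp_tls_CAfile = /etc/pki/CA/cacert.pem
# "may" is opportunistic TLS. For a fixed relayhost that carries SASL
# credentials, "encrypt" (or "secure", verified against smtp_tls_CAfile)
# refuses to fall back to a plaintext session.
smtp_tls_security_level = may
EOF
    { cat "$1/good-main.cf"
      echo "smtp_tls_cert_file = /etc/postfix/client.pem"
      echo "smtp_tls_key_file = /etc/postfix/client.key"; } > "$1/bad-main.cf"
}

# make_keypairs DIR
# Constructed test input: a throwaway self-signed certificate with its own
# key, plus an unrelated key that does not belong to the certificate.
make_keypairs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=example.test \
        -keyout "$1/client.key" -out "$1/client.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.key" 2>/dev/null
}

# Stand-alone demonstration.
demo() {
    d=$(mktemp -d)
    write_main_cf_samples "$d"
    echo "== good-main.cf"
    audit_client_certs "$d/good-main.cf" && echo "no client certificate configured"
    echo "== bad-main.cf"
    audit_client_certs "$d/bad-main.cf" || echo "comment the lines above out of main.cf"
    if command -v openssl >/dev/null 2>&1; then
        make_keypairs "$d"
        keys_match "$d/client.pem" "$d/client.key" && echo "client.pem matches client.key"
        keys_match "$d/client.pem" "$d/other.key" || echo "client.pem does not match other.key"
    fi
    rm -rf "$d"
}
demo
```

Run it as-is and it prints the two client certificate lines found in the "bad" main.cf and one match/mismatch verdict per key. Comparing the SubjectPublicKeyInfo from `openssl x509 -pubkey` with `openssl pkey -pubout` works for RSA and EC keys alike, unlike the older `-modulus` trick, which is RSA only.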