From: sean darcy on 13 Sep 2009 16:17

Postfix-2.6.5 on Fedora 12:

I'm trying to use gmail as a relay for my mail. But I keep getting this error when I try to send mail:

Sep 13 16:00:19 asterisk postfix/smtp[1786]: warning: cannot get RSA private key from file /etc/postfix/postfixclient.key: disabling TLS support
Sep 13 16:00:19 asterisk postfix/smtp[1786]: warning: TLS library problem: 1786:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:304:
Sep 13 16:00:20 asterisk postfix/smtp[1785]: A174723A74: to=<myaddress(a)mydomain.com>, relay=smtp.gmail.com[74.125.93.111]:587, delay=2346, delays=2345/0.3/0.62/0.05, dsn=4.7.0, status=SOFTBOUNCE (host smtp.gmail.com[74.125.93.111] said: 530 5.7.0 Must issue a STARTTLS command first. 8sm5319200qwj.18 (in reply to MAIL FROM command))

/etc/postfix/postfixclient.key exists, and contains an RSA key:

cat /etc/postfix/postfixclient.key
-----BEGIN RSA PRIVATE KEY-----
MII..........................................................==
-----END RSA PRIVATE KEY-----

which was generated with:

openssl genrsa -out postfixclient.key 1024

main.cf has:

relayhost = [smtp.gmail.com]:587
smtp_connection_cache_destinations = smtp.gmail.com
relay_destination_concurrency_limit = 1
default_destination_concurrency_limit = 5
smtp_sasl_auth_enable=yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_note_starttls_offer = yes
tls_random_source = dev:/dev/urandom
smtp_tls_security_level = may
smtp_tls_scert_verifydepth = 9
smtp_tls_key_file=/etc/postfix/postfixclient.key
smtp_tls_cert_file=/etc/pki/tls/cert.pem
smtp_tls_CAfile=/etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_req_ccert =no
smtpd_tls_ask_ccert = yes
soft_bounce = yes
smtp_tls_loglevel = 1

Any help appreciated.

sean
From: Wietse Venema on 13 Sep 2009 17:04

sean darcy:
> Sep 13 16:00:19 asterisk postfix/smtp[1786]: warning: TLS library
> problem: 1786:error:0B080074:x509 certificate
> routines:X509_check_private_key:key values mismatch:x509_cmp.c:304:

Does the client private key match the client (public key) certificate?

See the Postfix TLS_README for an example of how to create these.

Wietse
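Wietse's question can be answered mechanically before touching main.cf. What follows is an added example, not something posted in this thread and not Postfix code: a POSIX shell function that extracts the public key from a PEM private key and from a PEM certificate and compares the two, which is the same relationship OpenSSL's X509_check_private_key tests before Postfix logs "key values mismatch" and disables TLS. The demo material (a self-signed certificate with the key it was made from, plus a second key generated on its own) is constructed in a temporary directory; the file names are assumptions, and the openssl command-line tool is required.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a PEM private key belongs
# to a PEM certificate by comparing the public keys they carry. This is the
# relationship behind the "X509_check_private_key:key values mismatch"
# warning that made Postfix disable TLS in the log above. Needs openssl(1).
set -eu

# Returns 0 when the public key derived from KEY is byte-for-byte the public
# key embedded in CERT, 1 when they differ or either file cannot be parsed.
# Both commands emit a SubjectPublicKeyInfo PEM block, so the comparison
# works for RSA and EC keys alike.
key_matches_cert() {
    key="$1"; cert="$2"
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# Constructed demo material in a throw-away directory: a self-signed
# certificate together with the key it was made from, plus a second key
# generated independently (the thread's situation, where postfixclient.key
# had nothing to do with the distribution's /etc/pki/tls/cert.pem).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo" \
    -keyout "$WORK/matching.key" -out "$WORK/demo.crt" >/dev/null 2>&1
openssl genrsa -out "$WORK/unrelated.key" 2048 >/dev/null 2>&1

# Report both pairs the way an admin would check them before editing main.cf.
for k in matching unrelated; do
    if key_matches_cert "$WORK/$k.key" "$WORK/demo.crt"; then
        echo "$k.key + demo.crt: key matches certificate"
    else
        echo "$k.key + demo.crt: key values mismatch (Postfix would disable TLS)"
    fi
done
```

Run against the values of smtp_tls_key_file and smtp_tls_cert_file (or the smtpd_ equivalents), the function tells you whether Postfix will accept the pair at all. For a relay client that only authenticates with SASL, as here, no client certificate is needed in the first place, so leaving both parameters unset avoids the problem entirely.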
From: sean darcy on 13 Sep 2009 18:37

Wietse Venema wrote:
> sean darcy:
>> Sep 13 16:00:19 asterisk postfix/smtp[1786]: warning: TLS library
>> problem: 1786:error:0B080074:x509 certificate
>> routines:X509_check_private_key:key values mismatch:x509_cmp.c:304:
>
> Does the client private key match the client (public key) certificate?
>
> See the Postfix TLS_README for an example of how to create these.
>
> Wietse
>

It doesn't seem to need to match. But reading TLS_README realllly closely solved it.

Counter-intuitively - at least for me - you set up all the files for smtpd_tls... That is, you set them up as if you're a server. So main.cf:

relayhost = [smtp.gmail.com]:587
smtp_connection_cache_destinations = smtp.gmail.com
relay_destination_concurrency_limit = 1
default_destination_concurrency_limit = 5
smtp_sasl_auth_enable=yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_tls_security_options = noanonymous
tls_random_source = dev:/dev/urandom
smtp_tls_CAfile=/etc/pki/CA/cacert.pem
smtp_tls_security_level = may
smtp_tls_scert_verifydepth = 9
smtpd_tls_CAfile=/etc/pki/CA/cacert.pem
smtpd_tls_cert_file=/opt/postfix-mail/postfix.generated.pem.cert
smtpd_tls_key_file=/opt/postfix-mail/postfix-key.pem
smtpd_tls_received_header = yes
smtpd_tls_security_level = may

Et Voila!

sean
From: Wietse Venema on 13 Sep 2009 18:47

sean darcy:
> Wietse Venema wrote:
> > sean darcy:
> >> Sep 13 16:00:19 asterisk postfix/smtp[1786]: warning: TLS library
> >> problem: 1786:error:0B080074:x509 certificate
> >> routines:X509_check_private_key:key values mismatch:x509_cmp.c:304:
> >
> > Does the client private key match the client (public key) certificate?
> >
> > See the Postfix TLS_README for an example of how to create these.
> >
> > Wietse
> >
>
> It doesn't seem to need to match. But reading TLS_README realllly
> closely solved it.
>
> Counter-intuitively -at least for me - you set up all the files for
> smtpd_tls... That is, you set them up as if you're a server.

That configures the certificates for the Postfix SMTP server.

You won't be using any certificates in the SMTP client.

Wietse
From: sean darcy on 14 Sep 2009 17:48

Wietse Venema wrote:
> sean darcy:
>> Wietse Venema wrote:
>>> sean darcy:
>>>> Sep 13 16:00:19 asterisk postfix/smtp[1786]: warning: TLS library
>>>> problem: 1786:error:0B080074:x509 certificate
>>>> routines:X509_check_private_key:key values mismatch:x509_cmp.c:304:
>>> Does the client private key match the client (public key) certificate?
>>>
>>> See the Postfix TLS_README for an example of how to create these.
>>>
>>> Wietse
>>>
>> It doesn't seem to need to match. But reading TLS_README realllly
>> closely solved it.
>>
>> Counter-intuitively -at least for me - you set up all the files for
>> smtpd_tls... That is, you set them up as if you're a server.
>
> That configures the certificates for the Postfix SMTP server.
>
> You won't be using any certificates in the SMTP client.
>
> Wietse
>

Right, which is puzzling. I would have assumed I was the client to the gmail server. Why setting the certificates up as a server works makes no sense to me, but it does work.

sean
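To make the client/server split concrete, here is an added example, not code from this thread or from Postfix: a small POSIX shell lint that reads the SMTP client settings out of a main.cf and reports the things that mattered in this thread: an opportunistic smtp_tls_security_level with a fixed relayhost (a failed TLS setup then falls back to cleartext), smtp_sasl_security_options that permit a plaintext password, a client key/cert pair that is optional for submission but fatal to TLS when mismatched, and smtpd_tls_* parameters that only affect inbound mail. It assumes plain "key = value" lines with no continuation lines; the parameter names are real Postfix parameters, and the two main.cf files it reads are constructed in a temporary directory (the first mirrors the essential lines of the original post, the second is a client-only configuration that passes clean).

```shell
#!/bin/sh
# Added example (not from the thread): lint the SMTP *client* TLS/SASL
# settings of a Postfix main.cf that relays through an authenticated
# submission host. Assumes one "key = value" per line (no continuation
# lines). The two sample configurations below are constructed.
set -eu

# Print KEY's value from main.cf FILE; the last definition wins, as in Postfix.
cf_get() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        { key = $0; sub(/[ \t]*=.*/, "", key); gsub(/[ \t]/, "", key) }
        key == k  { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); val = v }
        END { print val }' "$1"
}

# 0 when the given smtp_tls_security_level never falls back to cleartext.
tls_enforced() {
    case "$1" in encrypt|fingerprint|verify|secure|dane-only) return 0 ;; esac
    return 1
}

# Print one finding per line for the outbound relay settings in FILE.
lint_relay_tls() {
    cf="$1"
    relay=$(cf_get "$cf" relayhost)
    level=$(cf_get "$cf" smtp_tls_security_level)
    sopts=$(cf_get "$cf" smtp_sasl_security_options)
    ckey=$(cf_get "$cf" smtp_tls_key_file)
    ccert=$(cf_get "$cf" smtp_tls_cert_file)
    nsrv=$(grep -c '^[[:space:]]*smtpd_tls_' "$cf" || true)

    if [ -n "$relay" ] && ! tls_enforced "$level"; then
        echo "WARN relayhost=$relay with smtp_tls_security_level=${level:-none}: use 'encrypt' (or 'secure' with a CA file) so mail to the relay can never fall back to cleartext"
    fi
    # Postfix's default already contains noplaintext; an explicit value that
    # drops it lets AUTH PLAIN/LOGIN go out on a session that is not encrypted.
    if [ -n "$sopts" ] && ! tls_enforced "$level"; then
        case "$sopts" in
            *noplaintext*) ;;
            *) echo "WARN smtp_sasl_security_options='$sopts' lacks noplaintext while TLS is opportunistic: the SASL password may be sent over a cleartext session" ;;
        esac
    fi
    if [ -n "$ckey" ] || [ -n "$ccert" ]; then
        echo "INFO smtp_tls_key_file/smtp_tls_cert_file are set: a client certificate is not needed for SASL submission, and a key that does not match the certificate makes Postfix disable TLS entirely ('key values mismatch')"
    fi
    if [ "$nsrv" -gt 0 ]; then
        echo "NOTE $nsrv smtpd_tls_* parameter(s) found: these configure the inbound SMTP server and do not affect outbound relaying"
    fi
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed: the essential lines of the thread's first, failing main.cf.
cat > "$WORK/before.cf" <<'EOF'
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable=yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = may
smtp_tls_key_file=/etc/postfix/postfixclient.key
smtp_tls_cert_file=/etc/pki/tls/cert.pem
smtp_tls_CAfile=/etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_req_ccert =no
smtpd_tls_ask_ccert = yes
EOF

# Constructed: a client-only configuration for the same relay that enforces
# TLS, keeps the password off cleartext sessions and carries no client cert.
cat > "$WORK/after.cf" <<'EOF'
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous, noplaintext
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
EOF

for f in before after; do
    echo "== $f.cf =="
    lint_relay_tls "$WORK/$f.cf"
done
```

The second file is what Wietse's "you won't be using any certificates in the SMTP client" looks like in practice: only smtp_* parameters decide how Postfix talks to the relay, and the smtpd_* files from the thread's working configuration are there for inbound connections only.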