#1 (permalink)
Old 11-19-2007, 07:18 PM
Senior Member
 
Posts: 37
Default [SOLVED] Unable to send mail via SMTP+TLS+Auth

First of all, this is a 4.5.9 Ubuntu installation. I can send via the web interface so the underlying MTA is ok.

However, I have SMTP auth and TLS switched on. I have followed the wiki article to generate some new self-signed certs so they reflect my domains etc. However, since doing this, whenever I send a message using a Thunderbird mail client I get the following in the logs:

Code:
Nov 20 13:58:40 node postfix/smtpd[1544]: connect from remote.server.name[1.2.3.4]
Nov 20 13:58:40 node postfix/smtpd[1544]: setting up TLS connection from remote.server.name[1.2.3.4]
Nov 20 13:58:41 node postfix/smtpd[1544]: TLS connection established from remote.server.name[1.2.3.4]: TLSv1 with cipher AES128-SHA (128/128 bits)
Nov 20 13:58:41 node postfix/master[797]: warning: process /opt/zimbra/postfix-2.2.9/libexec/smtpd pid 1544 killed by signal 11
Nov 20 13:58:41 node postfix/master[797]: warning: /opt/zimbra/postfix-2.2.9/libexec/smtpd: bad command startup -- throttling

...and when using Apple Mail I see the following log lines:

Code:
Nov 20 13:59:04 node postfix/smtpd[1151]: connect from remote.server.name[1.2.3.4]
Nov 20 13:59:04 node postfix/smtpd[1151]: setting up TLS connection from remote.server.name[1.2.3.4]
Nov 20 13:59:09 node postfix/smtpd[1151]: SSL_accept error from remote.server.name[1.2.3.4]: 0
Nov 20 13:59:09 node postfix/smtpd[1151]: warning: TLS library problem: 1151:error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied:s3_pkt.c:1057:SSL alert number 49:
Nov 20 13:59:09 node postfix/smtpd[1151]: lost connection after STARTTLS from remote.server.name[1.2.3.4]
Nov 20 13:59:09 node postfix/smtpd[1151]: disconnect from remote.server.name[1.2.3.4]

I couldn't find anything else that indicates a problem - as stated at the top, the web interface works fine. Stumped and totally unsure of how to proceed. Anyone seen this before?
Reply With Quote
  #2 (permalink)  
Old 11-19-2007, 07:25 PM
Zimbra Employee
 
Posts: 5,606
Default

Hi Cent-
Have you had a look at this thread:
Smtp Tls

Looks like there might be a utility that might help. Let me know if you've already tried it, and we'll try something else.
Reply With Quote
  #3 (permalink)  
Old 11-19-2007, 07:49 PM
Senior Member
 
Posts: 37
Default

Followed that thread through which ended up here. However, in those instructions, the following command failed on my system:

Code:
root@node:~# cp /opt/zimbra/ssl/ssl/server/tomcat.pem /opt/zimbra/conf/smtpd.crt
cp: cannot stat `/opt/zimbra/ssl/ssl/server/tomcat.pem': No such file or directory

Regardless, I restarted Zimbra and now get:

Code:
Nov 20 14:38:52 node postfix/smtpd[20409]: warning: cannot get private key from file /opt/zimbra/conf/smtpd.key
Nov 20 14:38:52 node postfix/smtpd[20409]: warning: TLS library problem: 20409:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:399:
Nov 20 14:38:52 node postfix/smtpd[20409]: cannot load RSA certificate and key data

...which I expected. So I redeployed the mta certificate as per the original wiki article and now am back to the original error. Strangely the "starttls" command returns a 220:

Code:
$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 node.gray.net.au ESMTP Postfix
ehlo localhost
250-node.gray.net.au
250-PIPELINING
250-SIZE 10485760
250-VRFY
250-ETRN
250-STARTTLS
250 8BITMIME
STARTTLS
220 Ready to start TLS

I've googled this up the whazoo for 48 hours now, and still can't find any answers.
Reply With Quote
  #4 (permalink)  
Old 11-19-2007, 08:18 PM
Zimbra Employee
 
Posts: 451
Default

Looks like you installed the cert without the key. Make sure you've installed the smtpd cert/key completely (per the wiki)

Code:
zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key
postfix reload
__________________
Bugzilla - Wiki - Downloads - Before posting... Search!
Reply With Quote
  #5 (permalink)  
Old 11-19-2007, 08:21 PM
Zimbra Employee
 
Posts: 451
Default

BTW, everyone should be glad to know that certificate management can now be done via the Admin Console starting in 5.0.0_RC2 with some simplified wizards.
__________________
Bugzilla - Wiki - Downloads - Before posting... Search!
Reply With Quote
  #6 (permalink)  
Old 11-19-2007, 09:22 PM
Senior Member
 
Posts: 37
Red face

Yes - did that step again, and verified the key+cert matched etc using openssl. However I still have the same problem.

I really can't afford too much more downtime, so I'm migrating to ZCS 5.0RC1 on a spare system to see if that can be coaxed to life.

Will keep you posted....

-- James
Reply With Quote
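
The `key values mismatch` error in post #3 and the openssl cert/key check mentioned in post #6 both come down to comparing the public key inside the certificate with the one derived from the private key. The script below is an added example, not something posted in this thread; it assumes the `openssl` command-line tool is installed, the function names are hypothetical, and the sample certificate and keys it generates are constructed throwaway material.

```shell
#!/usr/bin/env bash
# Added example: check that a PEM certificate and a PEM private key are a pair.
# Usage with the paths named in this thread:
#   cert_key_match /opt/zimbra/conf/smtpd.crt /opt/zimbra/conf/smtpd.key

# Public key (SubjectPublicKeyInfo PEM) carried inside a certificate.
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key derived from a private key. "-passin pass:" makes an encrypted
# key fail cleanly instead of prompting for a passphrase.
pubkey_of_key() { openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null; }

# Exit status: 0 = pair matches, 1 = mismatch, 2 = a file could not be parsed.
cert_key_match() {
    local c k
    c=$(pubkey_of_cert "$1") || return 2
    k=$(pubkey_of_key "$2") || return 2
    [ -n "$c" ] && [ -n "$k" ] || return 2
    [ "$c" = "$k" ]
}

# Constructed sample material in directory $1: a self-signed certificate with
# its own key (pair.crt / pair.key) and an unrelated key (other.key).
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=mail.example.test" \
        -keyout "$1/pair.key" -out "$1/pair.crt" >/dev/null 2>&1 &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.key" >/dev/null 2>&1
}

# Run as a script with CERT and KEY arguments to report on real files.
if [ "$#" -eq 2 ]; then
    rc=0
    cert_key_match "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: certificate and key match" ;;
        1) echo "MISMATCH: key does not belong to this certificate" ;;
        *) echo "ERROR: could not read certificate or key" ;;
    esac
    exit "$rc"
fi
```

A status of 1 corresponds to the condition Postfix reports as `X509_check_private_key:key values mismatch`; a status of 2 usually means a wrong path, a non-PEM file, or a passphrase-protected key.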
  #7 (permalink)  
Old 11-19-2007, 09:37 PM
Senior Member
 
Posts: 37
Default

Brilliant...can't upgrade from 4.5.9GA -> 5.0.0RC1. See here for why. So now I'm stuffed.
Reply With Quote
  #8 (permalink)  
Old 11-19-2007, 09:47 PM
Zimbra Employee
 
Posts: 5,606
Default

Can you disable tls for smtp auth for the interim while you figure it out?
Reply With Quote
  #9 (permalink)  
Old 11-19-2007, 09:48 PM
Zimbra Employee
 
Posts: 5,606
Default

Are you a Network Edition Customer? If so, by all means, please contact support! I can give them a heads up if you want.
Reply With Quote
  #10 (permalink)  
Old 11-19-2007, 11:01 PM
Senior Member
 
Posts: 37
Default

Ok - nothing to lose, so did a virgin installation of 4.5.9GA. Ran through the SSL self-signed certificate procedures verbatim. However, I am back to the same problem I have in the original post.

Is this a bug in 4.5.9? Is there a step missing or incorrect in that procedure??
Reply With Quote