  #1 (permalink)  
Old 04-26-2006, 07:24 AM
Senior Member
 
Posts: 50
Default Smtp Tls

I'm currently trying to get TLS working on our Filter server for incoming emails. Currently TLS works fine for outgoing SMTP connections on the other server. Currently, with a manual telnet, I'm getting this response:

Connected to black.soltec.net.
Escape character is '^]'.
220 black.soltec.net ESMTP Postfix
ehlo xyz
250-black.soltec.net
250-PIPELINING
250-SIZE 102400000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME
starttls
454 TLS not available due to local problem


I'm guessing this was a cert error (planning on using self-signed). I then took your directions for creating a self-signed cert:

keytool -delete -alias my_ca -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit

But I'm getting this error.
keytool error: java.lang.Exception: Alias <my_ca> does not exist

Any ideas, or is this even a cert problem? The only thing installed on the filter server is mta, spamfilter, virusfilter and snmp.
  #2 (permalink)  
Old 04-26-2006, 07:27 AM
Elite Member & Volunteer
 
Posts: 255
Default

The cert CA is not there, so you don't need that command; it is already deleted. Just run zmcreateca to recreate the CA.
  #3 (permalink)  
Old 04-26-2006, 07:29 AM
Senior Member
 
Posts: 50
Default

Basically this, then:

zmcreateca
zmcreatecert
zmcertinstall mailbox ssl/ssl/server/tomcat.crt
zmcertinstall mta ssl/ssl/server/server.crt ssl/ssl/server/server.key
  #4 (permalink)  
Old 04-26-2006, 07:38 AM
Elite Member & Volunteer
 
Posts: 255
Default

I believe so.
  #5 (permalink)  
Old 04-26-2006, 08:23 AM
Senior Member
 
Posts: 50
Default

Yep, that works, thanks.
  #6 (permalink)  
Old 03-05-2007, 04:33 PM
Intermediate Member
 
Posts: 23
Default 454 TLS Local Problem

I have installed a commercial certificate as described in the wiki and I had the https site and the pop3 access working fine with it. However, when I tried to send mail through smtp, I got "error 454 - TLS not available due to a local problem". I tried setting the certificate for the mta manually by issuing
Code:
zmcertinstall mta ssl/ssl/server/server.crt ssl/ssl/server/server.key
which installed the original, Zimbra-issued certificate there. Not happy with that, in a particularly experimental mindset I copied my commercial .crt file over the /opt/zimbra/conf/smtpd.crt file. Now I get the error "unable to connect to smtp server via STARTTLS since it doesn't offer STARTTLS in EHLO response". Not happy with this one either, please help!
  #7 (permalink)  
Old 03-09-2007, 12:03 PM
Member
 
Posts: 11
Default

I'm having the exact same problem.
  #8 (permalink)  
Old 03-09-2007, 02:48 PM
Special Member
 
Posts: 126
Default

I used to have this problem...

Try this (from http://mark.foster.cc/kb/openssl-keytool.html ):

Export the *public key* (certificate) from a keystore:

keytool -export -alias mykey -keystore keystore -file exported.crt

The result is a DER (binary) formatted certificate in exported.crt

openssl x509 -noout -text -in exported.crt -inform der

Now you will want to convert it to another format - PEM - which is
more widely used in applications such as apache and by openssl to do
the pkcs12 conversion.

openssl x509 -out exported-pem.crt -outform pem -text -in exported.crt -inform der


Then just copy it over smtpd.crt
  #9 (permalink)  
Old 03-09-2007, 03:11 PM
Member
 
Posts: 11
Default

That worked without trouble but didn't fix the problem, for me at least. My zimbra log now shows this:

Mar 9 14:09:54 mail postfix/smtpd[31353]: lost connection after STARTTLS from c-67-169-127-128.hsd1.ca.comcast.net[67.169.127.128]
Mar 9 14:13:44 mail postfix/smtpd[22605]: warning: TLS library problem: 22605:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: CERTIFICATE:
Mar 9 14:13:44 mail postfix/smtpd[22605]: warning: TLS library problem: 22605:error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib:ssl_rsa.c:765:
Mar 9 14:15:13 mail postfix/smtpd[11729]: lost connection after STARTTLS from c-67-169-127-128.hsd1.ca.comcast.net[67.169.127.128]


Client shows the same error as before.

Last edited by nexus : 03-09-2007 at 03:19 PM.
  #10 (permalink)  
Old 03-09-2007, 04:05 PM
Special Member
 
Posts: 126
Default

Can you post the first line of your exported-pem.crt (just open it with a text editor)?
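The "no start line ... Expecting: CERTIFICATE" warning in the log above means the PEM reader found no block labelled CERTIFICATE in the file it was given. The following pre-install check is an added example, not part of the thread and not Zimbra or Postfix code; the function names and sample bytes are constructed for illustration. It reports whether a file is DER, PEM with leading text, or PEM without a certificate, and emits a clean PEM suitable for a file such as smtpd.crt.

```python
import re
import ssl

# Matches one PEM block and captures its label, e.g. CERTIFICATE.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----", re.S)

def looks_like_der(data: bytes) -> bool:
    """True if data is exactly one ASN.1 SEQUENCE, as a DER certificate is."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    if data[1] < 0x80:                      # short-form length byte
        return len(data) == 2 + data[1]
    k = data[1] & 0x7F                      # long form: k length bytes follow
    if k == 0 or len(data) < 2 + k:
        return False
    return len(data) == 2 + k + int.from_bytes(data[2:2 + k], "big")

def inspect_cert_file(data: bytes) -> dict:
    """Classify file content the way a PEM certificate loader will see it."""
    labels = [m.group(1).decode() for m in PEM_BLOCK.finditer(data)]
    if labels:
        first = data.find(b"-----BEGIN ")
        return {"format": "pem", "labels": labels,
                "leading_text": bool(data[:first].strip()),
                "pem_certificate": "CERTIFICATE" in labels}
    fmt = "der" if looks_like_der(data) else "unknown"
    return {"format": fmt, "labels": [], "leading_text": False,
            "pem_certificate": False}

def to_clean_pem(data: bytes) -> bytes:
    """Return only the CERTIFICATE blocks as PEM; refuse anything else."""
    info = inspect_cert_file(data)
    if info["format"] == "der":
        return ssl.DER_cert_to_PEM_cert(data).encode()
    if info["pem_certificate"]:
        blocks = [m.group(0) for m in PEM_BLOCK.finditer(data)
                  if m.group(1) == b"CERTIFICATE"]
        return b"\n".join(blocks) + b"\n"
    raise ValueError(f"no certificate found: {info}")

# Constructed samples: a placeholder DER-shaped blob, not a real certificate.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(256)
FAKE_PEM = ssl.DER_cert_to_PEM_cert(FAKE_DER).encode()
WITH_TEXT = b"Certificate:\n    Data:\n" + FAKE_PEM   # shape of `-text` output
KEY_ONLY = b"-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    for sample in (FAKE_DER, FAKE_PEM, WITH_TEXT, KEY_ONLY):
        print(inspect_cert_file(sample))
```

To check a real file, pass `open(path, "rb").read()` to `inspect_cert_file` before copying it into place; the structural check does not validate the certificate itself or that it matches the private key.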