Sometimes I see some postfix warnings in my mail.log file:
I searched the internet for what to do, but the only thing I found is to edit the main.cf file (postfix). When I edit the main.cf file and restart postfix, everything changes back to the default settings (I think the settings from Zimbra)...
warning: cannot get RSA private key from file /opt/zimbra/conf/smtpd.key: disabling TLS support
Mar 11 06:40:31 mail postfix/smtpd: warning: TLS library problem: 20084:error:0906406D:PEM routines:PEM_def_callback:problems getting password:pem_lib.c:111:
Mar 11 06:40:31 mail postfix/smtpd: warning: TLS library problem: 20084:error:0906A068:PEM routines:PEM_do_header:bad password read:pem_lib.c:454:
Mar 11 06:40:31 mail postfix/smtpd: warning: TLS library problem: 20084:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:
File permissions ok in that file?
$ ls -la /opt/zimbra/conf/smtpd.key
-rw-r----- 1 zimbra zimbra 887 Mar 10 17:08 /opt/zimbra/conf/smtpd.key
-rwxrwxrwx 1 zimbra zimbra 1751 2012-02-28 13:17 /opt/zimbra/conf/smtpd.key
is that also ok?
The file should have fewer permissions and most definitely shouldn't be world readable/writable, chmod 640 to correct those.
You can also run
cat smtpd.key | grep RSA
to check that the file contains -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----, which would indicate that there actually is an RSA key in there.
OK, did that, but still the same problem...
Zimbra rewrites the main.cf on every restart. If you have a change you want to be kept after a restart, you need to edit the file main.cf.in - that is the file used to generate the main.cf file.
Originally Posted by Sam159
Note though that changes do not persist through zimbra upgrades. There may be some way to make changes that will persist through upgrades too - but I am unaware of it at this time.
I don't have main.cf.in
files in /opt/zimbra/postfix/conf:
access generic main.cf.bak master.cf.in virtual
aliases header_checks main.cf.default relocated
bounce.cf.default LICENSE makedefs.out TLS_LICENSE
canonical main.cf master.cf transport
I see in main.cf.default some strange things:
smtpd_tls_ciphers = export
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
smtpd_tls_eckey_file = $smtpd_tls_eccert_file
smtpd_tls_eecdh_grade = none
smtpd_tls_fingerprint_digest = md5
smtpd_tls_key_file = $smtpd_tls_cert_file
Is it normal that smtpd_tls_cert_file is empty...
Does postfix or zimbra use main.cf.default or just main.cf?
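The manual checks suggested in this thread (file mode, PEM header), gathered into one shell function as an added example that is not part of any post above. It also flags a passphrase-protected key, which is the condition OpenSSL reports with the "problems getting password" and "bad password read" errors in the log; the function name check_key and the demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example: the thread's manual checks on a Postfix key file, in one function.
# check_key FILE prints one finding per line; returns 0 only if every check passes.
check_key() {
    key=$1
    rc=0
    [ -r "$key" ] || { echo "FAIL cannot read $key"; return 2; }

    # Mode: owner rw at most, group read at most, nothing for others (640 or stricter).
    perms=$(ls -ld "$key" | cut -c1-10)
    case $perms in
        -r[w-]-[r-]-----) echo "OK   mode $perms" ;;
        *) echo "FAIL mode $perms: tighten with chmod 640"; rc=1 ;;
    esac

    # PEM type: first BEGIN line that names a private key.
    header=$(grep -e '^-----BEGIN .*PRIVATE KEY-----' "$key" | head -n 1)
    if [ -z "$header" ]; then
        echo "FAIL no PEM private key block found"; rc=1
    elif [ "$header" = "-----BEGIN ENCRYPTED PRIVATE KEY-----" ] ||
         grep -q '^Proc-Type: 4,ENCRYPTED' "$key"; then
        # A daemon has no terminal to prompt on, so an encrypted key cannot be loaded.
        echo "FAIL key is passphrase-protected: $header"; rc=1
    else
        echo "OK   unencrypted key: $header"
    fi
    return $rc
}

# Demo on constructed files (placeholder bodies, not real key material).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'CONSTRUCTED' \
    '-----END RSA PRIVATE KEY-----' > "$demo_dir/encrypted.key"
chmod 640 "$demo_dir/encrypted.key"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED' \
    '-----END RSA PRIVATE KEY-----' > "$demo_dir/open.key"
chmod 777 "$demo_dir/open.key"
for f in "$demo_dir"/*.key; do
    echo "== $f"
    check_key "$f" || echo "-> needs attention (rc=$?)"
done
```

On the server, call it as check_key /opt/zimbra/conf/smtpd.key from an account that is allowed to read the file.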