Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Register

Quick Links


Categories

In this Discussion

Comodo SSL + Postfix
New on LowEndTalk? Please Register and read our Community Rules.

Comodo SSL + Postfix

pbalazs123pbalazs123 Member
in Help

Hi folks,

Is there someone who knows perfectly how to configure Postfix to properly use SSL cert from this provider? I gave up after 3 hours of try.

The error was the following:

Feb 23 00:27:44 vps postfix/submission/smtpd[1054]: warning: cannot get RSA private key from file /etc/ssl/private/fh.key: disabling TLS support
Feb 23 00:27:44 vps postfix/submission/smtpd[1054]: warning: TLS library problem: 1054:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:330:
Feb 23 00:27:46 vps postfix/submission/smtpd[1054]: connect from sender1.zohomail.com[72.5.230.103]
Feb 23 00:27:46 vps postfix/submission/smtpd[1054]: lost connection after STARTTLS from sender1.zohomail.com[72.5.230.103]

It's says key values mismatch. Then i've tried to compare like this:

root@smtp:/etc/postfix# openssl x509 -noout -modulus -in fh.crt | openssl md5 ; openssl rsa -noout -modulus -in fh.key | openssl md5

(stdin)= d42311fa4d77e88e3d43e39de8630ac0
(stdin)= d42311fa4d77e88e3d43e39de8630ac0

No idea!

Thanks!

Comments

  • howardsl2howardsl2 Member

    Please refer to:
    https://security.stackexchange.com/questions/72985/tls-library-problem-when-connecting-to-dovecot
    https://github.com/al3x/sovereign/issues/31#issuecomment-24770580

  • FalzoFalzo Member

    logfile said:

    warning: cannot get RSA private key from file /etc/ssl/private/fh.key

    you tested:

    /etc/postfix# openssl x509 -noout -modulus -in fh.crt | openssl md5 ; openssl rsa -noout -modulus -in fh.key | openssl md5

    wrong path?

  • pbalazs123pbalazs123 Member

    @Falzo

    The path is good but i've tested later in another directory without success, so don't be confused about that. :)

  • pbalazs123pbalazs123 Member

    Thanks! I'm gonna try to solve with the info you've found on the second page. I've seen the first link yesterday night, tried to make a bundle with different orders but it didn't worked out. I'll get back to you later.

    @hwdsl2 said:
    Please refer to:
    https://security.stackexchange.com/questions/72985/tls-library-problem-when-connecting-to-dovecot
    https://github.com/al3x/sovereign/issues/31#issuecomment-24770580

  • FalzoFalzo Member

    so where is your key-file located then, and what about the permissions of file and folder to it? - maybe postfix simply can't read the file because it got no permission to do so...

  • pbalazs123pbalazs123 Member

    I've moved it temporarily to /etc/postfix/ , also changed the path in main.cf and permissions are correctly set. Same like the self-generated one before. The self-generated is working but the Comodo cert is not. That's the difference.

    @Falzo said:
    so where is your key-file located then, and what about the permissions of file and folder to it? - maybe postfix simply can't read the file because it got no permission to do so...

  • pbalazs123pbalazs123 Member

    @hwdsl2 @Falzo

    Ok i've got this in mail. Plus i have the private key saved.

        Root CA Certificate - AddTrustExternalCARoot.crt
    Intermediate CA Certificate - COMODORSAAddTrustCA.crt
    Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
    Your Free SSL Certificate - xxxxxxxxxxxxxx.crt

    Which one should be in which line in the main.cf?

  • msg7086msg7086 Member
    edited February 2015

    @pbalazs123 said:

        1. Root CA Certificate - AddTrustExternalCARoot.crt
    2. Intermediate CA Certificate - COMODORSAAddTrustCA.crt
    3. Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
    4. Your Free SSL Certificate - xxxxxxxxxxxxxx.crt

    Which one should be in which line in the main.cf?

    Typically we use 4+3+2, concatenated into one file.

  • pbalazs123pbalazs123 Member

    Ok, finally i've managed to install cert. It works like a charm in Gmail and Thunderbird. But now i have another problem.

    There's a feature called Send As in Zohomail. If i add my server as a custom smtp (port 587/TLS) i've got the following error in my log files:

    Feb 24 12:58:40 smtp postfix/submission/smtpd[20403]: connect from sender1.zohomail.com[72.5.230.103]
Feb 24 12:58:41 smtp postfix/submission/smtpd[20403]: SSL_accept error from sender1.zohomail.com[72.5.230.103]: 0
Feb 24 12:58:41 smtp postfix/submission/smtpd[20403]: warning: TLS library problem: 20403:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1260:SSL alert number 46:
Feb 24 12:58:41 smtp postfix/submission/smtpd[20403]: lost connection after STARTTLS from sender1.zohomail.com[72.5.230.103]
Feb 24 12:58:41 smtp postfix/submission/smtpd[20403]: disconnect from sender1.zohomail.com[72.5.230.103]

    Error msg in Zohomail:

    Your certificate is invalid lol :D

    Using the same method in Gmail works, using in Thunderbird it works.

    What's the deal now?

Sign In or Register to comment.