On Aug 23, 2013, at 09:20, David Benfell <dbenf...@gmail.com> wrote:

> Unfortunately, I'm finding this singularly unhelpful:
> 
> - -------- Original Message --------
> Subject: Postfix SMTP server: errors from unknown[209.85.212.69]

Check your DNS configuration; that IP address has matching forward and reverse 
records, and should therefore not yield 'unknown'.

> Transcript of session follows.
> 
> Out: 220 mail.parts-unknown.org ESMTP Postfix
> In:  EHLO mail-vb0-f69.google.com
> Out: 250-mail.parts-unknown.org
> Out: 250-PIPELINING
> Out: 250-SIZE 20971520
> Out: 250-VRFY
> Out: 250-ETRN
> Out: 250-STARTTLS
> Out: 250-ENHANCEDSTATUSCODES
> Out: 250-8BITMIME
> Out: 250 DSN
> In:  STARTTLS
> Out: 454 4.7.0 TLS not available due to local problem
> In:  QUIT
> Out: 221 2.0.0 Bye

[snip]

> Here's my postconf -n:

[snip]

> smtp_tls_key_file = /big/www/ssl/munich/munich.parts-unknown.org.key
> smtp_tls_note_starttls_offer = yes
> smtp_use_tls = yes

Are you sure you need to specify 'smtp_tls_key_file' here? See:
http://www.postfix.org/postconf.5.html#smtp_tls_cert_file

> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file =
> /big/www/ssl/munich/munich.parts-unknown.org.concatenated.crt
> smtpd_tls_loglevel = 3
> smtpd_tls_security_level = may

Does the 'smtpd_tls_cert_file' contain the key? Also, inside the 'www' 
directory? Why not store it in '/etc/ssl' or '/etc/postfix'?

Also, turn down 'smtpd_tls_loglevel' to '1' until you are sure it's 
actually a TLS problem instead of a configuration issue. 

> What has changed are the SSL keys. But if something is wrong here, I
> don't know how to tell what. This is a StartSSL.com certificate so
> there's an intermediate key as well as the certificate itself and the
> certificate authority key. The chain should be complete. I've just
> checked my work; I think I did this right.
> 
> So how do I tell what's going wrong?

Have you tested your server with 'openssl s_client'? This is what I am 
getting:

$ openssl s_client -connect mail.parts-unknown.org:25 -starttls smtp
CONNECTED(00000003)
4851:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown 
protocol:/SourceCache/OpenSSL098/OpenSSL098-47.1/src/ssl/s23_clnt.c:607:

Disable debug logging, and lower your TLS log level. Restart Postfix, 
and check your logs for any warnings or errors.

Check your configuration, related files, permissions, and so on. Revert 
to the old certificate, see if that resolves the problem and enables 
you to make a successful connection with the openssl client. Generate a 
self-signed one, see if that resolves the problem, and so on.

Mvg,
Joni
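Added example (not code from this thread or from the Postfix project): a few POSIX sh checks for the questions raised in the reply above, namely whether the key matches the certificate, whether the certificate file also carries the key, how many certificates the concatenated file holds, whether the key is world-readable, and the same 'openssl s_client -starttls smtp' probe. It assumes the openssl command-line tool is installed; the file paths and host name in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: sanity checks for a Postfix smtpd TLS certificate/key pair.
# Requires the openssl command-line tool. File paths and host names below
# are placeholders to be replaced with your own.

# How many PEM certificates a (possibly concatenated) file contains.
# A leaf plus one intermediate, as with the StartSSL chain above, gives 2.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# 0 if the file also carries a PEM private key (then the *_tls_key_file
# parameter can stay at its default, which is the cert file itself).
file_has_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# 0 if the private key in $2 belongs to the first certificate in $1.
# Compares the derived public keys, so it works for RSA and EC keys alike.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if the key file is not readable by "other". Postfix reads the key as
# root, so a world-readable key is a leak, not a requirement.
key_not_world_readable() {
    [ -z "$(find "$1" -perm -004 2>/dev/null)" ]
}

# Probe the live server the way the reply above does, keeping only the
# lines that matter: the handshake error (if any) and the verify result.
probe_starttls() {
    printf 'QUIT\r\n' | openssl s_client -connect "$1:25" -starttls smtp 2>&1 |
        grep -E 'error:|Verify return code'
}

# Example run (placeholder paths, per the suggestion to keep them under /etc):
# cert=/etc/postfix/munich.parts-unknown.org.concatenated.crt
# key=/etc/postfix/munich.parts-unknown.org.key
# echo "certificates in chain file: $(cert_count "$cert")"
# cert_key_match "$cert" "$key" && echo "key matches cert" || echo "KEY MISMATCH"
# key_not_world_readable "$key" || echo "key is world-readable"
# probe_starttls mail.parts-unknown.org
```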
