Hello all,
I'm setting up a new mail server to replace our 9-year-old one, and
everything works - sending using submission+STARTTLS, receiving, mailman
lists, etc. - with one exception...
I use PostfixAdmin, and its vacation.pl script for managing vacation
messages, and it is the sending of the vacation message that fails with
the subject error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca
I basically copied everything over from the old/working server, tweaking
only for the new hostname, and I've triple checked that the /etc/ssl CA
dir and certs dirs are there with correct perms, etc.
I also tried temporarily changing the localhost alias and $myhostname
to match the old server, with the same result/error.
The main difference between the two is that the new one (with the error) is
using the dovecot LDA, while the old one (working vacation) is using
postfix/virtual.
So... since submission (using STARTTLS) is working, why is vacation
failing with this ssl 'unknown ca' error? From the failed-session log below, the
'unknown ca' alert (alert number 48) is received by the port-25 smtpd after STARTTLS,
so it looks like the connecting client on 127.0.0.1 is the side that doesn't trust the
server certificate.
Appreciate any helpful suggestions on where to look next...
Log of failed session on newhost:
2013-12-28T11:04:58-05:00 newhost postfix/587/smtpd[10598]: connect
from myclient.example.com[192.168.1.110]
2013-12-28T11:04:58-05:00 newhost postfix/587/smtpd[10598]:
5A76A80170248: client=myclient.example.com[192.168.1.110],
sasl_method=PLAIN, sasl_username=validu...@example.com
2013-12-28T11:04:58-05:00 newhost postfix/cleanup[10613]:
5A76A80170248: message-id=<52bef6a0.1050...@example.com>
2013-12-28T11:04:58-05:00 newhost postfix/qmgr[10594]: 5A76A80170248:
from=<validsen...@example.com>, size=623, nrcpt=2 (queue active)
2013-12-28T11:04:58-05:00 newhost dovecot:
lda(validrecipi...@example.com): msgid=<52bef6a0.1050...@example.com>:
saved mail to INBOX
2013-12-28T11:04:58-05:00 newhost postfix/pipe[10614]: 5A76A80170248:
to=<validu...@example.com>, relay=dovecot, delay=0.05,
delays=0.02/0.01/0/0.02, dsn=2.0.0, status=sent (delivered via dovecot
service)
2013-12-28T11:04:58-05:00 newhost postfix/587/smtpd[10598]: disconnect
from myclient.example.com[192.168.1.110]
2013-12-28T11:04:58-05:00 newhost postfix-25/smtpd[10620]: connect
from newhost.example.com[127.0.0.1]
2013-12-28T11:04:58-05:00 newhost postfix-25/smtpd[10620]: SSL_accept
error from newhost.example.com[127.0.0.1]: 0
2013-12-28T11:04:58-05:00 newhost postfix-25/smtpd[10620]: warning:
TLS library problem: 10620:error:14094418:SSL
routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1256:SSL
alert number 48:
2013-12-28T11:04:58-05:00 newhost postfix-25/smtpd[10620]: lost
connection after STARTTLS from newhost.example.com[127.0.0.1]
2013-12-28T11:04:58-05:00 newhost postfix-25/smtpd[10620]: disconnect
from newhost.example.com[127.0.0.1]
newhost postconf -nf:
newhost : Sat Dec 28, 10:55:27 : ~
# postconf -nf
alias_maps = hash:/etc/mail/aliases, hash:/var/lib/mailman/data/aliases
anvil_rate_time_unit = 360s
anvil_status_update_time = 3600s
bounce_queue_lifetime = 18h
bounce_size_limit = 1
broken_sasl_auth_clients = yes
cidr = cidr:${maps_dir}/cidr
config_directory = /etc/postfix
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
delay_warning_time = 15m
dovecot_destination_recipient_limit = 1
hash = hash:${maps_dir}/hash
home_mailbox = .maildir/
inet_protocols = ipv4
maps_dir = /etc/postfix/maps
maximal_queue_lifetime = 1d
message_size_limit = 30720000
mydomain = example.com
myhostname = smtp2.example.com
mynetworks = 127.0.0.0/8
mysql = proxy:mysql:${maps_dir}/mysql
parent_domain_matches_subdomains =
recipient_delimiter = +
reject_ndn = check_sender_access ${hash}/reject_ndn
relayhost = [relay.example2.com]
sender_bcc_maps = ${hash}/sender_bcc
smtp_fallback_relay =
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = check_recipient_access
${hash}/moved-employees,
check_recipient_access ${hash}/x-employees, permit_sasl_authenticated,
permit_mynetworks, check_sender_access ${hash}/nospoof,
check_recipient_access ${hash}/blocked_recipients, check_sender_access
${hash}/blocked_senders, check_client_access
${cidr}/allowed_clients.cidr,
reject_unauth_destination, check_recipient_access
${hash}/backscatter_victim
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks,
check_client_access ${cidr}/allowed_clients.cidr, reject
smtpd_restriction_classes = reject_ndn
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/myCerts/smtp_crt.pem
smtpd_tls_key_file = /etc/ssl/myCerts/smtp_key.pem
smtpd_tls_security_level = may
submission_client_restrictions = check_client_access
${hash}/submission_clients_banned, permit_sasl_authenticated, reject
transport_maps = ${hash}/transport
vacation_destination_recipient_limit = 1
virtual_alias_maps = ${mysql}/vam.cf,
hash:/var/lib/mailman/data/virtual-mailman
virtual_gid_maps = static:207
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = ${mysql}/vmd.cf
virtual_mailbox_maps = ${mysql}/vmm.cf
virtual_minimum_uid = 207
virtual_transport = dovecot
virtual_uid_maps = static:207
newhost : Sat Dec 28, 10:55:37 : ~
#
Log of successful session on oldhost:
2013-12-28T11:47:41-05:00 oldhost postfix-587/smtpd[15133]: connect
from myclient.example.com[192.168.1.110]
2013-12-28T11:47:41-05:00 oldhost postfix-587/smtpd[15133]:
42C2EC77127: client=myclient.example.com[192.168.1.110],
sasl_method=PLAIN, sasl_username=validu...@example.com
2013-12-28T11:47:41-05:00 oldhost postfix/cleanup[15136]: 42C2EC77127:
message-id=<52bf00a3.5000...@example.com>
2013-12-28T11:47:41-05:00 oldhost postfix/qmgr[10550]: 42C2EC77127:
from=<validsen...@example.com>, size=1525, nrcpt=2 (queue active)
2013-12-28T11:47:41-05:00 oldhost postfix-587/smtpd[15133]: disconnect
from myclient.example.com[192.168.1.110]
2013-12-28T11:47:41-05:00 oldhost postfix/virtual[15138]: 42C2EC77127:
to=<validrecipi...@example.com>, relay=virtual, delay=0.1,
delays=0.05/0/0/0.04, dsn=2.0.0, status=sent (delivered to maildir)
2013-12-28T11:47:41-05:00 oldhost postfix-25/smtpd[15014]: connect
from oldhost.example.com[127.0.0.1]
2013-12-28T11:47:41-05:00 oldhost postfix-25/smtpd[15014]:
C841FC7712A: client=oldhost.example.com[127.0.0.1]
2013-12-28T11:47:41-05:00 oldhost postfix/cleanup[15136]: C841FC7712A:
message-id=<20131228_164741_041538.validrecipi...@example.com>
2013-12-28T11:47:41-05:00 oldhost postfix/qmgr[10550]: C841FC7712A:
from=<validrecipient@example>, size=531, nrcpt=1 (queue active)
2013-12-28T11:47:41-05:00 oldhost postfix-25/smtpd[15014]: disconnect
from oldhost.example.com[127.0.0.1]
2013-12-28T11:47:41-05:00 oldhost postfix/pipe[15137]: 42C2EC77127:
to=<validrecipient#example....@autoreply.example.com>,
orig_to=<validrecipi...@example.com>, relay=vacation, delay=0.68,
delays=0.05/0/0/0.63, dsn=2.0.0, status=sent (delivered via vacation
service)
2013-12-28T11:47:41-05:00 oldhost postfix/qmgr[10550]: 42C2EC77127:
removed
2013-12-28T11:47:42-05:00 oldhost postfix/virtual[15138]: C841FC7712A:
to=<validsen...@example.com>, relay=virtual, delay=0.24,
delays=0.12/0/0/0.12, dsn=2.0.0, status=sent (delivered to maildir)
2013-12-28T11:47:42-05:00 oldhost postfix/qmgr[10550]: C841FC7712A:
removed
and finally old/working host postconf -nf:
oldhost : Sat Dec 28, 10:03:35 : ~
# postconf -nf
alias_maps = hash:/etc/mail/aliases, hash:/var/lib/mailman/data/aliases
anvil_rate_time_unit = 360s
anvil_status_update_time = 3600s
bounce_queue_lifetime = 18h
bounce_size_limit = 1
bounce_template_file = /etc/postfix/bounce.cf
broken_sasl_auth_clients = yes
cidr = cidr:${maps_dir}/cidr
config_directory = /etc/postfix
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
delay_warning_time = 15m
dovecot_destination_recipient_limit = 1
hash = hash:${maps_dir}/hash
home_mailbox = .maildir/
inet_protocols = ipv4
maps_dir = /etc/postfix/maps
maximal_queue_lifetime = 1d
message_size_limit = 30720000
mydomain = example.com
myhostname = smtp.example.com
mynetworks = 127.0.0.0/8
mysql = proxy:mysql:${maps_dir}/mysql
parent_domain_matches_subdomains =
recipient_delimiter = +
reject_ndn = check_sender_access ${hash}/reject_ndn
relay_domains =
relayhost = [relay.example2.com]
sender_bcc_maps = ${hash}/sender_bcc
smtp_fallback_relay =
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = check_recipient_access
${hash}/moved-employees,
check_recipient_access ${hash}/x-employees, permit_sasl_authenticated,
permit_mynetworks, check_sender_access ${hash}/nospoof,
check_recipient_access ${hash}/blocked_recipients, check_sender_access
${hash}/blocked_senders, check_client_access
${cidr}/allowed_clients.cidr,
reject_unauth_destination, check_recipient_access
${hash}/backscatter_victim
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks,
check_client_access ${cidr}/allowed_clients.cidr,
reject_unauth_destination
smtpd_restriction_classes = reject_ndn
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/myCerts/smtp_crt.pem
smtpd_tls_key_file = /etc/ssl/myCerts/smtp_key.pem
smtpd_tls_security_level = may
submission_client_restrictions = check_client_access
${hash}/submission_clients_banned, permit_sasl_authenticated, reject
transport_maps = ${hash}/transport
vacation_destination_recipient_limit = 1
virtual_alias_maps = ${mysql}/vam.cf,
hash:/var/lib/mailman/data/virtual-mailman
virtual_gid_maps = static:207
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = ${mysql}/vmd.cf
virtual_mailbox_maps = ${mysql}/vmm.cf
virtual_minimum_uid = 207
virtual_uid_maps = static:207
oldhost : Sat Dec 28, 11:28:34 : ~