It was my fault. The problem was the missing access rights to pem file. I forgot to make the folder /etc/ssl/private/ accessible by vpopmail user.
Then I added also all intermediate certs to this pem file, set up another tcpserver service for port 465 and voila. Smtp works over SSL without any client complains now. The solution with c_rehash described in one of the links you gave was definitely not needed. My only concern now is that the pem file with private key is now accessible by the non-privileged user vpopmail. Alex From: [email protected] [mailto:[email protected]] On Behalf Of Sam Clippinger Sent: Samstag, 20. August 2011 00:29 To: spamdyke users Subject: Re: [spamdyke-users] Unable to load SSL/TLS certificate Hmmm. That error message is more helpful -- Google returns results that make it look like OpenSSL does need all the certificates in the CA chain. I found these two links that seem to be outlining solutions to your problem, although neither of them deal with spamdyke specifically: http://www.cyberciti.biz/faq/test-ssl-certificates-diagnosis-ssl-certificate / http://totalrecall.wordpress.com/2008/09/01/alpine-tls-unable-to-get-local-i ssuer-certificate/ You might try saving your CA certificate in PEM format and appending it to the end of your own certificate file -- that way OpenSSL would have everything it needs in one file. -- Sam Clippinger On Aug 19, 2011, at 1:35 PM, Alex S. wrote: The filename is correct and I even tried to give the same permissions as on /var/qmail/control/servercert.pem. Yes, the PEM file contains both the certificate and unprotected private key. As I mentioned no problems with Courierssl. If I verify the PEM file with openssl I get this: # openssl verify /etc/ssl/private/www_mydomain_de.pem /etc/ssl/private/www_ mydomain _de.pem: /OU=Domain Control Validated/OU=PositiveSSL/CN=www. mydomain.de error 20 at 0 depth lookup:unable to get local issuer certificate Any ideas what's happening? Can it be that Spamdyke looks for certificate with common name equal one specified in /var/qmail/control/me (or other setting) and fails because it doesn't match? Alex From: [email protected] [mailto:[email protected]] On Behalf Of Sam Clippinger Sent: Freitag, 19. August 2011 18:11 To: spamdyke users Subject: Re: [spamdyke-users] Unable to load SSL/TLS certificate I don't think this is a problem with intermediate CAs, because spamdyke doesn't have to "trust" your certificate as long as it can match the public and private keys. This is why self-signed certificates work fine with spamdyke. The errors you're seeing are originating with OpenSSL and being reported by spamdyke. I can think of a number of things that might trigger this kind of error: Your certificate file is not present or misnamed (double-check for typos). Your certificate file is not accessible (permission problem). Your certificate file is corrupted or truncated. Your certificate file is not in PEM format. Your certificate file is only contains your public key; your private key is stored in another file. Your private key is password protected and spamdyke doesn't have the password. Can you use the "openssl" command line tool to inspect your certificate file? If "openssl" can read it, spamdyke should be able to. -- Sam Clippinger On Aug 15, 2011, at 2:39 PM, Alex S. wrote: Hello, I'm trying to setup a proper SSL certificate for TLS/SSL encryption with Spamduke 4.2.0. So I set it up in /etc/spamdyke.conf: tls-certificate-file=/etc/ssl/private/www_mydomain_de.pem The pem file contains both private key and certificate and already successfully used in CourierSSL. Spamdyke complains in the qmail logfile: 2011-08-15 21:15:09.314426500 spamdyke[10646]: ERROR: unable to load SSL/TLS certificate from file: /etc/ssl/private/www_mydomain_de.pem : The operation failed due to an I/O error, Unexpected EOF found, error:0200100D:lib(2):func(1):reason(13), error:20074002:lib(32):func(116):reason(2), error:140DC002:lib(20):func(220):reason(2) 2011-08-15 21:15:09.314426500 spamdyke[10646]: ERROR: incorrect SSL/TLS private key password or SSL/TLS certificate/privatekey mismatch/etc/ssl/private/www_ mydomain _de.pem : A protocol or library failure occurred, error:140A80B1:lib(20):func(168):reason(177) 2011-08-15 21:15:09.314426500 spamdyke[10646]: ERROR: unable to initialize SSL/TLS library What does it mean? Why can't the certificate be used by Spamdyke. The server is running Debian with openssl 0.9.8o-4squeeze1 installed. The default qmail certificate /var/qmail/control/servercert.pem can be used by Spamdyke without any errors. I already gave my pem file the reading permissions for vpopmail user which is running tcpserver that starts spamdyke. Can the problem be caused by the fact that my SSL certificate needs intermediate certificates to be assumed as trustful by clients. How can I tell the Spamdyke to use an intermediary ca-bundle file? (In CourierSSL it is done with TLS_TRUSTCERTS=/etc/ssl/private/www_mydomain_de.ca-bundle directive). Thanks Alex _______________________________________________ spamdyke-users mailing list [email protected] http://www.spamdyke.org/mailman/listinfo/spamdyke-users _______________________________________________ spamdyke-users mailing list [email protected] http://www.spamdyke.org/mailman/listinfo/spamdyke-users
_______________________________________________ spamdyke-users mailing list [email protected] http://www.spamdyke.org/mailman/listinfo/spamdyke-users
