# postfix sasl/starttls errors?

## BTR

Hi,

I've installed and configured postfix, courier, etc. as per http://www.gentoo.org/doc/en/virt-mail-howto.xml but postfix isn't playing nice with tls:

```
$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 unfogged.com ESMTP Postfix
ehlo domain
250-unfogged.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
starttls
454 4.7.0 TLS not available due to local problem
quit
```

In the log:

```
Apr 18 13:17:35 unfogged postfix/smtpd[5106]: auxpropfunc error no mechanism available
Apr 18 13:17:35 unfogged postfix/smtpd[5106]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Apr 18 13:17:35 unfogged postfix/smtpd[5106]: initializing the server-side TLS engine
Apr 18 13:17:35 unfogged postfix/smtpd[5106]: warning: cannot get RSA private key from file /etc/postfix/newcert.pem: disabling TLS support
Apr 18 13:17:35 unfogged postfix/smtpd[5106]: warning: TLS library problem: 5106:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: ANY PRIVATE KEY:
Apr 18 13:17:35 unfogged postfix/smtpd[5106]: warning: TLS library problem: 5106:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:
```

Any ideas? What else should I post to help with diagnosis?

----------

## cach0rr0

```
Apr 18 13:17:35 unfogged postfix/smtpd[5106]: warning: cannot get RSA private key from file /etc/postfix/newcert.pem: disabling TLS support
```

'newcert.pem' is most likely your certificate, not your private key

smtpd_tls_key_file in main.cf is supposed to point at your private key, not your cert. 

smtpd_tls_cert_file in main.cf is supposed to point at your cert

your certificate, if you cat it, should begin with:

```
-----BEGIN CERTIFICATE-----
```

whereas your private key:

```
-----BEGIN RSA PRIVATE KEY-----
```

This is why postfix is complaining; you've told it a file to look in for the private key, but the file is not a private key, it is a cert

----------
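The check described in the reply above, as a shell script added here (not part of the original thread): it reads the two `smtpd_tls_*_file` settings from a main.cf and confirms each file holds the matching PEM block. The function names are hypothetical, and it relies on Postfix's documented default of `smtpd_tls_key_file = $smtpd_tls_cert_file`, which is how a misspelled key parameter ends up with the key being read from the certificate file.

```shell
#!/bin/sh
# Added example (not from the thread). Simplified main.cf parsing: no
# continuation lines, no $variable expansion.

# Print the value of parameter $2 in main.cf $1 (last assignment wins);
# prints nothing when the name is absent, e.g. because it is misspelled.
cf_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Succeed if file $1 contains a PEM block of kind $2 (cert | key).
pem_has() {
    case $2 in
        cert) grep -q -e '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null ;;
        key)  grep -Eq -e '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1" 2>/dev/null ;;
    esac
}

# Report problems for main.cf $1; the return status is the problem count.
check_tls_files() {
    problems=0
    cert=$(cf_get "$1" smtpd_tls_cert_file)
    key=$(cf_get "$1" smtpd_tls_key_file)
    if [ -z "$key" ]; then
        # Postfix defaults smtpd_tls_key_file to $smtpd_tls_cert_file.
        echo "smtpd_tls_key_file not set; key is read from: $cert"
        key=$cert
    fi
    if [ -z "$cert" ]; then
        echo "smtpd_tls_cert_file not set"; problems=$((problems + 1))
    elif ! pem_has "$cert" cert; then
        echo "$cert: no CERTIFICATE block"; problems=$((problems + 1))
    fi
    if [ -n "$key" ] && ! pem_has "$key" key; then
        echo "$key: no PRIVATE KEY block"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Demo on constructed files: the key parameter name is misspelled.
d=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' > "$d/newcert.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' > "$d/newkey.pem"
printf '%s\n' "smtpd_tls_cert_file = $d/newcert.pem" \
              "smtpd_tls_key_fiel = $d/newkey.pem" > "$d/main.cf"
check_tls_files "$d/main.cf" || echo "problems: $?"
rm -rf "$d"
```

On a live system, `postconf -n` shows the non-default settings Postfix actually parsed, which is the quickest way to spot a parameter that is missing because its name was mistyped.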

## BTR

Actually it's even stupider than that: I misspelled one of the lines in the config file :(.

----------

