# First Postfix Install: Certificate Troubles

## CoderMan

Hi. I'm trying to set up my first e-mail server, using postfix. I have been trying to follow the Gentoo documentation I found for postfix, but things are not going as smoothly as in the tutorial.

The document I found is here:

http://www.gentoo.org/doc/en/virt-mail-howto.xml

First of all, I followed the "Postfix Basics" section fairly closely, except I hard-coded in the domain name instead of using the variable.

Where I started having trouble was in section 5, "SSL Certs for Postfix and Apache". When running the commands to create the Postfix certificates, everything seemed to be going fine; but at the end of the "./CA.pl -sign" program, instead of creating the final, signed server certificate, the program died with "could not update database".

Since I could not figure out how to get the CA.pl program to work correctly, I instead created my own certificates using the instructions that I found here:

http://www.tc.umn.edu/~brams006/selfsign.html

I copied them in, and adjusted postfix's main.cf to use them instead.

However, when I run the telnet test, I get

```
EHLO <my domain here>
250-<my hostname>.localdomain
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
```

(I replaced my actual domain/host names in the above text for security reasons.) As you can see, the text

```
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
```

is missing, which is what the tutorial says I am looking for specifically.

So, anyway, I don't want to finish the rest of the tutorial instructions until I have some idea here of what is going wrong. Could anyone provide me with any helpful insight into this whole situation?


----------

## cach0rr0

the missing auth lines == correct behaviour

they should only appear if you connect via ssl

try this:

```
openssl s_client -connect x.x.x.x:25 -starttls smtp
```

replacing x.x.x.x with your IP obviously

see if the auth banners appear

those auth mechanisms are cleartext, and as such should not be sent over an unencrypted connection

simply connecting via telnet isn't giving you an encrypted connection

telnet:

```
telnet renee.whitehathouston.com 25
Trying 75.148.243.92...
Connected to renee.whitehathouston.com.
Escape character is '^]'.
220 renee.whitehathouston.com ESMTP Postfix (2.6.5)
ehlo mate
250-renee.whitehathouston.com
250-PIPELINING
250-SIZE 100000000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
```

openssl s_client

```
# openssl s_client -connect renee.whitehathouston.com:25 -starttls smtp
CONNECTED(00000003)
<snip>
SSL handshake has read 5278 bytes and written 378 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
<snip>
---
250 DSN
ehlo mate
250-renee.whitehathouston.com
250-PIPELINING
250-SIZE 100000000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
```

The other possibility is auth isn't enabled in your main.cf 

Two secs and I'll post again with the relevant snippets from my main.cf

----------

## cach0rr0

relevant sections from my main.cf

```
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_CAfile = /etc/ssl/postfix/root.crt
smtpd_tls_ask_ccert = no
smtpd_tls_loglevel = 1
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination
smtpd_use_tls = yes
smtpd_enforce_tls = no
smtpd_tls_auth_only = yes
tls_random_source = dev:/dev/urandom
smtp_tls_note_starttls_offer = yes
```

if you want to allow cleartext logins over unencrypted connections, we can do that, but I don't recommend it.

Whether or not you allow such logins is dictated by smtpd_tls_auth_only

*http://www.postfix.org/TLS_README.html wrote:*

> Supporting AUTH over TLS only
>
> Sending AUTH data over an unencrypted channel poses a security risk. When TLS layer encryption is required ("smtpd_tls_security_level = encrypt" or the obsolete "smtpd_enforce_tls = yes"), the Postfix SMTP server will announce and accept AUTH only after the TLS layer has been activated with STARTTLS. When TLS layer encryption is optional ("smtpd_tls_security_level = may" or the obsolete "smtpd_enforce_tls = no"), it may however still be useful to only offer AUTH when TLS is active. To maintain compatibility with non-TLS clients, the default is to accept AUTH without encryption. In order to change this behavior, set "smtpd_tls_auth_only = yes".
> ...

The default for this is no, but if you have set this to yes then the auth banner will not be shown unless you've first negotiated ssl/tls
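To make cach0rr0's two-step check (EHLO in the clear, then again after STARTTLS) repeatable, here is an added Python example that is not from the thread or from Postfix: the EHLO replies and `mail.example.test` are constructed, and `probe()` assumes a reachable server plus, for a self-signed certificate, the path to your own CA file.

```python
"""Verify that an SMTP server offers AUTH only after STARTTLS (added example)."""
import smtplib
import ssl

# Constructed EHLO replies, modelled on the transcripts earlier in this thread.
EHLO_PLAIN = ("250-mail.example.test\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
              "250-STARTTLS\r\n250-8BITMIME\r\n250 DSN\r\n")
EHLO_TLS = ("250-mail.example.test\r\n250-PIPELINING\r\n250-AUTH LOGIN PLAIN\r\n"
            "250-AUTH=LOGIN PLAIN\r\n250-8BITMIME\r\n250 DSN\r\n")


def parse_ehlo(reply):
    """Map EHLO keywords to parameters; the first 250- line is just the hostname."""
    caps = {}
    for line in reply.splitlines()[1:]:
        if not line.startswith("250"):
            continue
        body = line[4:].strip()               # drop the "250-" / "250 " prefix
        if body.startswith("AUTH="):          # legacy form sent for broken_sasl_auth_clients
            body = "AUTH " + body[5:]
        keyword, _, params = body.partition(" ")
        caps[keyword.upper()] = params
    return caps


def verdict(caps_plain, caps_tls):
    """Summarise the two capability sets from a defender's point of view."""
    if "AUTH" in caps_plain:
        return "AUTH advertised in cleartext; set smtpd_tls_auth_only = yes"
    if caps_tls is None:
        return "STARTTLS not offered; AUTH cannot be protected"
    if "AUTH" not in caps_tls:
        return "AUTH absent even after STARTTLS; check smtpd_sasl_auth_enable"
    return "OK: AUTH only offered after STARTTLS"


def probe(host, port=25, cafile=None, timeout=10):
    """Live check: EHLO, STARTTLS, EHLO again. cafile = your own CA certificate
    (e.g. the root.crt of a self-signed setup) so verification does not fail."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        plain = {k.upper(): v for k, v in smtp.esmtp_features.items()}
        if not smtp.has_extn("starttls"):
            return verdict(plain, None)
        smtp.starttls(context=ssl.create_default_context(cafile=cafile))
        smtp.ehlo()                           # capabilities must be re-read after STARTTLS
        tls = {k.upper(): v for k, v in smtp.esmtp_features.items()}
    return verdict(plain, tls)
```

Run `probe("mail.example.test", cafile="/etc/ssl/postfix/root.crt")` against your own server; with the thread's main.cf you should get the "OK" verdict, and the cleartext verdict if smtpd_tls_auth_only is left at its default of no.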

----------

## CoderMan

*cach0rr0 wrote:*

> the missing auth lines == correct behaviour
>
> they should only appear if you connect via ssl
>
> try this:
> ...

At this point I keep getting

```
CONNECTED(00000003)
24033:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:607:
```

Google searching indicated that this error would show up if I was using a pass-phrase-protected secret key. I think I do remember giving the secret key a pass-phrase.

----------

