# Solution to Postfix TLS invalid certificate problem.

## tyr

Here's a solution to a problem I experienced when using Postfix with TLS. SMTP AUTH was working fine but attempts to use TLS with Opera and Mozilla were both being rejected. The clients were complaining of an invalid certificate.

The following errors were being logged by postfix:

```
Apr  5 23:13:35 [postfix/smtpd] SSL_accept:before/accept initialization
Apr  5 23:13:35 [postfix/smtpd] SSL_accept:error in SSLv2/v3 read client hello A
Apr  5 23:13:35 [postfix/smtpd] SSL_accept:error in SSLv3 read client hello B
Apr  5 23:13:35 [postfix/smtpd] SSL_accept:SSLv3 flush data
Apr  5 23:13:35 [postfix/smtpd] SSL_accept:error in SSLv3 read client certificate A.
Apr  5 23:13:40 [postfix/smtpd] SSL_accept:error in SSLv3 read client certificate A
Apr  5 23:13:40 [postfix/smtpd] SSL3 alert read:fatal:bad certificate
Apr  5 23:13:40 [postfix/smtpd] SSL_accept:failed in SSLv3 read client certificate A
Apr  5 23:13:40 [postfix/smtpd] SSL_accept error from host[x.x.x.x]: 0
```

This problem was fixed by generating my own certificates. I found a good guide for configuring certificates and TLS for Postfix at http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html

Note: The guide above is for RedHat. The SSL cert tools for Gentoo can be found in /etc/ssl rather than /usr/share/ssl/.

I'm running postfix-2.0.19 which is the most recent unmasked x86 build at the time of writing.

I hope this post is useful for anyone who runs across this problem.

----------

## hanj

Bummer.. the link is dead. I'm running across this same problem. I generated my own certs.. but I'm thinking I have problems with them. Occasionally, Eudora users are receiving a invalid certificate.

thanks

hanj

----------

## 7dave7

*Quote:*

> Bummer.. the link is dead. I'm running across this same problem.

Try this one:

http://mia.ece.uic.edu/~papers/volans/settingupCA.html

----------

## MarkH

*tyr wrote:*

> Here's a solution to a problem I experienced when using Postfix with TLS. SMTP AUTH was working fine but attempts to use TLS with Opera and Mozilla were both being rejected. The clients were complaining of an invalid certificate.
> 
> The following errors were being logged by postfix:
> 
> ```
> ...
> ```

Spot on for me too - thanks. (Good high speed overview of SSL also)

----------

## dashnu

I too am receiving SSL errors.

```
Jan 10 12:47:59 ox postfix/smtpd[5284]: starting TLS engine
Jan 10 12:47:59 ox postfix/smtpd[5284]: connect from unknown[192.168.1.248]
Jan 10 12:47:59 ox postfix/smtpd[5284]: setting up TLS connection from unknown[192.168.1.248]
Jan 10 12:47:59 ox postfix/smtpd[5284]: SSL_accept:before/accept initialization
Jan 10 12:47:59 ox postfix/smtpd[5284]: read from 080B3600 [080C2FA0] (11 bytes => -1 (0xFFFFFFFF))
Jan 10 12:47:59 ox postfix/smtpd[5284]: SSL_accept:error in SSLv2/v3 read client hello A
Jan 10 12:47:59 ox postfix/smtpd[5284]: read from 080B3600 [080C2FA0] (11 bytes => 11 (0xB))
Jan 10 12:47:59 ox postfix/smtpd[5284]: 0000 80 34 01 03 01 00 1b 00|00 00 10     .4...... ...
Jan 10 12:47:59 ox postfix/smtpd[5284]: read from 080B3600 [080C2FAB] (43 bytes => -1 (0xFFFFFFFF))
Jan 10 12:47:59 ox postfix/smtpd[5284]: SSL_accept:error in SSLv2/v3 read client hello B
Jan 10 12:47:59 ox postfix/smtpd[5284]: read from 080B3600 [080C2FAB] (43 bytes => 43 (0x2B))
```

And further down.. It accepts the connection..

```
Jan 10 12:47:59 ox postfix/smtpd[5284]: SSL_accept:SSLv3 flush data
Jan 10 12:47:59 ox postfix/smtpd[5284]: TLS connection established from unknown[192.168.1.248]: TLSv1 with cipher RC4-MD5 (128/128 bits)
```

Looks like my TLS connection is all fine and dandy but these errors are driving me nuts. I am using the default pre-installed postfix certs.

Now I have a few questions. I have gone through your link and tried to create my own SSL certs.

I get all the way to signing my cert and I throw an error.

```
root@ox misc #  ./CA_nodes -sign
Using configuration from /etc/ssl/openssl.cnf
27354:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:329:group=CA_default name=unique_subject
Enter pass phrase for ./demoCA/private/cakey.pem:
```

I am using openssl version 0.9.7d-r2 

If I continue on with the process it seems to finish.

edit **

I do all the regular stuff: telnet localhost 25, I see 250-STARTTLS.

Then I try to connect via Evolution and receive the same error in the logs.

So no idea what is going on there.. And I also need to make certs for cyrus-imapd. Its default certs do not work.. One way I test this is by going to https://mail.server.com:993 and I get an invalid cert error. However, this does work with Evolution and Outlook.. Why, I do not know. Entourage (M$ Mac client) will not work.. and I think this stems from bad certs for imapd. I have a "virtual mail" server running fine from a while back where all certs are fine.. I can't figure out what I am doing wrong.. Any help would kick some major arse!

----------
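Added example (not code from any poster in this thread): a small Python triage for the kind of smtpd log lines shown in tyr's and dashnu's posts. It separates OpenSSL's non-fatal `SSL_accept:error in ...` retry messages (which dashnu sees right before a successful `TLS connection established`) from a real failure, the fatal `bad certificate` alert a client sends when it rejects the server certificate (tyr's case). The log lines are constructed; the process ids and host names are mine.

```python
import re

# Constructed sample log, modelled on the two smtpd logs quoted in this thread:
# one client that sent a fatal alert, one that completed the handshake.
SAMPLE_LOG = """\
Apr  5 23:13:35 mx postfix/smtpd[1234]: setting up TLS connection from client1[x.x.x.x]
Apr  5 23:13:35 mx postfix/smtpd[1234]: SSL_accept:error in SSLv2/v3 read client hello A
Apr  5 23:13:40 mx postfix/smtpd[1234]: SSL3 alert read:fatal:bad certificate
Apr  5 23:13:40 mx postfix/smtpd[1234]: SSL_accept error from client1[x.x.x.x]: 0
Jan 10 12:47:59 ox postfix/smtpd[5284]: setting up TLS connection from unknown[192.168.1.248]
Jan 10 12:47:59 ox postfix/smtpd[5284]: SSL_accept:error in SSLv2/v3 read client hello A
Jan 10 12:47:59 ox postfix/smtpd[5284]: SSL_accept:error in SSLv2/v3 read client hello B
Jan 10 12:47:59 ox postfix/smtpd[5284]: TLS connection established from unknown[192.168.1.248]: TLSv1 with cipher RC4-MD5 (128/128 bits)
"""

LINE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SETUP = re.compile(r"setting up TLS connection from (\S+)")
ALERT = re.compile(r"SSL3 alert read:fatal:(.+)")
DONE = re.compile(r"TLS connection established from \S+: (\S+) with cipher (\S+)")

def classify_tls_log(text):
    """One record per smtpd process that started a TLS handshake, in log order."""
    sessions = {}
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if SETUP.search(msg):
            sessions[pid] = {"peer": SETUP.search(msg).group(1), "retries": 0, "alert": None, "result": None}
        elif pid not in sessions:
            continue
        elif msg.startswith("SSL_accept:error in "):
            # OpenSSL's info callback logs every WANT_READ/WANT_WRITE this way: "waiting for data", not a failure
            sessions[pid]["retries"] += 1
        elif ALERT.search(msg):
            # The peer aborted; "bad certificate" means the client rejected our certificate
            sessions[pid]["alert"] = ALERT.search(msg).group(1)
        elif msg.startswith(("SSL_accept error from", "SSL_accept:failed")):
            sessions[pid]["result"] = "failed"
        elif DONE.search(msg):
            sessions[pid]["result"] = "established"
            sessions[pid]["cipher"] = " ".join(DONE.search(msg).groups())
    for s in sessions.values():
        if s["result"] == "established":
            s["verdict"] = "handshake ok (%s); %d 'error in' lines were retries" % (s["cipher"], s["retries"])
        elif s["alert"]:
            s["verdict"] = "client rejected the server certificate (fatal alert: %s)" % s["alert"]
        else:
            s["verdict"] = "handshake failed without a client alert"
    return list(sessions.values())
```

Run it over your own mail log (with `smtpd_tls_loglevel` raised) and only the sessions whose verdict mentions a fatal alert need a certificate fix; the retry lines alone are noise.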

