# exim smtp failover not working [SOLVED]

## cdstealer

Hi,

I've been at this for almost a week and have exhausted my knowledge, sanity and the vast expanses of the tinterweb.

In short: I have created a 2 node cluster (bind, dhcp, exim, dovecot, apache) using heartbeat. The master server works perfect :Smile: and for the most part, so does the failover, except for smtps. The failover is obviously just a mirror of the master. And as such, the configs for everything are just copied over (with obvious adjustments). The issue I have is, exim is configured for smtps (port 465). The certs are copied from the master (also tried generating new ones with the same results). Whenever I try to send a mail from the failover, I get the following message:

```
/var/log/exim/main.log

2010-04-01 04:42:25 TLS error on connection from laptop.cdstealer.com [XXX.XXX.XXX.XXX] (cert/key setup: cert=/path/to/email/server.crt key=/path/to/email/server.key): Error while reading file.
```

Has anyone come across this before?

Last edited by cdstealer on Wed Jun 09, 2010 10:20 am; edited 1 time in total

----------

## Mad Merlin

Certainly for HTTPS TLS/SSL, the hostname is a part of the certificate, and that's probably also true here. Do you have a certificate for a single host (rather than a wildcard certificate) and the failover has a different hostname than the master?

----------

## cdstealer

Hi Mad Merlin,

The hostnames are different.  I can almost guarantee that this *will* be something really stupid (PEBKAC).  But I just can't seem to see the wood for the trees  :Sad: 

The certs are just self signed.. just for encryption  :Smile: 

I've tried generating for hostname, the FQDN of the VIP and wildcard.

```
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout server.key -out server.crt
```

I doubt this is a problem with the certs as dovecot is using the same ones and that is working without issue.

```
# openssl s_client -crlf -connect XXX.XXX.XXX.XXX:465
CONNECTED(00000003)
write:errno=104
```

```
# exim -C /etc/exim/exim.conf -bV
Exim version 4.71 #1 built 31-Mar-2010 08:08:28
Copyright (c) University of Cambridge, 1995 - 2007
Berkeley DB: Berkeley DB 4.7.25: (2010-03-28)
Support for: crypteq iconv() IPv6 PAM Perl TCPwrappers GnuTLS Content_Scanning DKIM Old_Demime
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb dsearch mysql passwd
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply pipe smtp
Fixed never_users: 0
Size of off_t: 4
GnuTLS compile-time version: 2.8.5
GnuTLS runtime version: 2.8.5
Configuration file is /etc/exim/exim.conf
```

----------

## cdstealer

Yay.. decided to put my analytical head on. My cert files had the wrong perms. They had 644 (rw-r--r--) when they needed to be 444 (r--r--r--). Which to be honest I don't fully understand as the certs on the master have 644 perms.. confused? you bet your bottom dollar I am. But at least it's working.

----------
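Added example, not part of the thread: a shell check for the two files named in the `cert/key setup` log line, reporting mode, owner, readability by the invoking user, presence of a PEM header, and whether the private key is readable by every local account. The function name `check_tls_file` is hypothetical, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). check_tls_file is a hypothetical helper.
# Usage: check_tls_file PATH KIND     where KIND is "cert" or "key"
# Prints findings; returns 0 if the file is usable and not overexposed, else 1.
check_tls_file() {
    path=$1
    kind=$2
    rc=0

    if [ ! -f "$path" ]; then
        echo "$path: missing or not a regular file"
        return 1
    fi

    mode=$(stat -c '%a' "$path")       # GNU stat, octal mode such as 644
    owner=$(stat -c '%U:%G' "$path")
    echo "$path: mode=$mode owner=$owner"

    # A daemon that cannot open or parse the file reports a read error
    # like the one in main.log, so test both conditions separately.
    if [ ! -r "$path" ]; then
        echo "$path: not readable by $(id -un)"
        rc=1
    elif ! grep -q -- '-----BEGIN ' "$path" 2>/dev/null; then
        echo "$path: no PEM header (truncated or wrong format?)"
        rc=1
    fi

    # The key in this thread was created with -nodes, so it is unencrypted:
    # any "other" read bit (last octal digit 4-7) exposes it to all local users.
    if [ "$kind" = key ]; then
        case $mode in
            *[4-7]) echo "$path: private key is world-readable"; rc=1 ;;
        esac
    fi
    return $rc
}

# Run directly with a path and a kind, e.g.: sh check.sh /path/to/server.key key
if [ $# -eq 2 ]; then
    check_tls_file "$1" "$2"
fi
```

Run it as the account the Exim daemon runs under so the readability test reflects what Exim sees.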

