# Setting up a mail server (_many_ issues)

## panderiz

```
./CA.pl -sign
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
unable to load certificate
140371520951976:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
Signed certificate is in newcert.pem
```

Trying to follow http://www.gentoo.org/doc/en/virt-mail-howto.xml#doc_chap5 but when I get to the signing part I get the above output, without the newcert.pem to be found anywhere. Can't figure out how to fix this so I can get the newcert.pem.

Found some files in /etc/ssl/postfix so I am trying to use those for now but when I send mail I get

```
certificate verification failed for smtp.gmail.com[74.125.95.109]:587: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
: 85117193001E: to=<test@gmail.com>, relay=smtp.gmail.com[74.125.95.109]:587, delay=0.44, delays=0.03/0.01/0.36/0.04, dsn=5.5.1, status=bounced (host smtp.gmail.com[74.125.95.109] said: 530-5.5.1 Authentication Required. Learn more at                               530 5.5.1 http://mail.google.com/support/bin/answer.py?answer=14257 f7sm19584308icq.5 (in reply to MAIL FROM command))
```

When I don't try and use a relay server, every time I send mail out I get "connection timed out", so the mail never goes out.

```
connect to gmail-smtp-in.l.google.com[74.125.95.27]:25: Connection timed out
```

By default postfix has a 30 second connection timeout, and that's the amount of time it takes from sending a mail using mutt.

main.cf

```
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = //usr/lib64/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = rss.servegame.com
mydomain = rss.servegame.com
inet_interfaces = all
unknown_local_recipient_reject_code = 550
local_destination_concurrency_limit = 2
default_destination_concurrency_limit = 10
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = /usr/share/doc/postfix-2.7.1/html
manpage_directory = /usr/share/man
sample_directory = /etc/postfix
readme_directory = /usr/share/doc/postfix-2.7.1/readme
home_mailbox = .maildir/
relayhost=[smtp.gmail.com]:587
smtpd_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/server.crt
smtpd_tls_key_file = /etc/postfix/server.key
#smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
```

Help would be greatly appreciated!
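Added check, not something posted in this thread: a small lint for the relay-client half of a Postfix main.cf, run against a constructed sample modelled on the main.cf posted above and against a corrected one. The point it encodes is Postfix's own naming rule: outbound SASL and outbound TLS verification are configured through `smtp_*` parameters, while the `smtpd_*` family only governs the inbound server, so an `smtpd_sasl_auth_enable` line contributes nothing to a relayhost login, and without `smtp_tls_CAfile`/`smtp_tls_CApath` the relay's certificate has no trust anchor to be checked against. The file paths and the two sample files are constructed.

```shell
#!/bin/sh
# Added check (not from the thread): lint the relay-client settings of a Postfix main.cf.
# Parameter names are real Postfix parameters; the sample files below are constructed.
set -eu

# Value of a main.cf parameter: last definition wins, '#' comments and indented
# continuation lines are skipped. Prints an empty line if the parameter is unset.
cf_get() {  # cf_get FILE PARAM
  awk -v p="$2" '
    /^#/ { next }
    /^[A-Za-z0-9_]+[ \t]*=/ {
      k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
      if (k == p) {
        v = substr($0, index($0, "=") + 1)
        gsub(/^[ \t]+/, "", v); gsub(/[ \t]+$/, "", v)
        val = v
      }
    }
    END { print val }' "$1"
}

# One line per finding; nothing printed means no problem found.
# smtp_* = this host acting as a client towards relayhost; smtpd_* = inbound server only.
audit_relay() {  # audit_relay FILE
  f="$1"
  [ -n "$(cf_get "$f" relayhost)" ] || return 0
  if [ "$(cf_get "$f" smtp_sasl_auth_enable)" != "yes" ]; then
    echo "relayhost set but smtp_sasl_auth_enable != yes (smtpd_sasl_auth_enable does not apply)"
  fi
  if [ -z "$(cf_get "$f" smtp_sasl_password_maps)" ]; then
    echo "relayhost set but smtp_sasl_password_maps is empty"
  fi
  if [ -z "$(cf_get "$f" smtp_tls_CAfile)" ] && [ -z "$(cf_get "$f" smtp_tls_CApath)" ]; then
    echo "no smtp_tls_CAfile or smtp_tls_CApath: the relay's certificate cannot be verified"
  fi
}

TMP="${TMP:-$(mktemp -d)}"
SAMPLE_BAD="$TMP/main.cf.bad"       # constructed sample mirroring the posted settings
cat > "$SAMPLE_BAD" <<'EOF'
relayhost=[smtp.gmail.com]:587
smtpd_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_use_tls = yes
EOF

SAMPLE_FIXED="$TMP/main.cf.fixed"   # constructed sample with the client-side parameters
cat > "$SAMPLE_FIXED" <<'EOF'
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
EOF

audit_relay "$SAMPLE_BAD"
```

Run it against a real file with `audit_relay /etc/postfix/main.cf`; the posted sample yields two findings (no `smtp_sasl_auth_enable`, no CA file), the corrected sample none. The CA bundle path in the corrected sample is a common Debian/Gentoo location and is an assumption; use whatever your system provides.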

----------

## gerdesj

Well let's start with a simple question - "what are you trying to achieve"?

Anyway - you seem to have a SSL cert generation problem.  I don't think you have a root CA set up properly.

Try this

```
openssl req -x509 -new -out MYCERT.crt -keyout MYKEY.key -days 3650
```

This will ask you for a password for the key (twice) followed by the attributes for the cert.  The important one is the common name - that should match your system's DNS name (as seen by outsiders).  You may want to change "MYCERT" and maybe -days.

The output is a self signed certificate - ie no CA - does that help?

This will strip the password requirement, so that when you pair MYCERT.key.nocrypt and MYCERT.crt you won't have to enter a password:

```
openssl rsa -in MYCERT.key > MYCERT.key.nocrypt
```

You can, of course, change the filenames ...

Cheers

Jon

----------

## panderiz

*Quote:*

> Well let's start with a simple question - "what are you trying to achieve"?

Not sure if you heard of cuts but I'm going to take over the project and start releasing my own updates/scripts for it. In a nutshell you send a text message to your computer (user@yourcomputer.com) and then it'll execute the commands and send them back to you.

```
openssl req -x509 -new -out MYCERT.crt -keyout MYKEY.key -days 3650
Generating a 1024 bit RSA private key
.......++++++
.................++++++
writing new private key to 'MYKEY.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Windsor
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Meow Mix Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:rss.servegame.com
Email Address []:
```

So that worked.

*Quote:*

> The important one is the common name - that should match your system's DNS name (as seen by outsiders).

I assumed this was the dynamic DNS I am using with no-ip. I figured Common Name might've been something like Joe Somebody.

The next command failed so I just changed the file names around and got

```
#openssl rsa -in MYKEY.key > MYCERT.key.nocrypt
Enter pass phrase for MYKEY.key:
writing RSA key
#ls MY*
MYCERT.crt  MYCERT.key.nocrypt  MYKEY.key
```

Looks like it worked. Not entirely sure which files to plug in where now with postfix. Well, I sent a mail and it didn't go. Got this in /var/log/messages for postfix

```
Jan  5 21:10:15 dm400 postfix/pickup[26308]: D52DB193001E: uid=1000 from=<panderiz>
Jan  5 21:10:15 dm400 postfix/cleanup[26587]: D52DB193001E: message-id=<20110105211015.GA26582@dm400.gateway.2wire.net>
Jan  5 21:10:15 dm400 postfix/qmgr[26309]: D52DB193001E: from=<panderiz@rss.servegame.com>, size=489, nrcpt=1 (queue active)
Jan  5 21:10:16 dm400 postfix/smtp[26589]: certificate verification failed for smtp.gmail.com[74.125.95.109]:587: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Jan  5 21:10:16 dm400 postfix/smtp[26589]: D52DB193001E: to=<testuser@gmail.com>, relay=smtp.gmail.com[74.125.95.109]:587, delay=0.68, delays=0.08/0.08/0.47/0.05, dsn=5.5.1, status=bounced (host smtp.gmail.com[74.125.95.109] said: 530-5.5.1 Authentication Required. Learn more at                               530 5.5.1 http://mail.google.com/support/bin/answer.py?answer=14257 z4sm21409612ibg.19 (in reply to MAIL FROM command))
Jan  5 21:10:16 dm400 postfix/cleanup[26587]: 9C68D193001F: message-id=<20110105211016.9C68D193001F@rss.servegame.com>
Jan  5 21:10:16 dm400 postfix/qmgr[26309]: 9C68D193001F: from=<>, size=2766, nrcpt=1 (queue active)
Jan  5 21:10:16 dm400 postfix/bounce[26591]: D52DB193001E: sender non-delivery notification: 9C68D193001F
Jan  5 21:10:16 dm400 postfix/qmgr[26309]: D52DB193001E: removed
Jan  5 21:10:16 dm400 postfix/local[26592]: 9C68D193001F: to=<panderiz@rss.servegame.com>, relay=local, delay=0.12, delays=0.01/0.1/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
Jan  5 21:10:16 dm400 postfix/qmgr[26309]: 9C68D193001F: removed
```

----------

## gerdesj

The first command you ran was to create a self signed certificate.  The common name should be the DNS name for your system.

The second command was to strip the encryption off your key.

SSL certificates have two parts - the public and the private parts.  The public part is the certificate itself and the private part is the key (both bits can be referred to as keys!)

The private key is usually protected with a password but then that means that when used with a daemon like a mail MTA that password has to be entered every time it starts.  Remove the encryption and the password is not needed.

I have never used Postfix (I'm an Exim fan) but you should reference the .crt and .key files in its config somewhere. As the cert is self signed then there should not be a certificate chain to worry about.

Cheers

Jon
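Added example, not code from Jon or from the thread: his two openssl steps (self-signed certificate, then stripping the passphrase off the key, as described in his two posts above) made non-interactive, followed by the check a practitioner wants before pointing an MTA at the files: that the certificate and the unencrypted key actually belong together, that the key really is unencrypted, and that the CN is the hostname you intended. The working directory, the CN `mail.example.test` and the passphrase `changeit` are constructed placeholders; `-subj` and `-passout` simply replace the interactive prompts shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): Jon's two openssl steps, non-interactive,
# plus a check that the certificate and key pair up. CN, directory and the
# passphrase "changeit" are constructed placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CN="${CN:-mail.example.test}"     # the DNS name outsiders use for your host

# Step 1: self-signed certificate plus a passphrase-protected private key.
make_selfsigned() {
  openssl req -x509 -new -newkey rsa:2048 -sha256 -days 3650 \
    -subj "/C=CA/ST=Ontario/L=Windsor/O=Example/CN=$CN" \
    -passout pass:changeit \
    -out "$WORKDIR/MYCERT.crt" -keyout "$WORKDIR/MYKEY.key" 2>/dev/null
}

# Step 2: unencrypted copy of the key so the daemon can load it without a prompt;
# it is now only protected by file permissions, so keep it owner-readable.
strip_passphrase() {
  openssl rsa -in "$WORKDIR/MYKEY.key" -passin pass:changeit \
    -out "$WORKDIR/MYCERT.key.nocrypt" 2>/dev/null
  chmod 600 "$WORKDIR/MYCERT.key.nocrypt"
}

# Check: the public key embedded in the certificate must equal the one derived
# from the private key; a mismatch means the files got mixed up.
cert_key_match() {
  c=$(openssl x509 -in "$WORKDIR/MYCERT.crt" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$WORKDIR/MYCERT.key.nocrypt" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# Check: the CN the certificate carries (what a client compares to the hostname).
cert_cn() {
  openssl x509 -in "$WORKDIR/MYCERT.crt" -noout -subject \
    | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# Check: no encryption marker left in the stripped key (either PEM flavour).
key_is_unencrypted() {
  ! grep -q ENCRYPTED "$WORKDIR/MYCERT.key.nocrypt"
}

make_selfsigned
strip_passphrase
cert_key_match && key_is_unencrypted && echo "OK: cert/key pair for CN=$(cert_cn) in $WORKDIR"
```

The two files to hand to the MTA are then `MYCERT.crt` (public, the certificate) and `MYCERT.key.nocrypt` (private); the passphrase-protected `MYKEY.key` can stay as a backup but is never referenced by the daemon.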

----------

## panderiz

Here are the two lines I got relating to the certificates in the configuration...

```
smtpd_tls_cert_file = /etc/postfix/MYCERT.crt
smtpd_tls_key_file = /etc/postfix/MYCERT.key.nocrypt
```

I'm not looking for something postfix-specific for a mail server... I'm looking for just getting a mail server up and running; I just happened to try the postfix guide. If you wouldn't mind passing along a link to a guide you used or recommend, that'd be great.

----------

## Inodoro_Pereyra

If it helps, my postfix mail server is running fine based on this guide.

Cheers!

----------

