1 Topic by Simbaclaws (edited by Simbaclaws 2017-10-16 18:10:24)

  • Simbaclaws
  • Member
  • Offline
  • Registered: 2017-10-16
  • Posts: 2

Topic: cannot load Certificate Authority data: Disabling TLS support

============ Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.7 MARIADB edition.
- Linux/BSD distribution name and version: CentOS Linux 7 (Core)
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): Mysql
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Basically I'm trying to send an email from gmail to one of my email addresses that I've setup with iredmail.
I'm getting a message back in the postmaster account telling me:
In: STARTTLS
Out: 454 4.7.0 TLS not available due to local problem

I've previously setup opendkim with opendmarc manually but I've removed them later on since it was giving mitter issues with postfix. After that I've setup amavisd with opendkim. Anyhow that shouldn't be what's causing this issue. So the most important part is basically where it says cannot load Certificate Authority data. Because of this, any mail I'm recieving from gmail gets rejected.. And I'm still not quite sure why...

Does anyone have any idea what I can do to fix the issue?

Here is the mail log of today (I truncated the log because it was way too large):

Oct 16 11:41:24 server postfix/postscreen[11456]: CONNECT from [175.139.253.93]:59606 to [149.210.238.212]:25
Oct 16 11:41:24 server postfix/dnsblog[11458]: addr 175.139.253.93 listed by domain zen.spamhaus.org as 127.0.0.11
Oct 16 11:41:24 server postfix/dnsblog[11458]: addr 175.139.253.93 listed by domain zen.spamhaus.org as 127.0.0.4
Oct 16 11:41:24 server postfix/dnsblog[11457]: addr 175.139.253.93 listed by domain b.barracudacentral.org as 127.0.0.2
Oct 16 11:41:30 server postfix/postscreen[11456]: DNSBL rank 5 for [175.139.253.93]:59606
Oct 16 11:41:31 server postfix/postscreen[11456]: DISCONNECT [175.139.253.93]:59606
Oct 16 11:43:33 server postfix/postscreen[11477]: CONNECT from [2607:f8b0:400d:c0d::236]:43898 to [2a01:7c8:aabb:218:5054:ff:feac:2e4f]:25
Oct 16 11:43:39 server postfix/postscreen[11477]: PASS OLD [2607:f8b0:400d:c0d::236]:43898
Oct 16 11:43:39 server postfix/smtpd[11480]: cannot load Certificate Authority data: disabling TLS support
Oct 16 11:43:39 server postfix/smtpd[11480]: connect from mail-qt0-x236.google.com[2607:f8b0:400d:c0d::236]
Oct 16 11:43:40 server postfix/smtpd[11480]: lost connection after STARTTLS from mail-qt0-x236.google.com[2607:f8b0:400d:c0d::236]
Oct 16 11:43:40 server postfix/cleanup[11483]: 1634D240049: message-id=<20171016094340.1634D240049@server.systematex.nl>
Oct 16 11:43:40 server postfix/smtpd[11480]: disconnect from mail-qt0-x236.google.com[2607:f8b0:400d:c0d::236]
Oct 16 11:43:40 server postfix/qmgr[1604]: 1634D240049: from=<double-bounce@server.systematex.nl>, size=884, nrcpt=1 (queue active)
Oct 16 11:43:40 server postfix/cleanup[11483]: 1E1F8240065: message-id=<20171016094340.1634D240049@server.systematex.nl>
Oct 16 11:43:40 server postfix/qmgr[1604]: 1E1F8240065: from=<double-bounce@server.systematex.nl>, size=1033, nrcpt=1 (queue active)
Oct 16 11:43:40 server postfix/local[11486]: 1634D240049: to=<postmaster@server.systematex.nl>, relay=local, delay=0.05, delays=0.03/0.01/0/0.01, dsn=2.0.0, status=sent (forwarded as 1E1F8240065)
Oct 16 11:43:40 server postfix/qmgr[1604]: 1634D240049: removed
Oct 16 11:43:40 server postfix/pipe[11487]: 1E1F8240065: to=<postmaster@systematex.nl>, relay=dovecot, delay=0.1, delays=0/0.01/0/0.08, dsn=2.0.0, status=sent (delivered via dovecot service)
Oct 16 11:43:40 server postfix/qmgr[1604]: 1E1F8240065: removed
Oct 16 11:43:49 server postfix/postscreen[11477]: CONNECT from [202.52.254.125]:51920 to [149.210.238.212]:25
Oct 16 11:43:49 server postfix/dnsblog[11478]: addr 202.52.254.125 listed by domain zen.spamhaus.org as 127.0.0.4
Oct 16 11:43:49 server postfix/dnsblog[11479]: addr 202.52.254.125 listed by domain b.barracudacentral.org as 127.0.0.2
Oct 16 11:43:55 server postfix/postscreen[11477]: DNSBL rank 5 for [202.52.254.125]:51920
Oct 16 11:43:56 server postfix/postscreen[11477]: DISCONNECT [202.52.254.125]:51920
Oct 16 11:45:57 server clamd[1005]: SelfCheck: Database status OK.
Oct 16 11:46:15 server postfix/postscreen[11529]: CONNECT from [61.69.110.138]:61692 to [149.210.238.212]:25
Oct 16 11:46:15 server postfix/dnsblog[11530]: addr 61.69.110.138 listed by domain zen.spamhaus.org as 127.0.0.4
Oct 16 11:46:21 server postfix/postscreen[11529]: DNSBL rank 3 for [61.69.110.138]:61692
Oct 16 11:46:22 server postfix/postscreen[11529]: DISCONNECT [61.69.110.138]:61692
Oct 16 11:47:00 server postfix/anvil[11482]: statistics: max connection rate 1/60s for (smtpd:2607:f8b0:400d:c0d::236) at Oct 16 11:43:39
Oct 16 11:47:00 server postfix/anvil[11482]: statistics: max connection count 1 for (smtpd:2607:f8b0:400d:c0d::236) at Oct 16 11:43:39
Oct 16 11:47:00 server postfix/anvil[11482]: statistics: max cache size 1 at Oct 16 11:43:39
Oct 16 11:48:46 server postfix/postscreen[11554]: CONNECT from [200.105.200.11]:24798 to [149.210.238.212]:25
Oct 16 11:48:46 server postfix/dnsblog[11555]: addr 200.105.200.11 listed by domain zen.spamhaus.org as 127.0.0.4
Oct 16 11:48:52 server postfix/postscreen[11554]: DNSBL rank 3 for [200.105.200.11]:24798
Oct 16 11:48:53 server postfix/postscreen[11554]: DISCONNECT [200.105.200.11]:24798
Oct 16 11:51:09 server postfix/postscreen[11635]: CONNECT from [122.249.243.105]:57828 to [149.210.238.212]:25
Oct 16 11:51:09 server postfix/dnsblog[11636]: addr 122.249.243.105 listed by domain zen.spamhaus.org as 127.0.0.4
Oct 16 11:51:15 server postfix/postscreen[11635]: DNSBL rank 3 for [122.249.243.105]:57828
Oct 16 11:51:16 server postfix/postscreen[11635]: DISCONNECT [122.249.243.105]:57828
Oct 16 11:51:42 server postfix/postscreen[11635]: CONNECT from [2607:f8b0:400d:c0d::22e]:45059 to [2a01:7c8:aabb:218:5054:ff:feac:2e4f]:25
Oct 16 11:51:42 server postfix/postscreen[11635]: PASS OLD [2607:f8b0:400d:c0d::22e]:45059
Oct 16 11:51:42 server postfix/smtpd[11663]: cannot load Certificate Authority data: disabling TLS support
Oct 16 11:51:42 server postfix/smtpd[11663]: connect from mail-qt0-x22e.google.com[2607:f8b0:400d:c0d::22e]
Oct 16 11:51:42 server postfix/smtpd[11663]: lost connection after STARTTLS from mail-qt0-x22e.google.com[2607:f8b0:400d:c0d::22e]
Oct 16 11:51:42 server postfix/cleanup[11666]: 8286A240059: message-id=<20171016095142.8286A240059@server.systematex.nl>
Oct 16 11:51:42 server postfix/qmgr[1604]: 8286A240059: from=<double-bounce@server.systematex.nl>, size=884, nrcpt=1 (queue active)
Oct 16 11:51:42 server postfix/smtpd[11663]: disconnect from mail-qt0-x22e.google.com[2607:f8b0:400d:c0d::22e]
Oct 16 11:51:42 server postfix/cleanup[11666]: 89FE52400E4: message-id=<20171016095142.8286A240059@server.systematex.nl>
Oct 16 11:51:42 server postfix/qmgr[1604]: 89FE52400E4: from=<double-bounce@server.systematex.nl>, size=1033, nrcpt=1 (queue active)
Oct 16 11:51:42 server postfix/local[11669]: 8286A240059: to=<postmaster@server.systematex.nl>, relay=local, delay=0.04, delays=0.02/0.01/0/0.01, dsn=2.0.0, status=sent (forwarded as 89FE52400E4)
Oct 16 11:51:42 server postfix/qmgr[1604]: 8286A240059: removed
Oct 16 11:51:42 server postfix/pipe[11670]: 89FE52400E4: to=<postmaster@systematex.nl>, relay=dovecot, delay=0.11, delays=0.01/0.01/0/0.1, dsn=2.0.0, status=sent (delivered via dovecot service)
Oct 16 11:51:42 server postfix/qmgr[1604]: 89FE52400E4: removed
Oct 16 11:55:02 server postfix/anvil[11665]: statistics: max connection rate 1/60s for (smtpd:2607:f8b0:400d:c0d::22e) at Oct 16 11:51:42
Oct 16 11:55:02 server postfix/anvil[11665]: statistics: max connection count 1 for (smtpd:2607:f8b0:400d:c0d::22e) at Oct 16 11:51:42
Oct 16 11:55:02 server postfix/anvil[11665]: statistics: max cache size 1 at Oct 16 11:51:42

I'd very much appreciate any help you can give me.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,163

Re: cannot load Certificate Authority data: Disabling TLS support

Simbaclaws wrote:

Oct 16 11:51:42 server postfix/smtpd[11663]: cannot load Certificate Authority data: disabling TLS support

*) Do you have correct ssl cert/private key/CA configured in Postfix?
*) Does Postfix have permission to read the cert/key?
*) Are the cert/key valid?

3 Reply by Simbaclaws (edited by Simbaclaws 2017-10-18 22:43:52)

  • Simbaclaws
  • Member
  • Offline
  • Registered: 2017-10-16
  • Posts: 2

Re: cannot load Certificate Authority data: Disabling TLS support

ZhangHuangbin wrote:
Simbaclaws wrote:

Oct 16 11:51:42 server postfix/smtpd[11663]: cannot load Certificate Authority data: disabling TLS support

*) Do you have correct ssl cert/private key/CA configured in Postfix?
*) Does Postfix have permission to read the cert/key?
*) Are the cert/key valid?

this is my main.cf of postfix:

# --------------------
# INSTALL-TIME CONFIGURATION INFORMATION
#
# location of the Postfix queue. Default is /var/spool/postfix.
queue_directory = /var/spool/postfix

# location of all postXXX commands. Default is /usr/sbin.
command_directory = /usr/sbin

# location of all Postfix daemon programs (i.e. programs listed in the
# master.cf file). This directory must be owned by root.
# Default is /usr/libexec/postfix
daemon_directory = /usr/libexec/postfix

# location of Postfix-writable data files (caches, random numbers).
# This directory must be owned by the mail_owner account (see below).
# Default is /var/lib/postfix.
data_directory = /var/lib/postfix

# owner of the Postfix queue and of most Postfix daemon processes.
# Specify the name of a user account THAT DOES NOT SHARE ITS USER OR GROUP ID
# WITH OTHER ACCOUNTS AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM.
# In particular, don't specify nobody or daemon. PLEASE USE A DEDICATED USER.
# Default is postfix.
mail_owner = postfix

# The following parameters are used when installing a new Postfix version.
#
# sendmail_path: The full pathname of the Postfix sendmail command.
# This is the Sendmail-compatible mail posting interface.
#
sendmail_path = /usr/sbin/sendmail.postfix

# newaliases_path: The full pathname of the Postfix newaliases command.
# This is the Sendmail-compatible command to build alias databases.
#
newaliases_path = /usr/bin/newaliases.postfix

# full pathname of the Postfix mailq command.  This is the Sendmail-compatible
# mail queue listing command.
mailq_path = /usr/bin/mailq.postfix

# group for mail submission and queue management commands.
# This must be a group name with a numerical group ID that is not shared with
# other accounts, not even with the Postfix account.
setgid_group = postdrop

# external command that is executed when a Postfix daemon program is run with
# the -D option.
#
# Use "command .. & sleep 5" so that the debugger can attach before
# the process marches on. If you use an X-based debugger, be sure to
# set up your XAUTHORITY environment variable before starting Postfix.
#
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5

debug_peer_level = 2

# --------------------
# CUSTOM SETTINGS
#

# SMTP server response code when recipient or domain not found.
unknown_local_recipient_reject_code = 550

# Do not notify local user.
biff = no

# Disable the rewriting of "site!user" into "user@site".
swap_bangpath = no

# Disable the rewriting of the form "user%domain" to "user@domain".
allow_percent_hack = no

# Allow recipient address start with '-'.
allow_min_user = no

# Disable the SMTP VRFY command. This stops some techniques used to
# harvest email addresses.
disable_vrfy_command = yes

# Enable both IPv4 and/or IPv6: ipv4, ipv6, all.
inet_protocols = all

# Enable all network interfaces.
inet_interfaces = all

#
# TLS settings.
#
# SSL key, certificate, CA
#
smtpd_tls_key_file = /etc/letsencrypt/live/systematex.nl/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/systematex.nl/fullchain.pem
smtpd_tls_CAfile = /etc/pki/tls/certs/iRedMail.crt

#
# Disable SSLv2, SSLv3
#
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3

#
# Fix 'The Logjam Attack'.
#
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_dh512_param_file = /etc/pki/tls/dh512_param.pem
smtpd_tls_dh1024_param_file = /etc/pki/tls/dh2048_param.pem

tls_random_source = dev:/dev/urandom

# Log only a summary message on TLS handshake completion — no logging of client
# certificate trust-chain verification errors if client certificate
# verification is not required. With Postfix 2.8 and earlier, log the summary
# message, peer certificate summary information and unconditionally log
# trust-chain verification errors.
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1

# Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do
# not require that clients use TLS encryption.
smtpd_tls_security_level = may

# Produce `Received:` message headers that include information about the
# protocol and cipher used, as well as the remote SMTP client CommonName and
# client certificate issuer CommonName.
# This is disabled by default, as the information may be modified in transit
# through other mail servers. Only information that was recorded by the final
# destination can be trusted.
#smtpd_tls_received_header = yes

# Opportunistic TLS, used when Postfix sends email to remote SMTP server.
# Use TLS if this is supported by the remote SMTP server, otherwise use
# plaintext.
# References:
#   - http://www.postfix.org/TLS_README.html#client_tls_may
#   - http://www.postfix.org/postconf.5.html#smtp_tls_security_level
smtp_tls_security_level = may

# Use the same CA file as smtpd.
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_note_starttls_offer = yes

# Enable long, non-repeating, queue IDs (queue file names).
# The benefit of non-repeating names is simpler logfile analysis and easier
# queue migration (there is no need to run "postsuper" to change queue file
# names that don't match their message file inode number).
#enable_long_queue_ids = yes

# Reject unlisted sender and recipient
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes

# Header and body checks with PCRE table
header_checks = pcre:/etc/postfix/header_checks
body_checks = pcre:/etc/postfix/body_checks.pcre

# A mechanism to transform commands from remote SMTP clients.
# This is a last-resort tool to work around client commands that break
# interoperability with the Postfix SMTP server. Other uses involve fault
# injection to test Postfix's handling of invalid commands.
# Requires Postfix-2.7+.
#smtpd_command_filter = pcre:/etc/postfix/command_filter.pcre

# HELO restriction
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_helo_access pcre:/etc/postfix/helo_access.pcre
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname

# Sender restrictions
smtpd_sender_restrictions =
    reject_unknown_sender_domain
    reject_non_fqdn_sender
    reject_unlisted_sender
    permit_mynetworks
    permit_sasl_authenticated
    check_sender_access pcre:/etc/postfix/sender_access.pcre

# Recipient restrictions
smtpd_recipient_restrictions =
    reject_unknown_recipient_domain
    reject_non_fqdn_recipient
    reject_unlisted_recipient
    check_policy_service inet:127.0.0.1:7777
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination

# END-OF-MESSAGE restrictions
smtpd_end_of_data_restrictions =
    check_policy_service inet:127.0.0.1:7777

# Data restrictions
smtpd_data_restrictions = reject_unauth_pipelining

proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps

# Avoid duplicate recipient messages. Default is 'yes'.
enable_original_recipient = no

# Virtual support.
virtual_minimum_uid = 2000
virtual_uid_maps = static:2000
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail

# Do not set virtual_alias_domains.
virtual_alias_domains =

#
# Enable SASL authentication on port 25 and force TLS-encrypted SASL authentication.
# WARNING: NOT RECOMMENDED to enable smtp auth on port 25, all end users should
#          be forced to submit email through port 587 instead.
#
#smtpd_sasl_auth_enable = yes
#smtpd_sasl_security_options = noanonymous
#smtpd_tls_auth_only = yes

# hostname
myhostname = server.systematex.nl
myorigin = server.systematex.nl
mydomain = server.systematex.nl

# trusted SMTP clients which are allowed to relay mail through Postfix.
#
# Note: additional IP addresses/networks listed in mynetworks should be listed
#       in iRedAPD setting 'MYNETWORKS' (in `/opt/iredapd/settings.py`) too.
#       for example:
#
#       MYNETWORKS = ['xx.xx.xx.xx', 'xx.xx.xx.0/24', ...]
#
mynetworks = 127.0.0.1 [::1]

# Accepted local emails
mydestination = $myhostname, localhost, localhost.localdomain

alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases

# Default message_size_limit.
message_size_limit = 15728640

# The set of characters that can separate a user name from its extension
# (example: user+foo), or a .forward file name from its extension (example:
# .forward+foo).
# Postfix 2.11 and later supports multiple characters.
recipient_delimiter = +

# The time after which the sender receives a copy of the message headers of
# mail that is still queued. Default setting is disabled (0h) by Postfix.
#delay_warning_time = 1h
#
# Lookup virtual mail accounts
#
transport_maps =
    proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf
    proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf

sender_dependent_relayhost_maps =
    proxy:mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf

# Lookup table with the SASL login names that own the sender (MAIL FROM) addresses.
smtpd_sender_login_maps =
    proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf

virtual_mailbox_domains =
    proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf

relay_domains =
    $mydestination
    proxy:mysql:/etc/postfix/mysql/relay_domains.cf

virtual_mailbox_maps =
    proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf

virtual_alias_maps =
    proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf
    proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf
    proxy:mysql:/etc/postfix/mysql/catchall_maps.cf
    proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf

sender_bcc_maps =
    proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf
    proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf

recipient_bcc_maps =
    proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf
    proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf

#
# Postscreen
#
postscreen_greet_action = enforce
postscreen_blacklist_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites =
    zen.spamhaus.org=127.0.0.[2..11]*3
    b.barracudacentral.org=127.0.0.[2..11]*2

postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr

# Require Postfix-2.11+
#postscreen_dnsbl_whitelist_threshold = -2
#
# Dovecot SASL support.
#
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1

#
# Amavisd + SpamAssassin + ClamAV
#
content_filter = smtp-amavis:[127.0.0.1]:10024

# Concurrency per recipient limit.
smtp-amavis_destination_recipient_limit = 1

#OpenDKIM config
#milter_default_action = accept
#milter_protocol = 6
#smtpd_milters = inet:localhost:8891, inet:localhost:8993
#non_smtpd_milters = inet:localhost:8991, inet:localhost:8893

cert/key is valid

the cert/key are in /etc/letsencrypt/live/systematex.nl/fullchain.pem and /etc/letsencrypt/live/systematex.nl/privkey.pem

everything under /etc/letsencrypt/live is owned by root.
Should I change ownership? I didn't have to do this for nginx and dovecot...
Perhaps change the mail owner to root?

Also, the CA is that of iredmail (not generated by letsencrypt), should this perhaps not be set since I'm giving a fullchain.pem as cert?


EDIT: It was indeed the CA bundle that was wrong, I commented it out and it seems to work fine again now smile Thanks for the help.