Postfix TLS Library Problem No such file


#1

Setting up a Postfix/Dovecot email server on Ubuntu 18.10, I can receive but not send mail from my client. I created the SSL for my server just fine with certbot using nginx.

This is the end result of a week of work following guides and examples, hopefully, this is the last hurdle.

Thanks for any help you can provide - the log / config files are below:

chuck@cow:/var/log$ sudo tail mail.log

Oct 30 16:23:46 cow postfix/smtpd[8011]: warning: TLS library problem: error:02001002:system library:fopen:No such file or directory:…/crypto/bio/bss_file.c:290:fopen('/etc/letsencrypt/live/cow.MASK.com/fullchain.pem;','r'):
Oct 30 16:23:46 cow postfix/smtpd[8011]: warning: TLS library problem: error:20074002:BIO routines:file_ctrl:system lib:…/crypto/bio/bss_file.c:292:
Oct 30 16:23:46 cow postfix/smtpd[8011]: warning: TLS library problem: error:140DC002:SSL routines:use_certificate_chain_file:system lib:…/ssl/ssl_rsa.c:615:

Oct 30 16:23:46 cow postfix/smtpd[8011]: warning: hostname bl28-67-120.dsl.telepac.pt does not resolve to address 37.189.67.120: Name or service not known
Oct 30 16:23:46 cow postfix/smtpd[8011]: connect from unknown[37.189.67.120]
Oct 30 16:23:47 cow postfix/smtpd[8011]: NOQUEUE: reject: RCPT from unknown[37.189.67.120]: 554 5.7.1 spameri@tiscali.it: Relay access denied; from=spameri@tiscali.it to=spameri@tiscali.it proto=ESMTP helo=
Oct 30 16:23:47 cow postfix/smtpd[8011]: disconnect from unknown[37.189.67.120] ehlo=1 mail=1 rcpt=0/1 rset=1 quit=1 commands=4/5
Oct 30 16:27:07 cow postfix/anvil[8013]: statistics: max connection rate 1/60s for (smtp:37.189.67.120) at Oct 30 16:23:46
Oct 30 16:27:07 cow postfix/anvil[8013]: statistics: max connection count 1 for (smtp:37.189.67.120) at Oct 30 16:23:46
Oct 30 16:27:07 cow postfix/anvil[8013]: statistics: max cache size 1 at Oct 30 16:23:46

main.cf
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no
compatibility_level = 2

smtpd_tls_cert_file=/etc/letsencrypt/live/cow.MASK.com/fullchain.pem;
smtpd_tls_key_file=/etc/letsencrypt/live/cow.MASK.com/privkey.pem;

smtpd_use_tls=yes
smtpd_tls_auth_only = yes

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
unix:private/policyd-spf
reject_unauth_destiantion stays where it is.
policyd-spf_time_limit = 3600
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf

milter_default_action = accept
milter_protocol = 2
smtpd_milters = local:/opendkim/opendkim.sock
non_smtpd_milters = local:/opendkim/opendkim.sock

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = cow.MASK.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

virtual_transport = lmtp:unix:private/dovecot-lmtp

virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf

content_filter = scan:127.0.0.1:10026
receive_override_options = no_address_mappings

master.cf
smtp inet n - y - - smtpd
-o content_filter=spamassassin
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject

pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
-o syslog_name=postfix/$service_name
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache

maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}

uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)

ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient

scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}

mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}

spamassassin unix - n n - - pipe
user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

scan unix - - n - 16 smtp
-o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n - n - 16 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks_style=host
-o smtpd_authorized_xforward_hosts=127.0.0.0/8

policyd-spf unix - n n - 0 spawn
user=policyd-spf argv=/usr/bin/policyd-spf

** Mail Response when setting up client **
Authenticate as SSL client failed.
You might be connecting to non SSL port -or- using incorrect SSL/TLS version.
Consider using TLS 1.2: client.SSLConfiguration.EnalbedSslProtocols=SslProtocols.Tls12;

Extra
I’m using port 587 in my client when trying to connect to the mail server for sending. It defaulted to port 465, but apparently, my postfix isn’t listening on that port, and I heard 465 is a legacy port anyway so I should use 587 instead.


#2

Hi,

Could you please go into the folder and see if a fullchain.pem is present?
/etc/letsencrypt/live/cow.MASK.com/

Thank you


#3

sudo ls -la /etc/letsencrypt/live/cow.MASK.com/

README
cert.pem
chain.pem
fullchain.pem
privkey.pem


#4

Yes, the file is present. Could it be a permissions issue?


#5

Yes it could be a permissions issue.
fullchain.pem is a “public” file.
Try giving the “postfix” system user access to that file.
If that change works, you may then see an error accessing the privkey.pem [which is a private file - but required to create/establish encryption].

If you are concerned about sharing/mixing the “security” of these files (being accessed by postfix), then you might want to create a separate cert specifically only for use by postfix and give postfix full access to only those two files.


#6

I think the files created by certbot (in the live and archive directories) are generally world-readable; the permission restriction is rather on the directories themselves.

I agree with your suggestion to create a separate cert (and key) specifically for postfix, in a location accessible by postfix, and set its ownership and permissions accordingly. This could be automated with a --deploy-hook script.


#7

Do you happen to have selinux enabled?


#8

I do not have selinux enabled that I am aware of, it’s a basic Ubuntu 18.10 standard build.


#9

Ok, well testing permission is my next task then. You mention creating a cert specifically for postfix, but I used certbot --nginx and then just selected the number of the site I wanted. I guess you're talking about using certbot manually to create a certificate then put it somewhere readable by postfix?

As for the --deploy-hook, would the script basically just cp the .pem files to a location postfix can read them? I assume I'll have to copy the files myself initially but the hook script fires automatically on renew?

Thanks, hope this works it was a pain lol


#10

Copying the files shouldn't be necessary if the cert is specifically designated to be used by postfix ONLY.
That is, certbot can manage all the certs in the system.
And you include a cert that is only intended for postfix use.
You know where those specific cert files will be located.
You then get postfix to use those specific files [giving postfix the proper access rights to them].
If that works, then the updates/renewals should be automatic:

  • certbot ensures the cert gets renewed before it expires
  • deploy-hook restarts nginx after each successful cert renewal [ensuring nginx is always using the latest cert]

#11

Ok, still a little confused. Let me say it to you and see if I have it right.

  1. I somehow give postfix permission to access the letsencrypt directory chmod 2777 letsencrypt/cow.MASK.com/

  2. Modify deploy-hook to restart nginx, postfix, and dovecot.

  3. Done.

Just because I give access to the cert for Postfix, why can’t nginx still use it? I noticed you said if it’s specifically designated to be used by postfix ONLY above. I don’t expect you would really use chmod 2777, would you chgrp postfix on the folder instead?

It seems like more people would have this particular problem because I can’t see that I did anything differently than anyone else would do with the installs, yet I couldn’t find anyone with this particular error heh.

Thanks again for your time!
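For the --deploy-hook mentioned in #6 and the permission question just above, here is an added example of such a hook; it is not from the thread and not certbot's or Postfix's own code. certbot runs deploy hooks as root and exports RENEWED_LINEAGE (the live directory of the renewed cert, e.g. /etc/letsencrypt/live/cow.MASK.com). The script stages fullchain.pem and privkey.pem under a Postfix-owned directory with explicit modes, then reloads Postfix so the renewed certificate is actually served (a hook that only restarts nginx, as in #10, leaves Postfix on the old cert until its next restart). Assumptions: the destination /etc/postfix/tls is a chosen location, not a Postfix default, and main.cf's smtpd_tls_cert_file / smtpd_tls_key_file point at the files there; Postfix is managed by systemd. The key stays root-only by default, since Postfix reads it as root at start-up; a group is applied only when one is passed. Note that a mode like 2777 on the certificate directory would make it world-writable, which is never wanted for key material.

```shell
#!/bin/sh
# Added example (not from the thread): certbot --deploy-hook that stages the
# renewed cert/key for Postfix with explicit permissions and reloads Postfix.
# Assumptions: systemd-managed Postfix; /etc/postfix/tls is our chosen
# destination; main.cf points smtpd_tls_cert_file/smtpd_tls_key_file there.

# install_postfix_cert LINEAGE_DIR DEST_DIR [GROUP]
# fullchain.pem is public -> 0644. privkey.pem -> 0600, or 0640 with GROUP when
# a group is given and we run as root (only needed if another daemon must read
# the key; Postfix itself reads it as root). Files are written under a
# temporary name and renamed, so Postfix never opens a half-written file.
install_postfix_cert() {
  lineage=$1
  dest=$2
  group=${3:-}
  if [ ! -r "$lineage/fullchain.pem" ] || [ ! -r "$lineage/privkey.pem" ]; then
    echo "install_postfix_cert: no fullchain.pem/privkey.pem in $lineage" >&2
    return 1
  fi
  mkdir -p "$dest" && chmod 0755 "$dest"
  ( umask 077   # copies are born private; modes are widened deliberately below
    cp "$lineage/fullchain.pem" "$dest/fullchain.pem.tmp" &&
    cp "$lineage/privkey.pem"   "$dest/privkey.pem.tmp" ) || return 1
  chmod 0644 "$dest/fullchain.pem.tmp"
  if [ -n "$group" ] && [ "$(id -u)" -eq 0 ]; then
    chgrp "$group" "$dest/privkey.pem.tmp" && chmod 0640 "$dest/privkey.pem.tmp"
  else
    chmod 0600 "$dest/privkey.pem.tmp"
  fi
  mv "$dest/fullchain.pem.tmp" "$dest/fullchain.pem" &&
  mv "$dest/privkey.pem.tmp"   "$dest/privkey.pem"
}

# file_perms PATH -> symbolic mode string such as "-rw-------" (for checking)
file_perms() {
  ls -ld "$1" | cut -c1-10
}

# Entry point when invoked by certbot (RENEWED_LINEAGE is set only then).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  install_postfix_cert "$RENEWED_LINEAGE" /etc/postfix/tls || exit 1
  systemctl reload postfix
  # add "systemctl reload dovecot" here if Dovecot serves the same files
fi
```

Install it as /etc/letsencrypt/renewal-hooks/deploy/postfix-cert.sh (executable) or pass it with `certbot renew --deploy-hook /path/to/postfix-cert.sh`; certbot then runs it after every successful renewal. If Postfix is instead pointed straight at the /etc/letsencrypt/live paths (the approach in #10), only the reload part of the hook is needed.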


#12

I think Postfix is trying to use the exact file /etc/letsencrypt/live/cow.MASK.com/fullchain.pem; with a semicolon in its name. Try checking if there’s an extra semicolon in the config file and removing it.
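Postfix takes parameter values literally, so the `;` pasted in #1's main.cf becomes part of the file name, exactly as the fopen() line in the log shows; `postconf -n` (or `postconf smtpd_tls_cert_file`) prints the value Postfix actually read and would have exposed it. The script below is an added check, not from the thread and not part of Postfix: it extracts the two TLS file parameters from a main.cf, flags values carrying a `;` or quote character, and verifies that the named file is readable (by the user running the script; Postfix itself reads these as root). The function names and the sample main.cf used in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the TLS file parameters in
# a Postfix main.cf for the trailing-semicolon mistake and for unreadable paths.

# main_cf_value FILE KEY -> the last value assigned to KEY in FILE ("" if unset).
# main.cf syntax is "key = value"; later assignments override earlier ones.
main_cf_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
    sed 's/[[:space:]]*$//' | tail -n 1
}

# check_tls_files FILE -> prints one finding per problem; returns 1 if any.
check_tls_files() {
  cf=$1
  rc=0
  for key in smtpd_tls_cert_file smtpd_tls_key_file; do
    val=$(main_cf_value "$cf" "$key")
    case $val in
      "")
        echo "$key: not set"; rc=1 ;;
      *\;*|*\'*|*\"*)
        # Postfix does not strip these; the file name literally contains them.
        echo "$key: value '$val' contains ; or a quote character, which Postfix uses literally"
        rc=1 ;;
      *)
        [ -r "$val" ] || { echo "$key: $val is missing or not readable"; rc=1; } ;;
    esac
  done
  return $rc
}

# Usage: ./check_tls_files.sh /etc/postfix/main.cf
if [ $# -eq 1 ]; then
  check_tls_files "$1"
fi
```

Run it against /etc/postfix/main.cf before `postfix reload`; on #1's config it reports both parameters, because both values end in `;`.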


#13

WOW mnordhoff, what a great catch. Really amazing, that’s 3 days of head scratching over a semicolon.

My problem isn’t cured, but the logs no longer suggest it can’t find the file.

This is what I get in my mail.log file when I try to connect now:

Nov 1 21:03:04 cow postfix/submission/smtpd[1844]: connect from 71-209-88-135.chyn.qwest.net[71.209.88.135]
Nov 1 21:03:04 cow postfix/submission/smtpd[1844]: lost connection after UNKNOWN from 71-209-88-135.chyn.qwest.net[71.209.88.135]
Nov 1 21:03:04 cow postfix/submission/smtpd[1844]: disconnect from 71-209-88-135.chyn.qwest.net[71.209.88.135] unknown=0/1 commands=0/1

My mail client says: (I’m using port 587)
Authenticate as SSL client failed.
You might be connecting to a non SSL port -or- using incorrect SSL/TLS version.
Consider using TLS 1.2: client.SSLConfiguration.EnalbedSslProtocols = SslProtocols.Tls12;

In my client I'm using port 587, encryption type is SSL/TLS, I have requires authentication checked, and I give my email's username and password.

I don't know if this problem is a letsencrypt problem anymore, but if you could point me in the right direction that would be great. I don't know where to go from here.


#14

Hmm, am I supposed to be using STARTTLS instead of SSL/TLS? Because when I set my client to STARTTLS it works now.

Though I heard STARTTLS is less secure:
https://serverfault.com/questions/523804/is-starttls-less-safe-than-tls-ssl


#15

Ok, I don't know if there are even more settings you should set for a really secure server, but this made it work for me, if you are just reading this and it helps you -

Edit your master.cf file
sudo nano /etc/postfix/master.cf

uncomment the following line:
-o smtpd_tls_wrappermode=yes

Restart postfix

This should allow you to connect via SSL/TLS on port 587 from your mail client.

It's working now for me, thanks everyone for your help. 🙂
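The client's "SSL/TLS" setting means implicit TLS (the TLS handshake starts as soon as the connection opens), while "STARTTLS" means plain SMTP upgraded with the STARTTLS command; that is why #14's switch to STARTTLS worked on 587, and why wrapping 587 in implicit TLS made the SSL/TLS setting work. The conventional layout keeps the two on separate ports: 587 for STARTTLS and 465 for implicit TLS (RFC 8314 recommends implicit TLS on 465 for submission), so every client's default for either mode connects. The master.cf fragment below is an added example of that layout, not the thread's master.cf; the Debian/Ubuntu package ships commented-out `submission` and `smtps` entries of this shape, which is also where the `smtpd_tls_wrappermode` line uncommented above lives. The client restriction used here is the one from #1's submission entry.

```text
# Added example (not from the thread): STARTTLS on 587, implicit TLS on 465.
# smtpd_tls_security_level=encrypt refuses to continue without STARTTLS, and
# smtpd_tls_auth_only=yes never offers AUTH on an unencrypted connection.
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# smtps is the master.cf service name; it binds port 465 (see /etc/services).
# smtpd_tls_wrappermode=yes starts TLS immediately instead of after STARTTLS.
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

After `postfix reload`, `openssl s_client -starttls smtp -connect cow.MASK.com:587` should show the certificate after the STARTTLS upgrade, and `openssl s_client -connect cow.MASK.com:465` should show it immediately; the `postfix/submission` and `postfix/smtps` syslog names then tell the two services apart in mail.log.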


#16

You’re reading too much into the “ONLY”.
What I meant by that was that only postfix will be trying to use that cert.
Not that it must be restricted so that ONLY postfix can access it.


#17

Hmm, so now I can send emails to some addresses but not others. The only warning I see in the logs is about Milter service local:/opendkim/opendkim.sock, could that be the problem?

My opendkim.sock file is located at
/var/spool/postfix/opendkim/opendkim.sock

main.cf milters settings:
smtpd_milters = local:/var/spool/postfix/opendkim/opendkim.sock
non_smtpd_milters = local:/var/spool/postfix/opendkim/opendkim.sock

4EB497FF85 1374 Thu Nov 1 23:26:59 me@mask.com
(lost connection with mail.MAILSERVER.net[3X.1XX.1XX.32] while performing the HELO handshake) TO_USER@MAILSERVER.net

/var/log/mail.log
Nov 2 00:23:27 cow postfix/submission/smtpd[3561]: connect from 71-209-88-135.chyn.qwest.net[71.209.88.135]
Nov 2 00:23:28 cow postfix/submission/smtpd[3561]: 0B7457FF85: client=71-209-88-135.chyn.qwest.net[71.209.88.135], sasl_method=PLAIN, sasl_username=xxx@xxx.com
Nov 2 00:23:28 cow postfix/cleanup[3567]: 0B7457FF85: message-id=35f7198a-263f-44a1-85f4-da8965a22083@getmailbird.com
Nov 2 00:23:28 cow postfix/qmgr[3010]: 0B7457FF85: from=xxx@xxx.com, size=1152, nrcpt=1 (queue active)
Nov 2 00:23:28 cow clamsmtpd: 100008: accepted connection from: 127.0.0.1
Nov 2 00:23:28 cow postfix/smtpd[3570]: connect from localhost[127.0.0.1]
Nov 2 00:23:28 cow postfix/smtpd[3570]: warning: connect to Milter service local:/opendkim/opendkim.sock: No such file or directory
Nov 2 00:23:28 cow postfix/submission/smtpd[3561]: disconnect from 71-209-88-135.chyn.qwest.net[71.209.88.135] ehlo=1 auth=1 mail=1 rcpt=1 data=1 noop=1 commands=6
Nov 2 00:23:28 cow postfix/smtpd[3570]: 45FE37FF8C: client=localhost[127.0.0.1], orig_queue_id=0B7457FF85, orig_client=71-209-88-135.chyn.qwest.net[71.209.88.135]
Nov 2 00:23:28 cow postfix/cleanup[3567]: 45FE37FF8C: message-id=35f7198a-263f-44a1-85f4-da8965a22083@getmailbird.com
Nov 2 00:23:28 cow postfix/qmgr[3010]: 45FE37FF8C: from=xxx@xxx.com, size=1368, nrcpt=1 (queue active)
Nov 2 00:23:28 cow clamsmtpd: 100008: from=xxx@xxx.com, to=xxy@xxy.net, status=CLEAN
Nov 2 00:23:28 cow postfix/smtp[3568]: 0B7457FF85: to=xxy@xxy.net, relay=127.0.0.1[127.0.0.1]:10026, delay=0.35, delays=0.23/0.01/0.06/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 45FE37FF8C)
Nov 2 00:23:28 cow postfix/qmgr[3010]: 0B7457FF85: removed
Nov 2 00:23:28 cow postfix/smtpd[3570]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=2 mail=1 rcpt=1 data=1 quit=1 commands=7
Nov 2 00:23:28 cow dovecot: imap-login: Login: user=xxx@xxx.com, method=PLAIN, rip=71.209.88.135, lip=178.128.157.12, mpid=3574, TLS, session=
Nov 2 00:23:29 cow dovecot: imap-login: Login: user=xxx@xxx.com, method=PLAIN, rip=71.209.88.135, lip=178.128.157.12, mpid=3576, TLS, session=
Nov 2 00:23:32 cow postfix/smtp[3573]: 45FE37FF8C: to=xxy@xxy.net, relay=mail.xxy.net[3x.1xx.1xx.32]:25, delay=4.3, delays=0.06/0.01/4.2/0, dsn=4.4.2, status=deferred (lost connection with mail.xxy.net[3x.1xx.1xx.32] while performing the HELO handshake)

Thanks in advance!


#18

The error location does not match the location you stated:


#19

Thanks rg305,

None of this is making any sense to me. Do you think the Milter warning could be why postfix is losing connection while performing the handshake? 🙁

My current Main.cf file for postfix reads:
smtpd_milters = local:/var/spool/postfix/opendkim/opendkim.sock
non_smtpd_milters = local:/var/spool/postfix/opendkim/opendkim.sock

My current /etc/opendkim.conf file reads:
Socket local:/var/spool/postfix/opendkim/opendkim.sock

As you can see I have both of them set to the location of the file.

Still, when I try to send an email the warning reads:
Nov 2 23:04:05 cow postfix/submission/smtpd[11291]: warning: connect to Milter service local:/var/spool/postfix/opendkim/opendkim.sock: No such file or directory

Should it be local: or unix: ? Does the full path not need to be there maybe? I’m so lost.

Thanks!

Full Log of the mailing transaction:
Nov 2 23:04:05 cow postfix/submission/smtpd[11291]: connect from 71-209-88-135.chyn.qwest.net[71.209.88.135]
Nov 2 23:04:05 cow postfix/submission/smtpd[11291]: warning: connect to Milter service local:/var/spool/postfix/opendkim/opendkim.sock: No such file or directory
Nov 2 23:04:05 cow postfix/submission/smtpd[11291]: F1B747FF4F: client=71-209-88-135.chyn.qwest.net[71.209.88.135], sasl_method=PLAIN, sasl_username=xxx@xxx.com
Nov 2 23:04:06 cow postfix/cleanup[11297]: F1B747FF4F: message-id=4c3395a2-ec12-4142-856f-60637467019c@getmailbird.com
Nov 2 23:04:06 cow postfix/qmgr[11280]: F1B747FF4F: from=xxx@xxx.com, size=1142, nrcpt=1 (queue active)
Nov 2 23:04:06 cow clamsmtpd: 100002: accepted connection from: 127.0.0.1
Nov 2 23:04:06 cow postfix/smtpd[11300]: connect from localhost[127.0.0.1]
Nov 2 23:04:06 cow postfix/submission/smtpd[11291]: disconnect from 71-209-88-135.chyn.qwest.net[71.209.88.135] ehlo=1 auth=1 mail=1 rcpt=1 data=1 noop=1 commands=6
Nov 2 23:04:06 cow postfix/smtpd[11300]: 361647FF8E: client=localhost[127.0.0.1], orig_queue_id=F1B747FF4F, orig_client=71-209-88-135.chyn.qwest.net[71.209.88.135]
Nov 2 23:04:06 cow postfix/cleanup[11297]: 361647FF8E: message-id=4c3395a2-ec12-4142-856f-60637467019c@getmailbird.com
Nov 2 23:04:06 cow postfix/qmgr[11280]: 361647FF8E: from=xxx@xxx.com, size=1358, nrcpt=1 (queue active)
Nov 2 23:04:06 cow clamsmtpd: 100002: from=xxx@xxx.com, to=xxx@xxx.net, status=CLEAN
Nov 2 23:04:06 cow postfix/smtp[11298]: F1B747FF4F: to=xxx@xxx.net, relay=127.0.0.1[127.0.0.1]:10026, delay=0.35, delays=0.22/0.01/0.06/0.07, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 361647FF8E)
Nov 2 23:04:06 cow postfix/qmgr[11280]: F1B747FF4F: removed
Nov 2 23:04:06 cow postfix/smtpd[11300]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=2 mail=1 rcpt=1 data=1 quit=1 commands=7
Nov 2 23:04:10 cow postfix/smtp[11286]: 361647FF8E: to=xxx@xxx.net, relay=mail.xxx.net[38.111.141.32]:25, delay=4.5, delays=0.07/0/4.4/0, dsn=4.4.2, status=deferred (lost connection with mail.xxx.net[38.111.141.32] while performing the HELO handshake)
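The two milter warnings in this thread fit one cause that is visible in the master.cf posted in #1: `smtp` and `submission` run with chroot `y`, while the `127.0.0.1:10025` reinjection smtpd runs with chroot `n`. A chrooted smtpd sees /var/spool/postfix as `/`, so `local:/opendkim/opendkim.sock` is found by the chrooted services but not by the 10025 one (the #17 warning comes from `postfix/smtpd[3570]`, the localhost connection on 10025), and the full path `local:/var/spool/postfix/opendkim/opendkim.sock` is found by the 10025 one but not by the chrooted ones (the #19 warning comes from `postfix/submission/smtpd`). A path relative to the queue directory, `local:opendkim/opendkim.sock`, resolves to the same file in both cases, because every Postfix daemon runs with the queue directory as its working directory; an `inet:` socket sidesteps the question entirely. The postfix user also needs permission on the socket (on Debian-family systems usually by adding postfix to the opendkim group). With `milter_default_action = accept` from #1's main.cf, a failed milter connection lets mail through unsigned rather than blocking it; the separate `status=deferred (lost connection ... while performing the HELO handshake)` is the outbound `postfix/smtp` client talking to the remote server on port 25, a different problem from the milter. The script below is an added diagnostic, not from the thread and not part of Postfix: it reads the chroot column of every smtpd entry in a master.cf and prints the path each service would actually open. The queue directory default and the sample master.cf in the test are assumptions.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): for every smtpd service in master.cf,
# show where that service will really look for a "local:" milter socket,
# taking its chroot column into account. Assumption: queue_directory is
# /var/spool/postfix (the Debian/Ubuntu default); override with QUEUE_DIR=...
QUEUE_DIR=${QUEUE_DIR:-/var/spool/postfix}

# resolve_milter_path CHROOT_FLAG MILTER_SPEC
# Prints the absolute path the daemon opens. CHROOT_FLAG is master.cf's 5th
# column ("y" = chrooted into $QUEUE_DIR, anything else = not chrooted).
resolve_milter_path() {
  chroot=$1
  spec=$2
  case $spec in
    local:*|unix:*) path=${spec#*:} ;;
    *) echo "$spec"; return 0 ;;   # inet:host:port is unaffected by chroot
  esac
  case $path in
    /*) # absolute: literal outside the jail, prefixed with the jail inside it
        if [ "$chroot" = y ]; then echo "$QUEUE_DIR$path"; else echo "$path"; fi ;;
    *)  # relative: Postfix daemons run with queue_directory as cwd, which is
        # also "/" inside the jail, so this resolves the same way either way
        echo "$QUEUE_DIR/$path" ;;
  esac
}

# smtpd_chroot_flags MASTER_CF
# Prints "<service> <chroot-flag>" for every smtpd entry. Columns are:
# service type private unpriv chroot wakeup maxproc command. "-o" continuation
# lines start with whitespace and are skipped, as are comments and blanks.
smtpd_chroot_flags() {
  awk '/^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]/ { next }
       $8 == "smtpd" { print $1, $5 }' "$1"
}

# check_milter_sockets MASTER_CF MILTER_SPEC
# One line per smtpd service: which path it opens and whether a socket exists.
check_milter_sockets() {
  smtpd_chroot_flags "$1" | while read -r svc flag; do
    p=$(resolve_milter_path "$flag" "$2")
    if [ -S "$p" ]; then state=present; else state=MISSING; fi
    echo "$svc (chroot=$flag) opens $p: $state"
  done
}

# Usage: ./milter_paths.sh /etc/postfix/master.cf 'local:opendkim/opendkim.sock'
if [ $# -eq 2 ]; then
  check_milter_sockets "$1" "$2"
fi
```

Run it once with the `smtpd_milters` value you intend to use; every smtpd line should report the same path and `present`. Mixed results mean the chroot columns disagree, which no single absolute `local:` path can satisfy.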


#20

Me neither.
Maybe you should post your problem on a postfix forum.