Sendmail: Getting error on private key when trying to sent out via TLS/SSl

ossedk · September 13, 2016, 2:03pm

Hello,

We are getting crazy here!

We keep getting this error on our server when trying to sent out mails via TLS/SSL

Sep 13 16:02:42 woolspire sm-mta[7475]: STARTTLS=client, error: SSL_CTX_use_PrivateKey_file(/etc/ssl/woolspire.crt) failed
Sep 13 16:02:42 woolspire sm-mta[7475]: STARTTLS=client, error: SSL_CTX_check_private_key failed(/etc/ssl/woolspire.crt): 0

What are we doing wrong here to be able to sent out via sendmail and apache2.4 ?

serverco · September 13, 2016, 2:10pm

I’d suspect that the settings in your sendmail.cf are incorrect. It could possibly also be due to the version of openssl you have installed on that server.

What is your config ?

ossedk · September 13, 2016, 2:16pm

Hello serverco,

Many thanks for your help.

here is the edited sendmail.cf

# CA directory
O CACertPath=/etc/ssl
# CA file
O CACertFile=/etc/ssl/intermediate.ca
# Server Cert
O ServerCertFile=/etc/ssl/woolspire.crt
# Server private key
O ServerKeyFile=/etc/ssl/woolspire.key
# Client Cert
#O ClientCertFile=/etc/ssl/woolspire.crt
# Client private key
O ClientKeyFile=/etc/ssl/woolspire.crt
# File containing certificate revocation lists
#O CRLFile
# DHParameters (only required if DSA/DH is used)
#O DHParameters
# Random data source (required for systems without /dev/urandom under OpenSSL)
#O RandFile

Version of OpenSSL: OpenSSL 1.0.1f 6 Jan 2014

cpu · September 13, 2016, 2:24pm

This strikes me as strange - are you 100% sure you want to be configuring mutually authenticated TLS with a ClientKeyFile? If so I'd also expect to see the ClientCertFile uncommented. For a mailserver intended to send mail to other Internet mailservers I wouldn't expect you to need a client certificate or key to send outbound STARTTLS mail at all. Maybe you could try commenting out the ClientKeyFile line and trying again?

Edit: This is definitely the problem I read more carefully and you're using the .crt file as the ClientKeyFile. As expected sendmail balks at using a certificate as a private key for client authentication.

ossedk · September 13, 2016, 2:29pm

If I comment out ClientKeyFile, I don’t get the error as before but:

Sep 13 16:27:55 woolspire sendmail[8803]: STARTTLS=client, relay=[127.0.0.1], version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-GCM-SHA384, bits=256/256

But verify is still FAIL ?

SPF record is set.

cpu · September 13, 2016, 2:31pm

What is the remote mailserver you are trying to send the test message to?

What operating system/distro/version is this server? You might also need to change this to /etc/ssl/certs.

ossedk · September 13, 2016, 2:40pm

You were right

The combination of your to edits - did the job!

change to /certs and remove clientprivatekey - got it verified.

There is only one issue - and I don’t know if you know how we can avoid this. But the mails still end up in spam folder?

cpu · September 13, 2016, 3:35pm

Woo hoo Glad to hear it.

That problem is likely a bit too complicated & out of scope for this forum. I'm afraid I don't have any answers that will help. Good luck!

system · October 13, 2016, 3:35pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.