I’m trying to enable TLS on Postfix but the daemon is crashing:<\/p>\n
Sep 16 16:00:38 core postfix\/master[1689]: warning: process \/usr\/libexec\/postfix\/smtpd pid 1694 killed by signal 11\nSep 16 16:00:38 core postfix\/master[1689]: warning: \/usr\/libexec\/postfix\/smtpd: bad command startup -- throttling\n<\/code><\/pre>\nThis is OpenVZ container (CentOS 6.3 x86_64) with two IPs<\/p>\n
# postconf -n\nalias_database = hash:\/etc\/aliases\nalias_maps = hash:\/etc\/aliases\nbroken_sasl_auth_clients = yes\ncommand_directory = \/usr\/sbin\nconfig_directory = \/etc\/postfix\ndaemon_directory = \/usr\/libexec\/postfix\ndata_directory = \/var\/lib\/postfix\ndebug_peer_level = 2\ndisable_vrfy_command = yes\nhome_mailbox = Maildir\/\nhtml_directory = no\ninet_interfaces = all\ninet_protocols = all\nlocal_recipient_maps = \nmail_owner = postfix\nmailbox_command = \nmailq_path = \/usr\/bin\/mailq.postfix\nmanpage_directory = \/usr\/share\/man\nmydestination = $myhostname, localhost.$mydomain, localhost\nmydomain = domain.com\nmyhostname = mail.domain.com\nmynetworks = 127.0.0.0\/8\nmyorigin = $mydomain\nnewaliases_path = \/usr\/bin\/newaliases.postfix\nqueue_directory = \/var\/spool\/postfix\nreadme_directory = \/usr\/share\/doc\/postfix-2.6.6\/README_FILES\nrelay_domains = \nsample_directory = \/usr\/share\/doc\/postfix-2.6.6\/samples\nsendmail_path = \/usr\/sbin\/sendmail.postfix\nsetgid_group = postdrop\nsmtp_tls_note_starttls_offer = yes\nsmtp_tls_session_cache_database = btree:\/var\/lib\/postfix\/smtpd_tls_cache.db\nsmtp_use_tls = yes\nsmtpd_delay_reject = yes\nsmtpd_error_sleep_time = 1s\nsmtpd_hard_error_limit = 20\nsmtpd_helo_required = yes\nsmtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit\nsmtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_destination reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net, permit\nsmtpd_sasl_auth_enable = yes\nsmtpd_sasl_local_domain = $myhostname\nsmtpd_sasl_path = private\/auth\nsmtpd_sasl_security_options = noanonymous\nsmtpd_sasl_type = dovecot\nsmtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit\nsmtpd_soft_error_limit = 10\nsmtpd_tls_CAfile = \/etc\/postfix\/ssl\/cacert.pem\nsmtpd_tls_cert_file = \/etc\/postfix\/ssl\/smtpd.crt\nsmtpd_tls_key_file = \/etc\/postfix\/ssl\/smtpd.key\nsmtpd_tls_loglevel = 1\nsmtpd_tls_received_header = yes\nsmtpd_tls_session_cache_timeout = 3600s\nsmtpd_use_tls = yes\ntls_random_source = dev:\/dev\/urandom\nunknown_local_recipient_reject_code = 550\n<\/code><\/pre>\n# postconf -a\ncyrus\ndovecot\n<\/code><\/pre>\n# ldd \/usr\/libexec\/postfix\/smtpd\n linux-vdso.so.1 => (0x00007fff10dfe000)\n libldap-2.4.so.2 => \/lib64\/libldap-2.4.so.2 (0x00007f8a01c2c000)\n liblber-2.4.so.2 => \/lib64\/liblber-2.4.so.2 (0x00007f8a01a1d000)\n libpcre.so.0 => \/lib64\/libpcre.so.0 (0x00007f8a017f0000)\n libmysqlclient.so.16 => \/usr\/lib64\/libmysqlclient.so.16 (0x00007f8a014ea000)\n libm.so.6 => \/lib64\/libm.so.6 (0x00007f8a01266000)\n libsasl2.so.2 => \/usr\/lib64\/libsasl2.so.2 (0x00007f8a0104b000)\n libssl.so.10 => \/usr\/lib64\/libssl.so.10 (0x00007f8a00df0000)\n libcrypto.so.10 => \/usr\/lib64\/libcrypto.so.10 (0x00007f8a00a56000)\n libdl.so.2 => \/lib64\/libdl.so.2 (0x00007f8a00851000)\n libz.so.1 => \/lib64\/libz.so.1 (0x00007f8a0063b000)\n libdb-4.7.so => \/lib64\/libdb-4.7.so (0x00007f8a002c7000)\n libnsl.so.1 => \/lib64\/libnsl.so.1 (0x00007f8a000ad000)\n libresolv.so.2 => \/lib64\/libresolv.so.2 (0x00007f89ffe93000)\n libc.so.6 => \/lib64\/libc.so.6 (0x00007f89ffb00000)\n libssl3.so => \/usr\/lib64\/libssl3.so (0x00007f89ff8c3000)\n libsmime3.so => \/usr\/lib64\/libsmime3.so (0x00007f89ff697000)\n libnss3.so => \/usr\/lib64\/libnss3.so (0x00007f89ff35b000)\n libnssutil3.so => \/usr\/lib64\/libnssutil3.so (0x00007f89ff134000)\n libplds4.so => \/lib64\/libplds4.so (0x00007f89fef30000)\n libplc4.so => \/lib64\/libplc4.so (0x00007f89fed2b000)\n libnspr4.so => \/lib64\/libnspr4.so (0x00007f89feaed000)\n libpthread.so.0 => \/lib64\/libpthread.so.0 (0x00007f89fe8d0000)\n libcrypt.so.1 => \/lib64\/libcrypt.so.1 (0x00007f89fe699000)\n libgssapi_krb5.so.2 => \/lib64\/libgssapi_krb5.so.2 (0x00007f89fe456000)\n libkrb5.so.3 => \/lib64\/libkrb5.so.3 (0x00007f89fe177000)\n libcom_err.so.2 => \/lib64\/libcom_err.so.2 (0x00007f89fdf73000)\n libk5crypto.so.3 => \/lib64\/libk5crypto.so.3 (0x00007f89fdd46000)\n \/lib64\/ld-linux-x86-64.so.2 (0x00007f8a02102000)\n libfreebl3.so => \/lib64\/libfreebl3.so (0x00007f89fdae4000)\n libkrb5support.so.0 => \/lib64\/libkrb5support.so.0 (0x00007f89fd8d8000)\n libkeyutils.so.1 => \/lib64\/libkeyutils.so.1 (0x00007f89fd6d5000)\n libselinux.so.1 => \/lib64\/libselinux.so.1 (0x00007f89fd4b5000)\n<\/code><\/pre>\n# cat \/etc\/postfix\/master.cf | grep -v \"^#\"\nsmtp inet n - n - - smtpd -v\nsmtps inet n - n - - smtpd\n -o smtpd_sasl_auth_enable=yes\n -o smtpd_reject_unlisted_sender=yes\n -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject\n -o broken_sasl_auth_clients=yes \npickup fifo n - n 60 1 pickup\ncleanup unix n - n - 0 cleanup\nqmgr fifo n - n 300 1 qmgr\ntlsmgr unix - - n 1000? 1 tlsmgr\nrewrite unix - - n - - trivial-rewrite\nbounce unix - - n - 0 bounce\ndefer unix - - n - 0 bounce\ntrace unix - - n - 0 bounce\nverify unix - - n - 1 verify\nflush unix n - n 1000? 0 flush\nproxymap unix - - n - - proxymap\nproxywrite unix - - n - 1 proxymap\nsmtp unix - - n - - smtp\nrelay unix - - n - - smtp\n -o smtp_fallback_relay=\nshowq unix n - n - - showq\nerror unix - - n - - error\nretry unix - - n - - error\ndiscard unix - - n - - discard\nlocal unix - n n - - local\nvirtual unix - n n - - virtual\nlmtp unix - - n - - lmtp\nanvil unix - - n - 1 anvil\nscache unix - - n - 1 scache\n<\/code><\/pre>\nRequested information from the comment:<\/strong><\/p>\n# { postconf -d; postconf -d; postconf -n; } | sort | uniq -u\nalias_maps = hash:\/etc\/aliases\nbroken_sasl_auth_clients = yes\ndisable_vrfy_command = yes\nhome_mailbox = Maildir\/\ninet_protocols = all\nlocal_recipient_maps = \nmailq_path = \/usr\/bin\/mailq.postfix\nmanpage_directory = \/usr\/share\/man\nmydestination = $myhostname, localhost.$mydomain, localhost, $mydomain\nmyhostname = mail.domain.com\nmynetworks = 127.0.0.0\/8\nmyorigin = $mydomain\nnewaliases_path = \/usr\/bin\/newaliases.postfix\nreadme_directory = \/usr\/share\/doc\/postfix-2.6.6\/README_FILES\nrelay_domains = \nsample_directory = \/usr\/share\/doc\/postfix-2.6.6\/samples\nsendmail_path = \/usr\/sbin\/sendmail.postfix\nsmtpd_hard_error_limit = 20\nsmtpd_helo_required = yes\nsmtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit\nsmtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_destination, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net, permit\nsmtpd_sasl_auth_enable = yes\nsmtpd_sasl_local_domain = $myhostname\nsmtpd_sasl_path = private\/auth\nsmtpd_sasl_type = dovecot\nsmtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit\nsmtpd_tls_auth_only = yes\nsmtpd_tls_CAfile = \/etc\/postfix\/ssl\/cacert.pem\nsmtpd_tls_cert_file = \/etc\/postfix\/ssl\/smtpd.crt\nsmtpd_tls_key_file = \/etc\/postfix\/ssl\/smtpd.key\nsmtpd_tls_loglevel = 2\nsmtpd_tls_received_header = yes\nsmtpd_tls_security_level = may\nsmtpd_tls_session_cache_database = btree:${data_directory}\/smtpd_tls_session_cache\nsmtp_tls_note_starttls_offer = yes\n<\/code><\/pre>\nPostfix version:<\/p>\n
# postconf mail_version\nmail_version = 2.6.6\n<\/code><\/pre>\nLogs (telnet 127.0.0.1 25):<\/p>\n
Sep 18 14:07:25 core postfix\/postfix-script[4078]: starting the Postfix mail system\nSep 18 14:07:25 core postfix\/master[4079]: daemon started -- version 2.6.6, configuration \/etc\/postfix\nSep 18 14:07:49 core postfix\/smtpd[4083]: initializing the server-side TLS engine\nSep 18 14:07:49 core postfix\/tlsmgr[4084]: open smtpd TLS cache btree:\/var\/lib\/postfix\/smtpd_tls_session_cache\nSep 18 14:07:49 core postfix\/tlsmgr[4084]: tlsmgr_cache_run_event: start TLS smtpd session cache cleanup\nSep 18 14:07:49 core postfix\/master[4079]: warning: process \/usr\/libexec\/postfix\/smtpd pid 4083 killed by signal 11\nSep 18 14:07:49 core postfix\/master[4079]: warning: \/usr\/libexec\/postfix\/smtpd: bad command startup -- throttling\n<\/code><\/pre>\n\n- \n
\nsmtp_tls_session_cache_database = btree:\/var\/lib\/postfix\/smtpd_tls_cache.db<\/p>\n<\/blockquote>\n
NOTE that smtp != smtp*d*<\/strong>.<\/p>\nYou have not set smtpD_tls_session_cache_database, and this setting has no default<\/em><\/strong>.<\/p>\nAdd it and reload.<\/p>\n
EDIT: meh, it’s not actually required. Oh well, perhaps somme more logging will give us a clue.<\/p>\n
RE-EDIT: please do the following:<\/p>\n
\n- stop postfix:
postfix stop<\/code><\/li>\n- clear the logs with
mv \/var\/log\/mail.log ~\/mail.log.bak<\/code> and restart your syslog service<\/strong><\/li>\n- show the output of
{ postconf -d; postconf -d; postconf -n; } | sort | uniq -u<\/code>, as this will show us what was set in main.cf that is not a default<\/em><\/li>\n- show the output of
postconf mail_version<\/code><\/li>\n- edit main.cf and set
inet_interfaces = 127.0.0.1<\/code> and debug_peer_list = 127.0.0.1<\/code><\/li>\n- start postfix:
postfix start<\/code><\/li>\n- make a connection using telnet to the local server:
telnet 127.0.0.1 25<\/code><\/li>\n- observe what happens and post the clean logs from the beginning.<\/li>\n<\/ul>\n<\/li>\n
- \n
Okay so I’m comparing this to my working Postfix+Dovecot solution that is using TLS just fine at this point. The version is newer than you’re reporting as this is running on Ubuntu 12.04 LTS.<\/p>\n
# postconf mail_version\nmail_version = 2.9.3\n<\/code><\/pre>\nNow if I check only my non-default smtpd_*<\/code> settings I have the following:<\/p>\n# postconf -n |grep ^smtpd_\nsmtpd_banner = $myhostname ESMTP $mail_name\nsmtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org\nsmtpd_data_restrictions = reject_unauth_pipelining\nsmtpd_delay_reject = yes\nsmtpd_hard_error_limit = 12\nsmtpd_helo_required = yes\nsmtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit\nsmtpd_recipient_limit = 16\nsmtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, permit\nsmtpd_sasl_auth_enable = yes\nsmtpd_sasl_authenticated_header = yes\nsmtpd_sasl_local_domain =\nsmtpd_sasl_path = private\/auth\nsmtpd_sasl_security_options = noanonymous\nsmtpd_sasl_type = dovecot\nsmtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit\nsmtpd_soft_error_limit = 3\nsmtpd_tls_CAfile = \/etc\/ssl\/certs\/ca-certificates.crt\nsmtpd_tls_cert_file = \/etc\/ssl\/certs\/server.example.net.crt\nsmtpd_tls_key_file = \/etc\/ssl\/private\/server.example.net.key\nsmtpd_tls_loglevel = 1\nsmtpd_tls_received_header = yes\nsmtpd_tls_security_level = may\nsmtpd_tls_session_cache_timeout = 3600s\nsmtpd_use_tls = yes\n<\/code><\/pre>\nAnother difference between my system and yours is that I am running in a chroot so my master.cf<\/code> has the following for comparison:<\/p>\nsmtp inet n - - - - smtpd\n#smtp inet n - - - 1 postscreen\n#smtpd pass - - - - - smtpd\n#dnsblog unix - - - - 0 dnsblog\n#tlsproxy unix - - - - 0 tlsproxy\nsubmission inet n - - - - smtpd\n -o syslog_name=postfix\/submission\n -o smtpd_tls_security_level=encrypt\n -o smtpd_sasl_auth_enable=yes\n -o smtpd_client_restrictions=permit_sasl_authenticated,reject\n -o milter_macro_daemon_name=ORIGINATING\n#smtps inet n - - - - smtpd\n# -o syslog_name=postfix\/smtps\n# -o smtpd_tls_wrappermode=yes\n# -o smtpd_sasl_auth_enable=yes\n# -o smtpd_client_restrictions=permit_sasl_authenticated,reject\n# -o milter_macro_daemon_name=ORIGINATING\n<\/code><\/pre>\nAs you can tell by reading that I’m only listening on 25\/tcp (smtp) and 587\/tcp (submission) as there is no need for 465\/tcp (smtps) as 25\/tcp will support STARTTLS and 587\/tcp requires STARTTLS.<\/p>\n
About the only real significant difference I could tell from my master.cf<\/code> and yours was that you have smtp starting with smtpd -v<\/code> and I simply have smtpd<\/code><\/p>\nI question what caused the log entries for postfix\/tlsmgr as simply telneting to port 25 should not have even initiated the TLS connection unless the STARTTLS command was given once connected and then to properly test that you would be better off testing using:<\/p>\n
openssl s_client -connect localhost:25 -starttls smtp -CApath \/etc\/ssl\/certs\n<\/code><\/pre>\nNotes for my SSL setup: I instal the ca-certificates<\/code> package and then place my certificate under \/etc\/ssl\/certs<\/code> and my key under \/etc\/ssl\/private<\/code>. I then stick my intermediate CA under \/usr\/local\/share\/ca-certificates<\/code> and run update-ca-certificates. This re-generates the<\/code>ca-certificates.crtand creates the proper symlinks under<\/code>\/etc\/ssl\/certs`.<\/p>\n<\/li>\n<\/ol>\nOriginally posted 2014-01-02 12:06:11. <\/small><\/p>","protected":false},"excerpt":{"rendered":"
I’m trying to enable TLS on Postfix but the daemon is crashing: Sep 16 16:00:38 core postfix\/master[1689]: warning: process \/usr\/libexec\/postfix\/smtpd pid 1694 killed by signal 11 Sep 16 16:00:38 core postfix\/master[1689]: warning: \/usr\/libexec\/postfix\/smtpd: bad command startup — throttling This is OpenVZ container (CentOS 6.3 x86_64) with two IPs # postconf -n alias_database = hash:\/etc\/aliases alias_maps […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2113","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts\/2113","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/comments?post=2113"}],"version-history":[{"count":0,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts\/2113\/revisions"}],"wp:attachment":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/media?parent=2113"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/categories?post=2113"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/tags?post=2113"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}