I'm trying to configure mail forwarding through Gmail on CentOS 6 with postfix, following the blog http://carlton.oriley.net/blog/?p=31 and I think the blog has missed the step:
# postmap /etc/postfix/sasl_passwd
- as I've seen in the /var/log/maillog:
postfix/smtp[1926]: fatal: open database /etc/postfix/sasl_passwd.db: No such file or directory
postfix/master[1831]: warning: process /usr/libexec/postfix/smtp pid 1926 exit status 1
postfix/master[1831]: warning: /usr/libexec/postfix/smtp: bad command startup -- throttling
But when I try to run postmap, I get
postmap: fatal: open database /etc/postfix/sasl_passwd.db: Permission denied
even though the postfix service is stopped, the SELinux is permissive and the file is writable:
[root@preferans postfix]# ll
-rw-r--r--. 1 root root 20K Jun 25 14:50 access
-rw-r--r--. 1 root root 12K Jun 25 14:50 canonical
-rw-r--r--. 1 root root 9.7K Jun 25 14:50 generic
-rw-r--r--. 1 root root 18K Jun 25 14:50 header_checks
-rw-r--r--. 1 root root 27K Oct 4 20:24 main.cf
-rw-r--r--. 1 root root 27K Oct 4 20:23 main.cf.OLD
-rw-r--r--. 1 root root 5.0K Jun 25 14:50 master.cf
-rw-r--r--. 1 root root 6.7K Jun 25 14:50 relocated
-rw-r--r--. 1 postfix root 113 Oct 4 20:25 sasl_passwd
-rw-r--r--. 1 root root 13K Jun 25 14:50 transport
-rw-r--r--. 1 root root 13K Jun 25 14:50 virtual
Has anybody fought this problem already?
Thank you
Alex
Alexander Farber wrote:
I'm trying to configure mail forwarding through Gmail on CentOS 6 with postfix, following the blog http://carlton.oriley.net/blog/?p=31 and I think the blog has missed the step:
# postmap /etc/postfix/sasl_passwd
- as I've seen in the /var/log/maillog:
postfix/smtp[1926]: fatal: open database /etc/postfix/sasl_passwd.db: No such file or directory
<snip>
But when I try to run postmap, I get
postmap: fatal: open database /etc/postfix/sasl_passwd.db: Permission denied
even though the postfix service is stopped, the SELinux is permissive and the file is writable:
[root@preferans postfix]# ll
-rw-r--r--. 1 root root 20K Jun 25 14:50 access
<snip>
One thing I keep finding very annoying with most versions of Linux is the alias for ll, which is *not* what I was used to in sun, Solaris, Irix, or Tru64. Out of curiosity, try ls -laF /etc/postfix, and the libexec, and let's see what permissions and ownerships the *directories* have.
mark
Thank you, the "ls -laF" tip is good....
And now I unfortunately get:
postfix/postfix-script[2054]: starting the Postfix mail system
postfix/master[2056]: daemon started -- version 2.6.6, configuration /etc/postfix
postfix/qmgr[2059]: F10CC31D62CC: from=root@preferans.localdomain, size=609, nrcpt=1 (queue active)
postfix/smtp[2061]: warning: cannot get RSA certificate from file /etc/pki/tls/gmail_relay/server.pem: disabling TLS support
postfix/smtp[2061]: warning: TLS library problem: 2061:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: TRUSTED CERTIFICATE:
postfix/smtp[2061]: warning: TLS library problem: 2061:error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib:ssl_rsa.c:729:
postfix/smtp[2061]: F10CC31D62CC: to=Alexander.Farber@gmail.com, orig_to=<root>, relay=smtp.gmail.com[74.125.39.109]:587, delay=2963, delays=2963/0.07/0.03/0.01, dsn=5.7.0, status=bounced (host smtp.gmail.com[74.125.39.109] said: 530 5.7.0 Must issue a STARTTLS command first. m26sm26530788fac.6 (in reply to MAIL FROM command))
postfix/cleanup[2064]: 2FE0C31D6686: message-id=20111004191529.2FE0C31D6686@preferans.localdomain
postfix/bounce[2063]: F10CC31D62CC: sender non-delivery notification: 2FE0C31D6686
postfix/qmgr[2059]: 2FE0C31D6686: from=<>, size=2696, nrcpt=1 (queue active)
postfix/qmgr[2059]: F10CC31D62CC: removed
Even though I have at the bottom of main.cf:
#### GMail SSL SMTP Relay
relayhost = [smtp.gmail.com]:587
#auth
smtp_sasl_auth_enable=yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

#tls
smtp_use_tls = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_note_starttls_offer = yes
tls_random_source = dev:/dev/urandom
smtp_tls_scert_verifydepth = 5
smtp_tls_key_file=/etc/pki/tls/gmail_relay/server.key
smtp_tls_cert_file=/etc/pki/tls/gmail_relay/server.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_req_ccert =no
smtp_tls_enforce_peername = no
On Tue, Oct 4, 2011 at 9:18 PM, Alexander Farber alexander.farber@gmail.com wrote:
postfix/smtp[2061]: F10CC31D62CC: to=Alexander.Farber@gmail.com, orig_to=<root>, relay=smtp.gmail.com[74.125.39.109]:587, delay=2963, delays=2963/0.07/0.03/0.01, dsn=5.7.0, status=bounced (host smtp.gmail.com[74.125.39.109] said: 530 5.7.0 Must issue a STARTTLS command first. m26sm26530788fac.6 (in reply to MAIL FROM command))
postfix/cleanup[2064]: 2FE0C31D6686: message-id=20111004191529.2FE0C31D6686@preferans.localdomain
On Oct 4, 2011, at 12:18 PM, Alexander Farber wrote:
Thank you, the "ls -laF" tip is good....
And now I unfortunately get:
postfix/postfix-script[2054]: starting the Postfix mail system
postfix/master[2056]: daemon started -- version 2.6.6, configuration /etc/postfix
postfix/qmgr[2059]: F10CC31D62CC: from=root@preferans.localdomain, size=609, nrcpt=1 (queue active)
postfix/smtp[2061]: warning: cannot get RSA certificate from file /etc/pki/tls/gmail_relay/server.pem: disabling TLS support
postfix/smtp[2061]: warning: TLS library problem: 2061:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: TRUSTED CERTIFICATE:
postfix/smtp[2061]: warning: TLS library problem: 2061:error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib:ssl_rsa.c:729:
postfix/smtp[2061]: F10CC31D62CC: to=Alexander.Farber@gmail.com, orig_to=<root>, relay=smtp.gmail.com[74.125.39.109]:587, delay=2963, delays=2963/0.07/0.03/0.01, dsn=5.7.0, status=bounced (host smtp.gmail.com[74.125.39.109] said: 530 5.7.0 Must issue a STARTTLS command first. m26sm26530788fac.6 (in reply to MAIL FROM command))
postfix/cleanup[2064]: 2FE0C31D6686: message-id=20111004191529.2FE0C31D6686@preferans.localdomain
postfix/bounce[2063]: F10CC31D62CC: sender non-delivery notification: 2FE0C31D6686
postfix/qmgr[2059]: 2FE0C31D6686: from=<>, size=2696, nrcpt=1 (queue active)
postfix/qmgr[2059]: F10CC31D62CC: removed
---- this is your problem and it is significant...
postfix/smtp[2061]: warning: TLS library problem: 2061:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: TRUSTED CERTIFICATE:
postfix/smtp[2061]: warning: TLS library problem: 2061:error:140DC009:SSL
There's something wrong with this file as it is not a PEM encoded certificate file as is expected.
Easy enough to verify...
openssl x509 -in $YOUR_CERTIFICATE.pem -noout -text
Craig
Hello,
On Tue, Oct 4, 2011 at 10:37 PM, Craig White craig.white@ttiltd.com wrote:
postfix/smtp[2061]: warning: TLS library problem: 2061:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: TRUSTED CERTIFICATE:
postfix/smtp[2061]: warning: TLS library problem: 2061:error:140DC009:SSL
There's something wrong with this file as it is not a PEM encoded certificate file as is expected.
Easy enough to verify...
openssl x509 -in $YOUR_CERTIFICATE.pem -noout -text
oops, sorry, after struggling I've just deleted that file and installed sendmail. I'll try your suggestion later though with my development VM.
Could the reason also be that I've started with a minimalistic CentOS 6 installation and was missing the cyrus-sasl-plain and cyrus-sasl-md5 packages?
Thank you
Alex
On Oct 4, 2011, at 1:46 PM, Alexander Farber wrote:
Hello,
On Tue, Oct 4, 2011 at 10:37 PM, Craig White craig.white@ttiltd.com wrote:
postfix/smtp[2061]: warning: TLS library problem: 2061:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:698:Expecting: TRUSTED CERTIFICATE:
postfix/smtp[2061]: warning: TLS library problem: 2061:error:140DC009:SSL
There's something wrong with this file as it is not a PEM encoded certificate file as is expected.
Easy enough to verify...
openssl x509 -in $YOUR_CERTIFICATE.pem -noout -text
oops, sorry, after struggling I've just deleted that file and installed sendmail. I'll try your suggestion later though with my development VM.
Could the reason also be that I've started with a minimalistic CentOS 6 installation and was missing the cyrus-sasl-plain and cyrus-sasl-md5 packages?
---- I personally have found postfix much easier to deal with in all phases, especially with details such as sasl and ldap.
I think your issue was not understanding what the certificates are, how they are created, how they interact, etc. and thus your issue really isn't going to be solved with either postfix or sendmail but rather certificates in general.
If you are going to have self-signed certificates, you need a mechanism to:
1 - create a CA (Certificate Authority) and generate a private key and a CA Certificate. This private key would be needed to sign certificate requests.
2 - generate a signing request for various services such as an SMTP server - this should include a directive to output the key into a separate file. This key is NOT the CA key.
3 - sign the request which generates a PEM encoded certificate and thus you should end up with 3 files useful for your SMTP server:
- ca certificate
- smtp certificate
- smtp key (for the certificate)
This methodology counts on various SMTP servers to not verify the client certificate your SMTP server presents (ie, Google in your case if I recall correctly) which is generally the case.
I have implemented a reasonably feature complete set of scripts to be my own CA with 4 distinct certificate types (1 for HTTP server, 1 for IMAP servers, 1 for SMTP servers and 1 for LDAP servers) and a reasonably feature complete set of scripts for an LDAP server (master), LDAP server (slave aka replicant) and LDAP clients and at some point, I will try to figure out a way to pass this info on to others but I suspect that it will take a long time to document because I would suspect that the target audience isn't fully up to speed.
I don't think either of the 2 cyrus-sasl packages you mentioned are required to send e-mail via tls to Google's SMTP server but I haven't installed RHEL or CentOS 6 so I wouldn't know but those are very small packages and won't hurt to install... I think they are both geared to your server authenticating users but I am not sure.
Craig
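The three steps listed in this reply, followed by the kind of check `openssl x509 -in ... -noout -text` performs, as an added example that is not part of the original thread. The directory layout, subject names, file names and result strings are assumptions.

```shell
#!/bin/sh
# Added example; directory, subject names and file names are assumptions.

# Steps 1-3: private CA, separate SMTP key plus signing request, signed certificate.
make_smtp_cert() {
    dir=$1
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # 1 - CA private key and self-signed CA certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Private CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # 2 - SMTP key (not the CA key) written to its own file, plus the request
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=mail.example.test" \
        -keyout "$dir/smtp.key" -out "$dir/smtp.csr" 2>/dev/null || return 1
    # 3 - sign the request with the CA key; the output is a PEM certificate
    openssl x509 -req -in "$dir/smtp.csr" -days 365 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/smtp.pem" 2>/dev/null || return 1
    chmod 600 "$dir/ca.key" "$dir/smtp.key"
}

# Pre-flight check before a mail server is pointed at the files.
# Prints one of: ok, not-pem, untrusted, key-mismatch.
check_smtp_cert() {
    cert=$1; key=$2; ca=$3
    # Fails on the "no start line" case from the log: file is not a PEM certificate
    openssl x509 -in "$cert" -noout 2>/dev/null || { echo not-pem; return 1; }
    # The certificate must chain to the CA certificate that signed it
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo untrusted; return 1; }
    # The key belongs to the certificate only if the public halves match
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo key-mismatch; return 1; }
    echo ok
}
```

In the Postfix configuration quoted earlier in the thread, smtp.pem and smtp.key are the kind of files that smtp_tls_cert_file and smtp_tls_key_file name.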
Thanks Craig for your comments.
I've got my sendmail on CentOS 6 working with:
# yum erase postfix
# yum install sendmail sendmail-cf

# mkdir /etc/mail/auth
# chmod 700 /etc/mail/auth
# mkdir /etc/mail/certs
# chmod 700 /etc/mail/certs
Create the file /etc/mail/auth/client-info:
AuthInfo:smtp.gmail.com "U:smmsp" "I:Alexander.Farber" "P:XXX" "M:PLAIN"
AuthInfo:smtp.gmail.com:587 "U:smmsp" "I:Alexander.Farber" "P:XXX" "M:PLAIN"

# cd /etc/mail/auth
# makemap -r hash client-info.db < client-info

# cd /etc/mail/certs
# openssl dsaparam 1024 -out dsa1024.pem
# openssl req -x509 -nodes -days 3650 -newkey dsa:dsa1024.pem -out /etc/mail/certs/mycert.pem -keyout /etc/mail/certs/mykey.pem
# ln -s /etc/mail/certs/mycert.pem /etc/mail/certs/CAcert.pem
# rm dsa1024.pem
# chmod 400 *.pem
Added to file /etc/mail/sendmail.mc:
define(`SMART_HOST', `smtp.gmail.com')dnl
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')
define(`confCACERT_PATH', `CERT_DIR')
define(`confCACERT', `CERT_DIR/CAcert.pem')
define(`confSERVER_CERT', `CERT_DIR/mycert.pem')
define(`confSERVER_KEY', `CERT_DIR/mykey.pem')
define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')
define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')
Then "make" in /etc/mail and "service sendmail restart"
I understand your point that it is stupid of me (and probably many other users) to ask same questions again and again, without really understanding what's going on :-)
The file /etc/pki/tls/misc/CA.pl on CentOS is cumbersome to understand though. I tried creating ./CA.pl -newca etc. but then I wanted to start over because of an invalid input made by myself and I didn't even know how.
I know CA.pl keeps a text file somewhere where it stores increasing integer numbers... but couldn't find it
Regards
Alex
Also needed for Gmail in sendmail.mc:
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(`authinfo',`hash /etc/mail/auth/client-info')dnl
Never mind - solved that by
# sudo chown root.root sasl_passwd
(sorry, too tired in the evening)
On Tue, Oct 4, 2011 at 9:04 PM, Alexander Farber alexander.farber@gmail.com wrote:
I'm trying to configure mail forwarding through Gmail on CentOS 6 with postfix, following the blog http://carlton.oriley.net/blog/?p=31 and I think the blog has missed the step:
# postmap /etc/postfix/sasl_passwd
- as I've seen in the /var/log/maillog:
postfix/smtp[1926]: fatal: open database /etc/postfix/sasl_passwd.db: No such file or directory
postfix/master[1831]: warning: process /usr/libexec/postfix/smtp pid 1926 exit status 1
postfix/master[1831]: warning: /usr/libexec/postfix/smtp: bad command startup -- throttling
But when I try to run postmap, I get
postmap: fatal: open database /etc/postfix/sasl_passwd.db: Permission denied
even though the postfix service is stopped, the SELinux is permissive and the file is writable:
[root@preferans postfix]# ll
-rw-r--r--. 1 root root 20K Jun 25 14:50 access
-rw-r--r--. 1 root root 12K Jun 25 14:50 canonical
-rw-r--r--. 1 root root 9.7K Jun 25 14:50 generic
-rw-r--r--. 1 root root 18K Jun 25 14:50 header_checks
-rw-r--r--. 1 root root 27K Oct 4 20:24 main.cf
-rw-r--r--. 1 root root 27K Oct 4 20:23 main.cf.OLD
-rw-r--r--. 1 root root 5.0K Jun 25 14:50 master.cf
-rw-r--r--. 1 root root 6.7K Jun 25 14:50 relocated
-rw-r--r--. 1 postfix root 113 Oct 4 20:25 sasl_passwd
-rw-r--r--. 1 root root 13K Jun 25 14:50 transport
-rw-r--r--. 1 root root 13K Jun 25 14:50 virtual
Has anybody fought this problem already?
Thank you
Alex
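The conditions behind this part of the thread (sasl_passwd owned by postfix rather than root, readable by group and others in the listing, and no sasl_passwd.db for postfix/smtp to open) can be checked before the service is started. An added example, not from the thread: the function name and result strings are assumptions, and `stat -c` is the GNU coreutils form found on CentOS.

```shell
#!/bin/sh
# Added example; function name and result strings are assumptions.
# Usage: check_sasl_map /etc/postfix/sasl_passwd [expected-uid, default 0]

check_sasl_map() {
    src=$1; want_uid=${2:-0}; db=$src.db
    [ -f "$src" ] || { echo missing-source; return 1; }
    for f in "$src" "$db"; do
        [ -f "$f" ] || continue
        set -- $(stat -c '%a %u' "$f")      # octal mode, numeric owner
        [ "$2" = "$want_uid" ] || { echo "owner:$f"; return 1; }
        # The file holds the relay password: no group or other access
        case $1 in
            0|*00) ;;
            *) echo "mode:$f"; return 1 ;;
        esac
    done
    # Without the compiled map postfix/smtp exits with
    # "open database ...sasl_passwd.db: No such file or directory"
    [ -f "$db" ] || { echo missing-db; return 1; }
    # A source edited after the last postmap run is not what Postfix reads
    [ "$src" -nt "$db" ] && { echo stale-db; return 1; }
    echo ok
}
```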