[CentOS] postmap: fatal: open database /etc/postfix/sasl_passwd.db: Permission denied

Tue Oct 4 23:08:58 UTC 2011
Craig White <craig.white at ttiltd.com>

On Oct 4, 2011, at 1:46 PM, Alexander Farber wrote:

> Hello,
> On Tue, Oct 4, 2011 at 10:37 PM, Craig White <craig.white at ttiltd.com> wrote:
>>> postfix/smtp[2061]: warning: TLS library problem:
>>> 2061:error:0906D06C:PEM routines:PEM_read_bio:no start
>>> line:pem_lib.c:698:Expecting: TRUSTED CERTIFICATE:
>>> postfix/smtp[2061]: warning: TLS library problem:
>>> 2061:error:140DC009:SSL
>> There's something wrong with this file as it is not a PEM encoded certificate file as is expected.
>> Easy enough to verify...
>> openssl x509 -in $YOUR_CERTIFICATE.pem -noout -text
> oops, sorry, after struggling I've just deleted
> that file and installed sendmail. I'll try your suggestion
> later though with my development VM.
> Could the reason also be that I've started with
> a minimalistic CentOS 6 installation and was
> missing the cyrus-sasl-plain and cyrus-sasl-md5 packages?
I personally have found postfix much easier to deal with in all phases, especially with details such as sasl and ldap.

I think your issue was not understanding what the certificates are, how they are created, how they interact, etc. and thus your issue really isn't going to be solved with either postfix or sendmail but rather certificates in general.

If you are going to have self-signed certificates, you need a mechanism to:

1 - create a CA (Certificate Authority) and generate a private key and a CA Certificate. This private key would be needed to sign certificate requests.

2 - generate a signing request for various services such as an SMTP server - this should include a directive to output the key into a separate file. This key is NOT the CA key.

3 - sign the request which generates a PEM encoded certificate and thus you should end up with 3 files useful for your SMTP server:
- ca certificate
- smtp certificate
- smtp key (for the certificate)

This methodology counts on various SMTP servers to not verify the client certificate your SMTP server presents (ie, Google in your case if I recall correctly) which is generally the case.

I have implemented a reasonably feature complete set of scripts to be my own CA with 4 distinct certificate types (1 for HTTP server, 1 for IMAP servers, 1 for SMTP servers and 1 for LDAP servers) and a reasonably feature complete set of scripts for an LDAP server (master), LDAP server (slave aka replicant) and LDAP clients and at some point, I will try to figure out a way to pass this info on to others but I suspect that it will take a long time to document because I would suspect that the target audience isn't fully up to speed.

I don't think either of the 2 cyrus-sasl packages you mentioned are required to send e-mail via tls to Google's SMTP server but I haven't installed RHEL or CentOS 6 so I wouldn't know but those are very small packages and won't hurt to install... I think they are both geared to your server authenticating users but I am not sure.