1

Topic: postfix authentication problem

==== Required information ====
- iRedMail version: 0.9
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  PGSQL
- Web server (Apache or Nginx): Apache
- Linux/BSD distribution name and version: Ubuntu14.04
- Related log if you're reporting an issue:
====

Hi.
I've just check this topic posted here but I've no answer to my problem http://www.iredmail.org/forum/topic2224 … ailed.html
I'm getting the exact same error but I cannot take the same path of solution since my certificates are being generated by my own ejbca, and this software doesn't support generating certificates without a passphrase. This is my mail.log and my dovecot.log. Further more, Idon;t know why but reading my dovecot.log it seems like I'm login in and then inmediatly I'm being logged out. It;s that correct.
Thanks in advance

Mail.log
May  7 12:44:08 correo1 postfix/smtpd[2636]: warning: cannot get RSA private key from file /etc/ssl/private/iRedMail.key: disabling TLS support
May  7 12:44:08 correo1 postfix/smtpd[2636]: warning: TLS library problem: error:0906406D:PEM routines:PEM_def_callback:problems getting password:pem_lib.c:111:
May  7 12:44:08 correo1 postfix/smtpd[2636]: warning: TLS library problem: error:0907B068:PEM routines:PEM_READ_BIO_PRIVATEKEY:bad password read:pem_pkey.c:109:
May  7 12:44:08 correo1 postfix/smtpd[2636]: warning: TLS library problem: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:
May  7 12:44:08 correo1 postfix/smtpd[2636]: connect from localhost[127.0.0.1]
May  7 12:44:09 correo1 postfix/cleanup[2638]: 00B92E17EA: message-id=<20150507194409.00B92E17EA@correo1.cujae.edu.cu>
May  7 12:44:09 correo1 postfix/qmgr[2587]: 00B92E17EA: from=<double-bounce@correo1.cujae.edu.cu>, size=907, nrcpt=1 (queue active)
May  7 12:44:09 correo1 postfix/smtpd[2636]: disconnect from localhost[127.0.0.1]
May  7 12:44:09 correo1 roundcube: SMTP Error: SMTP error: Authentication failure: Invalid response code received from server (Code: 454) in /usr/share/apache2/roundcubemail-1.0.4/program/lib/Roundcube/rcube.php on line 1505 (POST /mail/?_task=mail&_unlock=loading1431027848914&_lang=en_US&_framed=1?_task=mail&_action=send)

Dovecot.log
May 07 12:43:43 imap-login: Info: Login: user=<tony@etecsa.cu>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=2609, secured, session=<3TISIYMVkgB/AAAB>
May 07 12:43:43 imap(tony@etecsa.cu): Info: Disconnected: Logged out in=195 out=959
May 07 12:43:43 imap-login: Info: Login: user=<tony@etecsa.cu>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=2612, secured, session=<lGgUIYMVlAB/AAAB>
May 07 12:43:43 imap(tony@etecsa.cu): Info: Disconnected: Logged out in=70 out=668
May 07 12:43:43 imap-login: Info: Login: user=<tony@etecsa.cu>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=2620, secured, session=<9swaIYMVmQB/AAAB>
May 07 12:43:43 imap(tony@etecsa.cu): Info: Disconnected: Logged out in=290 out=1426
May 07 12:43:43 imap-login: Info: Login: user=<tony@etecsa.cu>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=2621, secured, session=<5VMbIYMVmgB/AAAB>

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2

Re: postfix authentication problem

could you run
ls -la /etc/ssl/private/iRedMail.key

3

Re: postfix authentication problem

I already think about that. I even give all permissions to the iRedMail.key on a deseperate acct and still doesn't work.

4

Re: postfix authentication problem

If you use your own SSL certificate, please update the private key file too. not just the cert file.
file '/etc/ssl/private/iRedMail.key' should be replaced by your own private key.

5

Re: postfix authentication problem

ZhangHuangbin wrote:

If you use your own SSL certificate, please update the private key file too. not just the cert file.
file '/etc/ssl/private/iRedMail.key' should be replaced by your own private key.

I've done that. Sorry if Ididn't make myself clear about the problem i'm getting.

I've created a certificate using the EJBCA software. This gives me certificate in .p12 format, so I split it in two files: the certificate (.crt format) and the key (.key format). I've copied this two files to their folders /etc/ssl/certs/ and /etc/ssl/private/ with the names iRedMail.crt and iRedMail.key, so that I don't need to change all the conf files (apache, dovecot,etc)
This key is the one that I think it's getting me in troubles. At first the dovecot wont let me login into roundcube, but I fixed this problem. Reading the logs i realize that the .key file was password protected, then with this directive "ssl_key_password = secret" on dovecot.conf it was solved.
Now I login on roundcube but when trying to send an email I get the above problem. I think that it could be similar to the issue with dovecot but in the postfix configuration, because the mail.log shows "cannot load private key...." So now i'm stuck. I've read some postfix documentation but I don't find anything.

PS: Is it normal the dovecot.log shown above? It shows  that I login but then it gets me logout??

Thanks for your quick response

6

Re: postfix authentication problem

You adding the key into Dovecot does not mean that Postfix knows it, you're best off decrypting the key and removing the password from Dovecot.
The mail.log is primarily Postfix, thus the log issue you are having.
Since more than just 1 or 2 packages need access to that key, its best if you decrypt it

7

Re: postfix authentication problem

7t3chguy wrote:

You adding the key into Dovecot does not mean that Postfix knows it, you're best off decrypting the key and removing the password from Dovecot.
The mail.log is primarily Postfix, thus the log issue you are having.
Since more than just 1 or 2 packages need access to that key, its best if you decrypt it

That's absolutly right. Me adding the key's password into dovecot doesn't mean that postfix sould know about it. But then again there sould be a directive that I could add into the postfix configuration (main.cf or similar) where I could do that, just like I've done it on dovecot.
And how do I decript the key file? This won't bring the level of security down? I mean, the key has a password for a reason, I think, right??
Thanks

8

Re: postfix authentication problem

If they key is just stored in a config file then there is 0 Extra security gained by encrypting it.
Something like:
openssl rsa -in /etc/ssl/private/iRedMail.key -out /etc/ssl/private/iRedMail.key
It should query you for the password.

Encrypted Private Keys are normally only for manual use, so that they are entered when a service boots up, or when they are likely to be moved on a device such as a flash drive. If its going to be static on a server, and its password in a config file, then its just detrimental.

9

Re: postfix authentication problem

You were absolutly right. I apply that command and it tottally worked. You can close this topic now. Thanks for all the help that you give me.

10

Re: postfix authentication problem

Glad you have it working - Closing