Ssl – Postfix ‘tlsv1 alert unknown ca’

dovecotpostfixssl

I have VPS (server A) and hosting (server B). On the server A, I've set up mail server (debian, postfix, dovecot, postfixadmin and roundcube, self-signed cert, TLS only auth) which works fine:

I can send and recieve messages logged via roundcube,
I can send and recieve messages from post client (eg thunderbird),
I can send emails from website on my local machine,
I can send emails from website hosted on server B (symfony2/swiftmailer).

Problem is that it's impossilble to send emails from website (exact copy of original website from server B) hosted on server A (same as mail server). I get following messages in log:

Oct 26 19:45:00 vps105120 postfix/smtpd[3107]: connect from domain[ip]
Oct 26 19:45:00 vps105120 postfix/smtpd[3107]: SSL_accept error from domain[ip]: 0
Oct 26 19:45:00 vps105120 postfix/smtpd[3107]: warning: TLS library problem: 3107:error:14094418:SSL rutines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1258:SSL alert number 48:
Oct 26 19:45:00 vps105120 postfix/smtpd[3107]: lost connection after STARTTLS from domain[ip]
Oct 26 19:45:00 vps105120 postfix/smtpd[3107]: disconnect from domain[ip]

Any ideas what to do with this?

Best Answer

I've figured it out :), as expected turned out to be as simple as possible...

My cert wasn't readable by openssl, after adding link named as cert hash to /etc/ssl/certs/ everything works like a charm.

Related Solutions

Linux – How to correct Postfix’ ‘Relay Access Denied’

TLS just enables encryption on the smtp session and doesn't directly affect whether or not Postfix will be allowed to relay a message.

The relaying denied message occurs because the smtpd_recipient_restrictions rules was not matched. One of those conditions must be fulfilled to allow the message to go through:

smtpd_recipient_restrictions =
    permit_sasl_authenticated
    check_recipient_access hash:/etc/postfix/filtered_domains
    permit_mynetworks
    reject_unauth_destination

To explain those rules:

permit_sasl_authenticated

permits authenticated senders through SASL. This will be necessary to authenticate users outside of your network which are normally blocked.

check_recipient_access

This will cause postfix to look in /etc/postfix/filtered_domains for rules based on the recipient address. (Judging by the file name on the file name, it is probably just blocking specific domains... Check to see if gmail.com is listed in there?)

permit_mynetworks

This will permit hosts by IP address that match IP ranges specified in $mynetworks. In the main.cf you posted, $mynetworks was set to 127.0.0.1, so it will only relay emails generated by the server itself.

Based on that configuration, your mail client will need to use SMTP Authentication before being allowed to relay messages. I'm not sure what database SASL is using. That is specified in /usr/lib/sasl2/smtpd.conf Presumably it also uses the same database as your virtual mailboxes, so you should be able enable SMTP authentication in your mail client and be all set.

Postfix Rejecting Mail from Authenticated Clients: Troubleshooting Guide

After much experimentation it turned out I had to add permit_sasl_authenticated to smtpd_client_restrictions (not to be confused with smtpd_recipient_restrictions).

This has fixed it.

Related Topic