Newbie alert - cert creation for postfixconfix howto ....

Postby slk2k » Sun Feb 22, 2009 10:13 pm

OK, newbie here. Am trying to set up postfix using the Complete Postfix HowTo found
here:

http://www.scalix.com/wiki/index.php?ti ... _and_virii

Background:
----------------
- Installed latest scalix (11.4.3) on Debian Etch
- Email inside working fine
- installed fetchmail to pull from mail server and that works fine. Email pulled shows up.
- Outlook 2007 connector fine (but small problem with shared calendars, but that's a separate thing - posting in Outlook Connector forum)

Went and started following the howto listed above.
Got to the point of configuring tls on postfix. Need to generate
the certs. Here is where I went off-track.

Tried to generate my own keys but obviously something is wrong as after I finished
the rest of the HowTo and I went to pull a test message down via 'fetchmail', I see
this in the /var/log/syslog:

Feb 22 16:58:20 scalix fetchmail[24330]: 1 message for testuser at pop.XXXXXXXX.com (1703 octets).
Feb 22 16:58:20 scalix postfix/smtpd[25035]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
Feb 22 16:58:20 scalix postfix/smtpd[25035]: warning: cannot get certificate from file /etc/ssl/cert.pem
Feb 22 16:58:20 scalix postfix/smtpd[25035]: warning: TLS library problem: 25035:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: CERTIFICATE:
Feb 22 16:58:20 scalix postfix/smtpd[25035]: warning: TLS library problem: 25035:error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib:ssl_rsa.c:727:
Feb 22 16:58:20 scalix postfix/smtpd[25035]: cannot load RSA certificate and key data
Feb 22 16:58:20 scalix postfix/smtpd[25035]: connect from scalix.XXXXXXXX.com[192.168.2.91]
Feb 22 16:58:20 scalix postfix/smtpd[25035]: 7335F2E689E: client=scalix.XXXXXXXX.com[192.168.2.91]
Feb 22 16:58:20 scalix postfix/cleanup[25039]: 7335F2E689E: message-id=<57344.IP_ADDRESS.1235343492.squirrel@IP_ADDRESS>
Feb 22 16:58:20 scalix postfix/qmgr[23911]: 7335F2E689E: from=<mailscanner@mailscanner.YYYYYYYY.com>, size=2055, nrcpt=1 (queue active)
Feb 22 16:58:20 scalix fetchmail[24330]: reading message testuser@pop.XXXXXXXX.com:1 of 1 (1703 octets) flushed
Feb 22 16:58:20 scalix postfix/smtpd[25042]: warning: cannot get certificate from file /etc/ssl/cert.pem
Feb 22 16:58:20 scalix postfix/smtpd[25042]: warning: TLS library problem: 25042:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: CERTIFICATE:
Feb 22 16:58:20 scalix postfix/smtpd[25042]: warning: TLS library problem: 25042:error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib:ssl_rsa.c:727:
Feb 22 16:58:20 scalix postfix/smtpd[25042]: cannot load RSA certificate and key data
Feb 22 16:58:20 scalix postfix/smtpd[25042]: connect from localhost.localdomain[127.0.0.1]
Feb 22 16:58:20 scalix postfix/smtpd[25042]: 9A4C82E68A1: client=localhost.localdomain[127.0.0.1]
Feb 22 16:58:20 scalix postfix/cleanup[25039]: 9A4C82E68A1: message-id=<57344.IP_ADDRESS.1235343492.squirrel@IP_ADDRESS>
Feb 22 16:58:20 scalix postfix/qmgr[23911]: 9A4C82E68A1: from=<mailscanner@mailscanner.YYYYYYYY.com>, size=2483, nrcpt=1 (queue active)
Feb 22 16:58:20 scalix postfix/smtpd[25042]: disconnect from localhost.localdomain[127.0.0.1]
Feb 22 16:58:20 scalix amavis[23719]: (23719-01) Passed CLEAN, LOCAL [192.168.2.91] [IP_ADDRESS] <mailscanner@mailscanner.YYYYYYYY.com> -> <testuser@XXXXXXXX.com>, Message-ID: <57344.71.201.39.202.1235343492.squirrel@71.201.39.202>, mail_id: 84VDlvZ5D3Se, Hits: -, queued_as: 9A4C82E68A1, 160 ms
Feb 22 16:58:20 scalix postfix/smtp[25040]: 7335F2E689E: to=<testuser@rXXXXXXXX.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.24, delays=0.07/0.01/0.01/0.16, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=23719-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9A4C82E68A1)
Feb 22 16:58:20 scalix postfix/qmgr[23911]: 7335F2E689E: removed

(domain names/IP addrs changed to protect the guilty ...)

I've generated the keys (I think the right way for the following files as identified
from main.cf for postfix):
---------------------------------------------
smtpd_tls_key_file = /etc/ssl/key.pem
smtpd_tls_cert_file = /etc/ssl/cert.pem
smtpd_tls_CAfile = /etc/ssl/cacert.pem

So, did I screw up the certs or is something else horribly wrong? :D

Postby schmoe90 » Mon Feb 23, 2009 1:10 pm

> So, did I screw up the certs

Well,
warning: TLS library problem: 25042:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: CERTIFICATE:
would suggest so.

Postby slk2k » Mon Feb 23, 2009 2:57 pm

OK - fair enough. I'm big enough to admit I screwed up!! :-)

Thing is, cert generation is a new thing for me. I've googled around
looking for a good discussion on how to generate the three necessary pem
listed by the procedure, but haven't found anything really useful that
uses openssl and for debian .... :-(

Does anyone have a procedure that will work?

Much Thanks!!

Found it ..

Postby slk2k » Mon Mar 02, 2009 9:24 pm

OK - dig around long enough in the dirt and you will find what you
are looking for ..... :-)

For anyone else who comes wandering this way, this link helped
me out a great deal!

http://koti.kapsi.fi/ptk/postfix/postfi ... cert.shtml
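
Added example, not part of the original thread or of the linked page: one way to create the three files named in the main.cf excerpt above with openssl, plus a check for the PEM start line whose absence produces the "no start line ... Expecting: CERTIFICATE" warning in the syslog. The function names, the CA subject "Example Mail CA" and the intermediate files cakey.pem and req.pem are assumptions; key.pem, cert.pem and cacert.pem follow the names in the first post.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and subjects are assumptions.

# pem_has FILE TYPE: succeed if FILE contains a PEM block of exactly TYPE.
# A cert.pem holding a CSR ("CERTIFICATE REQUEST") or a key fails this check,
# which is the condition behind "no start line ... Expecting: CERTIFICATE".
pem_has() {
    [ -r "$1" ] && grep -q -- "^-----BEGIN $2-----\$" "$1"
}

# check_tls_files KEY CERT CA: print one line per problem, return problem count.
# An encrypted key ("ENCRYPTED PRIVATE KEY") is rejected: smtpd cannot prompt
# for a passphrase.
check_tls_files() {
    bad=0
    grep -Eq -- '^-----BEGIN (RSA |EC )?PRIVATE KEY-----$' "$1" 2>/dev/null \
        || { echo "$1: no unencrypted private key block"; bad=$((bad+1)); }
    pem_has "$2" CERTIFICATE || { echo "$2: no certificate block"; bad=$((bad+1)); }
    pem_has "$3" CERTIFICATE || { echo "$3: no certificate block"; bad=$((bad+1)); }
    return "$bad"
}

# make_tls_files DIR HOST: private CA, then a server key and a cert signed by it.
make_tls_files() {
    dir=$1 host=$2
    # 1. CA key and self-signed CA certificate (cacert.pem)
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
        -subj "/CN=Example Mail CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null || return 1
    # 2. Server key (key.pem, unencrypted) and certificate request
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$host" \
        -keyout "$dir/key.pem" -out "$dir/req.pem" 2>/dev/null || return 1
    # 3. Sign the request with the CA to get the server certificate (cert.pem)
    openssl x509 -req -in "$dir/req.pem" -days 365 \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -out "$dir/cert.pem" 2>/dev/null || return 1
    # Private keys must not be world-readable
    chmod 600 "$dir/key.pem" "$dir/cakey.pem"
    # 4. Confirm the server certificate chains to the CA
    openssl verify -CAfile "$dir/cacert.pem" "$dir/cert.pem" >/dev/null
}
```

Run `make_tls_files` in a scratch directory with the server's hostname, run `check_tls_files` on the result, then copy the three files to the paths main.cf points at and reload postfix.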

