Bug 92734

Summary: Upgrade to Postfix 2.2.2-r1 breaks SSL Support
Product: Gentoo Linux
Reporter: Loren Bandiera <lorenb>
Component: [OLD] Server
Assignee: Net-Mail Packages <net-mail+disabled>
Status: RESOLVED WORKSFORME
Severity: normal
Priority: High
Version: unspecified
Hardware: AMD64
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Loren Bandiera 2005-05-15 13:58:39 UTC
Trying to upgrade postfix from v2.1.5-r2 -> v2.2.2-r1. It compiled and installed, but on restart of the daemon I get the following errors:

postfix/postfix-script: starting the Postfix mail system
postfix/master[24972]: daemon started -- version 2.2.2, configuration /etc/postfix
postfix/smtpd[24976]: initializing the server-side TLS engine
postfix/smtpd[24976]: warning: connect to private/tlsmgr: Connection refused
postfix/smtpd[24976]: warning: problem talking to server private/tlsmgr: Connection refused
postfix/smtpd[24976]: warning: connect to private/tlsmgr: Connection refused
postfix/smtpd[24976]: warning: problem talking to server private/tlsmgr: Connection refused
postfix/smtpd[24976]: warning: no entropy for TLS key generation: disabling TLS support

# postconf | grep tls
smtp_enforce_tls = no
smtp_sasl_tls_security_options = $var_smtp_sasl_opts
smtp_sasl_tls_verified_security_options = $var_smtp_sasl_tls_opts
smtp_starttls_timeout = 300s
smtp_tls_CAfile =
smtp_tls_CApath =
smtp_tls_cert_file =
smtp_tls_cipherlist =
smtp_tls_dcert_file =
smtp_tls_dkey_file = $smtp_tls_dcert_file
smtp_tls_enforce_peername = yes
smtp_tls_key_file = $smtp_tls_cert_file
smtp_tls_loglevel = 0
smtp_tls_note_starttls_offer = yes
smtp_tls_per_site =
smtp_tls_scert_verifydepth = 5
smtp_tls_session_cache_database =
smtp_tls_session_cache_timeout = 3600s
smtp_use_tls = no
smtpd_enforce_tls = no
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_starttls_timeout = 300s
smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
smtpd_tls_CApath =
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = no
smtpd_tls_ccert_verifydepth = 5
smtpd_tls_cert_file = /etc/ssl/postfix/server.pem
smtpd_tls_cipherlist =
smtpd_tls_dcert_file =
smtpd_tls_dh1024_param_file =
smtpd_tls_dh512_param_file =
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
smtpd_tls_key_file = /etc/ssl/postfix/server.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_session_cache_database =
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_wrappermode = no
smtpd_use_tls = yes
tls_daemon_random_bytes = 32
tls_daemon_random_source =
tls_ipv6_version = 1.26
tls_random_bytes = 32
tls_random_exchange_name = ${config_directory}/prng_exch
tls_random_prng_update_period = 60s
tls_random_reseed_period = 3600s
tls_random_source = dev:/dev/urandom


Reproducible: Always
Steps to Reproduce:
1. /etc/init.d/postfix stop
2. emerge postfix
3. etc-update
4. /etc/init.d/postfix start
Portage 2.0.51.21-r1 (default-linux/amd64/2005.0/no-multilib,
gcc-3.4.3-20050110, glibc-2.3.5-r0, 2.6.11-gentoo-r8 x86_64)
=================================================================
System uname: 2.6.11-gentoo-r8 x86_64 AMD Athlon(tm) 64 Processor 3800+
Gentoo Base System version 1.6.11
dev-lang/python:     2.3.5
sys-apps/sandbox:    1.2.8
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.5
sys-devel/binutils:  2.15.92.0.2-r8
sys-devel/libtool:   1.5.16
virtual/os-headers:  2.6.11
ACCEPT_KEYWORDS="amd64 ~amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -O2 -pipe -fstack-protector"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /etc/mail /usr/kde/2/share/config /usr/kde/3/share/config
/usr/share/config /var/bind /var/qmail/control /var/run/dspam /var/spool/dspam"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=athlon64 -O2 -pipe -fstack-protector"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks sandbox strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org
http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="amd64 acpi alsa apache2 berkdb bitmap-fonts crypt curl font-server fortran
gd gdbm gif ipv6 jp2 jpeg ldap lzw lzw-tiff mp3 ncurses nls nptl pam png
procmail python readline samba sasl slang ssl tcpd tiff truetype-fonts
type1-fonts usb userlocales xml2 xpm xrandr zlib userland_GNU kernel_linux
elibc_glibc"
Unset:  ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS
Comment 1 Fernando J. Pereda (RETIRED) gentoo-dev 2005-05-15 14:09:43 UTC
What's your master.cf?

Cheers,
Ferdy
Comment 2 Loren Bandiera 2005-05-15 15:50:48 UTC
Here is my master.cf:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd -o content_filter=amavis:[127.0.0.1]:10024
#submission inet n      -       n       -       -       smtpd
#       -o smtpd_etrn_restrictions=reject
smtps    inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission   inet    n       -       n       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
#tlsmgr   fifo  -       -       n       300     1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
#
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# maildrop. See the Postfix MAILDROP_README file for details.
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient

amavis    unix  -       -       n       -       2       lmtp -o smtp_data_done_timeout=1200
127.0.0.1:10025 inet    n       -       n       -       -       smtpd -o content_filter=
Comment 3 Tuan Van (RETIRED) gentoo-dev 2005-05-15 16:18:41 UTC
during the setup stage, you were prompted:
 * you have "ssl" in your USE flags, TLS will be enabled.
 * This service entry is incompatible with previous TLS patch.
 * Visit http://www.postfix.org/TLS_README.html for more info.
and ChangeLog:
*postfix-2.2.0 (09 Mar 2005)

  09 Mar 2005; Tuấn Văn <langthang@gentoo.org> +postfix-2.2.0.ebuild:
  New postfix-2.2.0 release. This release includes IPV6 and TLS in the
  official release. "vda" has been removed as it isn't available for
  experimental Postfix release. "vda" will be added as soon as it's available.
  Please review these documents for more information:
  ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-2.2.0.RELEASE_NOTES
  http://www.postfix.org/TLS_README.html
  http://www.postfix.org/IPV6_README.html

Please review the mentioned docs.
Comment 4 Loren Bandiera 2005-05-15 18:08:35 UTC
I read over the docs.  The entries I was missing in my main.cf were:

smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache

Once I put those in, the SSL support started working again.  Thanks.
Comment 5 Tuan Van (RETIRED) gentoo-dev 2005-05-15 19:13:10 UTC
> smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
> smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache

not that. the default parameters should work. You don't have to do TLS session cache, unless you want to. From my working server with TLS support:

# postconf smtp_tls_session_cache_database
smtp_tls_session_cache_database =
# postconf smtpd_tls_session_cache_database
smtpd_tls_session_cache_database =

There are parameters that have been renamed/removed, for example:
# postconf smtp_sasl_tls_verified_security_options
postconf: warning: smtp_sasl_tls_verified_security_options: unknown parameter
you need to remove them from your main.cf

Anyway, resolved as WFM.
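An added pre-restart check, not part of the bug thread, that covers the two things visible above: the master.cf in comment 2 has its tlsmgr entry commented out while smtpd_use_tls = yes (smtpd then cannot reach private/tlsmgr, hence the "Connection refused" warnings), and comment 5 points out parameters that 2.2 no longer knows. The config files and the "known parameter" list here are constructed so the script runs offline; on a real host point the variables at /etc/postfix and build the known list with `postconf -d | cut -d' ' -f1`.

```shell
#!/bin/sh
# Added example: sanity checks before restarting Postfix after a 2.1 -> 2.2
# upgrade. All inputs below are constructed stand-ins, not the reporter's files.

TMP=$(mktemp -d)
MASTER_CF="$TMP/master.cf"; MAIN_CF="$TMP/main.cf"; KNOWN="$TMP/known"

# Constructed master.cf: tlsmgr present only as a comment, as in comment 2.
cat >"$MASTER_CF" <<'EOF'
smtp      inet  n       -       n       -       -       smtpd
#tlsmgr   fifo  -       -       n       300     1       tlsmgr
qmgr      fifo  n       -       n       300     1       qmgr
EOF

# Constructed main.cf with one parameter that postconf in 2.2 reports as unknown.
cat >"$MAIN_CF" <<'EOF'
smtpd_use_tls = yes
smtp_sasl_tls_verified_security_options = noanonymous
smtpd_tls_cert_file = /etc/ssl/postfix/server.pem
EOF

# Constructed stand-in for the parameter names `postconf -d` would list.
printf '%s\n' smtpd_use_tls smtpd_tls_cert_file smtpd_tls_key_file >"$KNOWN"

# Succeeds if master.cf has an active (uncommented) service entry named $2.
has_service() { grep -Eq "^$2[[:space:]]" "$1"; }

# Prints the main.cf parameter names that are absent from the known list ($1).
unknown_params() {
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p' "$2" |
        grep -vxF -f "$1"
}

# Prints "tlsmgr missing" when TLS is switched on in main.cf ($2) but no
# tlsmgr service is active in master.cf ($1); smtpd would fail to connect.
tls_check() {
    if grep -Eq '^[[:space:]]*smtpd_use_tls[[:space:]]*=[[:space:]]*yes' "$2" \
       && ! has_service "$1" tlsmgr; then
        echo "tlsmgr missing"
    fi
}

tls_check "$MASTER_CF" "$MAIN_CF"
unknown_params "$KNOWN" "$MAIN_CF"
```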