OS13.1: Postfix and STARTTLS

I got a request from my mail provider to switch to secure communication. My setting at the mail server up to now was USE (or MAY use) TLS, but not to force it. As far as I understand it, postfix fell back to an unencrypted connection. But I got into trouble when I changed the setting to force TLS: no mails could be delivered to my mail provider via SMTP. I have to say I did all settings within YaST2.

I found various error messages in /var/log/mail, e.g.

2014-02-05T21:57:13.884269+01:00 shuttle postfix/smtp[15012]: warning: connect to private/tlsmgr: Connection refused
2014-02-05T21:57:13.896772+01:00 shuttle postfix/smtp[15012]: warning: problem talking to server private/tlsmgr: Connection refused
2014-02-05T21:57:14.900666+01:00 shuttle postfix/smtp[15012]: warning: connect to private/tlsmgr: Connection refused
2014-02-05T21:57:14.902788+01:00 shuttle postfix/smtp[15012]: warning: problem talking to server private/tlsmgr: Connection refused
2014-02-05T21:57:14.907749+01:00 shuttle postfix/smtp[15012]: warning: no entropy for TLS key generation: disabling TLS support
2014-02-05T21:57:15.002238+01:00 shuttle postfix/smtp[15012]: A831C473AE: TLS is required, but our TLS engine is unavailable
2014-02-05T21:57:15.124226+01:00 shuttle postfix/smtp[15012]: A831C473AE: to=<xxx@gxxx.com>, relay=mail.gmx.net[212.227.17.168]:587, delay=1.4, delays=0.11/1.1/0.17/0, dsn=4.7.5, status=deferred (TLS is required, but our TLS engine is unavailable)

or:

2014-02-05T21:58:05.178154+01:00 shuttle postfix/qmgr[15134]: 1FAB0473A7: from=<xxxxxx@gmx.net>, size=627, nrcpt=1 (queue active)
2014-02-05T21:58:05.458115+01:00 shuttle postfix/smtp[15140]: certificate verification failed for mail.gmx.net[212.227.17.190]:587: untrusted issuer /C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
2014-02-05T21:58:05.550335+01:00 shuttle postfix/smtp[15140]: 1FAB0473A7: Server certificate not trusted
2014-02-05T21:58:05.720818+01:00 shuttle postfix/smtp[15140]: certificate verification failed for mail.gmx.net[212.227.17.168]:587: untrusted issuer /C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
2014-02-05T21:58:05.850664+01:00 shuttle postfix/smtp[15140]: 1FAB0473A7: to=<xxx@gxxx.com>, relay=mail.gmx.net[212.227.17.168]:587, delay=370, delays=369/0.1/0.54/0, dsn=4.7.5, status=deferred (Server certificate not trusted)

Now it is working. What did I do?

At first I updated the ca-certificates packages.
Then I removed the postfix package.
I deleted the /etc/postfix folder and /etc/sysconfig/postfix.
I did a rehash of /etc/ssl/certs (c_rehash /etc/ssl/certs).
I reinstalled a fresh copy of postfix.
I went through the settings in YaST/mail server.
After that I corrected two things:

  • ln -s /etc/ssl/certs /etc/postfix/ssl/cacerts
    (since there was a reference to it in the postfix/main.cf)

  • commenting out this line in postfix/master.cf (old: #tlsmgr unix - - n 1000? 1 tlsmgr):
tlsmgr    unix  -       -       n       1000?   1       tlsmgr

After a restart of the postfix daemon all is working now.
I was a bit disappointed, since this was a fresh install of openSUSE 13.1 (over an old system, but it wasn't an update).

I only want to point out the problems and the solution, but IMO it seems to be a bug in the configuration of the mail server via YaST2.

Regards
Lutz
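
As an added check (my own example, not code from the post above), a small POSIX shell script that tests the two things Lutz ended up fixing, run against constructed sample config files: whether master.cf has an uncommented tlsmgr service and whether main.cf's smtp_tls_CApath points at a directory that actually holds c_rehash output. All file names and paths in it are assumptions.

```shell
#!/bin/sh
# Sanity checks for the two fixes from the post: an active tlsmgr service
# in master.cf and a CA path in main.cf that really contains rehashed
# certificates. The sample config files below are constructed for this demo.

# 0 if master.cf contains an uncommented tlsmgr service line.
tlsmgr_enabled() {
    grep -Eq '^[[:space:]]*tlsmgr[[:space:]]+unix[[:space:]]' "$1"
}

# Print the (last) smtp_tls_CApath value from main.cf; empty if unset.
capath_from_main_cf() {
    sed -n 's/^[[:space:]]*smtp_tls_CApath[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# 0 if that directory exists and holds at least one c_rehash link (HASH.0),
# which is what OpenSSL looks up when verifying the server certificate.
capath_usable() {
    dir=$(capath_from_main_cf "$1")
    [ -n "$dir" ] && [ -d "$dir" ] && ls "$dir"/*.0 >/dev/null 2>&1
}

# Build a scratch copy of the broken and the fixed state and report both.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/certs"
    : > "$tmp/certs/abcdef12.0"            # stand-in for a rehashed root CA
    printf '#tlsmgr unix - - n 1000? 1 tlsmgr\n' > "$tmp/master.broken"
    printf 'tlsmgr    unix  -  -  n  1000?  1  tlsmgr\n' > "$tmp/master.fixed"
    printf 'smtp_tls_CApath = %s/cacerts\n' "$tmp" > "$tmp/main.broken"  # dangling
    printf 'smtp_tls_CApath = %s/certs\n' "$tmp" > "$tmp/main.fixed"
    for f in master.broken master.fixed; do
        if tlsmgr_enabled "$tmp/$f"; then echo "$f: tlsmgr active"
        else echo "$f: tlsmgr commented out (expect 'connect to private/tlsmgr: Connection refused')"; fi
    done
    for f in main.broken main.fixed; do
        if capath_usable "$tmp/$f"; then echo "$f: CApath ok"
        else echo "$f: CApath unusable (expect 'Server certificate not trusted')"; fi
    done
    rm -rf "$tmp"
}

demo
```

On a real box, point the functions at /etc/postfix/master.cf and /etc/postfix/main.cf instead of the scratch copies.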

On 2014-02-06 00:06, lutze wrote:
> I want only to point the problems and the solution, but IMO it seems to
> be a bug in the configuration of the mail server via YAST2.

Mmm. Please report bugs in bugzilla. Here we are users helping users :-)


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))