Postfix - TLS Engine unavailable

I’ve been trying for a long time to send emails via gmail, but without any success.

I always got the following error:
“Must issue a STARTTLS command first”

I then added the following to my main.cf file:
smtp_enforce_tls = yes

I now get this when running postqueue -p
(TLS is required, but our TLS engine is unavailable)

Anyone got an idea what I can try next?
Thus far I’ve tried a few tutorials on how to set up gmail, but none worked. This is what I added to main.cf:

#**************************************************
#
# SASL SUPPORT FOR SERVERS
#
#**************************************************
#
# Needed by postfix to enable Cyrus-SASL support
#
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
#smtp_tls_note_starttls_offer = yes

#tls
#for no logs, set to 0
smtp_tls_loglevel = 2

smtp_use_tls = yes
smtp_enforce_tls = yes
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_cert_file = /etc/postfix/certs/itchy.pem
smtp_tls_key_file = /etc/postfix/certs/itchy.key
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache

smtpd_use_tls = yes
smtpd_enforce_tls = yes
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/certs/itchy.pem
smtpd_tls_key_file = /etc/postfix/certs/itchy.key
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache
smtpd_tls_auth_only = no
tls_random_source = dev:/dev/urandom

#SASL Settings
smtpd_sasl_auth_enable = no

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_local_domain = $myhostname
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_application_name = smtpd

I use the sender dependent routing feature to accomplish this. In /etc/sysconfig/postfix, I have:

POSTFIX_ADD_SENDER_DEPENDENT_RELAYHOST_MAPS="hash:/etc/postfix/sender_dependent_relayhost"

POSTFIX_ADD_SMTP_TLS_PER_SITE="hash:/etc/postfix/tls_per_site"

/etc/postfix/sender_dependent_relayhost contains:

myaccount@gmail.com [smtp.gmail.com]:587

/etc/postfix/tls_per_site contains:

smtp.gmail.com MUST

If you modified main.cf then you have to put the equivalent commands there, and of course run posthash on those two hash dictionary files above after each change, or add them to the list to be automatically rehashed.

You still have to do the SASL password bit. These instructions only make postfix look at the sender address and decide which relayhost to use for which emails. I only had to put my gmail passwords in /etc/postfix/sasl_passwd and it became enabled.

Thanks for the reply. I added the two lines to /etc/sysconfig/postfix, created /etc/postfix/sender_dependent_relayhost and /etc/postfix/tls_per_site and hashed them, but I still get the following errors:

52010A360 891 Thu Nov 5 16:14:26 wwwrun@linux-sgt9.site
(TLS is required, but our TLS engine is unavailable)
user@xxxxx.co.za

04121A380 885 Fri Nov 6 11:26:24 wwwrun@linux-sgt9.site
(delivery temporarily suspended: TLS is required, but our TLS engine is unavailable)
user@gmail.com

Am I not perhaps missing a package or something? I thought it might have been openssl, but I do have the latest version.

I don’t know. The settings I added are the only additions to a stock sysconfig/postfix, or alternatively, main.cf. Perhaps you are trying to enable TLS in a server capacity. When you are using postfix as a client to relay to gmail using TLS, you don’t need to support server TLS. The settings starting with smtpd_ are to do with postfix as server, those starting with smtp_ are to do with postfix as a client.

Ok, I discovered that I was by accident not enforcing TLS on gmail connections. Mail did go through, however. To fix it and make TLS enforced, all that’s needed is to add this directive to main.cf:

smtp_tls_CApath = /etc/ssl/certs

You then have to run

c_rehash /etc/ssl/certs

to make sure that the certs are hashed, then reload postfix. Then when smtp.gmail.com presents its cert, it will be checked against the Thawte cert in that directory. Using CApath instead of CAfile makes all the certs in /etc/ssl/certs valid, and you don’t have to choose one to put in cacert.pem and point CAfile to it as suggested by most tutes, which will fail if gmail switches to another CA.

As mentioned before, you only need to enable TLS on smtp, not smtpd if you only want to relay to gmail, and not be a secure mail server for road warriors. So all those steps about creating a self-signed cert in tutes are not required in this situation.

I’m afraid I’ve still got no luck sending mail. I still get the same error:

EF0B5A360 892 Mon Nov 16 08:44:30 wwwrun@linux-sgt9.site
(TLS is required, but our TLS engine is unavailable)

Seems like it does try TLS, but for some reason it can’t…

Having just installed 11.2 and configured postfix and got it working with gmail, I figured out what you are missing. Because you edited main.cf and master.cf yourself, the settings in /etc/sysconfig/postfix do not affect the configuration. In particular you haven’t started the tlsmgr process normally commented out in master.cf. If you had stuck to making mods only on /etc/sysconfig/postfix and using YaST to generate main.cf and master.cf, tlsmgr would be one of the processes started.
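The diagnosis above (tlsmgr left commented out in a hand-edited master.cf, while the smtp_ client side needs TLS and a CA store) can be checked before restarting anything. The script below is an added example, not from this thread or from the Postfix project; it audits constructed sample master.cf and main.cf text, and on a real host you would feed it /etc/postfix/master.cf and /etc/postfix/main.cf instead.

```shell
#!/bin/sh
# Added example: audit the conditions behind "TLS is required, but our TLS
# engine is unavailable" when relaying to Gmail: tlsmgr must be an active
# service in master.cf, and main.cf must enable client (smtp_) TLS, point at a
# CA store, and enable SASL auth. Sample files below are constructed.

# Constructed master.cf with tlsmgr still commented out (the poster's case).
MASTER_BROKEN='smtp      inet  n       -       n       -       -       smtpd
#tlsmgr    unix  -       -       n       1000?   1       tlsmgr
cleanup   unix  n       -       n       -       0       cleanup'

# Constructed master.cf with tlsmgr enabled, as YaST would generate it.
MASTER_OK='smtp      inet  n       -       n       -       -       smtpd
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
cleanup   unix  n       -       n       -       0       cleanup'

# Constructed main.cf fragment for relaying to Gmail as a TLS client.
MAIN_SAMPLE='smtp_use_tls = yes
smtp_enforce_tls = yes
smtp_tls_CApath = /etc/ssl/certs
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd'

# tlsmgr_enabled MASTER_TEXT: succeeds if an uncommented tlsmgr service exists.
tlsmgr_enabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*tlsmgr[[:space:]]+unix'
}

# main_has MAIN_TEXT KEY: succeeds if KEY is set (not commented) in main.cf.
main_has() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2[[:space:]]*="
}

# audit MASTER_TEXT MAIN_TEXT: prints each finding; returns the problem count.
audit() {
    problems=0
    tlsmgr_enabled "$1" || { echo "master.cf: tlsmgr service commented out or missing"; problems=$((problems+1)); }
    main_has "$2" smtp_use_tls || main_has "$2" smtp_tls_security_level || { echo "main.cf: client TLS not enabled"; problems=$((problems+1)); }
    main_has "$2" smtp_tls_CApath || main_has "$2" smtp_tls_CAfile || { echo "main.cf: no CA store to verify the relay certificate"; problems=$((problems+1)); }
    main_has "$2" smtp_sasl_auth_enable || { echo "main.cf: smtp_sasl_auth_enable not set"; problems=$((problems+1)); }
    return $problems
}

audit "$MASTER_BROKEN" "$MAIN_SAMPLE"   # reports the missing tlsmgr service
```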

Finally got Postfix to work with Gmail!

  • I used yast to remove the Postfix packages
  • Deleted: etc/sysconfig/postfix and etc/postfix/ folder
  • Installed the latest Postfix packages with yast
  • Did the mail setup with yast, and everything worked first time

Thanks for your help!