Unable to send mail using STARTTLS authentication: 4.7.0 TLS not available due to local problem

Created:

2016-11-16 13:02:12 UTC

Modified:

2017-06-14 13:46:13 UTC


Applicable to:

  • Plesk 12.5 for Linux
  • Plesk 10.4 for Linux
  • Plesk 11.0 for Linux
  • Plesk 11.5 for Linux
  • Plesk 12.0 for Linux

Symptoms

Unable to send a mail message using STARTTLS authentication:

454 4.7.0 TLS not available due to local problem

The following errors can be found in /usr/local/psa/var/log/maillog:

postfix/smtpd[26508]: warning: cannot get RSA certificate from file /etc/postfix/postfix_default.pem: disabling TLS support
postfix/smtpd[26508]: warning: TLS library problem: 26508:error:02001002:system library:fopen:No such file or directory:bss_file.c:355:fopen('/etc/postfix/postfix_default.pem','r'):
postfix/smtpd[26508]: warning: TLS library problem: 26508:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:357:
postfix/smtpd[26508]: warning: TLS library problem: 26508:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:ssl_rsa.c:722:

Cause

TLS misconfiguration in Postfix:

  • The certificate file postfix_default.pem does not contain a valid SSL certificate, or is broken
  • The path to the certificates is incorrect in /etc/postfix/main.cf
  • TLS configuration parameters are missing from /etc/postfix/main.cf

Resolution

Compare the current configuration with the following steps and correct it where needed:

  1. Create the tls directory, set the correct ownership and permissions, and create a certificate file (the openssl command below writes a self-signed certificate and its private key into the same smtpd.pem file):

    # mkdir /etc/postfix/tls
    # chown root:postfix /etc/postfix/tls
    # chmod u=rwx,go= /etc/postfix/tls
    # cd /etc/postfix/tls
    # openssl req -new -x509 -nodes -out smtpd.pem -keyout smtpd.pem -days 3650
  2. Change /etc/postfix/main.cf accordingly:

    # grep _tls /etc/postfix/main.cf
    smtpd_tls_CAfile = /etc/postfix/tls/smtpd.pem
    smtpd_tls_cert_file = /etc/postfix/tls/smtpd.pem
    smtpd_tls_key_file = /etc/postfix/tls/smtpd.pem
    smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
    smtpd_tls_security_level = may
    smtpd_use_tls = yes
    smtp_tls_security_level = may
    smtp_tls_CAfile = /etc/postfix/tls/smtpd.pem
    smtp_tls_cert_file = /etc/postfix/tls/smtpd.pem
    smtp_tls_key_file = /etc/postfix/tls/smtpd.pem
    smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
    smtp_use_tls = yes
    smtpd_tls_received_header = yes
    smtpd_tls_ask_ccert = yes
    smtpd_tls_loglevel = 1
    tls_random_source = dev:/dev/urandom
  3. If the smtpd_sasl_auth_enable = yes option is set in /etc/postfix/main.cf, make sure that the saslauthd service is started.

  4. Reload Postfix configuration:

    # service postfix reload
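As an added check that is not part of the Plesk article, the following script reads the smtpd_tls_cert_file and smtpd_tls_key_file parameters from a main.cf-style file and verifies that the referenced files exist, are readable, and actually contain PEM CERTIFICATE and PRIVATE KEY blocks, which is exactly the precondition the "cannot get RSA certificate from file" warning reports as broken. It assumes plain "key = value" lines and does not require postconf; the file names and function names are this example's own.

```shell
#!/bin/sh
# check_tls.sh: verify that the TLS files referenced in a Postfix main.cf are usable.
# Usage: sh check_tls.sh /etc/postfix/main.cf

# cf_get <main.cf> <parameter>: print the last value set for <parameter>
# (assumes "parameter = value" lines, as written by the steps above).
cf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# pem_has <file> <regex>: succeed if <file> contains a matching "-----BEGIN ...-----" marker.
pem_has() {
    grep -q -- "-----BEGIN $2-----" "$1"
}

# check_tls_files <main.cf>: print one line per problem found; return 0 only if
# both the certificate and the key parameter point at readable files with the
# expected PEM blocks (a self-signed smtpd.pem holding both passes).
check_tls_files() {
    cf="$1"; rc=0
    for p in smtpd_tls_cert_file smtpd_tls_key_file; do
        f=$(cf_get "$cf" "$p")
        if [ -z "$f" ]; then
            echo "$p is not set in $cf"; rc=1; continue
        fi
        if [ ! -r "$f" ]; then
            echo "$p points to $f, which is missing or unreadable"; rc=1; continue
        fi
        case "$p" in
            smtpd_tls_cert_file)
                pem_has "$f" "CERTIFICATE" || { echo "$f has no CERTIFICATE block"; rc=1; } ;;
            smtpd_tls_key_file)
                # accept "PRIVATE KEY" as well as "RSA PRIVATE KEY" / "EC PRIVATE KEY"
                pem_has "$f" ".*PRIVATE KEY" || { echo "$f has no PRIVATE KEY block"; rc=1; } ;;
        esac
    done
    return $rc
}

# Run the check only when a main.cf path is given on the command line.
if [ "$#" -gt 0 ]; then
    check_tls_files "$1" && echo "TLS certificate and key files look usable"
fi
```

A non-zero exit with "missing or unreadable" corresponds to the fopen error in the maillog above; a missing PEM block corresponds to the "disabling TLS support" case where the file exists but holds no usable certificate.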