Postfix "warning: cannot get RSA private key from file"

ssl-certificate postfix

The content of main.cf does not necessarily represent your active Postfix configuration. Check the output of postconf -n for the following two parameters:

smtpd_recipient_restrictions = 
  permit_mynetworks, 
  permit_sasl_authenticated, 
  reject_unauth_destination
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

If $mynetworks is restricted to localhost and $smtpd_recipient_restrictions shows permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination as the first three restrictions, then you are not an open relay.

Verify that /etc/ssl/private/postfix.pem contains a valid key and /etc/ssl/certs/postfix.pem contains a valid certificate:

openssl rsa -in /etc/ssl/private/postfix.pem -check -noout
openssl x509 -in /etc/ssl/certs/postfix.pem -text -noout

You also need to check if Postfix can access the file. On my server, the permissions on /etc/ssl/private are

drwx--x---  2 root ssl-cert  4096 Aug 03 01:55 private/

Thus simply chowning the key file won't do you any good, because the directory permissions prevent Postfix from accessing any file in it.

Try simplifying your setup. Put certificate and key into a single file:

cat /etc/ssl/*/postfix.pem > /etc/postfix/server.pem
chmod 640 /etc/postfix/server.pem
chown postfix:postfix /etc/postfix/server.pem

and change your main.cf like this:

smtpd_tls_cert_file = /etc/postfix/server.pem
smtpd_tls_key_file = $smtpd_tls_cert_file

Restart Postfix and see if the server can access the key.


Those instructions have chmod o= /etc/ssl/private/postfix.pem but say nothing about which user owns the file.

On my boxes, the smtpd process runs as the postfix user. Check that the postfix user can access /etc/ssl/private/postfix.pem. Or possibly just chown postfix:postfix /etc/ssl/private/postfix.pem.

The other obvious problem is exactly what the error message says: There isn't a valid RSA key in that file. Have a look in /etc/ssl/private/postfix.pem and make sure it contains at least something that looks like an RSA key. Don't paste it into your question.

Actually, I just noticed that the error message is for /etc/ssl/certs/postfix.pem, not /etc/ssl/private/postfix.pem. Check the ownership, permissions and content of /etc/ssl/certs/postfix.pem as well.

That error message is a little confusing. It says cannot get RSA private key from file /etc/ssl/certs/postfix.pem but the private key should be in /etc/ssl/private/postfix.pem. I don't have enough experience with Postfix using TLS to know whether this is a bug Postfix or a mistake in your config.


Cert has to match key, in my case had nothing to do with permissions

create a self signed cert and key https://msol.io/blog/tech/create-a-self-signed-ssl-certificate-with-openssl/

Hope this helps

Related

Resetting a queue discipline back to the default pfifo_fast one?
What would cause Apache to display a bomb icon for a specific directory?
Improvements for small business network?
Unable to change vm.max_map_count for elasticsearch
2 ELBs (ALBs) to 1 target group, possible?
Can't access windows share when in security group assigned to share
What's the required to make a normal user can create schema on PostgreSQL?
With SQL Server (2008), can you grant create table permission within a schema?
How to start a reverse tunnel with PuTTY?
How does mysql determine the hostname of its clients?
Debugging fstab problems on reboot
Can one have multiple name servers that don't all belong to the same TLD/provider?