Issues with TLS | Copy SSL to Dovecot, Postfix

Hi, there are issues with TLS when I copy the SSL certificate (signed by a CA certificate) to Dovecot and Postfix. Webmin 1.720 + Virtualmin 4.12

Dec  6 10:31:08 myhostname postfix/smtpd[22997]: warning: TLS library problem: 22997:error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied:s3_pkt.c:1257:SSL alert number 49:

Postfix didn't start because of the master.lock

...fatal: open lock file /var/lib/postfix/master.lock: unable to set exclusive lock: Resource temporarily unavailable

and also "fatal: bind 0.0.0.0 port 25: Address already in use"

I had to delete the /var/lib/postfix/master.lock, restore the self-signed certificate and reboot the server...

so it's not easy at all and you should understand why it happens...

thanks

p.s.:

  • googled for alert 49
"49 access_denied | Received a valid certificate, but when access control was applied, the sender did not proceed with negotiation. This message is always fatal."
  • maybe I have to reboot the server after the SSL certificate copy to Dovecot, Postfix? ...and so those TLS errors were caused by a NOT running Postfix?

  • After the copy, I tried to add a new email account in Thunderbird and even if the password for the user was correct, it reported that it was not...so I suspect that it was because of the stopped Postfix, but at that moment I didn't know that Postfix was not working...

  • and, above all, WHY was Postfix not running after the copy?

    Can you test this procedure yourself again, please?

Status: Active

Comments

  • SSL certificate from STARTSSL
  • here are screenshots

as you can see this is for mail.xxx.com

http://i57.tinypic.com/n20sup.jpg

sub.class1.server.ca.pem :

http://i60.tinypic.com/etttld.jpg

When I copy to Dovecot, Postfix and then I try to set up the account in Thunderbird for mail.xxx.com for a user@example.com, it doesn't recognize the user+password and

error on maillog:

warning: TLS library problem: 7652:error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied:s3_pkt.c:1257:SSL alert number 49:
  • so, please, are you sure that you tested with class 1 certs from STARTSSL?

  • did you put sub.class1.server.ca.pem inside dovecot.ca.pem? Anything else to do?

  • does the MX record for example.com matter here? Do I have to change it from mail.example.com to mail.xxx.com as in my certificate?

thanks

Howdy -- we're sorry to hear you're having problems with SSL!

StartSSL certificates do indeed work with Apache, Dovecot, Postfix, and Webmin/Virtualmin. They tend to be very popular in the Virtualmin community, there's a lot of folks here who use them.

You appear to be seeing a configuration issue of some kind, though unfortunately I've never run into that before and it isn't something I've been able to reproduce. It's likely related to your domains being set up outside of Virtualmin, and later imported. That sort of setup can contain complications that don't exist in setups that were made entirely using Virtualmin.

Those sorts of issues are generally fixable, but may require some additional troubleshooting and tweaking.

One thing you could always try is to completely remove SSL from Apache, Dovecot, Postfix, and Virtualmin -- and then to re-add your SSL certificates into Virtualmin, using Server Configuration -> Manage SSL Certificates. Once you re-add them, you can then copy them to your various services.

Doing that should ensure that the paths and permissions are all correct.

The SSL certificates will at that point first be added into /home/USERNAME, and then copied into your various services.

If you had any followup questions, since you're not seeing a Virtualmin issue there, and StartSSL certificates are indeed supported by all the services running on your server -- you'd want to use the Forums for obtaining support. You can access the forums using the "Forums" link at the top of the page.

We monitor the Forums, along with lots of wonderful folks in the community. Thanks!

ok, SOLVED

Thunderbird 31.3.0 Windows 8.1 64bit

I don't know why... but I had to delete all the current certificates for my email accounts in Thunderbird settings.

Once I did that, no more errors... no security exception to confirm for my mail.domain.com certificate, which IS WORKING and it HAD TO work...

I got popups just for those email accounts which are mine and for which I don't need a signed cert...

the account setup now works as usual and it normally recognizes the user/password, immediately adds the account without security popups....

so, someone should talk to these people from Mozilla to understand why it happens... really I should not need to delete anything...

:-( a waste of time with that software...for nothing

thank you for your help
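
An added example, not part of the original thread or of Virtualmin's code: a small Python decoder for the `TLS library problem` warnings quoted above, showing what the packed OpenSSL error code says about which side sent the alert. It assumes the OpenSSL 1.0.x error-code layout; the function names and the third sample line are constructed for illustration.

```python
import re
from collections import Counter

# Alert names from RFC 5246 section 7.2 (subset commonly seen in mail logs).
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate", 45: "certificate_expired",
              46: "certificate_unknown", 48: "unknown_ca", 49: "access_denied",
              70: "protocol_version"}
# OpenSSL sets reason = 1000 + alert number when the alert was received from the peer.
ALERT_REASON_OFFSET = 1000

PROBLEM_RE = re.compile(
    r"TLS library problem: (?:(?P<pid>\d+):)?error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*):")

def decode_tls_problem(line):
    """Decode one Postfix 'TLS library problem' line; return None if it is not one."""
    m = PROBLEM_RE.search(line)
    if m is None:
        return None
    code = int(m.group("code"), 16)
    # Assumed OpenSSL 1.0.x packing: 8 bits library, 12 bits function, 12 bits reason.
    reason = code & 0xFFF
    alert = reason - ALERT_REASON_OFFSET if reason >= ALERT_REASON_OFFSET else None
    return {
        "lib": code >> 24, "func": (code >> 12) & 0xFFF, "reason": reason,
        "func_name": m.group("func"), "reason_text": m.group("reason"),
        "alert": alert,
        "alert_name": TLS_ALERTS.get(alert, "unknown") if alert is not None else None,
        # A reason in the alert range means the remote end sent the alert to this server.
        "sent_by_peer": alert is not None,
    }

def summarize(lines):
    """Count peer-sent alerts by name across a log excerpt."""
    hits = (decode_tls_problem(line) for line in lines)
    return Counter(h["alert_name"] for h in hits if h and h["sent_by_peer"])

# The two warnings quoted in the thread, plus one constructed non-TLS line.
SAMPLE = [
    "Dec  6 10:31:08 myhostname postfix/smtpd[22997]: warning: TLS library problem: 22997:error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied:s3_pkt.c:1257:SSL alert number 49:",
    "warning: TLS library problem: 7652:error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied:s3_pkt.c:1257:SSL alert number 49:",
    "Dec  6 10:31:09 myhostname postfix/smtpd[22997]: connect from unknown[192.0.2.10]",  # constructed
]

if __name__ == "__main__":
    for sample_line in SAMPLE:
        print(decode_tls_problem(sample_line))
    print(summarize(SAMPLE))
```

For both warnings in the thread the reason field decodes to 1049, that is alert 49 (access_denied) read by Postfix from the connecting client rather than raised by the server.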