> Oops, while the "umask 077" is indeed required, this does produce a PEM
> file with a usable key and certificate, provided the OpenSSL library
> behind the pkcs12 command is not substantially newer than the one
> Postfix
> is linked with. If the command is from OpenSSL 1.0.0, it will generate
> a new-style PKCS#8 "generic" private key, while Postfix linked against
> 0.9.8 will probably want an RSA key.
> 
> You may need to run "openssl rsa" to convert this to an RSA key, which
> then needs to replace the
> 
>     -----BEGIN PRIVATE KEY-----
>     ...
>     -----END PRIVATE KEY-----
> 
> with:
> 
>     -----BEGIN RSA PRIVATE KEY-----
>     ...
>     -----END RSA PRIVATE KEY-----
> 
> --
>       Viktor.

Viktor, 

Thanks for the follow-up.

Here is a little more information as well as what I have done since your last 
email.  The OS is opensuse 11.3 with openssl 1.0 which I assume they linked 
postfix against as well.  When I made the changes below the log file stopped 
spewing out the RSA invalid errors that it did before (and was quiet).  I'm not 
sure what the correct way to test is.  I'm using openssl s_client to do the 
test.  Am I testing wrong at this point or is there still an error?

> (
  umask
  openssl pkcs12 -nodes -nocerts -out hsserver01.pem -in original.pfx
  )

> (
  umask 077
  openssl pkcs12 -nodes -nocerts -out certkey.pem -in original.pfx
  )

> openssl pkcs12 -nokeys -in original.pfx >> certkey.pem

> cp *.pem /etc/postfix/ssl/
 
edited main.cf:
# Public key in PEM format
# TRIED IS WITH certkey.pem as well...  
smtpd_tls_key_file = /etc/postfix/ssl/hsserver01.pem
# Private key in crt format
smtpd_tls_cert_file = /etc/postfix/ssl/certkey.pem
 
> openssl s_client -showcerts -state -quiet -status -connect localhost:465
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
3075593864:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:683:
# no errors at all in the mail log

> openssl version
OpenSSL 1.0.0 29 Mar 2010


Postconf -n stuff:
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtp_tls_session_cache_timeout = 3600s
smtp_use_tls = yes
smtpd_tls_cert_file = /etc/postfix/ssl/certkey.pem
smtpd_tls_key_file = /etc/postfix/ssl/hsserver01.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom

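As an added example (it is not code from this thread, from Viktor, or from Postfix), here is a small Python check for the two points the quoted reply raises: whether the key that `openssl pkcs12` wrote is a PKCS#8 "BEGIN PRIVATE KEY" block that still needs `openssl rsa` to become the "BEGIN RSA PRIVATE KEY" form an older Postfix wants, and whether the bundle actually carries both a key and a certificate. It also returns the `openssl s_client` form that matches the port being tested, since 465 speaks TLS from the first byte while 25 and 587 start in plaintext and need `-starttls smtp`. The function names (`parse_pem`, `check_bundle`, `s_client_command`) are my own, and the PEM fixtures at the bottom are constructed dummies with structurally valid DER headers only, not real keys or certificates.

```python
"""Sanity-check a PEM bundle before pointing smtpd_tls_key_file at it.

Added example, not from the original thread. It checks the points raised in
the quoted reply: a "BEGIN PRIVATE KEY" (PKCS#8) block may need "openssl rsa"
to become the "BEGIN RSA PRIVATE KEY" (PKCS#1) form an older Postfix expects,
and the bundle needs both a key and a certificate. Nothing here shells out.
"""
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption): tag, length, value.
RSA_OID_DER = bytes.fromhex("06092a864886f70d010101")


def parse_pem(text):
    """Return [(label, der_bytes)] for every well-formed PEM block in text.

    A body that is not valid base64 raises ValueError (binascii.Error), which
    is what we want: a silently truncated key should not pass this check.
    """
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, der))
    return blocks


def check_bundle(text, key_path="key.pem"):
    """Classify the private key in a PEM bundle and say whether to convert it."""
    blocks = parse_pem(text)
    labels = [lbl for lbl, _ in blocks]
    report = {
        "key_format": None,          # "pkcs8", "pkcs1-rsa", "pkcs8-encrypted", "ec"
        "has_cert": "CERTIFICATE" in labels,
        "needs_rsa_conversion": False,
        "problems": [],
        "fix": [],                   # shell commands a practitioner would run next
    }
    keys = [(lbl, der) for lbl, der in blocks if lbl.endswith("PRIVATE KEY")]
    if not keys:
        report["problems"].append("no private key block found")
    elif len(keys) > 1:
        report["problems"].append("more than one private key block found")
    else:
        label, der = keys[0]
        if label == "RSA PRIVATE KEY":
            report["key_format"] = "pkcs1-rsa"          # already what 0.9.8-era Postfix wants
        elif label == "ENCRYPTED PRIVATE KEY":
            report["key_format"] = "pkcs8-encrypted"
            report["problems"].append(
                "key is passphrase-protected; Postfix cannot prompt for it "
                "(re-run pkcs12 with -nodes)")
        elif label == "EC PRIVATE KEY":
            report["key_format"] = "ec"
        elif label == "PRIVATE KEY":
            report["key_format"] = "pkcs8"
            if RSA_OID_DER in der:
                # Generic PKCS#8 wrapper around an RSA key: the case the quoted
                # reply describes, convertible with "openssl rsa".
                report["needs_rsa_conversion"] = True
                report["fix"].append(
                    f"umask 077; openssl rsa -in {key_path} -out {key_path}.rsa")
            else:
                report["problems"].append(
                    "PKCS#8 key is not RSA; 'openssl rsa' will not convert it")
    if not report["has_cert"]:
        report["problems"].append(
            "no CERTIFICATE block; smtpd_tls_cert_file needs the cert too")
    return report


def s_client_command(host, port):
    """Pick the openssl s_client form that matches how the port does TLS.

    465 (smtps) is TLS from the first byte; 25 and 587 start in plaintext SMTP
    and upgrade with STARTTLS, so s_client has to be told to send it.
    """
    if port == 465:
        return f"openssl s_client -connect {host}:{port}"
    return f"openssl s_client -starttls smtp -connect {host}:{port}"


# Constructed fixtures (NOT real keys): structurally valid DER headers only.
def _pem(label, der):
    body = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# PrivateKeyInfo { version 0, AlgorithmIdentifier { rsaEncryption, NULL }, OCTET STRING }
FAKE_PKCS8_RSA = _pem("PRIVATE KEY",
    bytes.fromhex("3015") + bytes.fromhex("020100")
    + bytes.fromhex("300d") + RSA_OID_DER + bytes.fromhex("0500")
    + bytes.fromhex("040100"))
FAKE_PKCS1_RSA = _pem("RSA PRIVATE KEY", bytes.fromhex("3003020100"))
FAKE_CERT = _pem("CERTIFICATE", bytes.fromhex("3003020100"))

if __name__ == "__main__":
    import json
    print(json.dumps(check_bundle(FAKE_PKCS8_RSA + FAKE_CERT, "hsserver01.pem"), indent=2))
    print(s_client_command("localhost", 465))
```

Run it against a real bundle with `check_bundle(open("/etc/postfix/ssl/certkey.pem").read(), "certkey.pem")`; the `fix` list tells you whether the `openssl rsa` step from the quoted reply still applies, and the converted file should be written with `umask 077` in effect, as that reply already notes.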