Solved postfix error 'No server certs available' (postfix not using master.cf -o values)

I was following this seemingly simple solution for using multiple IPs and separate domain names to set up a mail server that was originally just serving one domain. I am using the same certificates and key files I was using for a single domain and had smtpd_tls_cert_file and smtpd_tls_key_file set correctly in main.cf. It worked perfectly. Updating master.cf following this blog post http://blog.wpkg.org/2013/07/31/postfix-and-multiple-ssl-certificates/comment-page-1/#comment-311726 to add in the second domain and IP, I ended up with neither submission working. "No certificates available, TLS not enabled" on both IP/domain addresses. I am obviously missing something, but I cannot see it and I really do not fully understand how to navigate postfix to find the issue. Please advise.

When google tries to send mail to my mail server I get this in /var/log/maillog
Code:
$tail -f /var/log/maillog
Feb 14 21:38:47 tyr postfix/smtpd[98753]: warning: No server certs available. TLS won't be enabled
Feb 14 21:38:47 tyr postfix/smtpd[98753]: connect from mail-ig0-f169.google.com[209.85.213.169]
Feb 14 21:38:47 tyr postfix/smtpd[98753]: lost connection after STARTTLS from mail-ig0-f169.google.com[209.85.213.169]

while /usr/local/etc/ssl contains
Code:
$ ls -al /usr/local/etc/ssl
-rw-r--r--   1 root  wheel    1765 Jan  8 17:52 mail.example1.com.crt
-rw-r--r--   1 root  wheel    3871 Jan  8 17:54 mail.example1.com.pem
-rw-r--r--   1 root  wheel    1679 Feb 12 12:08 wild.exmaple2.key
-rw-r--r--   1 root  wheel    4005 Feb 12 12:05 wild.example2.pem

main.cf
Code:
virtual_mailbox_domains = /usr/local/etc/postfix/vhosts
virtual_mailbox_base = /home/vmail
virtual_mailbox_maps = hash:/usr/local/etc/postfix/vmaps
virtual_minimum_uid = 5002
virtual_uid_maps = static:5002
virtual_gid_maps = static:5003

# SASL
smtpd_sasl_type = dovecot
broken_sasl_auth_clients = yes
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination
smtpd_relay_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination

# TLS parameters
smtpd_use_tls = yes
#smtp_use_tls = yes
# Allow incoming and outgoing
smtpd_tls_security_level = may
#smtp_tls_security_level = may
# requires senders to use TLS
smtpd_tls_auth_only = yes
# location of TLS certificate and key files
#smtpd_tls_cert_file = /usr/local/etc/ssl/mail.example1.com.pem
#smtpd_tls_key_file = /usr/local/etc/ssl/mail.example1.key
# Increase the logging level incoming outgoing
smtpd_tls_loglevel = 4
smtp_tls_loglevel = 4
# location of the Certificate Authority bundle for incoming and outgoing
#smtpd_tls_CAfile = /usr/local/etc/ssl/cacert.pem
#smtpd_tls_CApath = /usr/local/etc/ssl/
#smtp_tls_CAfile = $smtpd_tls_CAfile
# add TLS information to headers
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

# Amavisd
content_filter = amavisfeed:[127.0.0.1]:10024

master.cf
Code:
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
127.0.0.1:smtp      inet  n       -       n       -       -       smtpd
192.*.*.*:smtp  inet  n       -       n       -       -       smtpd
192.*.*.*:smtp  inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
# ===== Loopback submission =====
127.0.0.1:submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_tls_cert_file=/usr/local/etc/ssl/mail.example1.com.pem
  -o smtpd_tls_key_file=/usr/local/etc/ssl/mail.exampl1.key
  -o milter_macro_daemon_name=ORIGINATING
# ===== example2.com SSL =====
192.*.*.*:submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_tls_cert_file=/usr/local/etc/ssl/mail.example1.com.pem
  -o smtpd_tls_key_file=/usr/local/etc/ssl/mail.example1.key
#  -o milter_macro_daemon_name=ORIGINATING
# ===== example2.com SSL =====
192.*.*.*:submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_tls_cert_file=/usr/local/etc/ssl/wild.example2.pem
  -o smtpd_tls_key_file=/usr/local/etc/ssl/wild.example2.key
#  -o milter_macro_daemon_name=ORIGINATING
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache

amavisfeed unix - - n - 2 lmtp
        -o lmtp_data_done_timeout=1200
        -o lmtp_send_xforward_command=yes
127.0.0.1:10025 inet n - n - - smtpd
        -o content_filter=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=reject_unauth_pipelining
        -o smtpd_end_of_data_restrictions=
        -o smtpd_restriction_classes=
        -o mynetworks=127.0.0.0/8
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
        -o local_header_rewrite_clients=
        -o smtpd_milters=
        -o local_recipient_maps=
        -o relay_recipient_maps=

Postconf output

Code:
$ postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
home_mailbox = Maildir/
html_directory = /usr/local/share/doc/postfix
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = example1.com
myhostname = tyr.example1.com
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
recipient_delimiter = +
relay_domains = $mydestination, 127.0.0.1
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_tls_loglevel = 4
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination
smtpd_relay_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 4
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_gid_maps = static:5003
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = /usr/local/etc/postfix/vhosts
virtual_mailbox_maps = hash:/usr/local/etc/postfix/vmaps
virtual_minimum_uid = 5002
virtual_uid_maps = static:5002

Code:
$ postconf -P
127.0.0.1:submission/inet/milter_macro_daemon_name = ORIGINATING
127.0.0.1:submission/inet/smtpd_recipient_restrictions = permit_sasl_authenticated,reject
127.0.0.1:submission/inet/smtpd_reject_unlisted_recipient = no
127.0.0.1:submission/inet/smtpd_relay_restrictions = permit_sasl_authenticated,reject
127.0.0.1:submission/inet/smtpd_sasl_auth_enable = yes
127.0.0.1:submission/inet/smtpd_tls_cert_file = /usr/local/etc/ssl/mail.example1.com.pem
127.0.0.1:submission/inet/smtpd_tls_key_file = /usr/local/etc/ssl/mail.example1.key
127.0.0.1:submission/inet/smtpd_tls_security_level = encrypt
127.0.0.1:submission/inet/syslog_name = postfix/submission
192.*.*.*:submission/inet/smtpd_recipient_restrictions = permit_sasl_authenticated,reject
192.*.*.*:submission/inet/smtpd_reject_unlisted_recipient = no
192.*.*.*:submission/inet/smtpd_relay_restrictions = permit_sasl_authenticated,reject
192.*.*.*:submission/inet/smtpd_sasl_auth_enable = yes
192.*.*.*:submission/inet/smtpd_tls_cert_file = /usr/local/etc/ssl/mail.example1.com.pem
192.*.*.*:submission/inet/smtpd_tls_key_file = /usr/local/etc/ssl/mail.example1.key
192.*.*.*:submission/inet/smtpd_tls_security_level = encrypt
192.*.*.*:submission/inet/syslog_name = postfix/submission
192.*.*.*:submission/inet/smtpd_recipient_restrictions = permit_sasl_authenticated,reject
192.*.*.*:submission/inet/smtpd_reject_unlisted_recipient = no
192.*.*.*:submission/inet/smtpd_relay_restrictions = permit_sasl_authenticated,reject
192.*.*.*:submission/inet/smtpd_sasl_auth_enable = yes
192.*.*.*:submission/inet/smtpd_tls_cert_file = /usr/local/etc/ssl/wild.example2.pem
192.*.*.*:submission/inet/smtpd_tls_key_file = /usr/local/etc/ssl/wild.example2.key
192.*.*.*:submission/inet/smtpd_tls_security_level = encrypt
192.*.*.*:submission/inet/syslog_name = postfix/submission
amavisfeed/unix/lmtp_data_done_timeout = 1200
amavisfeed/unix/lmtp_send_xforward_command = yes
127.0.0.1:10025/inet/content_filter =
127.0.0.1:10025/inet/local_header_rewrite_clients =
127.0.0.1:10025/inet/local_recipient_maps =
127.0.0.1:10025/inet/mynetworks = 127.0.0.0/8
127.0.0.1:10025/inet/receive_override_options = no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
127.0.0.1:10025/inet/relay_recipient_maps =
127.0.0.1:10025/inet/smtpd_client_connection_count_limit = 0
127.0.0.1:10025/inet/smtpd_client_connection_rate_limit = 0
127.0.0.1:10025/inet/smtpd_client_restrictions = permit_mynetworks,reject
127.0.0.1:10025/inet/smtpd_data_restrictions = reject_unauth_pipelining
127.0.0.1:10025/inet/smtpd_delay_reject = no
127.0.0.1:10025/inet/smtpd_end_of_data_restrictions =
127.0.0.1:10025/inet/smtpd_error_sleep_time = 0
127.0.0.1:10025/inet/smtpd_hard_error_limit = 1000
127.0.0.1:10025/inet/smtpd_helo_restrictions =
127.0.0.1:10025/inet/smtpd_milters =
127.0.0.1:10025/inet/smtpd_recipient_restrictions = permit_mynetworks,reject
127.0.0.1:10025/inet/smtpd_restriction_classes =
127.0.0.1:10025/inet/smtpd_sender_restrictions =
127.0.0.1:10025/inet/smtpd_soft_error_limit = 1001
 
It looks to me as if your SMTP MTA daemons simply don't have any TLS keys configured (none in main.cf, and no -o smtpd_tls_… options on them in master.cf), and I'm not seeing any obvious sign of the problem in the thread's subject ("postfix not using master.cf -o values"). External mail inbound to your server does not use the submission (SMTP MSA) service (that is only for end users to submit messages from their clients (SMTP MUA)).

You need to add certificate configuration options for the two normal SMTP daemons:
Code:
192.249.59.83:smtp  inet  n       -       n       -       -       smtpd
192.184.82.63:smtp  inet  n       -       n       -       -       smtpd

The standard SMTP flow is as follows:

Code:
MUA (client)
|
V
MSA (submission)
|
V
MTA (transfer outbound, the default "smtp" service)
|
V
MTA* (optional intermediate MTAs)
|
V
MTA (transfer inbound, the default "smtp" service)
|
V
MDA (delivery, i.e. /var/mail, Cyrus, Dovecot, etc)
|
V
MUA (client)
 
This has everything to do with submission

Inbound mail from example@gmail.com does not use the submission service, it uses the smtp service. Is the problem with email coming in from miscellaneous Gmail users (or Google staff), or is it something else? Your syslog extract where it is complaining about a lack of certificate configuration tells me that the connection is not to the submission service.

According to your postconf -P, the certificate configuration options on submission are being recognised correctly, as you have configured them.
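As an added check (not code from the thread), here is a small Python lint that applies the rule the reply describes: each master.cf service's effective smtpd_tls_cert_file/key_file is its own -o override if present, otherwise the main.cf value, and any inet smtpd service with TLS enabled but no effective cert/key is one that will log "No server certs available". The main.cf and master.cf samples are constructed to mirror this thread's situation, with 192.0.2.10 standing in for the masked addresses.

```python
import re
# Constructed sample (not the thread's files): main.cf enables TLS but has its
# cert/key lines commented out, and only submission carries -o overrides.
MAIN_CF = """\
smtpd_tls_security_level = may
#smtpd_tls_cert_file = /usr/local/etc/ssl/mail.example1.com.pem
#smtpd_tls_key_file = /usr/local/etc/ssl/mail.example1.key
"""
MASTER_CF = """\
192.0.2.10:smtp       inet  n  -  n  -  -  smtpd
192.0.2.10:submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_cert_file=/usr/local/etc/ssl/mail.example1.com.pem
  -o smtpd_tls_key_file=/usr/local/etc/ssl/mail.example1.key
"""

def parse_main_cf(text):
    # 'key = value' per line; a '#' line is a comment, so a commented-out
    # smtpd_tls_cert_file provides no default for any service.
    pairs = (line.partition("=") for line in map(str.strip, text.splitlines())
             if line and not line.startswith("#"))
    return {key.strip(): value.strip() for key, _, value in pairs}

def parse_master_cf(text):
    # One service per non-indented line (name type private unpriv chroot wakeup
    # maxproc command); indented '-o key=value' lines override main.cf for it.
    services = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and services:
            for opt in re.findall(r"-o\s+(\S+)", line):
                key, _, value = opt.partition("=")
                services[-1]["overrides"][key] = value
            continue
        f = line.split()
        services.append({"name": f[0], "type": f[1], "command": f[7], "overrides": {}})
    return services

def find_tls_gaps(main_cf, master_cf):
    # inet smtpd services with TLS on but no effective cert/key: each logs the warning.
    defaults, gaps = parse_main_cf(main_cf), []
    for svc in parse_master_cf(master_cf):
        if svc["type"] != "inet" or svc["command"] != "smtpd":
            continue
        eff = lambda p: svc["overrides"].get(p, defaults.get(p, ""))
        if eff("smtpd_tls_security_level") not in ("", "none") and not (
                eff("smtpd_tls_cert_file") and eff("smtpd_tls_key_file")):
            gaps.append(svc["name"])
    return gaps
```

Running find_tls_gaps on the sample reports only the smtp service, which is the one Google's inbound connection hits; restoring the cert/key lines in main.cf (or adding -o overrides to the smtp entries) empties the list.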
 
Yes, I see now what is happening. It just wasn't clear to me until you pointed out the obvious. This explains why removing the lines in main.cf breaks smtpd for inbound mail.

I was under the assumption, wrongly, that smtpd_tls... had nothing to do with smtp service.
 