Knowledge Base

Unable to send mail from Plesk server using STARTTLS authentication: 4.7.0 TLS not available due to local problem

 
emailmailplesk for linuxplesk serverpostfix

Symptoms

  • Unable to send an email using the STARTTLS authentication:

    454 4.7.0 TLS not available due to local problem

  • The following error can be found in the /var/log/maillog file:

    postfix/smtpd[26508]: warning: cannot get RSA certificate from file /etc/postfix/postfix_default.pem: disabling TLS support
     postfix/smtpd[26508]: warning: TLS library problem: 26508:error:02001002:system library:fopen:No such file or directory:bss_file.c:355:fopen('/etc/postfix/postfix_default.pem','r'): 
     postfix/smtpd[26508]: warning: TLS library problem: 26508:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:357: 
     postfix/smtpd[26508]: warning: TLS library problem: 26508:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:ssl_rsa.c:722:

Cause

TLS misconfiguration in Postfix:

  • The postfix_default.pem certificate file does not contain the valid SSL certificate or it is broken.

  • The path to the certificate is incorrect in the /etc/postfix/main.cf file.

  • TLS configuration parameters are missing in the /etc/postfix/main.cf file.

Resolution

via Plesk

  1. Log in to Plesk.

  2. Go to Tools & Settings > SSL/TLS Certificates.

  3. Click the Change link opposite the Certificate for securing mail option:
    cert.png

  4. Specify the correct certificate in the Select Certificate drop-down menu.

  5. Press the OK button to apply changes.

  6. If the issue still persists, compare the current configuration with the steps from the “via SSH” section and fix the configuration if it is required.

via SSH

  1. Connect to the server via SSH.

  2. Create the /etc/postfix/tls directory, set correct ownership, group, permissions and create a certificate file:

    # mkdir /etc/postfix/tls
    # chown root:postfix /etc/postfix/tls
    # chmod u=rwx,go= /etc/postfix/tls
    # cd /etc/postfix/tls
    # openssl req -new -x509 -nodes -out smtpd.pem -keyout smtpd.pem -days 3650

  3. Change /etc/postfix/main.cf accordingly:

    smtpd_tls_CAfile = /etc/postfix/tls/smtpd.pem
     smtpd_tls_cert_file = /etc/postfix/tls/smtpd.pem
     smtpd_tls_key_file = /etc/postfix/tls/smtpd.pem
     smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
     smtpd_tls_security_level = may
     smtpd_use_tls = yes
     smtp_tls_security_level = may
     smtp_tls_CAfile = /etc/postfix/tls/smtpd.pem
     smtp_tls_cert_file = /etc/postfix/tls/smtpd.pem
     smtp_tls_key_file = /etc/postfix/tls/smtpd.pem
     smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
     smtp_use_tls = yes
     smtpd_tls_received_header = yes
     smtpd_tls_ask_ccert = yes
     smtpd_tls_loglevel = 1
     tls_random_source = dev:/dev/urandom

  4. If the smtpd_sasl_auth_enable = yes option is set in the /etc/postfix/main.cf file, make sure that the saslauthd service is started:

    # service saslauthd status

  5. Reload Postfix configuration:

    # service postfix restart

Read the full article
Related Posts
Knowledge Base

Industry
Partners

industry-partner_ALIBABA
industry-partner_GOOGLEPARTNER
industry-partner_MICROSOFT
industry-partner_REDHAT-r2
industry-partner_ALIBABA
industry-partner_AUTOMATTIC
industry-partner_AWS
industry-partner_DIGITALOCEAN
industry-partner_SCALEWAY

Follow us:

Facebook Twitter Linkedin Youtube Github

© 2021 Plesk International GmbH. All rights reserved. Plesk and the Plesk logo are trademarks of Plesk International GmbH.

Managed with 💙  with Plesk WordPress Toolkit

Search
Generic filters
Exact matches only
Search in title
Search in content
Search in excerpt