Postfix "warning: cannot get RSA private key from file"
Solution 1:
The content of main.cf
does not necessarily represent your active Postfix configuration. Check the output of postconf -n
for the following two parameters:
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
If $mynetworks
is restricted to localhost and $smtpd_recipient_restrictions
shows permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
as the first three restrictions, then you are not an open relay.
Verify that /etc/ssl/private/postfix.pem
contains a valid key and /etc/ssl/certs/postfix.pem
contains a valid certificate:
openssl rsa -in /etc/ssl/private/postfix.pem -check -noout
openssl x509 -in /etc/ssl/certs/postfix.pem -text -noout
You also need to check if Postfix can access the file. On my server, the permissions on /etc/ssl/private
are
drwx--x--- 2 root ssl-cert 4096 Aug 03 01:55 private/
Thus simply chown
ing the key file won't do you any good, because the directory permissions prevent Postfix from accessing any file in it.
Try simplifying your setup. Put certificate and key into a single file:
cat /etc/ssl/*/postfix.pem > /etc/postfix/server.pem
chmod 640 /etc/postfix/server.pem
chown postfix:postfix /etc/postfix/server.pem
and change your main.cf
like this:
smtpd_tls_cert_file = /etc/postfix/server.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
Restart Postfix and see if the server can access the key.
Solution 2:
Those instructions have chmod o= /etc/ssl/private/postfix.pem
but say nothing about which user owns the file.
On my boxes, the smtpd
process runs as the postfix
user. Check that the postfix
user can access /etc/ssl/private/postfix.pem
. Or possibly just chown postfix:postfix /etc/ssl/private/postfix.pem
.
The other obvious problem is exactly what the error message says: There isn't a valid RSA key in that file. Have a look in /etc/ssl/private/postfix.pem
and make sure it contains at least something that looks like an RSA key. Don't paste it into your question.
Actually, I just noticed that the error message is for /etc/ssl/certs/postfix.pem
, not /etc/ssl/private/postfix.pem
. Check the ownership, permissions and content of /etc/ssl/certs/postfix.pem
as well.
That error message is a little confusing. It says cannot get RSA private key from file /etc/ssl/certs/postfix.pem
but the private key should be in /etc/ssl/private/postfix.pem
. I don't have enough experience with Postfix using TLS to know whether this is a bug Postfix or a mistake in your config.