Postfix "warning: cannot get RSA private key from file"

Solution 1:

The content of main.cf does not necessarily represent your active Postfix configuration. Check the output of postconf -n for the following two parameters:

smtpd_recipient_restrictions = 
  permit_mynetworks, 
  permit_sasl_authenticated, 
  reject_unauth_destination
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

If $mynetworks is restricted to localhost and $smtpd_recipient_restrictions shows permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination as the first three restrictions, then you are not an open relay.

Verify that /etc/ssl/private/postfix.pem contains a valid key and /etc/ssl/certs/postfix.pem contains a valid certificate:

openssl rsa -in /etc/ssl/private/postfix.pem -check -noout
openssl x509 -in /etc/ssl/certs/postfix.pem -text -noout

You also need to check if Postfix can access the file. On my server, the permissions on /etc/ssl/private are

drwx--x---  2 root ssl-cert  4096 Aug 03 01:55 private/

Thus simply chowning the key file won't do you any good, because the directory permissions prevent Postfix from accessing any file in it.

Try simplifying your setup. Put certificate and key into a single file:

# umask keeps the new key file from being world-readable before chmod runs
(umask 077; cat /etc/ssl/*/postfix.pem > /etc/postfix/server.pem)
chmod 640 /etc/postfix/server.pem
chown postfix:postfix /etc/postfix/server.pem

and change your main.cf like this:

smtpd_tls_cert_file = /etc/postfix/server.pem
smtpd_tls_key_file = $smtpd_tls_cert_file

Restart Postfix and see if the server can access the key.
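
The directory-permission point in the answer above can be checked mechanically. The script below is an added example, not part of the original answer or of Postfix: it walks from a file up through its parent directories and reports the highest component whose mode bits stop a given uid and gid list. The function names `allowed` and `first_blocker`, the constructed temporary tree and the made-up uid are assumptions for illustration.

```shell
#!/bin/sh
# Mode-bit check only (no ACLs, SELinux or AppArmor). Needs stat -c (GNU/BusyBox).
# Function names are hypothetical, not part of Postfix or OpenSSL.

# allowed UID "GID ..." PATH BIT: succeed if PATH's owner/group/other bits
# grant BIT (4 = read, 1 = search) to that identity.
allowed() {
    a_uid=$1; a_gids=$2; a_bit=$4
    [ "$a_uid" -eq 0 ] && return 0            # root is not bound by mode bits
    a_stat=$(stat -c '%u %g %a' "$3") || return 2
    set -- $a_stat                            # $1 owner, $2 group, $3 octal mode
    a_mode=$((0$3 & 0777))
    if [ "$a_uid" -eq "$1" ]; then
        a_class=$(($a_mode >> 6))
    else
        a_class=$(($a_mode & 7))              # "other" unless a gid matches
        for a_g in $a_gids; do
            [ "$a_g" -eq "$2" ] && a_class=$(($a_mode >> 3 & 7))
        done
    fi
    [ $(($a_class & $a_bit)) -ne 0 ]
}

# first_blocker UID "GID ..." FILE [TOP]: print the highest component between
# TOP (default /) and FILE that the identity cannot pass; succeed if none.
first_blocker() {
    f_uid=$1; f_gids=$2; f_top=${4:-/}; f_hit=
    allowed "$f_uid" "$f_gids" "$3" 4 || f_hit=$3
    f_dir=$(dirname "$3")
    while :; do
        allowed "$f_uid" "$f_gids" "$f_dir" 1 || f_hit=$f_dir
        case $f_dir in "$f_top"|/|.) break ;; esac
        f_dir=$(dirname "$f_dir")
    done
    [ -z "$f_hit" ] || { printf '%s\n' "$f_hit"; return 1; }
}

# Constructed sample tree: a 0710 directory like the "private/" listing above.
t=$(mktemp -d) && mkdir "$t/private" && : > "$t/private/postfix.pem"
chmod 755 "$t"; chmod 710 "$t/private"; chmod 640 "$t/private/postfix.pem"
set -- $(stat -c '%u %g' "$t/private")
u=$(($1 + 1)); g=$2; ng=$(($2 + 1))           # made-up non-owner identity
echo "outside group: blocked at $(first_blocker "$u" "$ng" "$t/private/postfix.pem" "$t")"
first_blocker "$u" "$g" "$t/private/postfix.pem" "$t" && echo "in group: readable"
rm -rf "$t"
```

On a real system, pass the output of `id -u` and `id -G` for the account in question and omit the fourth argument so the walk goes all the way to `/`.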

Solution 2:

Those instructions have chmod o= /etc/ssl/private/postfix.pem but say nothing about which user owns the file.

On my boxes, the smtpd process runs as the postfix user. Check that the postfix user can access /etc/ssl/private/postfix.pem. Or possibly just chown postfix:postfix /etc/ssl/private/postfix.pem.

The other obvious problem is exactly what the error message says: There isn't a valid RSA key in that file. Have a look in /etc/ssl/private/postfix.pem and make sure it contains at least something that looks like an RSA key. Don't paste it into your question.

Actually, I just noticed that the error message is for /etc/ssl/certs/postfix.pem, not /etc/ssl/private/postfix.pem. Check the ownership, permissions and content of /etc/ssl/certs/postfix.pem as well.

That error message is a little confusing. It says cannot get RSA private key from file /etc/ssl/certs/postfix.pem but the private key should be in /etc/ssl/private/postfix.pem. I don't have enough experience with Postfix using TLS to know whether this is a bug in Postfix or a mistake in your config.