
Remove default config for smtpd_tls_cert_file and smtpd_tls_key_file to avoid warning message in logs

Open: guipe opened this issue 3 years ago • 1 comment

When TLS is not used, if we leave the default configuration:

smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

These warning messages appear in /var/log/maillog:

Jul 29 14:24:01 postfix/smtpd[24123]: warning: cannot get RSA certificate from file "/etc/ssl/certs/ssl-cert-snakeoil.pem": disabling TLS support
Jul 29 14:24:01 postfix/smtpd[24123]: warning: TLS library problem: error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:288:fopen('/etc/ssl/certs/ssl-cert-snakeoil.pem','r'):
Jul 29 14:24:01 postfix/smtpd[24123]: warning: TLS library problem: error:20074002:BIO routines:file_ctrl:system lib:../crypto/bio/bss_file.c:290:
Jul 29 14:24:01 postfix/smtpd[24123]: warning: TLS library problem: error:140DC002:SSL routines:use_certificate_chain_file:system lib:../ssl/ssl_rsa.c:596:

As these files are removed by the Dockerfile command, we must remove them from the main.cf default configuration.

guipe, Jul 29 '22 12:07

As a note, I too was trying to run with USE_TLS=no and was additionally having some issues with clients connecting and running into the default values in main.cf for these two: smtpd_tls_security_level=may and smtp_tls_security_level=may.

Setting them both to none solved the problem for me as found from here.

The provided params to use to tweak these settings (TLS_SECURITY_LEVEL && CLIENT_TLS_SECURITY_LEVEL) were not being consumed or set because of the overriding USE_TLS=no.

I am able to get around it in a few different ways: another set of seds in the Dockerfile, an else condition on the USE_TLS if block for when it's no, or some other option I didn't think of. I figured I'd call this out for anyone else who was trying to fully disable TLS and still running into problems even after using the above fix.

mastamark, Apr 25 '23 19:04
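An added example, not the project's own entrypoint, of the "else branch" both comments describe: when USE_TLS is no it sets both security levels to none and drops the snakeoil cert/key lines from main.cf, and a check function reports any leftover setting that would still make smtpd load a certificate or offer STARTTLS. The function names and the sample main.cf are constructed for this example; it edits with sed instead of postconf so it runs without Postfix installed.

```shell
#!/bin/sh
# Added example: fully disable TLS in a Postfix main.cf as the thread describes.
# sed is used instead of `postconf -e` so this runs without Postfix installed.

# disable_tls FILE
#  - sets smtpd_tls_security_level and smtp_tls_security_level to none
#  - removes smtpd_tls_cert_file / smtpd_tls_key_file so smtpd never tries
#    to open the missing snakeoil files (the warnings quoted in the issue)
disable_tls() {
    f="$1"
    tmp="$f.tmp"
    sed \
        -e 's/^smtpd_tls_security_level *=.*/smtpd_tls_security_level = none/' \
        -e 's/^smtp_tls_security_level *=.*/smtp_tls_security_level = none/' \
        -e '/^smtpd_tls_cert_file *=/d' \
        -e '/^smtpd_tls_key_file *=/d' \
        "$f" > "$tmp" && mv "$tmp" "$f"
}

# tls_leftovers FILE
# Prints every line that would still enable TLS on either side and returns 1
# if any is found; returns 0 when main.cf is clean.
tls_leftovers() {
    grep -E '^(smtpd|smtp)_tls_security_level *= *(may|encrypt)|^smtpd_tls_(cert|key)_file *=' "$1" \
        && return 1
    return 0
}

# apply_use_tls FILE USE_TLS
# The else branch: only USE_TLS=no (or an equivalent) rewrites the file;
# any other value leaves the TLS_* variables to manage the settings.
apply_use_tls() {
    case "$2" in
        no|NO|false|0) disable_tls "$1" ;;
        *) ;;
    esac
}

# write_sample_main_cf FILE: constructed main.cf with the defaults from the issue.
write_sample_main_cf() {
    cat > "$1" <<'EOF'
myhostname = mail.example.test
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level=may
smtp_tls_security_level=may
mynetworks = 127.0.0.0/8
EOF
}
```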