Postfix "warning: cannot get RSA private key from file"
The content of main.cf does not necessarily represent your active Postfix configuration. Check the output of postconf -n for the following two parameters:
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
If $mynetworks is restricted to localhost and smtpd_recipient_restrictions has permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination as the first three restrictions, then you are not an open relay.
Check that /etc/ssl/private/postfix.pem contains a valid key and /etc/ssl/certs/postfix.pem contains a valid certificate:
    openssl rsa -in /etc/ssl/private/postfix.pem -check -noout
    openssl x509 -in /etc/ssl/certs/postfix.pem -text -noout
You also need to check if Postfix can access the file. On my server, the permissions on
drwx--x--- 2 root ssl-cert 4096 Aug 03 01:55 private/
Chowning the key file won't do you any good, because the directory permissions prevent Postfix from accessing any file in it.
Try simplifying your setup. Put certificate and key into a single file:
    cat /etc/ssl/*/postfix.pem > /etc/postfix/server.pem
    chmod 640 /etc/postfix/server.pem
    chown postfix:postfix /etc/postfix/server.pem
and change your main.cf like this:
    smtpd_tls_cert_file = /etc/postfix/server.pem
    smtpd_tls_key_file = $smtpd_tls_cert_file
Restart Postfix and see if the server can access the key.
Those instructions have chmod o= /etc/ssl/private/postfix.pem but say nothing about which user owns the file.
On my boxes, the smtpd process runs as the postfix user. Check that the postfix user can access /etc/ssl/private/postfix.pem. Or possibly just chown postfix:postfix /etc/ssl/private/postfix.pem.
The other obvious problem is exactly what the error message says: there isn't a valid RSA key in that file. Have a look in /etc/ssl/private/postfix.pem and make sure it contains at least something that looks like an RSA key. Don't paste it into your question.
Actually, I just noticed that the error message is for /etc/ssl/private/postfix.pem. Check the ownership, permissions and content of /etc/ssl/certs/postfix.pem as well.
That error message is a little confusing. It says "cannot get RSA private key from file /etc/ssl/certs/postfix.pem" but the private key should be in /etc/ssl/private/postfix.pem. I don't have enough experience with Postfix using TLS to know whether this is a bug in Postfix or a mistake in your config.
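The permission reasoning in the answers above (a key file owned by postfix is still unreachable behind a drwx--x--- root ssl-cert directory, and the postfix user must be able to read the key) can be checked mechanically. This is an added shell example, not part of the original answers; the function names perm_ok and first_blocker are hypothetical, and it assumes GNU stat and classic mode bits only.

```shell
#!/bin/sh
# Added example, not from the answers. ACLs, SELinux/AppArmor and chroot
# are not considered; only the classic owner/group/other mode bits.

# perm_ok MODE OWNER GROUP USER "USER_GROUPS" WANT
#   MODE is an ls -l style string such as drwx--x---
#   WANT is r (read a file) or x (search a directory)
perm_ok() {
    po_mode=$1; po_owner=$2; po_group=$3; po_user=$4; po_groups=$5
    [ "$po_user" = root ] && return 0      # root bypasses the mode bits
    # Exactly one triplet applies: owner first, then group, then other.
    if [ "$po_user" = "$po_owner" ]; then
        po_bits=$(printf '%s' "$po_mode" | cut -c2-4)
    elif printf ' %s ' "$po_groups" | grep -qF -- " $po_group "; then
        po_bits=$(printf '%s' "$po_mode" | cut -c5-7)
    else
        po_bits=$(printf '%s' "$po_mode" | cut -c8-10)
    fi
    case "$6$po_bits" in
        rr??|x??[xst]) return 0 ;;         # s/t mean x plus a special bit
    esac
    return 1
}

# first_blocker USER /abs/path: print the first component USER cannot
# search (directories) or read (final file); print nothing if all pass.
# Run as root so every component can be stat'ed. Assumes GNU stat.
first_blocker() {
    fb_user=$1; fb_rest=${2#/}; fb_cur=
    fb_groups=$(id -Gn "$fb_user") || return 2
    while [ -n "$fb_rest" ]; do
        fb_cur="$fb_cur/${fb_rest%%/*}"
        case $fb_rest in
            */*) fb_rest=${fb_rest#*/}; fb_want=x ;;
            *)   fb_rest=;              fb_want=r ;;
        esac
        fb_stat=$(stat -L -c '%A %U %G' "$fb_cur") || return 2
        set -- $fb_stat
        if ! perm_ok "$1" "$2" "$3" "$fb_user" "$fb_groups" "$fb_want"; then
            printf '%s\n' "$fb_cur"; return 1
        fi
    done
}

# Usage (as root): sh check.sh postfix /etc/ssl/private/postfix.pem
if [ "$#" -eq 2 ]; then first_blocker "$1" "$2"; fi
```

With the directory listing quoted above, first_blocker would print /etc/ssl/private for a postfix user that is not in the ssl-cert group, regardless of who owns the key file itself.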