Error (MTA): Unable to set STARTTLS

From Zimbra :: Wiki

This is certified documentation and is protected for editing by Zimbra Employees & Moderators only.


This article applies to the following ZCS versions.
  ZCS 5.0


Introduction

The Postfix MTA will fail to relay mail if it cannot successfully connect to the backend LDAP server. In ZCS version 5.0, TLS communication between the MTA and LDAP is enabled, which requires proper configuration of the TLS/SSL subsystem. A problem will be indicated in /opt/zimbra/log/zimbra.log:

Jan 15 11:12:37 server postfix/trivial-rewrite[20653]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
Jan 15 11:12:37 server postfix/trivial-rewrite[20654]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error
Jan 15 11:12:37 server last message repeated 2 times

Impact

If the TLS/SSL subsystem is not properly configured, the Postfix MTA will fail to relay mail in and out of the server.

Possible Cause

  • The CA chain can be appended in reverse order, creating an invalid certificate. See this article.
  • Expired CA certs. See this article.
  • Too many files in /opt/zimbra/conf/ca. If Postfix detects files or directories that do not belong in the ca directory, it will fail to negotiate TLS.

Make sure /opt/zimbra/conf/ca looks similar to this:

[zimbra@server conf]$ ls -la /opt/zimbra/conf/ca
total 16
drwxr-xr-x  2 zimbra zimbra 4096 Jan 10 04:14 .
drwxrwxr-x  7 zimbra zimbra 4096 Jan 12 11:16 ..
lrwxrwxrwx  1 root   root      6 Jan 10 04:14 67504c4f.0 -> ca.pem
-rw-r--r--  1 zimbra zimbra  887 Jan 10 04:14 ca.key
-rw-r--r--  1 zimbra zimbra  785 Jan 10 04:14 ca.pem
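
A check for the "too many files" cause, as an added example that is not part of the original Zimbra article: it reports anything in the ca directory other than ca.pem, ca.key and hash-named symlinks that resolve to a regular file. The function name audit_ca_dir and the single-digit hash suffix are assumptions based on the listing above.

```shell
#!/bin/sh
# Added example (not Zimbra's own tooling). Allowed entries, modelled on the
# listing above: ca.pem, ca.key, and <8 hex digits>.<digit> symlinks.
# Findings go to stderr; the issue count is the only line on stdout.
# Usage: audit_ca_dir /opt/zimbra/conf/ca

audit_ca_dir() {
    dir=${1:-/opt/zimbra/conf/ca}
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    issues=0
    # Second glob picks up hidden entries such as editor swap files.
    for path in "$dir"/* "$dir"/.[!.]*; do
        # Skip unmatched glob patterns, but keep dangling symlinks.
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=${path##*/}
        case "$name" in
            ca.pem|ca.key)
                if [ -L "$path" ] || [ ! -f "$path" ]; then
                    echo "UNEXPECTED TYPE: $name is not a regular file" >&2
                    issues=$((issues + 1))
                fi ;;
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9])
                if [ ! -L "$path" ]; then
                    echo "HASH NAME BUT NOT A SYMLINK: $name" >&2
                    issues=$((issues + 1))
                elif [ ! -f "$path" ]; then
                    # -f follows the link, so this catches missing targets.
                    echo "DANGLING HASH LINK: $name" >&2
                    issues=$((issues + 1))
                fi ;;
            *)
                echo "STRAY ENTRY: $name" >&2
                issues=$((issues + 1)) ;;
        esac
    done
    echo "$issues"
    [ "$issues" -eq 0 ]
}

# Run the audit only when a directory is passed on the command line.
if [ "$#" -gt 0 ]; then
    audit_ca_dir "$1"
fi
```

The function exits non-zero when it finds anything unexpected, so it can gate an MTA restart in a maintenance script.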

Related Articles

  • Problem with Certificate can cause MTA Failure
  • SSL Certificate Problems



Keywords: mta, postfix, fatal, ldap

Verified Against: Zimbra Collaboration Suite 5.0.0
Date Created: 1/15/2008
Date Modified: 04/15/2010
Article ID: http://wiki.zimbra.com/index.php?title=Error_(MTA):_Unable_to_set_STARTTLS