Error (MTA): Unable to set STARTTLS
Latest revision as of 23:43, 10 July 2015
Unable to set STARTTLS
Introduction
The Postfix MTA will fail to relay mail if it cannot successfully connect to the backend LDAP server. In ZCS version 5.0, TLS communication between the MTA and LDAP is enabled, which requires proper configuration of the TLS/SSL subsystem. A failure shows up in /opt/zimbra/log/zimbra.log as follows:

Jan 15 11:12:37 server postfix/trivial-rewrite[20653]: fatal: ldap:/opt/zimbra/conf/ldap-vad.cf(0,lock|fold_fix): table lookup problem
Jan 15 11:12:37 server postfix/trivial-rewrite[20654]: error: dict_ldap_connect: Unable to set STARTTLS: -11: Connect error
Jan 15 11:12:37 server last message repeated 2 times
Impact
If the TLS/SSL subsystem is not properly configured, the Postfix MTA will fail to relay mail in and out of the server.
Possible Cause
- The CA chain may have been appended in reverse order, producing an invalid certificate. See this article.
- Expired CA certificates. See this article.
- Too many files in /opt/zimbra/conf/ca. If Postfix detects files or directories that do not belong in the ca directory, it will fail to negotiate TLS.
Make sure /opt/zimbra/conf/ca looks similar to this:

[zimbra@server conf]$ ls -la /opt/zimbra/conf/ca
total 16
drwxr-xr-x 2 zimbra zimbra 4096 Jan 10 04:14 .
drwxrwxr-x 7 zimbra zimbra 4096 Jan 12 11:16 ..
lrwxrwxrwx 1 root   root      6 Jan 10 04:14 67504c4f.0 -> ca.pem
-rw-r--r-- 1 zimbra zimbra  887 Jan 10 04:14 ca.key
-rw-r--r-- 1 zimbra zimbra  785 Jan 10 04:14 ca.pem
Related Articles
- Problem with Certificate can cause MTA Failure
- SSL Certificate Problems
Keywords: mta, postfix, fatal, ldap