Postfix TLS Error: Fixing “cannot get RSA private key from file” and Configuring SMTPS Properly

When configuring Postfix with Dovecot and MySQL backend, many administrators encounter the critical TLS error:

warning: cannot get RSA private key from file /etc/ssl/certs/postfix.pem: disabling TLS support
warning: TLS library problem: error:0906D06C:PEM routines:PEM_read_bio:no start line

This occurs specifically during SMTPS (port 465) connections while IMAPS/POP3S might work fine. The second warning is OpenSSL reporting that it found no "-----BEGIN ...-----" PEM block of the type it was asked for in the file, so the root cause typically lies in certificate file permissions, formatting, or configuration mismatches (for example, key and certificate paths swapped).

First, verify your certificate and key files using OpenSSL:

# Check certificate
openssl x509 -in /etc/ssl/certs/postfix.pem -text -noout

# Verify private key
openssl rsa -in /etc/ssl/private/postfix.pem -check

# Test key/cert match
openssl x509 -noout -modulus -in /etc/ssl/certs/postfix.pem | openssl md5
openssl rsa -noout -modulus -in /etc/ssl/private/postfix.pem | openssl md5

The MD5 hashes must match. If they don't, regenerate your certificate.

The correct way to generate Postfix certificates:

openssl req -new -x509 -days 3650 -nodes -out /etc/ssl/certs/postfix.pem \
  -keyout /etc/ssl/private/postfix.pem -subj "/CN=$(hostname -f)"
chmod 600 /etc/ssl/private/postfix.pem
chown postfix:postfix /etc/ssl/private/postfix.pem
chown postfix:postfix /etc/ssl/certs/postfix.pem

Ensure these settings in /etc/postfix/main.cf:

smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem
smtpd_tls_key_file = /etc/ssl/private/postfix.pem
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1

# For SMTPS (port 465): do not set this globally. smtpd_tls_wrappermode applies to
# every smtpd service, so enabling it in main.cf would also put port 25 into
# wrapper mode and break STARTTLS there. Set it only on the smtps service in
# master.cf (see below).
# smtpd_tls_wrappermode = yes

And in /etc/postfix/master.cf:

smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

Postfix runs chrooted in some distributions. Verify permissions with:

namei -l /etc/ssl/private/postfix.pem
namei -l /etc/ssl/certs/postfix.pem

All parent directories must have execute (x) permission for Postfix to access the files.
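The file-content and permission checks above, gathered into one triage script. This is an added example rather than code from the article or from Postfix: it classifies the PEM labels found in the two files the way OpenSSL's PEM reader does (a key file that holds only a certificate, or no PEM block at all, is exactly what produces "no start line") and applies the chmod 600 rule to the key; the article's paths and the sample PEM bodies are constructed placeholders.

```python
import os
import re
import stat

# PEM objects are framed by "-----BEGIN <label>-----" lines; OpenSSL's PEM reader skips
# blocks with other labels, so a key file holding only a certificate ends in "no start line".
_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----[ \t\r]*$", re.MULTILINE)

def pem_labels(text):
    """Ordered list of PEM block labels in text, e.g. ['CERTIFICATE']."""
    return _BEGIN.findall(text)

def diagnose(cert_pem, key_pem):
    """Map the contents of smtpd_tls_cert_file / smtpd_tls_key_file to the likely
    cause of the warning. Returns 'ok' or a one-line finding."""
    cert_labels, key_labels = pem_labels(cert_pem), pem_labels(key_pem)
    cert_ok = "CERTIFICATE" in cert_labels
    key_ok = any(l.endswith("PRIVATE KEY") for l in key_labels)
    if "ENCRYPTED PRIVATE KEY" in key_labels or "Proc-Type: 4,ENCRYPTED" in key_pem:
        return "key: pass-phrase protected; Postfix needs an unencrypted key (openssl req -nodes)"
    if cert_ok and key_ok:
        return "ok"
    if "CERTIFICATE" in key_labels and any(l.endswith("PRIVATE KEY") for l in cert_labels):
        return "swapped: key file holds the certificate and the cert file holds the key"
    if not key_labels:
        return "key: no PEM header at all (empty, DER-encoded or truncated file)"
    if not cert_labels:
        return "cert: no PEM header at all (empty, DER-encoded or truncated file)"
    bad, labels = ("key", key_labels) if not key_ok else ("cert", cert_labels)
    return f"{bad}: PEM present but wrong block type(s): {labels}"

def mode_findings(path, mode):
    """Findings for a private key with st_mode bits `mode`; an empty list means the
    file follows the chmod 600 rule. Pure function so it can be checked offline."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path}: mode {stat.S_IMODE(mode):04o} is group/world accessible, want 0600"]
    return []

# Constructed sample PEM text (fake bodies, not real key material) for a self-test.
CERT = "-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN PRIVATE KEY-----\nMIIEconstructed\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(diagnose(CERT, KEY))   # ok
    print(diagnose(KEY, CERT))   # swapped: ...
    key_path = "/etc/ssl/private/postfix.pem"  # path used in the article
    if os.path.exists(key_path):
        print(mode_findings(key_path, os.stat(key_path).st_mode) or [f"{key_path}: mode ok"])
```

On a live system, run it as root after editing the two paths if yours differ; a "swapped" or "wrong block type" finding means the files, not the Postfix settings, need fixing.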

After changes, test with:

postfix check
postfix reload
# Port 465 is implicit TLS (wrapper mode): connect without -starttls.
# Use "-starttls smtp" only against a STARTTLS port such as 25 or 587.
openssl s_client -connect localhost:465

You should see the certificate details and SMTP negotiation.

Some administrators prefer combining certificate and key:

cat /etc/ssl/private/postfix.pem /etc/ssl/certs/postfix.pem > /etc/ssl/postfix-combined.pem
chmod 600 /etc/ssl/postfix-combined.pem

Then configure:

smtpd_tls_cert_file = /etc/ssl/postfix-combined.pem
smtpd_tls_key_file = $smtpd_tls_cert_file

This often resolves permission-related access issues.

Monitor logs in real-time during testing:

tail -f /var/log/mail.log | grep -E 'postfix/smtpd|TLS'

Look for successful TLS handshake messages indicating proper configuration.


When configuring Postfix with TLS encryption, the error "warning: cannot get RSA private key from file" typically indicates one of the following:

  • Incorrect file permissions
  • Malformed certificate/key files
  • Configuration pointing to wrong paths

First, verify your certificate and key files are properly formatted:

# Check certificate
openssl x509 -in /etc/ssl/certs/postfix.pem -text -noout

# Verify private key
openssl rsa -in /etc/ssl/private/postfix.pem -check

The most common solution involves setting proper permissions:

chmod 600 /etc/ssl/private/postfix.pem
chown postfix:postfix /etc/ssl/private/postfix.pem
chmod 644 /etc/ssl/certs/postfix.pem

Ensure your main.cf contains these critical settings:

smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem
smtpd_tls_key_file = /etc/ssl/private/postfix.pem
smtpd_use_tls = yes
smtpd_tls_security_level = may

Check your configuration with:

postconf -n | grep tls
postfix check
postfix reload

If issues persist, regenerate certificates with this improved method:

openssl req -new -x509 -days 3650 -nodes -out /etc/ssl/certs/postfix.pem \
  -keyout /etc/ssl/private/postfix.pem \
  -subj "/CN=$(hostname -f)"

Verify SMTP TLS is working with:

# Port 465 is implicit TLS (wrapper mode), so no -starttls option is used here.
openssl s_client -connect localhost:465

Your master.cf should include:

smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

Further points to rule out:

  • Ensure no typos in configuration paths
  • Verify certificate and key file contents aren't swapped
  • Check for SELinux/AppArmor restrictions

Before testing again, confirm that:

  1. Files exist in specified locations
  2. Proper permissions are set
  3. Postfix configuration is correct
  4. Services are reloaded after changes