
I'm trying to set up a mail server with Postfix (3.3.0) with virtual domains, queried against an Amazon RDS MySQL (8.0.11) instance, with SSL between the mail server and the RDS instance.

I'm just at the very beginning of setting this up, so I haven't turned on any advanced services; I just got Postfix and Dovecot up and running, and tried to send a mail via telnet from local to the mail server. This fails (which is fine, that's the point of testing), but I'm having trouble pinpointing the origin of the failure. In particular, postfix doesn't want to work, but postmap seems to work fine!

The core error returned when done via postfix seems to be "SSL_CTX_set_default_verify_paths". Looking around here, I can only find two really relevant questions, one of which was answered by a simple typo in the config file; the other of which seemed to have to do with postfix read permissions on the CA file. I don't have (at least that particular) typo, and I'm pretty sure it's not a file permission problem, but maybe I'm wrong.

Here's what the failure from postfix looks like:

$telnet localhost 25
EHLO <my.working.mailserver>
MAIL FROM: <me@example.com>
RCPT TO: postmaster@localhost

And here's what the mail log says:

Nov  2 11:09:31 ip-172-31-7-179 postfix/smtpd[11883]: connect from localhost[127.0.0.1]
Nov  2 11:09:45 ip-172-31-7-179 postfix/trivial-rewrite[11879]: warning: connect to mysql server <my.rds.endpoint>:<myport>: SSL connection error: SSL_CTX_set_default_verify_paths failed
Nov  2 11:09:45 ip-172-31-7-179 postfix/trivial-rewrite[11879]: warning: virtual_alias_domains: mysql:/etc/postfix/mysql_alias.cf: table lookup problem
Nov  2 11:09:45 ip-172-31-7-179 postfix/trivial-rewrite[11879]: warning: virtual_alias_domains lookup failure
Nov  2 11:09:58 ip-172-31-7-179 postfix/trivial-rewrite[11879]: warning: virtual_alias_domains: mysql:/etc/postfix/mysql_alias.cf: table lookup problem
Nov  2 11:09:58 ip-172-31-7-179 postfix/trivial-rewrite[11879]: warning: virtual_alias_domains lookup failure
Nov  2 11:09:58 ip-172-31-7-179 postfix/smtpd[11883]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 451 4.3.0 <postmaster@localhost>: Temporary lookup failure; from=<me@example.com> to=<postmaster@localhost> proto=ESMTP helo=<my.working.mailserver>

BUT, if I try to look up postmaster@localhost with postmap, it seems to work just fine:

$sudo -upostfix postmap -q postmaster@localhost mysql:/etc/postfix/mysql_alias.cf  
root@localhost

and with some verbosity:

$sudo -upostfix postmap -v -q postmaster@localhost mysql:/etc/postfix/mysql_alias.cf
postmap: name_mask: all
postmap: inet_addr_local: configured 2 IPv4 addresses
postmap: inet_addr_local: configured 2 IPv6 addresses
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: user = postfix
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: password = <password>
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: dbname = <db_name>
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: result_format = %s
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: option_file = <NULL>
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: option_group = client
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: tls_key_file = <NULL>
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: tls_cert_file = <NULL>
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: tls_CAfile = /etc/mysql/ssl/rds-combined-ca-bundle.pem
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: tls_CApath = <NULL>
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: tls_ciphers = <NULL>
postmap: cfg_get_bool: /etc/postfix/mysql_alias.cf: tls_verify_cert = on
postmap: cfg_get_bool: /etc/postfix/mysql_alias.cf: require_result_set = on
postmap: cfg_get_int: /etc/postfix/mysql_alias.cf: expansion_limit = 0
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: query = SELECT destination FROM aliases WHERE mail = '%s' AND enabled=1
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: domain = 
postmap: cfg_get_str: /etc/postfix/mysql_alias.cf: hosts = <my.rds.endpoint>:<myport>
postmap: dict_open: mysql:/etc/postfix/mysql_alias.cf
postmap: dict_mysql_get_active: attempting to connect to host <my.rds.endpoint>:<myport>
postmap: dict_mysql: successful connection to host <my.rds.endpoint>:<myport>
postmap: mysql:/etc/postfix/mysql_alias.cf: successful query result from host <my.rds.endpoint>:<myport>
postmap: dict_mysql_lookup: retrieved 1 rows
root@localhost

As I said, I don't think it's a file permission problem, because I'm sudo-ing as postfix, and all of the postfix services except for master are running as that user:

$ps -auxw | grep postfix
root     11864  0.0  0.4  67376  4100 ?        Ss   11:09   0:00 /usr/lib/postfix/sbin/master -w
postfix  11874  0.0  0.5  73808  5172 ?        S    11:09   0:00 pickup -l -t unix -u -c
postfix  11875  0.0  0.5  73856  5428 ?        S    11:09   0:00 qmgr -l -t unix -u
postfix  11877  0.0  0.6  88668  6608 ?        S    11:09   0:00 cleanup -z -t unix -u -c
postfix  11879  0.0  0.6  88500  6288 ?        S    11:09   0:00 trivial-rewrite -n rewrite -t unix -u -c
postfix  11884  0.0  0.7  87248  7988 ?        S    11:09   0:00 tlsmgr -l -t unix -u -c
postfix  11972  0.0  0.6  88668  6496 ?        S    11:51   0:00 cleanup -z -t unix -u -c
cwr      11974  0.0  0.1  14856  1080 pts/1    S+   11:53   0:00 grep postfix

Am I missing something simple? How can postmap, running as the postfix user, work fine when reading the same configuration as postfix itself, while postfix does not?

For completeness, note the postmap command was reading mysql:/etc/postfix/mysql_alias.cf. Here are the key bits of main.cf:

alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
# this specifies where the virtual mailbox folders will be located
virtual_mailbox_base = /var/spool/mail/virtual
# this is for the mailbox location for each user
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
# and this is for aliases
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
# and this is for domain lookups
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf

Those three files are all fairly straightforward, I think:

$sudo cat /etc/postfix/mysql_alias.cf 
hosts = <my.rds.endpoint>:<myport>
user = <postfix_db_user>
password = <postfix_db_user_pass>
dbname = <db_name>
query = SELECT destination FROM aliases WHERE mail = '%s' AND enabled=1
tls_CAfile = /etc/mysql/ssl/rds-combined-ca-bundle.pem
tls_verify_cert = yes

Any thoughts on how to either fix, or debug this further, would be greatly appreciated.

philolegein
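
The following diagnostic is added here as an illustration; it is not code from the question and not part of Postfix. It targets the one difference the question's own output makes visible: in the ps listing, trivial-rewrite, cleanup, tlsmgr and pickup were started by master with `-c`, the flag master passes to a child that runs chrooted under queue_directory, while qmgr (no `-c`) and a hand-run `postmap` are not chrooted. A chrooted trivial-rewrite therefore resolves `/etc/mysql/ssl/rds-combined-ca-bundle.pem` below the queue directory, and libmysqlclient reports "SSL_CTX_set_default_verify_paths failed" when it cannot load the configured CA material, which is why the same map file behaves differently in the two contexts. The script checks whether each map's `tls_CAfile` is readable and PEM-formatted from inside the chroot, reads the chroot column of master.cf, and can stage a copy of the bundle into the chroot as the mitigation. Assumptions: Postfix >= 3.0 master.cf semantics (a `-` in the chroot column means `n`), `/var/spool/postfix` as the queue directory when `postconf` is unavailable, and the script name `check_chroot_ca.sh`, which is hypothetical.

```shell
#!/bin/sh
# check_chroot_ca.sh: verify that CA bundles referenced by Postfix mysql: maps
# are reachable from inside the Postfix chroot (queue_directory).
# Added diagnostic; not code from the question or from Postfix.
# Assumptions: Postfix >= 3.0 master.cf semantics (chroot column "-" == n),
# and /var/spool/postfix as queue_directory when postconf is not available.

# Print y if SERVICE is configured to run chrooted in MASTER_CF, n otherwise.
# master.cf columns: service type private unpriv chroot wakeup maxproc command
service_chrooted() {
    svc=$1
    master_cf=${2:-/etc/postfix/master.cf}
    awk -v svc="$svc" '
        $0 !~ /^[ \t]*#/ && $1 == svc { print ($5 == "y") ? "y" : "n"; exit }
    ' "$master_cf"
}

# Print the tls_CAfile value from a Postfix mysql: map file (empty if unset).
ca_file_from_map() {
    sed -n 's/^[[:space:]]*tls_CAfile[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Return 0 if CA_FILE (absolute path) is readable and holds a PEM certificate
# when resolved below CHROOT_DIR; 1 if it is missing or unreadable there;
# 2 if it exists there but contains no PEM certificate block.
check_ca_in_chroot() {
    chroot_dir=${1%/}
    ca_file=$2
    in_chroot="$chroot_dir$ca_file"
    if [ ! -r "$in_chroot" ]; then
        echo "MISSING: $ca_file is not readable below chroot $chroot_dir ($in_chroot)" >&2
        return 1
    fi
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$in_chroot"; then
        echo "NOT PEM: $in_chroot contains no certificate block" >&2
        return 2
    fi
    echo "OK: $in_chroot readable, $(grep -c -- '-----BEGIN CERTIFICATE-----' "$in_chroot") certificate(s)"
}

# Mitigation: copy CA_FILE to the same path below CHROOT_DIR, keeping its mode.
# A copy rather than a symlink: a symlink pointing outside the chroot does not
# resolve for a chrooted process.
stage_ca_into_chroot() {
    chroot_dir=${1%/}
    ca_file=$2
    mkdir -p "$chroot_dir$(dirname "$ca_file")"
    cp -p "$ca_file" "$chroot_dir$ca_file"
}

# Command-line use: check_chroot_ca.sh [--fix] MAP.cf [MAP.cf ...]
main() {
    fix=0
    if [ "$1" = "--fix" ]; then fix=1; shift; fi
    queue_dir=$(postconf -h queue_directory 2>/dev/null || echo /var/spool/postfix)
    status=0
    for map in "$@"; do
        ca=$(ca_file_from_map "$map")
        if [ -z "$ca" ]; then
            # Without tls_CAfile/tls_CApath the client library falls back to the
            # system default CA locations, which must also exist in the chroot.
            echo "$map: no tls_CAfile set; default CA paths (e.g. /etc/ssl/certs) must exist below $queue_dir"
            continue
        fi
        if ! check_ca_in_chroot "$queue_dir" "$ca"; then
            status=1
            if [ "$fix" -eq 1 ] && [ -r "$ca" ]; then
                stage_ca_into_chroot "$queue_dir" "$ca" && echo "staged $ca below $queue_dir"
            fi
        fi
    done
    echo "rewrite service chrooted: $(service_chrooted rewrite)"
    return "$status"
}

# Run only when given arguments, so the functions can be sourced on their own.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Typical use on the host from the question would be `sh check_chroot_ca.sh /etc/postfix/mysql_*.cf` to report, and `sudo sh check_chroot_ca.sh --fix /etc/postfix/mysql_*.cf` to stage the bundle; because `cp -p` preserves the original mode, the copy inside the chroot must still be readable by the postfix user, and any future rotation of the RDS bundle has to be repeated inside the chroot or it will silently go stale. The alternative of turning off chroot for the rewrite service in master.cf widens the daemon's filesystem view, so staging the single file is the least-privilege fix.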