No STARTTLS with Dovecot and Postfix

Robert A. Ober asked:

I have done a lot of searching and am not finding a solution.

I had to reload Mageia 6 on my email server. I am using dovecot-2.2.34-1.mga6 and postfix-3.1.6-1.mga6. Openssl is openssl-1.0.2o-1.mga6.

I can send and receive email from Postbox (based on Thunderbird) with password and no encryption, but when trying STARTTLS from a telnet to 587 or 465 I get:

454 4.7.0 TLS not available due to local problem

This was working before the filesystem got corrupt and I had to reinstall Mageia. The old config files do not work with the new install.

From telnet:

Escape character is '^]'.
220 ESMTP Postfix (3.1.6) (Linux)
250-SIZE 252400000
250 DSN
454 4.7.0 TLS not available due to local problem

Dovecot is supposed to be doing the auth.

# 2.2.34 (874deae): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.18 (29cc74d)
# OS: Linux 4.14.65-desktop-1.mga6 i686 Mageia 6
# Hostname:
auth_debug = yes
auth_mechanisms = plain login
disable_plaintext_auth = no
listen = *
mail_access_groups = mail
mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
mbox_write_locks = fcntl
passdb {
  driver = pam
}
protocols = imap pop3
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  vsz_limit = 512 M
}
service imap-login {
  process_min_avail = 10
  service_count = 1
  vsz_limit = 2 G
}
service imap {
  vsz_limit = 640 M
}
service managesieve-login {
  process_min_avail = 10
}
service managesieve {
  vsz_limit = 640 M
}
service pop3-login {
  process_min_avail = 10
}
service pop3 {
  vsz_limit = 640 M
}
ssl_cert = </etc/pki/tls/certs/dovecot.pem
ssl_key =  # hidden, use -P to show it
userdb {
  driver = passwd
}
protocol lda {
  postmaster_address = [email protected]
}

Help would be greatly appreciated as I have been working on this for about 30 hours with very little sleep. I have a few users and would not want them to connect insecurely.


# Please be sure to read the /usr/share/doc/postfix/README.MDK file
# to learn about differences from stock postfix to Mandriva package.
# This file contains only the parameters changed from a default install
# see /etc/postfix/ for a commented, fuller version of this file.

# These are changed by postfix install script
readme_directory = /usr/share/doc/postfix/README_FILES
html_directory = /usr/share/doc/postfix/html
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
command_directory = /usr/sbin
manpage_directory = /usr/share/man
daemon_directory = /usr/libexec/postfix
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
queue_directory = /var/spool/postfix
mail_owner = postfix

# User configurable parameters

mydomain =
mydestination = $myhostname, localhost.$mydomain, $mydomain,
#inet_interfaces = localhost
#mynetworks_style = host
#delay_warning_time = 4h
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (Linux)
unknown_local_recipient_reject_code = 450
smtp-filter_destination_concurrency_limit = 2
lmtp-filter_destination_concurrency_limit = 2
data_directory = /var/lib/postfix
mailbox_size_limit = 2000000000
message_size_limit = 252400000
#mailbox_command = /usr/bin/procmail  -a "$EXTENSION"
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
mail_spool_directory = /var/spool/mail
relay_domains = $mydestination /etc/postfix/relay_domains
mynetworks =,
canonical_maps = hash:/etc/postfix/canonical
virtual_maps = hash:/etc/postfix/virtual
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
maps_rbl_domains =
smtpd_sasl_auth_enable = yes
ssl_cert = /etc/pki/tls/certs/dovecot.pem
ssl_key = /etc/pki/tls/private/dovecot.pem
smtp_tls_cert_file = /etc/pki/tls/certs/dovecot.pem
ssl_key = /etc/pki/tls/private/dovecot.pem
smtpd_sasl_type = dovecot
#smtpd_sasl_path = smtpd
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client, reject_rbl_client, reject_rbl_client
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_relay_domains, reject_unauth_destinationa, reject_rbl_client
broken_sasl_auth_clients = yes
inet_protocols = ipv4

I have tried it a number of ways. The current config is supposed to let Dovecot do the auth. I appreciate the clarification. So, Dovecot does the auth and then Postfix negotiates the encryption? I tried cyrus sasl earlier and that did not work either so I removed it.


My answer:

You have what appears to be a typo in your Postfix configuration.

smtp_tls_cert_file = /etc/pki/tls/certs/dovecot.pem

Directives starting with smtp_ are used when Postfix makes outgoing SMTP connections to other servers. In particular, this directive is used only when Postfix is meant to authenticate to another SMTP server with client certificates. This is an extremely rare situation, and is not the situation you are in.

You probably meant to type smtpd_tls_cert_file. Directives starting with smtpd_ apply to incoming SMTP connections.

You also need to provide the private key corresponding to the certificate, in the smtpd_tls_key_file directive.

And you may need yet other configuration changes. Read the relevant Postfix documentation carefully.
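
Added example, not part of the original answer: a small Python check that parses a Postfix `main.cf` and reports the TLS naming problems described above (a certificate given only under `smtp_`, Dovecot-style `ssl_cert`/`ssl_key` names, a missing `smtpd_tls_key_file`). The sample input is constructed from the TLS-related lines of the question's configuration; the function names are hypothetical.

```python
import re

# Constructed sample: the TLS-related lines from the question's main.cf.
SAMPLE_MAIN_CF = """\
smtpd_sasl_auth_enable = yes
ssl_cert = /etc/pki/tls/certs/dovecot.pem
ssl_key = /etc/pki/tls/private/dovecot.pem
smtp_tls_cert_file = /etc/pki/tls/certs/dovecot.pem
smtpd_sasl_type = dovecot
"""

def parse_main_cf(text):
    """Return {name: value} using main.cf rules: blank lines and lines whose
    first non-blank character is '#' are ignored, a line starting with
    whitespace continues the previous one, and a later assignment wins."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    params = {}
    for line in logical:
        m = re.match(r"([A-Za-z0-9_-]+)\s*=\s*(.*)$", line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params

def check_smtpd_tls(params):
    """List the problems that keep the server side (smtpd) from offering TLS."""
    findings = []
    for name in ("ssl_cert", "ssl_key"):
        if name in params:
            findings.append(f"{name}: Dovecot setting name, not a Postfix parameter")
    if not params.get("smtpd_tls_cert_file"):
        findings.append("smtpd_tls_cert_file not set: no server certificate for STARTTLS")
        if params.get("smtp_tls_cert_file"):
            findings.append("smtp_tls_cert_file set: outgoing client side only, "
                            "probably meant smtpd_tls_cert_file")
    elif not params.get("smtpd_tls_key_file"):
        findings.append("smtpd_tls_key_file not set: Postfix will look for the "
                        "private key in the certificate file")
    return findings

if __name__ == "__main__":
    for finding in check_smtpd_tls(parse_main_cf(SAMPLE_MAIN_CF)):
        print(finding)
```

On a live server, feed it the contents of `/etc/postfix/main.cf`; an empty result only means these particular naming mistakes are absent.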

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.