Score:1

Malformed BASE64 value in vmail_ssl.map.db


I'm using postfix in Ubuntu 20.04.5. Here's my vmail_ssl.map file, with domain names redacted:

```
mail.domain.org /etc/letsencrypt/live/mail.domain.org/privkey.pem /etc/letsencrypt/live/mail.domain.org/fullchain.pem
mail.domain.net /etc/letsencrypt/live/mail.domain.net/privkey.pem /etc/letsencrypt/live/mail.domain.net/fullchain.pem
```

Each time I use postmap to create vmail_ssl.map.db, it truncates the .net domain. It seems to be getting only the first three letters of the domain name in the BASE64 value. For example, if the FQDN is "mail.domain.net", the BASE64 value is only "mail.dom". Here are the lines the syslog keeps repeating, with some parts redacted:

```
postfix/smtpd[656104]: connect from unknown[172.17.X.X]
postfix/smtpd[656104]: warning: table hash:/etc/postfix/vmail_ssl.map.db: key mail.domain.net: malformed BASE64 value: /etc/letsencrypt/live/mail.dom
postfix/smtpd[656104]: warning: tls_server_sni_maps: mail.domain.net map lookup problem
postfix/smtpd[656104]: SSL_accept error from unknown[172.17.X.X]: -1
postfix/smtpd[656104]: warning: TLS library problem: error:1422E0EA:SSL routines:final_server_name:callback failed:../ssl/statem/extensions.c:1006:
postfix/smtpd[656104]: lost connection after STARTTLS from unknown[172.17.X.X]
postfix/smtpd[656104]: disconnect from unknown[172.17.X.X] ehlo=1 starttls=0/1 commands=1/2
```

I've run these commands:

```
sudo postmap /etc/postfix/vmail_ssl.map
sudo postmap -r /etc/postfix/vmail_ssl.map
sudo systemctl reload postfix
sudo systemctl restart postfix
```

I've even removed the existing vmail_ssl.map.db before creating a new one. The syslog messages haven't changed. Any ideas for fixing the malformed BASE64 value?

Output of 'postconf -n' with domain redacted:

```
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_sender_restrictions
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_client_restrictions
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_helo_restrictions
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_sender_restrictions
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_client_restrictions
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_helo_restrictions
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 30720000
milter_default_action = accept
mydestination = localhost, localhost.localdomain
myhostname = domain.net
mynetworks = 127.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_security_level = may
smtpd_milters = inet:127.0.0.1:8891
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
smtpd_use_tls = yes
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = dovecot
virtual_uid_maps = static:5000
postconf: warning: /etc/postfix/main.cf: unused parameter: virtual_create_maildirsize=yes
postconf: warning: /etc/postfix/main.cf: unused parameter: virtual_maildir_extended=yes
```

Output of 'postconf -M':

```
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_sender_restrictions
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_client_restrictions
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_helo_restrictions
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_sender_restrictions
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_client_restrictions
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_helo_restrictions
postconf: warning: /etc/postfix/main.cf: undefined parameter: virtual_mailbox_limit_maps
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_reject_unlisted_recipient=no -o smtpd_client_restrictions=$mua_client_restrictions -o smtpd_helo_restrictions=$mua_helo_restrictions -o smtpd_sender_restrictions=$mua_sender_restrictions -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       n       -       -       smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_reject_unlisted_recipient=no -o smtpd_client_restrictions=$mua_client_restrictions -o smtpd_helo_restrictions=$mua_helo_restrictions -o smtpd_sender_restrictions=$mua_sender_restrictions -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
dovecot    unix  -       n       n       -       -       pipe flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}
```
anx
Go look into those "undefined parameter" warnings! You are overriding some options in `master.cf`, but while doing so referencing parameters that are not actually defined in your `main.cf` file!
Score:1
anx

You have not generated the map as instructed, so postfix is trying to look up base64 values, but sees the verbatim domains and filenames. It is then failing to read beyond characters which are not valid base64.

```
postmap -F hash:/etc/postfix/vmail_ssl.map
```

The -F option switches the mode from indexing the values verbatim, to putting the keys in base64 and the values as the contents of the referenced files. Your vmail_ssl.map file should contain domain names on the left side, and file names referencing the relevant certificates on the right side.

Note also the hint about putting the names in the A-label form (xn--dmin-moa0i.example) as that is what will be received and looked up - there should not be any non-US-ASCII characters in your lookup.
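
A pre-flight check for the source map described in the answer above, as an added example that is not part of the original thread: it confirms that each key is plain ASCII (A-label form for IDNs) and that every listed file is readable and contains a PEM block, before `postmap -F` is run. The function name `check_sni_map`, the sample host names and the placeholder PEM files are constructed for illustration, and it assumes file names are separated by whitespace or commas.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): lint a tls_server_sni_maps source file
# before indexing it. Prints each problem; exit status = number of problems.
check_sni_map() {
    local map=$1 problems=0 lineno=0 key files f
    while read -r key files || [ -n "$key" ]; do
        lineno=$((lineno + 1))
        case $key in ''|'#'*) continue ;; esac      # blank line or comment
        # Keys must be plain ASCII names; IDNs go in xn-- A-label form.
        if printf '%s' "$key" | LC_ALL=C grep -q '[^A-Za-z0-9.-]'; then
            echo "line $lineno: key '$key' is not an ASCII/A-label name"
            problems=$((problems + 1))
        fi
        if [ -z "$files" ]; then
            echo "line $lineno: key '$key' lists no PEM files"
            problems=$((problems + 1))
            continue
        fi
        # Assumption: file names are separated by whitespace and/or commas.
        for f in ${files//,/ }; do
            if [ ! -r "$f" ]; then
                echo "line $lineno: cannot read $f"
                problems=$((problems + 1))
            elif ! grep -q -e '-----BEGIN ' "$f"; then
                echo "line $lineno: $f contains no PEM block"
                problems=$((problems + 1))
            fi
        done
    done < "$map"
    return "$problems"
}

# Constructed sample: placeholder PEM files (not real keys) and a three-line map.
demo=$(mktemp -d)
printf -- '-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n' > "$demo/privkey.pem"
printf -- '-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n' > "$demo/fullchain.pem"
cat > "$demo/vmail_ssl.map" <<EOF
mail.example.org $demo/privkey.pem $demo/fullchain.pem
mail.dömain.example $demo/privkey.pem $demo/fullchain.pem
mail.example.net $demo/missing.pem $demo/fullchain.pem
EOF
check_sni_map "$demo/vmail_ssl.map" || echo "$? problem(s): fix before running postmap -F"
```

The check only covers the source file; the `.db` still has to be rebuilt with `postmap -F` after the file passes.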
