Certificate problem during the creation of STARTTLS connection to Postfix mail server

I have followed, to the best of my ability, the procedures in "RHCE Series: Implementing HTTPS through TLS using Network Security Service (NSS) for Apache - Part 8" and "Setting Up an Email Server with Antivirus and AntiSPAM Protection":
Part 1: How to Create and Setup Postfix Mail Server Database (MariaDB) Securely
Part 2: Configuring Postfix Mail Server and Dovecot

I can't seem to find out why it's not possible to create a STARTTLS connection to my Postfix mail server mail.example.com. I find no fault with the certificate or key, the rights put on them, or on the password file /etc/httpd/nss-db-password.conf. The error appears in Telnet and in Mozilla Thunderbird during authentication with the user account and password.

Telnet from the mail server

```
telnet smtp.gmail.com 587

Trying 74.125.25.108...
Connected to smtp.gmail.com 587
Escape character is '^]'.
220 smtp.gmail.com ESMTP ru9sm3894161bb.3 - gsmtp
HELO <stein@example.com/>
250 smtp.gmail.com at your service
STARTTLS
```

No problem with creating TLS connection to smtp.gmail.com with port 587.

```
nc -v localhost 25

Ncat Version 640 )
Ncat: Connected to ::1:25
220 mail.example.com ESMTP Postfix (CentOS)
EHLO localhost
250-mail.example.com
250-PIPELINING
250-SIZE 4194304
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:<root@example.com>
250 2.1.0 Ok
RCPT TO:<stein@example.com>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: test message
This is the body of the message!
.
250 2.0.0 Ok: queued as 45A0955DB
QUIT
221 2.0.0 Bye
```

With SMTP and port 25, there were no difficulties with sending mail to a local mail address.

```
nc -v localhost 587

Ncat Version 640 (http://nmap.org/ncat )
Ncat: Connected to ::1:587
220 mail.example.com ESMTP Postfix (CentOS)
EHLO localhost
250-mail.example.com
250-PIPELINING
250-SIZE 4194304
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
STARTTLS
454 4.7.0 TLS not available due to local problem
MAIL FROM:<root@example.com>
530 5.7.0 Must issue a STARTTLS command first
QUIT
221 2.0.0 Bye
```

The error code indicates a certificate problem via TLS and IPv6, but this also occurs with IPv4. The error message is confirmed in /var/log/maillog.

# Documentation, log and reflections

What do the SMTP error / reply codes mean?

| Code | Description |
|------|-------------|
| 454 | TLS not available due to temporary reason - encryption is required for requested authentication mechanism |
| 530 | Must issue a STARTTLS command first - encryption required for requested authentication mechanism. |

SMTP Server specific settings
Server-side certificate and private key configuration
In order to use TLS, the Postfix SMTP server generally needs a certificate and a **private key**. Both must be in "PEM" format. The private key must not be encrypted, meaning: the key must be accessible without a password. The certificate and private key may be in the same file, in which case the certificate file should be owned by "root" and not be readable by any other user. If the key is stored separately, this access restriction applies to the key file only, and the certificate file may be "world-readable".
This paragraph obviously relates directly to my problem.

To implement HTTPS, the certificate and the key, I have followed create-apache-https-self-signed-certificate-using-nss/

and set NSSNickname box1 in the file /etc/httpd/conf.d/nss.conf (nss.conf - Configuration File).

```
/etc/httpd/nss-db-password.conf       # root:apache 0640
```

Dovecot SSL configuration:

```
/etc/pki/dovecot/certs/dovecot.pem    # root:root 0444
/etc/pki/dovecot/private/dovecot.pem  # root:root 0400
```

# Ports open:

```
Starting Nmap 7.01 at 2015-12-16 15:15 Romance Standard Time
Nmap scan report for mail.example.com (192.168.187.86)
Host is up (0.0022s latency).
Not shown: 994 filtered ports

PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  open   http
110/tcp open   pop3
143/tcp open   imap
443/tcp open   https
587/tcp closed submission

MAC Address: 00:0C:29:E2:10:3A (VMware)
Nmap done: 1 IP address (1 host up) scanned in 7.18 seconds
```

```
# netstat -t -a | grep LISTEN
tcp   0  0 0.0.0.0:mysql           0.0.0.0:*  LISTEN
tcp   0  0 mail.algrim.:submission 0.0.0.0:*  LISTEN
tcp   0  0 0.0.0.0:pop3            0.0.0.0:*  LISTEN
tcp   0  0 0.0.0.0:imap            0.0.0.0:*  LISTEN
tcp   0  0 0.0.0.0:ssh             0.0.0.0:*  LISTEN
tcp   0  0 mail.algrim.net:smtp    0.0.0.0:*  LISTEN
tcp   0  0 0.0.0.0:imaps           0.0.0.0:*  LISTEN
tcp   0  0 0.0.0.0:pop3s           0.0.0.0:*  LISTEN
tcp6  0  0 [::]:pop3               [::]:*     LISTEN
tcp6  0  0 [::]:imap               [::]:*     LISTEN
tcp6  0  0 [::]:http               [::]:*     LISTEN
tcp6  0  0 [::]:https              [::]:*     LISTEN
tcp6  0  0 [::]:imaps              [::]:*     LISTEN
tcp6  0  0 [::]:pop3s              [::]:*
```

# Logs

Log file: /var/log/maillog

```
$ tail -f /var/log/maillog
Dec 16 15:58:06 mail postfix/submission/smtpd[4954]: warning: cannot get RSA certificate from file /etc/pki/dovecot/certs/dovecot.pem: disabling TLS support
Dec 16 15:58:06 mail postfix/submission/smtpd[4954]: warning: TLS library problem: 4954:error:0200100D:system library:fopen:Permission denied:bss_file.c:398:fopen('/etc/pki/dovecot/certs/dovecot.pem','r'):
Dec 16 15:58:06 mail postfix/submission/smtpd[4954]: warning: TLS library problem: 4954:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
Dec 16 15:58:06 mail postfix/submission/smtpd[4954]: warning: TLS library problem: 4954:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:ssl_rsa.c:722:
Dec 16 15:58:06 mail postfix/submission/smtpd[4954]: connect from localhost[::1]
Dec 16 15:58:55 mail postfix/cleanup[4956]: 6C8C59825A: message-id=<20151216145855.6C8C59825A@mail.example.com>
Dec 16 15:58:55 mail postfix/qmgr[3720]: 6C8C59825A: from=double-bounce@mail.example.com, size=903, nrcpt=1 (queue active)
Dec 16 15:58:55 mail postfix/submission/smtpd[4954]: disconnect from localhost[::1]
Dec 16 15:58:55 mail postfix/local[4963]: 6C8C59825A: to=<root@mail.example.com>, orig_to=, relay=local, delay=0.15, delays=0.13/0.02/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
```
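Added example, not part of the original post: a small Python check that pulls the file Postfix complained about out of maillog lines like the ones above, then tests a file against the TLS_README rules quoted earlier (readable, PEM, key unencrypted, key not readable by other users). The log lines and the two PEM files in `demo()` are constructed samples.

```python
import re
import stat
import tempfile
from pathlib import Path

# Logged by smtpd when smtpd_tls_cert_file / smtpd_tls_key_file cannot be loaded.
TLS_DISABLED = re.compile(
    r"warning: cannot get RSA certificate from file (\S+): disabling TLS support")

# Constructed sample, shortened from the maillog lines in the post above.
SAMPLE_LOG = [
    "Dec 16 15:58:06 mail postfix/submission/smtpd[4954]: warning: cannot get RSA "
    "certificate from file /etc/pki/dovecot/certs/dovecot.pem: disabling TLS support",
    "Dec 16 15:58:06 mail postfix/submission/smtpd[4954]: warning: TLS library problem: "
    "4954:error:0200100D:system library:fopen:Permission denied:bss_file.c:398:",
]

def tls_failures(log_lines):
    """Paths Postfix refused to load; TLS is then disabled and STARTTLS answers 454."""
    return sorted({m.group(1) for m in map(TLS_DISABLED.search, log_lines) if m})

def check_pem_file(path, private_key=False):
    """Apply the TLS_README rules: readable, PEM, key unencrypted and not readable by others."""
    problems = []
    try:
        body = Path(path).read_bytes()
    except OSError as exc:
        return [f"{path}: cannot open: {exc.strerror}"]
    if b"-----BEGIN" not in body:
        problems.append(f"{path}: not PEM (no '-----BEGIN' header)")
    if private_key:
        if b"PRIVATE KEY-----" not in body:
            problems.append(f"{path}: no private key block")
        if b"ENCRYPTED" in body:  # PKCS#8 'ENCRYPTED PRIVATE KEY' or legacy 'Proc-Type: 4,ENCRYPTED'
            problems.append(f"{path}: key is encrypted; Postfix needs an unprotected key")
        mode = stat.S_IMODE(Path(path).stat().st_mode)
        if mode & 0o077:
            problems.append(f"{path}: mode {mode:04o} is readable by non-root users")
    return problems

def demo():
    """Constructed files: a cert that passes and a key that breaks two of the rules."""
    tmp = Path(tempfile.mkdtemp())
    cert, key = tmp / "cert.pem", tmp / "key.pem"
    cert.write_text("-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n")
    key.write_text("-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIE...\n-----END ENCRYPTED PRIVATE KEY-----\n")
    cert.chmod(0o444)
    key.chmod(0o644)
    return {"log": tls_failures(SAMPLE_LOG), "cert": check_pem_file(cert),
            "key": check_pem_file(key, private_key=True)}
```

Run `check_pem_file` as the user that actually opens the files on the server; a "cannot open" result reproduces the fopen failure in the log without restarting Postfix.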

Here is the **postconf -n** output:

```
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
dovecot_destination_recipient_limit = 1
html_directory = no
inet_interfaces = localhost
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 4194304
mydestination = $myhostname, localhost.$mydomain, localhost
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (CentOS)
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mariadb-valias.cf
virtual_mailbox_domains = mysql:/etc/postfix/mariadb-vdomains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mariadb-vusers.cf
virtual_transport = dovecot
```

Here is the **postconf -a** output:

```
cyrus
dovecot
```

Here is the **dovecot -n** output:

```
2.2.10: /etc/dovecot/dovecot.conf
OS: Linux 3.10.0-327.3.1.el7.x86_64 x86_64 CentOS Linux release 7.2.1511 (Core) xfs
auth_mechanisms = plain login
log_path = /var/log/dovecot.log
mail_location = maildir:/home/vmail/%d/%n/Maildir
mail_privileged_group = mail
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
service auth-worker {
  user = vmail
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = dovecot
}
service imap-login {
  inet_listener imap {
    port = 143
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
}
ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
  args = uid=vmail gid=vmail home=/home/vmail/%d/%n/Maildir
  driver = static
}
```

Here is the **postconf -M** output:

```
smtp inet n - n - - smtpd
submission inet n - n - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_reject_unlisted_recipient=no -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
```

```
ps aux | grep postfix

root      1498  0.0  0.0  91084  272 ?      Ss  12:43  0:00 /usr/libexec/postfix/master -w
postfix   3720  0.0  0.0  91364 1348 ?      S   14:20  0:00 qmgr -l -t unix -u
postfix   3727  0.0  0.0  91200 1504 ?      S   14:21  0:00 tlsmgr -l -t unix -u
postfix   5940  0.0  0.2  91188 3876 ?      S   17:39  0:00 pickup -l -t unix -u
root      6147  0.0  0.0 112640  960 pts/0  R+  17:49  0:00 grep --color=auto postfix
```

```
journalctl -u postfix

Dec 16 14:20:50 mail.example.com systemd[1]: Reloading Postfix Mail Transport Agent.
Dec 16 14:20:50 mail.example.com postfix/master[1498]: reload -- version 2.10.1, configuration /etc/postfix
Dec 16 14:20:50 mail.example.com systemd[1]: Reloaded Postfix Mail Transport Agent.
Dec 16 14:21:59 mail.example.com postfix/submission/smtpd[3725]: warning: cannot get RSA certificate from file /etc/pki/dovecot/certs/dovecot.pem: disabling TLS suppor
Dec 16 14:21:59 mail.example.com postfix/submission/smtpd[3725]: warning: TLS library problem: 3725:error:0200100D:system library:fopen:Permission denied:bss_file.c:39
Dec 16 14:21:59 mail.example.com postfix/submission/smtpd[3725]: warning: TLS library problem: 3725:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
Dec 16 14:21:59 mail.example.com postfix/submission/smtpd[3725]: warning: TLS library problem: 3725:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:syst
Dec 16 14:21:59 mail.example.com postfix/submission/smtpd[3725]: connect from localhost[::1]
Dec 16 14:27:20 mail.example.com postfix/submission/smtpd[3725]: timeout after STARTTLS from localhost[::1]
Dec 16 14:27:20 mail.example.com postfix/cleanup[3729]: 8D5359825A: message-id=<20151216132720.8D5359825A@mail.example.com>
Dec 16 14:27:20 mail.example.com postfix/qmgr[3720]: 8D5359825A: from=<double-bounce@mail.example.com>, size=873, nrcpt=1 (queue active)
Dec 16 14:27:20 mail.example.com postfix/submission/smtpd[3725]: disconnect from localhost[::1]
Dec 16 14:27:20 mail.example.com postfix/local[3736]: 8D5359825A: to=<root@mail.example.com>, orig_to=, relay=local, delay=0.04, delays=0.02/0.01/0/0, dsn=2
Dec 16 14:27:20 mail.example.com postfix/qmgr[3720]: 8D5359825A: removed
Dec 16 15:00:01 mail.example.com postfix/pickup[3719]: 990E29825A: uid=0 from=
Dec 16 15:00:01 mail.example.com postfix/cleanup[4069]: 990E29825A: message-id=<20151216140001.990E29825A@mail.example.com>
```

The certificate has been verified by the command **openssl s_client -connect localhost:443 -tls1**, with no error.

All help is received with great thanks.