Olivier MJ Crepin-Leblond wrote:
Hi,
I am running Postfix 2.5.1 with OpenSSL on an email gateway and I configured the mailer to use STARTTLS whenever it is possible. My config works fine *receiving* emails and I therefore receive TLS mails. I am using self-signed certificate etc.

However, it doesn't work when sending email out, i.e. when I send to a mailer that I know accepts TLS encrypted e-mail, my mailer just sends it out normally. Not even a mention of a failed handshake or whatever in the maillog file. Just sends out like normal ESMTP.

Here's my TLS-specific config on main.cf:

smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_key_file = /etc/postfix/certs/foo-key.pem
smtpd_tls_cert_file = /etc/postfix/certs/foo-cert.pem
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_enforce_tls = no
smtpd_tls_ask_ccert = yes
smtpd_tls_req_ccert = no
tls_random_source = dev:/dev/urandom
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtp_tls_CAfile = /etc/postfix/certs/cacert.pem
smtp_tls_key_file = /etc/postfix/certs/foo-key.pem
smtp_tls_cert_file = /etc/postfix/certs/foo-cert.pem
tls_random_exchange_name = /var/db/postfix/prng_exch


Don't trust your eyes. Show "postconf -n" output, those are the settings postfix will use.

/etc/postfix/certs/cacert.pem is self-signed CA
/etc/postfix/certs/foo-key.pem is self-generated RSA private key
/etc/postfix/certs/foo-cert.pem is self-generated Cert

What am I doing wrong? There's obviously something that's sticking somewhere and I've spent 2 weeks on-off on this, with no success. Thanks for all help!

Why do you think the other server supports TLS?
What makes you think it's not working?
Show logs and other evidence.

Test TLS connection to the other server with
# openssl s_client -connect hostname:25 -starttls smtp
If that doesn't work, it's unlikely postfix will work either...

http://www.postfix.org/DEBUG_README.html#mail

--
Noel Jones
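An added example, not from either poster: a small POSIX sh script that reads the text of "postconf -n" (as the reply above asks for) and reports whether the *outbound* (smtp_*, not smtpd_*) side is set to try TLS at all and whether its handshakes would be logged. The sample dump is constructed from the smtp_* settings posted above; the live call at the bottom assumes postconf(1) is on the path.

```shell
#!/bin/sh
# Added example, not from the thread: inspect the client (outbound) side of a
# Postfix TLS configuration from "postconf -n" output. POSIX sh only;
# postconf(1) itself is needed only for the live call at the bottom.

# Constructed sample reproducing the smtp_* settings posted above.
SAMPLE_POSTCONF='smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtp_tls_CAfile = /etc/postfix/certs/cacert.pem
smtp_tls_key_file = /etc/postfix/certs/foo-key.pem
smtp_tls_cert_file = /etc/postfix/certs/foo-cert.pem'

# Print the value of parameter $1 from the postconf -n text $2, empty if unset.
pc_get() {
    printf '%s\n' "$2" | sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" | tr -d ' '
}

# Return 0 if outbound TLS is at least opportunistic. Since Postfix 2.3 the
# smtp_tls_security_level parameter wins; the legacy smtp_use_tls is only
# consulted when the level is left empty.
smtp_tls_enabled() {
    level=$(pc_get smtp_tls_security_level "$1")
    case "$level" in
        may|encrypt|dane|dane-only|fingerprint|verify|secure) return 0 ;;
        none) return 1 ;;
    esac
    [ "$(pc_get smtp_use_tls "$1")" = "yes" ]
}

# Return 0 if outbound TLS activity will appear in the mail log at all.
# smtp_tls_loglevel defaults to 0, which logs nothing about the handshake,
# so an empty maillog is expected until it is raised to 1 or more.
smtp_tls_logged() {
    lvl=$(pc_get smtp_tls_loglevel "$1")
    [ -n "$lvl" ] && [ "$lvl" -ge 1 ]
}

# Human-readable report for a postconf -n dump given as $1.
report() {
    if smtp_tls_enabled "$1"; then echo "outbound TLS: enabled (opportunistic or stronger)"
    else echo "outbound TLS: disabled on the client side"; fi
    if smtp_tls_logged "$1"; then echo "outbound TLS logging: on"
    else echo "outbound TLS logging: off; set smtp_tls_loglevel = 1 to see handshakes"; fi
}

report "$SAMPLE_POSTCONF"
# Live use on the gateway itself:  report "$(postconf -n)"
```

Pair the report with the openssl s_client test from the reply: if the remote server completes the STARTTLS handshake there but the local log stays silent, raising smtp_tls_loglevel is what makes the client's attempt (or its failure) visible.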
