Olivier MJ Crepin-Leblond wrote:
Noel Jones said:
Don't trust your eyes. Show "postconf -n" output, those are the
settings postfix will use.
Point taken & also sorry to Wietse for not having properly read the
DEBUG_README
Here goes:
--- cut here ---
[EMAIL PROTECTED] ~]# /usr/sbin/postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 7
html_directory = /usr/share/doc/postfix-2.5.1-documentation/html
inet_interfaces = all
local_recipient_maps =
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = waikiki.gih.co.uk
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.1-documentation/readme
relay_domains = gih.com, gih.co.uk
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_CAfile = /etc/postfix/certs/cacert.pem
smtp_tls_cert_file = /etc/postfix/certs/foo-cert.pem
smtp_tls_key_file = /etc/postfix/certs/foo-key.pem
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_delay_reject = yes
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
    reject_invalid_helo_hostname, permit
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks, check_client_access hash:/etc/postfix/access
    check_relay_domains
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/certs/foo-cert.pem
smtpd_tls_key_file = /etc/postfix/certs/foo-key.pem
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_exchange_name = /var/db/postfix/prng_exch
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
[EMAIL PROTECTED] ~]#
--- cut here ---
/etc/postfix/certs/cacert.pem is a self-signed CA
/etc/postfix/certs/foo-key.pem is a self-generated RSA private key
/etc/postfix/certs/foo-cert.pem is a self-generated cert
What am I doing wrong? There's obviously something that's sticking
somewhere and I've spent 2 weeks on-off on this, with no success.
Thanks for all help!
Why do you think the other server supports TLS?
What makes you think it's not working?
Show logs and other evidence.
Okay, well from headers on a machine such as psg.com, when it receives
e-mail from elsewhere, I know that psg.com supports TLS.
Here's the transaction from my machine (salsa.gih.co.uk)
--- cut here ---
[EMAIL PROTECTED] ~]# openssl s_client -state -starttls smtp -debug -connect
psg.com:25
CONNECTED(00000003)
read from 0x9f1ac40 [0x9f158c8] (8192 bytes => 61 (0x3D))
0000 - 32 32 30 20 70 73 67 2e-63 6f 6d 20 45 53 4d 54 220 psg.com ESMT
0010 - 50 20 45 78 69 6d 20 34-2e 36 39 20 57 65 64 2c P Exim 4.69 Wed,
0020 - 20 32 37 20 41 75 67 20-32 30 30 38 20 31 36 3a 27 Aug 2008 16:
0030 - 31 34 3a 33 34 20 2b 30-30 30 30 0d 0a 14:34 +0000..
write to 0x9f1ac40 [-0x4010e678] (10 bytes => 10 (0xA))
where's the EHLO command and its response?
0000 - 53 54 41 52 54 54 4c 53-0d 0a STARTTLS..
read from 0x9f1ac40 [0x9f138c0] (8192 bytes => 26 (0x1A))
0000 - 35 30 30 20 75 6e 72 65-63 6f 67 6e 69 7a 65 64 500 unrecognized
0010 - 20 63 6f 6d 6d 61 6e 64-0d 0a command..
not talking to psg.com here.
[snip]
--- cut here ---
Running the same command to psg.com from another computer elsewhere on
the Internet yields success, so I gather it's a problem on my side.
I am behind a firewall & NAT & port 25 is NAT'ed over properly. (CISCO 837)
It seems to be a problem others have experienced before but none of the
pointers found when I google the error are of any help.
maybe your firewall is playing bad esmtp games.
you can test with telnet:
$ telnet psg.com 25
...
220 psg.com ESMTP Exim 4.69 Wed, 27 Aug 2008 17:12:06 +0000
EHLO your.hostname.example
250-psg.com Hello your.hostname.example [your.ip]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250 HELP
QUIT
221 psg.com closing connection
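To make the comparison suggested above repeatable (EHLO from one network versus the same EHLO from another), here is a small diagnostic script. It is an added example, not code from the thread or from Postfix: it parses EHLO replies from captured transcripts, classifies the outcome of a STARTTLS attempt, and can run the same EHLO/STARTTLS exchange against a live server. The verdict strings, the `probe` helper and its `helo_name` default are my own naming; the sample replies are constructed from the transcripts in the thread plus one invented reply with the STARTTLS line missing.

```python
"""Diagnose STARTTLS availability on an SMTP path (added example).

Offline: parse captured EHLO / STARTTLS replies and say what they show.
Online: repeat the EHLO / STARTTLS exchange against a live server so the
answer from behind a firewall can be compared with one from elsewhere.
"""
import socket
import ssl


def parse_reply(reply):
    """Split a (possibly multi-line) SMTP reply into (code, [text lines]).

    Accepts CRLF or LF line endings. Raises ValueError on a line that does not
    follow the RFC 5321 '<3 digits><space or hyphen><text>' framing.
    """
    lines = reply.replace("\r\n", "\n").strip("\n").split("\n")
    code, texts = None, []
    for line in lines:
        if len(line) < 4 or not line[:3].isdigit() or line[3] not in " -":
            raise ValueError("malformed SMTP reply line: %r" % line)
        if code is None:
            code = line[:3]
        elif line[:3] != code:
            raise ValueError("inconsistent reply code in %r" % line)
        texts.append(line[4:])
        if line[3] == " ":
            break  # a space after the code marks the last line of the reply
    return code, texts


def ehlo_extensions(ehlo_reply):
    """Return {EXTENSION: parameters} from an EHLO reply, or {} if EHLO failed."""
    code, texts = parse_reply(ehlo_reply)
    if code != "250":
        return {}
    extensions = {}
    for text in texts[1:]:  # texts[0] is the greeting ("psg.com Hello ...")
        keyword, _, params = text.partition(" ")
        extensions[keyword.upper()] = params
    return extensions


def diagnose(ehlo_reply, starttls_reply=None):
    """Classify a captured EHLO (and optional STARTTLS) exchange.

    'not-offered-on-this-path' combined with 'advertised' for the same server
    from another network means something between client and server is
    altering the ESMTP dialogue, which is what the thread suspects here.
    """
    advertised = "STARTTLS" in ehlo_extensions(ehlo_reply)
    if starttls_reply is None:
        return "advertised" if advertised else "not-advertised"
    code, _ = parse_reply(starttls_reply)
    if code == "220":
        return "advertised-and-accepted" if advertised else "accepted-unadvertised"
    if advertised:
        return "advertised-but-rejected"
    return "not-offered-on-this-path"


def probe(host, port=25, helo_name="probe.example", timeout=10):
    """Run EHLO, then STARTTLS if advertised, against a live server.

    Returns (verdict, negotiated TLS version or None). Needs network access;
    the offline checks below do not call it. helo_name is a placeholder.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")

        def read_reply():
            lines = []
            while True:
                line = rfile.readline().decode("ascii", "replace")
                if not line:
                    raise ConnectionError("server closed the connection")
                lines.append(line)
                if len(line) >= 4 and line[3] == " ":
                    return "".join(lines)

        def send(cmd):
            sock.sendall((cmd + "\r\n").encode("ascii"))
            return read_reply()

        read_reply()  # 220 banner
        ehlo_reply = send("EHLO " + helo_name)
        if "STARTTLS" not in ehlo_extensions(ehlo_reply):
            send("QUIT")
            return diagnose(ehlo_reply), None
        starttls_reply = send("STARTTLS")
        verdict = diagnose(ehlo_reply, starttls_reply)
        if verdict != "advertised-and-accepted":
            send("QUIT")
            return verdict, None
        tls_sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
        tls_sock.sendall(b"QUIT\r\n")
        return verdict, tls_sock.version()


# Constructed transcripts for offline use. EHLO_OK is the EHLO reply from the
# telnet example in the thread; EHLO_NO_TLS is invented (STARTTLS line absent);
# STARTTLS_REJECTED is the reply seen in the openssl s_client run.
EHLO_OK = (
    "250-psg.com Hello your.hostname.example [your.ip]\r\n"
    "250-SIZE 52428800\r\n250-8BITMIME\r\n250-PIPELINING\r\n"
    "250-STARTTLS\r\n250 HELP\r\n"
)
EHLO_NO_TLS = "250-psg.com Hello your.hostname.example [your.ip]\r\n250 HELP\r\n"
STARTTLS_REJECTED = "500 unrecognized command\r\n"
STARTTLS_READY = "220 TLS go ahead\r\n"  # constructed

if __name__ == "__main__":
    print(diagnose(EHLO_OK, STARTTLS_READY))         # advertised-and-accepted
    print(diagnose(EHLO_NO_TLS, STARTTLS_REJECTED))  # not-offered-on-this-path
```

Run `probe("psg.com")` from the machine behind the NAT and again from a host elsewhere; if the verdicts differ, the server is not the variable and the path is, which is the same conclusion the telnet test in the thread is meant to reach.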