Dan Phiffer wrote:
> Hello list,
> I'm trying to set up a mail server to use SMTP over SSL and for some
> reason it's not working. It does work if I choose *not* to configure my
> mail client to use SSL. I'm using a self-signed certificate, and when I
> attempt to send something I get the usual warning message about
> non-verified certificate CA, then I click continue and get a "could not
> connect" message (this is in Apple Mail.app). I'm relatively new to
> Postfix and have set things up according to the directions here:
> http://articles.slicehost.com/email
I recommend these instructions for setting up postfix TLS:
http://www.postfix.org/TLS_README.html#quick-start
> I can telnet to port 465, but I don't get anything beyond "Escape
> character is '^]'." I am also able to login to IMAP over SSL, so I'm
> pretty sure the certificate itself is not borked. Basically I'm not sure
> what I should try tweaking to proceed with my debugging.
You can test tunneled TLS connections to port 465 with:
openssl s_client -connect hostname:465
You can test STARTTLS connections on port 25 or 587 with:
openssl s_client -connect hostname:587 -starttls smtp
You can test your pem certificate with
openssl x509 -in mailcert.pem -inform pem -noout -text
If it displays the contents of your certificate without asking
for a password, it should be OK.
> Thanks in advance for any help!
> -Dan
> From /etc/postfix/mail.log:
> Oct 18 18:40:30 mail postfix/smtpd[10425]: initializing the server-side TLS engine
> Oct 18 18:40:30 mail postfix/smtpd[10425]: connect from xxxxx
> Oct 18 18:40:30 mail postfix/smtpd[10425]: setting up TLS connection from xxxxx
> Oct 18 18:40:30 mail postfix/smtpd[10425]: xxxxx: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
> Oct 18 18:40:30 mail postfix/smtpd[10425]: SSL_accept:before/accept initialization
> Oct 18 18:40:30 mail postfix/smtpd[10425]: SSL_accept:SSLv3 read client hello A
> Oct 18 18:40:30 mail postfix/smtpd[10425]: SSL_accept:SSLv3 write server hello A
> Oct 18 18:40:30 mail postfix/smtpd[10425]: SSL_accept:SSLv3 write certificate A
> Oct 18 18:40:30 mail postfix/smtpd[10425]: SSL_accept:SSLv3 write server done A
> Oct 18 18:40:30 mail postfix/smtpd[10425]: SSL_accept:SSLv3 flush data
> Oct 18 18:40:30 mail postfix/smtpd[10425]: SSL_accept error from xxxxx: -1
> Oct 18 18:40:30 mail postfix/smtpd[10425]: lost connection after CONNECT from xxxxx
> Oct 18 18:40:30 mail postfix/smtpd[10425]: disconnect from xxxxx
> My postconf -n:
> ...
> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated, reject_non_fqdn_hostname,
> reject_non_fqdn_sender, reject_non_fqdn_recipient,
> reject_unauth_destination, reject_unauth_pipelining,
reject_unauth_destination should be just after
permit_sasl_authenticated.
reject_unauth_pipelining is ineffective here. Put it under
smtpd_data_restrictions instead.
> reject_invalid_hostname, reject_rbl_client opm.blitzed.org,
> reject_rbl_client list.dsbl.org, reject_rbl_client bl.spamcop.net,
opm.blitzed.org and list.dsbl.org are both inactive, remove
them.
> reject_rbl_client sbl-xbl.spamhaus.org
Most people use zen.spamhaus.org instead of sbl-xbl.
You should evaluate your RBLs every once in a while to make
sure they are still appropriate.
> smtpd_tls_loglevel = 2
This should be set to 1 or 0 in production; 2 is OK for
debugging but the messages logged by openssl can be somewhat
confusing.
> virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-forwards.cf,
> mysql:/etc/postfix/mysql-email.cf
Use proxy: with both these maps.
I don't see any obvious TLS config errors. Test with openssl
as detailed above.
Good luck.
--
Noel Jones
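As an added example (not part of Noel's reply, and not Postfix code), here is a small Python script that reads smtpd_tls_loglevel = 2 lines like the ones Dan quoted and reports, per smtpd session, how far the server-side TLS handshake got before the connection was lost. It complements the openssl s_client tests by showing the server's view of the same handshake. The embedded log is constructed: it is the session from the thread rejoined onto single lines, plus a made-up successful session (PID 10426, client.example[192.0.2.10]) so both outcomes appear; the "Anonymous TLS connection established" wording follows Postfix's usual log line for that event.

```python
"""Summarise Postfix smtpd TLS handshake attempts from mail.log (smtpd_tls_loglevel = 2)."""
import re
from typing import Dict, List

# Constructed sample log: the failing session from the thread (PID 10425) and a
# constructed successful one (PID 10426) for comparison.
SAMPLE_LOG = """\
Oct 18 18:40:30 mail postfix/smtpd[10425]: initializing the server-side TLS engine
Oct 18 18:40:30 mail postfix/smtpd[10425]: connect from xxxxx
Oct 18 18:40:30 mail postfix/smtpd[10425]: setting up TLS connection from xxxxx
Oct 18 18:40:30 mail postfix/smtpd[10425]: xxxxx: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
Oct 18 18:40:30 mail postfix/smtpd[10425]: SSL_accept:before/accept initialization
Oct 18 18:40:30 mail postfix/smtpd[10425]: SSL_accept:SSLv3 read client hello A
Oct 18 18:40:30 mail postfix/smtpd[10425]: SSL_accept:SSLv3 write server hello A
Oct 18 18:40:30 mail postfix/smtpd[10425]: SSL_accept:SSLv3 write certificate A
Oct 18 18:40:30 mail postfix/smtpd[10425]: SSL_accept:SSLv3 write server done A
Oct 18 18:40:30 mail postfix/smtpd[10425]: SSL_accept:SSLv3 flush data
Oct 18 18:40:30 mail postfix/smtpd[10425]: SSL_accept error from xxxxx: -1
Oct 18 18:40:30 mail postfix/smtpd[10425]: lost connection after CONNECT from xxxxx
Oct 18 18:40:30 mail postfix/smtpd[10425]: disconnect from xxxxx
Oct 18 18:45:02 mail postfix/smtpd[10426]: connect from client.example[192.0.2.10]
Oct 18 18:45:02 mail postfix/smtpd[10426]: setting up TLS connection from client.example[192.0.2.10]
Oct 18 18:45:02 mail postfix/smtpd[10426]: SSL_accept:before/accept initialization
Oct 18 18:45:02 mail postfix/smtpd[10426]: SSL_accept:SSLv3 read client hello A
Oct 18 18:45:02 mail postfix/smtpd[10426]: SSL_accept:SSLv3 write server hello A
Oct 18 18:45:02 mail postfix/smtpd[10426]: SSL_accept:SSLv3 write certificate A
Oct 18 18:45:02 mail postfix/smtpd[10426]: SSL_accept:SSLv3 write server done A
Oct 18 18:45:02 mail postfix/smtpd[10426]: SSL_accept:SSLv3 flush data
Oct 18 18:45:02 mail postfix/smtpd[10426]: SSL_accept:SSLv3 read client key exchange A
Oct 18 18:45:02 mail postfix/smtpd[10426]: SSL_accept:SSLv3 read finished A
Oct 18 18:45:02 mail postfix/smtpd[10426]: SSL_accept:SSLv3 write finished A
Oct 18 18:45:02 mail postfix/smtpd[10426]: Anonymous TLS connection established from client.example[192.0.2.10]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Oct 18 18:45:03 mail postfix/smtpd[10426]: disconnect from client.example[192.0.2.10]
"""

# syslog timestamp, host, "postfix/smtpd[PID]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def classify(session: Dict) -> str:
    """Turn the recorded handshake steps into a short diagnosis label."""
    if session["established"]:
        return "tls-established"
    if session["error"] is None:
        return "no-tls-attempted" if not session["steps"] else "tls-incomplete"
    if not any("read client hello" in s for s in session["steps"]):
        # Nothing TLS-shaped arrived: typical of a plaintext client on a TLS-wrapper port.
        return "failed-before-client-hello"
    if any("write certificate" in s for s in session["steps"]):
        # Server had already sent its certificate when the client went away, so the
        # server's key material was usable; look at the client's handling of the cert.
        return "failed-after-server-certificate"
    return "handshake-failed"


def parse_sessions(log_text: str) -> List[Dict]:
    """Group smtpd log lines into sessions (connect .. disconnect) keyed by PID."""
    open_sessions: Dict[str, Dict] = {}
    finished: List[Dict] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith("connect from "):
            open_sessions[pid] = {"pid": pid, "client": msg[len("connect from "):],
                                  "steps": [], "error": None, "established": False, "result": None}
            continue
        session = open_sessions.get(pid)
        if session is None:
            continue  # e.g. "initializing the server-side TLS engine" before any connect
        if msg.startswith("SSL_accept:"):
            session["steps"].append(msg[len("SSL_accept:"):].strip())
        elif msg.startswith("SSL_accept error"):
            session["error"] = msg
        elif "TLS connection established" in msg:
            session["established"] = True
        elif msg.startswith("disconnect from "):
            session["result"] = classify(session)
            finished.append(open_sessions.pop(pid))
    for session in open_sessions.values():  # sessions with no disconnect line yet
        session["result"] = classify(session)
        finished.append(session)
    return finished


def summarize(sessions: List[Dict]) -> List[str]:
    """One human-readable line per session, for a quick scan of mail.log."""
    out = []
    for s in sessions:
        last = s["steps"][-1] if s["steps"] else "(no SSL_accept steps)"
        out.append(f"pid {s['pid']} {s['client']}: {s['result']}; last step: {last}")
    return out


if __name__ == "__main__":
    for line in summarize(parse_sessions(SAMPLE_LOG)):
        print(line)
```

Run it against a real mail.log with `parse_sessions(open("/var/log/mail.log").read())`; the labels are only a triage aid, and the openssl s_client commands above remain the way to confirm what the client actually receives on each port.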