One thing I should have specified in my last message is that I still can't send email using SMTP over SSL. Mail.app behaves exactly the same as before and I'm still seeing "SSL_accept error" in mail.log.

Thanks in advance for any more clues,
-Dan

On Oct 18, 2008, at 10:51 PM, Dan Phiffer wrote:

Thanks for the quick reply! More below...

On Oct 18, 2008, at 5:38 PM, Noel Jones wrote:

Dan Phiffer wrote:
Hello list,
I'm trying to set up a mail server to use SMTP over SSL and for some reason it's not working. It does work if I choose *not* to configure my mail client to use SSL. I'm using a self-signed certificate, and when I attempt to send something I get the usual warning message about non-verified certificate CA, then I click continue and get a "could not connect" message (this is in Apple Mail.app). I'm relatively new to Postfix and have set things up according to the directions here: http://articles.slicehost.com/email

I recommend these instructions for setting up postfix TLS:
http://www.postfix.org/TLS_README.html#quick-start

I regenerated my certificate following those directions. Still not working, but maybe the configuration changes will do some good.


I can telnet to port 465, but I don't get anything beyond "Escape character is '^]'." I am also able to login to IMAP over SSL, so I'm pretty sure the certificate itself is not borked. Basically I'm not sure what I should try tweaking to proceed with my debugging.

You can test tunneled TLS connections to port 465 with:
openssl s_client -connect hostname:465

You can test STARTTLS connections on port 25 or 587 with:
openssl s_client -connect hostname:587 -starttls smtp

Does this reveal anything?

$ openssl s_client -connect mail.gridfilter.com:465
CONNECTED(00000003)
depth=0 /C=US/ST=New York/O=GridFilter/OU=Mail/CN=Dan Phiffer/[EMAIL PROTECTED]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=New York/O=GridFilter/OU=Mail/CN=Dan Phiffer/[EMAIL PROTECTED]
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/ST=New York/O=GridFilter/OU=Mail/CN=Dan Phiffer/[EMAIL PROTECTED]
  i:/C=US/ST=New York/O=GridFilter/OU=Mail/CN=Dan Phiffer/[EMAIL PROTECTED]
---
Server certificate
subject=/C=US/ST=New York/O=GridFilter/OU=Mail/CN=Dan Phiffer/[EMAIL PROTECTED]
issuer=/C=US/ST=New York/O=GridFilter/OU=Mail/CN=Dan Phiffer/[EMAIL PROTECTED]
---
No client certificate CA names sent
---
SSL handshake has read 1327 bytes and written 322 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
   Protocol  : TLSv1
   Cipher    : DHE-RSA-AES256-SHA
Session-ID: 7AA9A6FB01D5ACE0BF6F24B923561252F15BA75203091F959193CCA07E636D25
   Session-ID-ctx:
Master-Key: 6C69173B04ADB47013A9C18DEFE7E7C644A36235BFE7CECE601F526EFDF8503E06CDD78FCE1EE535983444922F897B86
   Key-Arg   : None
   Start Time: 1224383317
   Timeout   : 300 (sec)
   Verify return code: 21 (unable to verify the first certificate)
---
220 mail.gridfilter.com ESMTP Postfix (Ubuntu)
HELO mail.gridfilter.com
250 mail.gridfilter.com
MAIL FROM:<[EMAIL PROTECTED]>
250 2.1.0 Ok
RCPT TO:<[EMAIL PROTECTED]>
RENEGOTIATING
depth=0 /C=US/ST=New York/O=GridFilter/OU=Mail/CN=Dan Phiffer/[EMAIL PROTECTED]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=New York/O=GridFilter/OU=Mail/CN=Dan Phiffer/[EMAIL PROTECTED]
verify error:num=21:unable to verify the first certificate
verify return:1
DATA
554 5.5.1 Error: no valid recipients
QUIT
DONE

I'm not sure if I should have typed in different commands at that point, or if the RENEGOTIATING message indicates something is wrong? The "verify error:num=21:unable to verify the first certificate" part sounds off.


You can test your pem certificate with
openssl x509 -in mailcert.pem -inform pem -noout -text
If it displays the contents of your certificate without asking for a password, it should be OK.

Yes, that seems to work fine.

Here is my postconf after making the changes you suggested:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
inet_interfaces = all
mailbox_size_limit = 0
mydestination =
myhostname = mail.gridfilter.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_invalid_hostname, reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/gridfilter-cert.pem
smtpd_tls_key_file = /etc/postfix/gridfilter-key.pem
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-forwards.cf, proxy:mysql:/etc/postfix/mysql-email.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-mailboxes.cf
virtual_transport = virtual
virtual_uid_maps = static:5000
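As an added example (not part of the thread, and not anyone's posted code): a small checker for the fields in an `openssl s_client` transcript like the one above. It reads the subject, issuer, CN, cipher, key size, verify return code and SMTP banner, then reports what a mail client would object to. The sample transcript is a constructed, abridged copy of the one posted; the hostname to compare the CN against is passed in by the caller.

```python
import re

# Constructed sample: an abridged `openssl s_client -connect host:465` transcript
# with the same subject, issuer and verify lines as the one posted in the thread.
SAMPLE = """CONNECTED(00000003)
---
Server certificate
subject=/C=US/ST=New York/O=GridFilter/OU=Mail/CN=Dan Phiffer
issuer=/C=US/ST=New York/O=GridFilter/OU=Mail/CN=Dan Phiffer
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
    Verify return code: 21 (unable to verify the first certificate)
---
220 mail.gridfilter.com ESMTP Postfix (Ubuntu)
"""

def parse_s_client(output):
    """Extract the fields worth checking from an s_client transcript."""
    def grab(pattern):
        m = re.search(pattern, output, re.MULTILINE)
        return m.group(1).strip() if m else None
    code = grab(r"^\s*Verify return code: (\d+)")
    bits = grab(r"^Server public key is (\d+) bit")
    return {
        "subject": grab(r"^subject=(.*)$"),
        "issuer": grab(r"^issuer=(.*)$"),
        "cn": grab(r"^subject=.*?/CN=([^/\n]+)"),
        "cipher": grab(r"^New, .*Cipher is (\S+)"),
        "key_bits": int(bits) if bits else None,
        "verify_code": int(code) if code else None,
        "banner": grab(r"^(220 .*)$"),  # None if no SMTP greeting arrived
    }

def assess(info, hostname):
    """Findings a mail client would object to; an empty list means all clear."""
    findings = []
    if info["subject"] and info["subject"] == info["issuer"]:
        findings.append("self-signed certificate (subject equals issuer)")
    if info["verify_code"]:
        findings.append("chain not verified (return code %d)" % info["verify_code"])
    if info["cn"] and info["cn"].lower() != hostname.lower():
        findings.append("CN '%s' does not match host '%s'" % (info["cn"], hostname))
    if info["key_bits"] and info["key_bits"] < 2048:
        findings.append("%d-bit server key is below current minimums" % info["key_bits"])
    if info["banner"] is None:
        findings.append("no SMTP banner received after connecting")
    return findings
```

Run `assess(parse_s_client(SAMPLE), "mail.gridfilter.com")` to see every finding for the posted transcript; pipe a live `openssl s_client` run into `parse_s_client` to check a real server the same way.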
