Jesús Manuel Loaiza Vidal wrote:
Hi guys.
My system specs:
Gentoo Linux
Postfix 2.5.5
I have the problem below:
When using TLS, Postfix sometimes (most of the time) disconnects the client
just after it issues the RCPT command.
When I try to re-send the test email just after the error, or when not
using TLS, the problem doesn't happen at all and the mail is sent successfully.
I'm sure it's not MTU related because the whole path between my mail server and
the client is Ethernet using the same MTU of 1500.
I guess it's TLS session related or something related to race conditions.
I'm using PostgreSQL and LDAP lookup tables to do user mailbox lookup
and various other things, and Dovecot SASL for authentication.
My 'postconf -n' output
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin;
(strace -s 1000 -p $process_id 2>&1 | logger -p mail.debug) &
sleep 5
2bounce_notice_recipient = [EMAIL PROTECTED]
bounce_notice_recipient = [EMAIL PROTECTED]
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
delay_warning_time = 4h
error_notice_recipient = [EMAIL PROTECTED]
local_recipient_maps = $virtual_mailbox_maps proxy:unix:passwd.byname
$alias_maps
mailbox_size_limit = 104857600
message_size_limit = 20480000
milter_default_action = accept
myhostname = test.test.bg
mynetworks = 127.0.0.0/8
notify_classes = bounce, resource
recipient_delimiter = +
smtp_helo_name = test.test.bg
smtpd_banner = test.bg Test ESMTP Server
smtpd_client_restrictions = permit_mynetworks,
permit_sasl_authenticated check_client_access
pgsql:/etc/postfix/pgsql-accesspolicy-client.cf, reject_rbl_client
zen.spamhaus.org
smtpd_data_restrictions = sleep 1, permit_mynetworks,
permit_sasl_authenticated, reject_multi_recipient_bounce,
reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
permit_sasl_authenticated check_client_access
pgsql:/etc/postfix/pgsql-accesspolicy-helo-client.cf,
check_helo_access pgsql:/etc/postfix/pgsql-accesspolicy-helo.cf,
check_helo_mx_access
pgsql:/etc/postfix/pgsql-accesspolicy-helo-mx.cf,
reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination,
reject_unknown_recipient_domain, check_policy_service inet:127.0.0.1:2501
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = ldap:/etc/postfix/ldap-sendermaps.cf
smtpd_sender_restrictions = permit_mynetworks,
reject_sender_login_mismatch, permit_sasl_authenticated,
check_sender_access pgsql:/etc/postfix/pgsql-senderpolicy.cf,
reject_non_fqdn_sender, reject_unknown_sender_domain
smtpd_tls_CAfile = /etc/ssl/pem/ICH_SSL_CA_chain.crt
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/pem/mail.test.bg.crt
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_key_file = /etc/ssl/pem/mail.test.bg.pem
smtpd_tls_loglevel = 2
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
tls_random_source = dev:/dev/urandom
virtual_alias_maps = pgsql:/etc/postfix/pgsql-aliases.cf
virtual_gid_maps = static:1001
virtual_mailbox_base = /
virtual_mailbox_domains = test.bg
virtual_mailbox_limit = 104857600
virtual_mailbox_maps = pgsql:/etc/postfix/pgsql-mbox.cf,
ldap:/etc/postfix/ldap-mbox.cf
virtual_minimum_uid = 1000
virtual_uid_maps = static:1001
Below are the links to my mail log files and tcpdump network captures
with and without TLS, with debug info using strace and 'smtpd -v -D':
Postfix Log without TLS <http://www.ich.edu.mx/attachments/postfix.txt>
TCP network capture without TLS <http://www.ich.edu.mx/attachments/tcp.cap>
Postfix Log with TLS and mail retry
<http://www.ich.edu.mx/attachments/postfix-tls.txt>
TCP network capture with TLS and mail retry
<http://www.ich.edu.mx/attachments/tcp-tls.cap>
OpenSSL s_client test <http://www.ich.edu.mx/attachments/s_client.txt>
Your server is fine; the only thing you missed in your
investigation is the s_client man page.
# man s_client
...
CONNECTED COMMANDS
When used interactively (which means neither -quiet nor
-ign_eof have been given), the session will be renegotiated
if the line begins with an R, and if the line begins with a
Q or if end of file is reached, the connection will be
closed down.
...
The "R" in "RCPT TO" triggers a TLS renegotiation, disrupting
your connection. s_client is a great tool to see if you have
TLS connectivity, but it falls a little short trying to
emulate a whole SMTP session.
You can test postfix using lower-case "rcpt to", but be
careful of any other line that might start with "R".
--
Noel Jones
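An added example, not part of the thread and not Postfix or OpenSSL project code: a small POSIX shell script that drives a scripted SMTP session over STARTTLS through openssl s_client without tripping the interactive-mode line handling quoted above. check_transcript flags any line (SMTP verb or message body) that begins with "R" or "Q", which s_client would turn into a renegotiation or a close when run interactively; starttls_probe then passes the dialogue with -quiet (which also implies -ign_eof) so lines are sent verbatim. The hostname, port, CA file path, sender and recipient are placeholders you supply on the command line; the message body is constructed.

```shell
#!/bin/sh
# Added example: test an SMTP server's STARTTLS path with openssl s_client
# without letting s_client's interactive R/Q line handling eat commands.
# Assumes openssl(1) is installed; all addresses and paths are placeholders.

# Print the SMTP dialogue. Verbs are lower case so the transcript is also
# safe for an interactive s_client session (Postfix accepts either case);
# with -quiet below, case would not matter. The session ends with "quit",
# so the server closes the connection and s_client exits.
smtp_transcript() {
    helo_name=$1 sender=$2 recipient=$3
    printf 'ehlo %s\n' "$helo_name"
    printf 'mail from:<%s>\n' "$sender"
    printf 'rcpt to:<%s>\n' "$recipient"
    printf 'data\n'
    printf 'Subject: STARTTLS probe (constructed test message)\n\n'
    printf 'body line that must not start with R or Q\n'
    printf '.\n'
    printf 'quit\n'
}

# Read a transcript on stdin and report every line that interactive
# s_client would interpret instead of sending. Returns 0 if none, 1 otherwise.
check_transcript() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            R*) echo "would trigger TLS renegotiation: $line" >&2; bad=1 ;;
            Q*) echo "would close the connection: $line" >&2; bad=1 ;;
        esac
    done
    return "$bad"
}

# Run the dialogue over STARTTLS. -quiet disables the interactive line
# handling (and implies -ign_eof, so EOF on stdin does not close the
# session), -crlf sends the CRLF line endings SMTP expects.
# Usage: starttls_probe HOST PORT SENDER RECIPIENT [CAFILE]
starttls_probe() {
    host=$1 port=$2 sender=$3 recipient=$4
    cafile=${5:-/etc/ssl/certs/ca-certificates.crt}   # placeholder default
    helo_name=${HELO_NAME:-probe.example.invalid}       # placeholder

    # Refuse to send a transcript that would misbehave if someone later
    # runs it interactively without -quiet.
    smtp_transcript "$helo_name" "$sender" "$recipient" | check_transcript || return 1

    smtp_transcript "$helo_name" "$sender" "$recipient" |
        openssl s_client -quiet -crlf -starttls smtp \
            -connect "$host:$port" -CAfile "$cafile"
}

# Only run a live probe when invoked with arguments; sourcing is side-effect free.
if [ $# -ge 4 ]; then
    starttls_probe "$@"
fi
```

Run it as `sh probe.sh mail.example.invalid 25 sender@example.invalid rcpt@example.invalid /path/to/ca.crt`. Because nothing is interpreted client-side, a disconnect after "rcpt to" in this mode points at the server or the path, not at the test tool; conversely, if the same dialogue works here but fails interactively, the s_client R/Q behaviour is the cause.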