On Sun, Sep 10, 2023 at 10:38:27AM +0200, François Patte via Postfix-users wrote:
> > > > > Sep 9 16:50:49 myserver postfix/smtp[205832]: 92BEFB4BEA:
> > > > > to=<francois.pa...@gmx.fr>, relay=my-fai-smtp[x.x.x.x]:465,
> > > > > delay=0.22,
> > > > > delays=0.04/0.08/0.08/0.02, dsn=5.0.0, status=bounced (host
> > > > > my-fai-smtps[x.x.x.x] said: 530 Authentication required (in reply to
> > > > > MAIL FROM command))
> > > >
> > > > https://www.postfix.org/DEBUG_README.html#mail
> >
> > It looks like you "tampered" with the logs. They don't match your
> > reported configuration below.

If you continue to treat the hostname of your ISP's (FAI's) SMTP relay
as restricted sensitive information, the help you'll receive will also
be restricted to vague generalities.

> > > smtp_enforce_tls = yes
> > > smtp_use_tls = yes
> >
> > These are obsolete and redundant.

You should have by now removed these settings from "main.cf" (so that
these parameters no longer appear in "postconf -n" output).

> > > smtp_tls_security_level = encrypt
> >
> > If the relay has a valid certificate, make that "secure".
> >
> > > smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
> > > smtp_tls_CApath = /etc/pki/tls/certs
> >
> > Otherwise, no need to bother with CAfile / CApath.
> >
> > You should also have "smtp_tls_loglevel = 1".

And updated the security level to "secure".

> > > smtp_sasl_auth_enable = yes
> > > smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> >
> > > smtp_tls_verify_cert_match = myhost.fqdn

And switched to :

    smtp_tls_secure_cert_match = ... not so secret ISP relay ...

[ definitely not your server's hostname, if that's what "myhost.fqdn"
  is supposed to be. ]

> > > smtpd_sasl_auth_enable = yes
> >
> > You probably don't want this.
> >
> > > smtpd_tls_security_level = encrypt
> >
> > Nor this, except on the submission services in master.cf.

And turned off SASL AUTH on your inbound port 25.

> > You're obfuscating the essential hostnames, making help needlessly
> > difficult.
> > Did you read the text in SASL_README that explains the
> > lookup key syntax for the password table, when using "[]" and/or ":port"
> > in the relay name?
> >
> > You probably have the wrong lookup key syntax.

You need to post the exact syntax of the lookup key in your
"smtp_sasl_password_maps" table, and check that:

    # postmap -q "$(postconf -xh relayhost)" \
        $(postconf -xh smtp_sasl_password_maps) | cat -etv

returns the expected result.  (The "cat -etv" should highlight any
unexpected invisible characters).

> #postconf -n
> inet_interfaces = localhost

Is your server supposed to receive any mail from outside?  Or is it a
"send-only" server?

> myhostname = myhost.fqdn
> relayhost = [smtp.myfai.fqdn]:465

More needless obfuscation.

> smtp_enforce_tls = no
> smtp_use_tls = yes

See above.

> smtp_sasl_auth_enable = yes
> smtp_sasl_mechanism_filter = login

Why insist on "login"?  Any reason to not include "plain"?

> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

See above for a test of the lookup key and content.

> smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
> smtp_tls_CApath = /etc/pki/tls/certs

Only useful with the security level set to "secure" (or "verify", given
equal "*_cert_match" values).

> smtp_tls_loglevel = 1

That's better.

> smtp_tls_security_level = encrypt
> smtp_tls_verify_cert_match = myhost.fqdn

But these have not been fixed.

> smtpd_sasl_auth_enable = yes

And this remains in place.

> smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
> smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
> smtpd_tls_security_level = secure

This makes no sense, the Postfix SMTP server only supports "none", "may"
and "encrypt".  This was supposed to be "smtp" not "smtpd".
> Sep 10 08:31:30 pingala postfix/smtp[216476]:
> Trusted TLS connection established to smtp.myfai.fqdn[x.x.x.x]:465:
> TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
> key-exchange X25519 server-signature RSA-PSS (2048 bits)
> server-digest SHA256

This is due to the security level being only "encrypt".  You should be
seeing "Verified" not "Trusted", once your configuration is correct.

> Sep 10 08:31:30 pingala postfix/smtp[216476]: 9A2ECB6DCF: SASL
> authentication failed; server smtp.myfai.fqdn[x.x.x.x] said: 535
> Authentication credentials invalid

So something was now found in the "smtp_sasl_password_maps" table
matching the relay host, but the ISP did not accept the credentials.
Perhaps they wanted a different mechanism?

> It seems that the connection with the relay host is opened but why are
> the credential rejected? These credentials work perfectly if I use
> ssmtp!

Nobody can tell you why an undisclosed ISP rejected undisclosed
credentials that haven't been checked for correctness.

-- 
    Viktor.

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
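The lookup-key check in the reply above ("postmap -q ... | cat -etv", and the point that the key must use the same "[]" and ":port" syntax as relayhost) as an added, offline example. This is not code from the thread or from Postfix: it re-implements the comparison and the "cat -etv" rendering in Python so the common failure modes can be seen without a mail server. The relay name and the sasl_passwd lines are constructed sample data (the real ISP relay is not disclosed in the thread), and the case-insensitive comparison rests on one assumption, that the hash: table was built without "postmap -f" and therefore folds keys to lower case.

```python
"""Offline stand-in for the lookup-key check suggested in the reply:

    # postmap -q "$(postconf -xh relayhost)" \
        $(postconf -xh smtp_sasl_password_maps) | cat -etv

Added example, not code from the postfix-users thread or from Postfix.
It reads the *source* text of an smtp_sasl_password_maps table, looks for
a key identical to the relayhost value (brackets and :port included),
lists keys that differ only in [] / :port / hidden characters, and renders
suspect lines the way "cat -etv" does so tabs, CRs and no-break spaces
become visible.  Assumption: hash: tables fold keys to lower case (the
default unless built with "postmap -f"), so comparison is case-insensitive.
The relay name and table contents are constructed; the real relay is not
disclosed in the thread.
"""
import re

ASCII_WS = " \t\r\f\v"          # the whitespace postmap(1) splits key/value on


def cat_etv(line: str) -> str:
    """Render a line like `cat -etv`: TAB -> ^I, CR -> ^M, other control
    bytes -> ^X, bytes >= 0x80 -> M-<char>, and '$' at end of line."""
    out = []
    for b in line.encode("utf-8"):
        if b == 9:
            out.append("^I")
        elif b < 32 or b == 127:
            out.append("^" + chr((b + 64) % 128))
        elif b >= 128:
            low = b - 128
            if low < 32 or low == 127:
                out.append("M-^" + chr((low + 64) % 128))
            else:
                out.append("M-" + chr(low))
        else:
            out.append(chr(b))
    return "".join(out) + "$"


def parse_table(text: str):
    """Yield (key, value, raw_line) for each non-blank, non-comment line,
    splitting key from value on ASCII whitespace as postmap(1) does."""
    for raw in text.split("\n"):
        body = raw.strip(ASCII_WS)
        if not body or body.startswith("#"):
            continue
        parts = re.split(r"[ \t\r\f\v]+", body, maxsplit=1)
        yield parts[0], (parts[1] if len(parts) > 1 else ""), raw


def loose(key: str) -> str:
    """Canonical form used only to spot near misses: drop non-printable
    and non-ASCII characters, lower-case, then strip ':port' and '[]'."""
    k = re.sub(r"[^\x21-\x7e]", "", key).lower()
    k = re.sub(r":\d+$", "", k)
    if k.startswith("[") and k.endswith("]"):
        k = k[1:-1]
    return k


def check_lookup_key(relayhost: str, table_text: str) -> dict:
    """Compare every key in the table against relayhost.  Returns the exact
    match (key, username), the near misses, and suspect lines rendered
    with cat_etv().  Passwords are never included in the report."""
    report = {"exact": None, "near_misses": [], "suspicious_lines": []}
    for key, value, raw in parse_table(table_text):
        if "\r" in raw or any(ord(ch) > 127 for ch in raw):
            report["suspicious_lines"].append(cat_etv(raw))
        if key.lower() == relayhost.lower():
            report["exact"] = (key, value.split(":", 1)[0])
        elif loose(key) == loose(relayhost):
            report["near_misses"].append(key)
    return report


# Constructed sample: three typical mistakes followed by one correct entry.
SAMPLE_RELAYHOST = "[smtp.isp.example]:465"
SAMPLE_TABLE = (
    "# constructed sasl_passwd source (not real credentials)\n"
    "smtp.isp.example          user@isp.example:hunter2\n"      # no [] and no :port
    "[smtp.isp.example]:465\u00a0 user@isp.example:hunter2\n"  # trailing no-break space
    "[smtp.isp.example]:587    user@isp.example:hunter2\r\n"    # wrong port, CRLF ending
    "[SMTP.isp.example]:465    user@isp.example:hunter2\n"     # matches after case folding
)

if __name__ == "__main__":
    result = check_lookup_key(SAMPLE_RELAYHOST, SAMPLE_TABLE)
    print("exact match:", result["exact"])
    print("near misses:", result["near_misses"])
    for shown in result["suspicious_lines"]:
        print("suspect line:", shown)
```

Run against a real file as check_lookup_key(postconf_relayhost, open("/etc/postfix/sasl_passwd").read()); an empty "exact" with entries in "near_misses" is the symptom the reply describes, and a line in "suspicious_lines" ending in "M-BM- " or "^M" is exactly what "cat -etv" would have shown.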