Carlos Williams wrote:
I am unable to understand why I can't get TLS / SASL working on my
Postfix server. I am using Postfix 2.3 (postfix-2.3.3-2.1.el5_2) on
CentOS 5 x64. I followed the CentOS guide and enabled this in my
main.cf & dovecot.conf. When I telnet into my server, I see the
following:
...
Transcript of session follows.
Out: 220 mail.iamghost.com ESMTP
In: EHLO [10.1.1.204]
Out: 250-mail.iamghost.com
Out: 250-PIPELINING
Out: 250-SIZE 10240000
Out: 250-VRFY
Out: 250-ETRN
Out: 250-STARTTLS
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In: STARTTLS
Out: 454 4.3.0 TLS not available due to local problem
In: QUIT
Out: 221 2.0.0 Bye
Details of a problem are not divulged to outsiders, so the
transcript intentionally gives vague information.
Something broken in your config. Check your logs, postfix
probably tells you where to look further there.
I don't understand. Can someone please help me understand why this is
not working? I did notice that when I enter the below TLS settings,
'smtpd_tls_security_level = may' is a difference color from all the
other entries which usually means it can't read or determine that
value. Perhaps my Postfix version is too old to use this config for
TLS?
I am pasting an output of 'postfconf -n'
[r...@mail /]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, $mydomain, mail.$mydomain
mydomain = iamghost.com
myhostname = mail.iamghost.com
mynetworks = $config_directory/mynetworks
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relay_domains =
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname,
permit
you should add permit_sasl_authenticated just after
permit_mynetworks in the above restrictions.
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_pipelining,
reject_non_fqdn_recipient, reject_unknown_recipient_domain,
reject_unauth_destination, reject_unlisted_recipient,
check_policy_service unix:postgrey/socket, check_sender_access
hash:/etc/postfix/sender_access, reject_rbl_client
zen.spamhaus.org, reject_rbl_client bl.spamcop.net, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks,
reject_non_fqdn_sender, reject_unknown_sender_domain,
reject_unknown_reverse_client_hostname, permit
You should add permit_sasl_authenticated just after
permit_mynetworks in the above restrictions.
smtpd_tls_CAfile = /etc/ssl/intermediate.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file =
> smtpd_tls_key_file =
Not sure how postfix is supposed to do TLS without a
certificate or key file. This looks like the problem.
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
You can test TLS with
# openssl s_client -connect ip.add.re.ss:port -starttls smtp
after some TLS handshake garbage, you should get a
250 ...
greeting from postfix. If it gets that far, TLS is working
correctly.
-- Noel Jones
