On Mon, Jul 20, 2009 at 1:25 PM, Noel Jones<njo...@megan.vbhcs.org> wrote: > Details of a problem are not divulged to outsiders, so the transcript > intentionally gives vague information. > > Something broken in your config. Check your logs, postfix probably tells > you where to look further there.
That makes sense why it's so vague. I checked my "/var/log/maillog" and can't find any notification for the error. > you should add permit_sasl_authenticated just after permit_mynetworks in the > above restrictions. > You should add permit_sasl_authenticated just after permit_mynetworks in the > above restrictions. I added "permit_sasl_authenticated" to all 3 checks in my main.cf file right after "permit_mynetworks". - smtpd_helo_restrictions = - smtpd_recipient_restrictions = - smtpd_sender_restrictions = >> smtpd_tls_CAfile = /etc/ssl/intermediate.crt >> smtpd_tls_auth_only = yes >> smtpd_tls_cert_file = >> smtpd_tls_key_file = > > Not sure how postfix is supposed to do TLS without a certificate or key > file. This looks like the problem. I omitted this from my postconf -n output but I do have a valid path to the certificates. > >> smtpd_tls_loglevel = 1 >> smtpd_tls_security_level = may >> smtpd_tls_session_cache_database = >> btree:/var/spool/postfix/smtpd_tls_cache >> smtpd_tls_session_cache_timeout = 3600s >> tls_random_source = dev:/dev/urandom >> unknown_local_recipient_reject_code = 550 > > > You can test TLS with > > # openssl s_client -connect ip.add.re.ss:port -starttls smtp > > after some TLS handshake garbage, you should get a > 250 ... > greeting from postfix. If it gets that far, TLS is working correctly. I tested TLS as you noted above and here was my results: (not good) [r...@mail ~]# openssl s_client -connect 127.0.0.1:25 -starttls smtp CONNECTED(00000003) 22646:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:583: I removed all SASL / TLS configuration from main.cf and started from scratch again using the CentOS guide: http://wiki.centos.org/HowTos/postfix_sasl I appear to have SASL working fine since I test it as noted in the link above and I get what I expect to see. It's when I configure TLS on Postfix, I get the problems: I am re-posting my latest postconf -n output: postconf -n alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases broken_sasl_auth_clients = yes command_directory = /usr/sbin config_directory = /etc/postfix content_filter = amavisfeed:[127.0.0.1]:10024 daemon_directory = /usr/libexec/postfix home_mailbox = Maildir/ html_directory = no inet_interfaces = all mail_owner = postfix mailq_path = /usr/bin/mailq.postfix manpage_directory = /usr/share/man mydestination = $myhostname, $mydomain, mail.$mydomain mydomain = iamghost.com myhostname = mail.iamghost.com mynetworks = $config_directory/mynetworks myorigin = $mydomain newaliases_path = /usr/bin/newaliases.postfix queue_directory = /var/spool/postfix readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES relay_domains = sample_directory = /usr/share/doc/postfix-2.3.3/samples sendmail_path = /usr/sbin/sendmail.postfix setgid_group = postdrop smtpd_banner = $myhostname ESMTP smtpd_delay_reject = yes smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, reject_unlisted_recipient, check_policy_service unix:postgrey/socket, check_sender_access hash:/etc/postfix/sender_access, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, permit smtpd_sasl_auth_enable = yes smtpd_sasl_path = private/auth smtpd_sasl_security_options = noanonymous smtpd_sasl_type = dovecot smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_reverse_client_hostname, permit smtpd_tls_auth_only = yes smtpd_tls_cert_file = /etc/ssl/mail.iamghost.com.crt smtpd_tls_key_file = /etc/ssl/mail.iamghost.com.key smtpd_tls_loglevel = 1 smtpd_tls_security_level = may smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache smtpd_tls_session_cache_timeout = 3600s tls_random_source = dev:/dev/urandom unknown_local_recipient_reject_code = 550 So my Postfix server is still allowing me to send mail when I have my mail client use no "secure authentication" setting in Thunderbird when sending (SMTP) mail. I would think that the "smtpd_tls_auth_only = yes" setting would not allow me to send mail if I have no authentication configured unless I am just confused. Any thoughts? I am lost...
