Hi

I have a Postfix 2.3.3 server on CentOS 5.3. Incoming mail is working fine, and has been for a year or so. The mail server sits at mail.simonandkate.net, which is port forwarded on port 25 to the Postfix server on port 25.

Most email is done through Horde (running on the same box) which just calls the local sendmail binary.

I also have an iPhone which I use for mail sending. It uses secure IMAP for reading, and secure SMTP for sending - this is where things are coming unstuck. I'm not sure if an iPhone upgrade has broken it, as it worked when I set it up last year. I don't often send from off the network with the iPhone though, so I haven't noticed this issue.

When the iPhone is connected on the local wireless LAN the SMTP configuration to send mail works fine. It is configured to connect to mail.simonandkate.net, Use SSL, and use port 25. That resolves to the external interface of my router, the router supports NAT loopback, and the connection is successful:

Sep 14 22:46:26 server04 postfix/smtpd[4146]: connect from mail.simonandkate.net[59.167.212.191]
Sep 14 22:46:26 server04 postfix/smtpd[4146]: setting up TLS connection from mail.simonandkate.net[59.167.212.191]
Sep 14 22:46:26 server04 postfix/smtpd[4146]: TLS connection established from mail.simonandkate.net[59.167.212.191]: TLSv1 with cipher AES128-SHA (128/128 bits)
Sep 14 22:46:27 server04 postfix/smtpd[4146]: 9F24F57509: client=mail.simonandkate.net[59.167.212.191], sasl_method=PLAIN, sasl_username=simon

However, if I disable the wireless on the iPhone so it connects truly from outside:

Sep 14 23:13:22 server04 postfix/smtpd[4691]: connect from unknown[120.152.28.100]
Sep 14 23:13:54 server04 postfix/smtpd[4691]: lost connection after UNKNOWN from unknown[120.152.28.100]
Sep 14 23:13:54 server04 postfix/smtpd[4691]: disconnect from unknown[120.152.28.100]

And it never succeeds. If I set smtpd_tls_auth_only to no and disable Use SSL on the iPhone it auths over SMTP (insecurely) and sends fine.

Sep 14 23:17:59 server04 postfix/smtpd[4774]: connect from unknown[120.152.28.100]
Sep 14 23:18:00 server04 postfix/smtpd[4774]: 233D6573DF: client=unknown[120.152.28.100], sasl_method=PLAIN, sasl_username=simon

This used to work, and I am just not sure what has changed...

So I have enabled port 587 in postfix master.cf, so now I have:

smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd

Port forward 587 on the router, and tell the iPhone to use 587 instead of 25 and now it works... ?!?

Do I need to change anything else in main.cf, or master.cf, or will everything else still work the same as if it had been submitted on 25?

Thanks
Simon

Postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
bounce_template_file = /etc/postfix/bounce.cf
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
delay_warning_time = 2h
disable_vrfy_command = yes
html_directory = no
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
masquerade_domains = !system.simonandkate.net, simonandkate.net, simonandkate.lan
message_size_limit = 26214400
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, localhost.localdomain, simonandkate.net, system.simonandkate.net, howiesue.net
myhostname = mail.simonandkate.net
mynetworks = 127.0.0.0/8, 192.168.1.0/24
myorigin = simonandkate.net
newaliases_path = /usr/bin/newaliases.postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_restrictions =
smtpd_data_restrictions = reject_unauth_pipelining      permit
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_sender_access hash:/etc/postfix/sender_access, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, check_policy_service unix:postgrey/socket, check_policy_service unix:private/policy permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sender_restrictions =
smtpd_tls_CAfile = /etc/pki/tls/certs/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/simonandkate.net-cert.pem
smtpd_tls_key_file = /etc/pki/tls/private/simonandkate.net-key.pem
smtpd_tls_loglevel = 2
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550



--
Simon Wilson
www.simonandkate.net
