Victor Duchovni wrote:
> Try again, with a more useful log sample, and configuration settings
> for the receiving side. The log sample should include multiple lines
> of logging from the SMTP client, showing any TLS handshake, ...

Alright, please take a look at the end of this email for the
configuration files for mta1 and mta2. They're almost identical.
The logs are in the attachments.

>> relayhost = 10.0.0.6
>
> Per the documentation, this must be:
>
> relayhost = [10.0.0.6]
>
> and the SMTP client password table:
>
> [10.0.0.6] user:pass

It's done. I thought the [ ] were only optional. I don't recall
exactly, something to do with MX.

>> smtp_tls_loglevel = 2
>
> Too verbose.

Yes, I know, but I set it only for the tests.

>> smtp_use_tls = yes
>
> Obsolete, with 2.3 and later, use:
>
> smtp_tls_security_level = may

Agreed.

>> -- permissions for /etc/postfix/sasl_passwd --
>> -rw-r--r-- 1 root root 43 avr 19 17:43 /etc/postfix/sasl_passwd
>
> This should NOT be world-readable.

Yes, I know, but at this time it's for the tests, so I don't care. But
thanks anyway!

I hope you have enough information now.

Gregory.

Configuration files:
*** MTA 1 ***
mta1:/etc/postfix# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = no
config_directory = /etc/postfix
home_mailbox = Maildir/
inet_interfaces = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
message_size_limit = 0
mydestination = mta1.local, localhost.local, , localhost
myhostname = mta1.local
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost = [10.0.0.6]
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_loglevel = 2
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = encrypt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_recipient_restrictions = permit_sasl_authenticated,
    reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_tls_CAfile = /etc/CA/ca.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/certificate/postfix_mta1.crt
smtpd_tls_key_file = /etc/postfix/certificate/postfix_mta1.key
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_security_level = encrypt
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
*** MTA 2 ***
mta2:/etc/postfix# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = no
config_directory = /etc/postfix
home_mailbox = Maildir/
inet_interfaces = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
message_size_limit = 0
mydestination = mta2.local, localhost.local, , localhost
myhostname = mta2.local
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost = [10.0.0.5]
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_loglevel = 2
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = encrypt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_recipient_restrictions = permit_sasl_authenticated,
    reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_tls_CAfile = /etc/CA/ca.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/certificate/postfix_mta2.crt
smtpd_tls_key_file = /etc/postfix/certificate/postfix_mta2.key
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_security_level = encrypt
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
Apr 20 12:02:00 mta1 postfix/smtpd[2949]: Anonymous TLS connection established from unknown[10.0.0.2]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr 20 12:02:00 mta1 postfix/smtpd[2949]: warning: SASL authentication failure: no secret in database
Apr 20 12:02:00 mta1 postfix/smtpd[2949]: warning: unknown[10.0.0.2]: SASL CRAM-MD5 authentication failed: authentication failure
Apr 20 12:02:00 mta1 postfix/smtpd[2949]: warning: SASL authentication failure: no secret in database
Apr 20 12:02:00 mta1 postfix/smtpd[2949]: warning: unknown[10.0.0.2]: SASL NTLM authentication failed: authentication failure
Apr 20 12:02:00 mta1 postfix/smtpd[2949]: 9356961EE: client=unknown[10.0.0.2], sasl_method=PLAIN, sasl_username=dest
Apr 20 12:02:00 mta1 postfix/cleanup[2953]: 9356961EE: message-id=<4bcd7b9d.9040...@mta1.local>
Apr 20 12:02:00 mta1 postfix/qmgr[2937]: 9356961EE: from=<d...@mta1.local>, size=638, nrcpt=1 (queue active)
Apr 20 12:02:00 mta1 postfix/smtp[2954]: initializing the client-side TLS engine
Apr 20 12:02:00 mta1 postfix/smtpd[2949]: disconnect from unknown[10.0.0.2]
Apr 20 12:02:00 mta1 postfix/smtp[2954]: setting up TLS connection to 10.0.0.6[10.0.0.6]:25
Apr 20 12:02:00 mta1 postfix/smtp[2954]: 10.0.0.6[10.0.0.6]:25: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!eNULL"
Apr 20 12:02:00 mta1 postfix/smtp[2954]: looking for session smtp:10.0.0.6:25:mta2.local&p=1&c=ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!eNULL in smtp cache
Apr 20 12:02:00 mta1 postfix/tlsmgr[2941]: lookup smtp session id=smtp:10.0.0.6:25:mta2.local&p=1&c=ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!eNULL
Apr 20 12:02:00 mta1 postfix/smtp[2954]: SSL_connect:before/connect initialization
Apr 20 12:02:00 mta1 postfix/smtp[2954]: SSL_connect:SSLv2/v3 write client hello A
Apr 20 12:02:00 mta1 postfix/smtp[2954]: SSL_connect:SSLv3 read server hello A
Apr 20 12:02:00 mta1 postfix/smtp[2954]: SSL_connect:SSLv3 read server key exchange A
Apr 20 12:02:00 mta1 postfix/smtp[2954]: SSL_connect:SSLv3 read server done A
Apr 20 12:02:00 mta1 postfix/smtp[2954]: SSL_connect:SSLv3 write client key exchange A
Apr 20 12:02:00 mta1 postfix/smtp[2954]: SSL_connect:SSLv3 write change cipher spec A
Apr 20 12:02:00 mta1 xxx/pkcs11: SSL_connect:SSLv3 write finished A
Apr 20 12:02:00 mta1 xxx/pkcs11: SSL_connect:SSLv3 flush data
Apr 20 12:02:00 mta1 xxx/pkcs11: SSL_connect:SSLv3 read server session ticket A
Apr 20 12:02:00 mta1 xxx/pkcs11: SSL_connect:SSLv3 read finished A
Apr 20 12:02:00 mta1 xxx/pkcs11: Untrusted TLS connection established to 10.0.0.6[10.0.0.6]:25: TLSv1 with cipher ADH-XXX-SHA (256/256 bits)
Apr 20 12:02:00 mta1 xxx/pkcs11: warning: SASL authentication failure: No worthy mechs found
Apr 20 12:02:00 mta1 xxx/pkcs11: 9356961EE: to=<d...@mta2.local>, relay=10.0.0.6[10.0.0.6]:25, delay=0.14, delays=0.09/0/0.04/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server 10.0.0.6[10.0.0.6]: no mechanism available)
Apr 20 12:02:01 mta2 postfix/smtpd[2954]: initializing the server-side TLS engine
Apr 20 12:02:01 mta2 postfix/smtpd[2954]: connect from mta1.local[10.0.0.5]
Apr 20 12:02:01 mta2 postfix/smtpd[2954]: setting up TLS connection from mta1.local[10.0.0.5]
Apr 20 12:02:01 mta2 postfix/smtpd[2954]: mta1.local[10.0.0.5]: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
Apr 20 12:02:01 mta2 postfix/smtpd[2954]: SSL_accept:before/accept initialization
Apr 20 12:02:01 mta2 postfix/smtpd[2954]: SSL_accept:SSLv3 read client hello B
Apr 20 12:02:01 mta2 postfix/smtpd[2954]: SSL_accept:SSLv3 write server hello A
Apr 20 12:02:01 mta2 postfix/smtpd[2954]: SSL_accept:SSLv3 write key exchange A
Apr 20 12:02:01 mta2 postfix/smtpd[2954]: SSL_accept:SSLv3 write server done A
Apr 20 12:02:01 mta2 postfix/smtpd[2954]: SSL_accept:SSLv3 flush data
Apr 20 12:02:01 mta2 postfix/smtpd[2954]: SSL_accept:SSLv3 read client key exchange A
Apr 20 12:02:01 mta2 xxx/pkcs11: SSL_accept:SSLv3 read finished A
Apr 20 12:02:01 mta2 xxx/pkcs11: SSL_accept:SSLv3 write session ticket A
Apr 20 12:02:01 mta2 xxx/pkcs11: SSL_accept:SSLv3 write change cipher spec A
Apr 20 12:02:01 mta2 xxx/pkcs11: SSL_accept:SSLv3 write finished A
Apr 20 12:02:01 mta2 xxx/pkcs11: SSL_accept:SSLv3 flush data
Apr 20 12:02:01 mta2 xxx/pkcs11: Anonymous TLS connection established from mta1.local[10.0.0.5]: TLSv1 with cipher ADH-XXX-SHA (256/256 bits)
Apr 20 12:02:01 mta2 xxx/pkcs11: disconnect from mta1.local[10.0.0.5]