On Mon, May 10, 2010 at 3:31 PM, Noel Jones <njo...@megan.vbhcs.org> wrote:
> On 5/10/2010 12:52 PM, Dave O'Larte wrote:
>>
>> Regarding using the right main.cf:
>> I've only installed a single Postfix instance, and changes I make to
>> main.cf do affect Postfix. (E.g. turning up logging, etc.) The Postfix
>> log says I'm using the config in /etc/postfix.
>>
>> The output from postfinger:
>>
>> # ./postfinger
>> postfinger - postfix configuration on Mon May 10 17:27:44 UTC 2010
>> version: 1.30
>>
>> Warning: postfinger output may show private configuration information,
>> such as ip addresses and/or domain names which you do not want to show
>> to the public. If this is the case it is your responsibility to modify
>> the output to hide this private information. [Remove this warning with
>> the --nowarn option.]
>>
>> --System Parameters--
>> mail_version = 2.6.5
>> hostname = AA-DD-DDD-DDD-DDD
>> uname = Linux aa-dd-ddd-ddd-ddd d.d.dd-ddd-aaa #7-Ubuntu SMP Tue Oct 13 19:06:04 UTC 2009 i686 GNU/Linux
>>
>> --Packaging information--
>> looks like this postfix comes from deb package: postfix-2.6.5-3
>>
>> --main.cf non-default parameters--
>> alias_maps = hash:/etc/aliases
>> append_dot_mydomain = no
>> biff = no
>> bounce_queue_lifetime = 0
>> mailbox_size_limit = 0
>> maximal_backoff_time = 10s
>> maximal_queue_lifetime = 0
>> mydestination = aa-dd-ddd-ddd-ddd.aaa.aaaaaaaa, localhost
>> myhostname = aa-dd-ddd-ddd-ddd.aaa.aaaaaaaa
>> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
>> myorigin = /etc/mailname
>> readme_directory = no
>> recipient_delimiter = +
>> relay_clientcerts = hash:/etc/postfix/relay_client_certs
>> smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
>> smtpd_client_restrictions = permit_tls_clientcerts, warn_if_reject, reject
>> smtpd_tls_CAfile = /etc/postfix/cacert.pem
>> smtpd_tls_cert_file = /etc/postfix/cert.pem
>> smtpd_tls_fingerprint_digest = sha1
>> smtpd_tls_key_file = /etc/postfix/key.pem
>> smtpd_tls_loglevel = 2
>> smtpd_tls_received_header = yes
>> smtpd_tls_req_ccert = yes
>> smtpd_tls_security_level = encrypt
>> smtp_tls_CAfile = /etc/postfix/cacert.pem
>> smtp_tls_cert_file = /etc/postfix/cert.pem
>> smtp_tls_fingerprint_digest = sha1
>> smtp_tls_key_file = /etc/postfix/key.pem
>> smtp_tls_loglevel = 2
>> smtp_tls_note_starttls_offer = yes
>> smtp_tls_security_level = encrypt
>> virtual_gid_maps = static:1004
>> virtual_mailbox_base = /var/mail/vhosts
>> virtual_mailbox_domains = aaaaaaaaaaaaaaaaa.com
>> virtual_mailbox_maps = hash:/etc/postfix/vmailbox
>> virtual_uid_maps = static:1004
>>
>> --master.cf--
>> smtp inet n - - - - smtpd
>> smtps inet n - - - - smtpd
>>   -o smtpd_sasl_path=smtpd
>>   -o smtp_tls_security_level=fingerprint
>>   -o smtpd_tls_security_level=encrypt
>>   -o smtpd_tls_auth_only=yes
>>   -o smtp_tls_note_starttls_offer=yes
>>   -o smtpd_tls_req_ccert=no
>>   -o smtpd_tls_received_header=yes
>>   -o smtpd_sasl_local_domain=
>>   -o smtpd_sasl_auth_enable=yes
>>   -o smtpd_sasl_security_options=noanonymous
>>   -o broken_sasl_auth_clients=yes
>>   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>>   -o smtpd_client_restrictions=
>> pickup fifo n - - 60 1 pickup
>> cleanup unix n - - - 0 cleanup
>> qmgr fifo n - n 300 1 qmgr
>> tlsmgr unix - - - 1000? 1 tlsmgr
>> rewrite unix - - - - - trivial-rewrite
>> bounce unix - - - - 0 bounce
>> defer unix - - - - 0 bounce
>> trace unix - - - - 0 bounce
>> verify unix - - - - 1 verify
>> flush unix n - - 1000? 0 flush
>> proxymap unix - - n - - proxymap
>> proxywrite unix - - n - 1 proxymap
>> smtp unix - - - - - smtp
>> relay unix - - - - - smtp
>>   -o smtp_fallback_relay=
>> showq unix n - - - - showq
>> error unix - - - - - error
>> retry unix - - - - - error
>> discard unix - - - - - discard
>> local unix - n n - - local
>> virtual unix - n n - - virtual
>> lmtp unix - - - - - lmtp
>> anvil unix - - - - 1 anvil
>> scache unix - - - - 1 scache
>> maildrop unix - n n - - pipe
>>   flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
>> uucp unix - n n - - pipe
>>   flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
>> ifmail unix - n n - - pipe
>>   flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
>> bsmtp unix - n n - - pipe
>>   flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
>> scalemail-backend unix - n n - 2 pipe
>>   flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
>> mailman unix - n n - - pipe
>>   flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
>>
>> -- end of postfinger output --
>>
>>
>> Postfix logfile contents from a client connect:
>>
>> May 10 17:32:14 aaaaaaaaaaaaaaaaa postfix/postfix-script[5513]: refreshing the Postfix mail system
>> May 10 17:32:14 aaaaaaaaaaaaaaaaa postfix/master[1040]: reload -- version 2.6.5, configuration /etc/postfix
>> May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: initializing the server-side TLS engine
>> May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: connect from localhost[127.0.0.1]
>> May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: setting up TLS connection from localhost[127.0.0.1]
>> May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: localhost[127.0.0.1]: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL"
>> May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:before/accept initialization
>> May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3 read client hello A
>> May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3 write server hello A
>> May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3 write certificate A
>> May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3 write key exchange A
>> May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3 write certificate request A
>> May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3 flush data
>> May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: localhost[127.0.0.1]: certificate verification depth=1 verify=1 subject=/C=US/ST=aaaaaa/O=aaaaaa/OU=aaaaaa/CN=aaaaaa/emailaddress=a...@aaaaaa.com
>> May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: localhost[127.0.0.1]: certificate verification depth=0 verify=1 subject=/C=US/ST=aaaaaa/O=aaaaaa/OU=aaaaaa/CN=aaa-nnn-nn-nnn-nnn.aaaaaa-n.aaaaaaaaa.com/emailaddress=a...@aaaaaa.com
>> May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3 read client certificate A
>> May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3 read client key exchange A
>> May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3 read certificate verify A
>> May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3 read finished A
>> May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3 write change cipher spec A
>> May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3 write finished A
>> May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: SSL_accept:SSLv3 flush data
>> May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: subject=/C=US/ST=aaaaaaaa/O=aaaaaa/OU=aaa/CN=aaa-ddd-dd-ddd-ddd.aaaaaaaaa.aaaaaaaaa.com/emailaddress=...@aaaaaa.com
>> May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: issuer=/C=US/ST=aaaaaaaa/O=aaaaaa/OU=aaa/CN=aaaaaaaaa/emailaddress=...@aaaaaa.com
>> May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: localhost[127.0.0.1]: Trusted: subject_CN=aaa-nnn-nn-nnn-nnn.aaaaaa-n.aaaaaaaaa.com, issuer=aaaaaaaaaaaa, fingerprint=nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn:nn
>> May 10 17:33:14 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: Trusted TLS connection established from localhost[127.0.0.1]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
>> May 10 17:33:29 aaaaaaaaaaaaaaaaa postfix/smtpd[5521]: disconnect from localhost[127.0.0.1]
>>
>> The contents of relay_client_certs (containing acceptable fingerprints):
>>
>> # cat relay_client_certs
>> 06:9E:FA:8A:49:A2:24:88:89:16:48:D4:C0:C2:F4:A3:54:D9:65:14 OK
>>
>
>
> OK, now tell us why you think it's not working.
Because it doesn't matter what, if anything, I put into the fingerprint file - /etc/postfix/relay_client_certs - the file can be empty, I can do a postmap on it, then restart Postfix, and the incoming TLS client connection is still successful.
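As an added example (not from the thread and not Postfix's own code), a small linter over the configuration quoted above: in Postfix, `warn_if_reject` turns the restriction that follows it into a log-only warning, so `permit_tls_clientcerts, warn_if_reject, reject` never rejects, and the smtps service's `-o smtpd_client_restrictions=` clears that list entirely while `-o smtpd_tls_req_ccert=no` drops the certificate requirement there. Note also that with the default smtpd_delay_reject=yes, smtpd_client_restrictions are evaluated at RCPT TO, so a connect/disconnect that never sends RCPT does not exercise them at all.

```python
import re
# Constructed sample: the relevant main.cf parameters and master.cf overrides quoted above.
SAMPLE_MAIN_CF = """
smtpd_client_restrictions = permit_tls_clientcerts, warn_if_reject, reject
smtpd_tls_req_ccert = yes
"""
SAMPLE_MASTER_CF = """
smtp inet n - - - - smtpd
smtps inet n - - - - smtpd
  -o smtpd_tls_req_ccert=no
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_client_restrictions=
"""

def parse_main_cf(text):
    """{parameter: value} from main.cf-style 'key = value' lines."""
    pairs = [l.partition("=") for l in text.splitlines() if l.strip() and not l.startswith("#")]
    return {k.strip(): v.strip() for k, _, v in pairs}

def parse_master_cf(text):
    """{service: {param: value}} for the '-o' overrides under each service entry."""
    services, current = {}, None
    for line in filter(str.strip, text.splitlines()):
        if line[0] not in " \t":            # unindented line starts a service entry
            current = line.split()[0]
            services[current] = {}
        elif line.strip().startswith("-o "):
            key, _, value = line.strip()[3:].partition("=")
            services[current][key.strip()] = value.strip()
    return services

def lint_restrictions(name, value):
    """warn_if_reject makes the restriction after it log-only instead of rejecting."""
    items = [i for i in re.split(r"[,\s]+", value) if i]
    return [f"{name}: warn_if_reject turns '{items[i + 1]}' into a log-only warning"
            for i, item in enumerate(items[:-1]) if item == "warn_if_reject"]

def lint(main_cf, master_cf):
    params, findings = parse_main_cf(main_cf), []
    for name, value in params.items():
        if name.startswith("smtpd_") and name.endswith("_restrictions"):
            findings += lint_restrictions(name, value)
    for svc, overrides in parse_master_cf(master_cf).items():   # per-service overrides
        for name, value in overrides.items():
            if name.startswith("smtpd_") and name.endswith("_restrictions"):
                findings += (lint_restrictions(f"{svc}: {name}", value) if value
                             else [f"{svc}: -o {name}= clears the main.cf restriction list"])
            elif name == "smtpd_tls_req_ccert" and value == "no" and params.get(name) == "yes":
                findings.append(f"{svc}: client certificate no longer required on this service")
    return findings
```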