> > My TLS setup is a bigger mess. The maillog tells me that an SSL session has
> > been established, but then the connection seems to get cleared by the client
> > (Droid). I've looked at many Postfix TLS How-to's, and some of them seem to
> > contradict each other.
>
> Again: "postconf -n".
OK, thanks for the reply. A couple of updates:

1. It's SASL, not SALS -- sorry, it had been a long 16 hour day with 8 hours on the road driving.
2. I did get SASL working perfectly -- at some point I had accidentally commented out the "permit_sasl_authenticated".
3. I have TLS working with name/pass auth on port 587 if the client UNCHECKS "Use SSL". For some reason that I don't understand, if the client has "Use SSL" enabled, it disconnects the TCP connection as soon as an SSL session is established.

My main concern is that the client/server connection is safe and encrypted. It appears to be, even with the SSL option not selected by the client. I used tcpdump to snoop the connection. I see the EHLO and STARTTLS messages being sent in the clear, but the rest of the data for the duration of the connection is encrypted. The log messages in /var/log/maillog indicate that encryption is being used. I suspect the "Use SSL" option on the client doesn't mean "encrypt the connection" but rather "verify certificate" (I have a self-signed certificate).

My main question at this point: is my SASL and TLS setup secure (encrypted) with my current configuration below?
Here is the output of "postconf -n" (log output is below that):

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
body_checks = pcre:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_checks
html_directory = no
mail_owner = postfix
mailbox_size_limit = 1000000000
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 25000000
mydestination = $myhostname, localhost.$mydomain, $mydomain, mail.$mydomain, www.$mydomain, ftp.$mydomain, metaphysical-store.com, www.metaphysical-store.com, oamcs.metaphysical-store.com, metaphysicalstore.com, www.metaphysicalstore.com, oamcs.com, www.oamcs.com, korzell.com, korzells.com, agasha.org, www.agasha.org, ahsaga12.com, www.ahsaga12.com connectforpeace.org www.connectforpeace.org avatartools.com www.avatartools.com avatarroad.com www.avatarroad.com
mynetworks = 199.33.206.0/24,127.0.0.1/32
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
recipient_delimiter = +
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_client_connection_count_limit = 5
smtpd_client_connection_rate_limit = 10
smtpd_client_message_rate_limit = 20
smtpd_client_recipient_rate_limit = 20
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_sender_access hash:/etc/postfix/sender_access_ok, check_client_access hash:/etc/postfix/client_access_ok, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unknown_sender_domain, reject_unauth_pipelining, check_recipient_access pcre:/etc/postfix/recipient_access_regexp_rej, reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
swap_bangpath = no
tls_random_source = dev:/dev/urandom
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 550

I have included log entries from 2 different connects. The first one is from a Droid 2 phone, using name/pass authentication, port 587, but SSL NOT selected. This works fine:

Oct 27 16:22:29 ns postfix/smtpd[15850]: initializing the server-side TLS engine
Oct 27 16:22:30 ns postfix/smtpd[15850]: connect from 108.sub-97-48-178.myvzw.com[97.48.178.108]
Oct 27 16:22:30 ns postfix/smtpd[15850]: setting up TLS connection from 108.sub-97-48-178.myvzw.com[97.48.178.108]
Oct 27 16:22:30 ns postfix/smtpd[15850]: 108.sub-97-48-178.myvzw.com[97.48.178.108]: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
Oct 27 16:22:30 ns postfix/smtpd[15850]: SSL_accept:before/accept initialization
Oct 27 16:22:30 ns postfix/smtpd[15850]: SSL_accept:SSLv3 read client hello B
Oct 27 16:22:30 ns postfix/smtpd[15850]: SSL_accept:SSLv3 write server hello A
Oct 27 16:22:30 ns postfix/smtpd[15850]: SSL_accept:SSLv3 write certificate A
Oct 27 16:22:30 ns postfix/smtpd[15850]: SSL_accept:SSLv3 write key exchange A
Oct 27 16:22:30 ns postfix/smtpd[15850]: SSL_accept:SSLv3 write server done A
Oct 27 16:22:30 ns postfix/smtpd[15850]: SSL_accept:SSLv3 flush data
Oct 27 16:22:30 ns postfix/smtpd[15850]: SSL_accept:SSLv3 read client key exchange A
Oct 27 16:22:30 ns postfix/smtpd[15850]: SSL_accept:SSLv3 read finished A
Oct 27 16:22:30 ns postfix/smtpd[15850]: SSL_accept:SSLv3 write change cipher spec A
Oct 27 16:22:30 ns postfix/smtpd[15850]: SSL_accept:SSLv3 write finished A
Oct 27 16:22:30 ns postfix/smtpd[15850]: SSL_accept:SSLv3 flush data
Oct 27 16:22:30 ns postfix/smtpd[15850]: Anonymous TLS connection established from 108.sub-97-48-178.myvzw.com[97.48.178.108]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Oct 27 16:22:31 ns postfix/smtpd[15850]: C3486AC4001: client=108.sub-97-48-178.myvzw.com[97.48.178.108], sasl_method=PLAIN, sasl_username=kory
Oct 27 16:22:32 ns postfix/cleanup[15855]: C3486AC4001: message-id=<b74522da-1ea8-4494-be2c-cd9517d92...@blur>
Oct 27 16:22:32 ns postfix/qmgr[9043]: C3486AC4001: from=<k...@avatar.com>, size=1238, nrcpt=1 (queue active)
Oct 27 16:22:32 ns postfix/smtpd[15850]: disconnect from 108.sub-97-48-178.myvzw.com[97.48.178.108]

Failed log entry, same as before but SSL enabled on the phone (client):

Oct 27 16:47:30 ns postfix/smtpd[16395]: initializing the server-side TLS engine
Oct 27 16:47:30 ns postfix/smtpd[16395]: connect from 108.sub-97-48-178.myvzw.com[97.48.178.108]
Oct 27 16:47:31 ns postfix/smtpd[16395]: lost connection after UNKNOWN from 108.sub-97-48-178.myvzw.com[97.48.178.108]
Oct 27 16:47:31 ns postfix/smtpd[16395]: disconnect from 108.sub-97-48-178.myvzw.com[97.48.178.108]
Oct 27 16:47:36 ns postfix/smtpd[16395]: connect from 108.sub-97-48-178.myvzw.com[97.48.178.108]
Oct 27 16:47:36 ns postfix/smtpd[16395]: lost connection after UNKNOWN from 108.sub-97-48-178.myvzw.com[97.48.178.108]
Oct 27 16:47:36 ns postfix/smtpd[16395]: disconnect from 108.sub-97-48-178.myvzw.com[97.48.178.108]
Oct 27 16:47:42 ns postfix/smtpd[16395]: connect from 108.sub-97-48-178.myvzw.com[97.48.178.108]
Oct 27 16:47:42 ns postfix/smtpd[16395]: lost connection after UNKNOWN from 108.sub-97-48-178.myvzw.com[97.48.178.108]
Oct 27 16:47:42 ns postfix/smtpd[16395]: disconnect from 108.sub-97-48-178.myvzw.com[97.48.178.108]

Any help would be greatly appreciated!

Kory
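As an added illustration (not part of Kory's post, nor Postfix's own tooling): a small Python checker that groups smtpd maillog lines into sessions and gives each a verdict, distinguishing the two patterns seen above (STARTTLS negotiated then AUTH, versus "lost connection after UNKNOWN" with no TLS at all, which is what a client that starts TLS on the first byte, i.e. SMTPS, produces against a STARTTLS port). The sample lines are constructed after the excerpt above with hostnames and addresses replaced; the third session is an added case showing why the posted smtpd_tls_auth_only = no is worth noticing: it lets a client that skips STARTTLS send its password in the clear, and the checker flags exactly that.

```python
import re

# Constructed sample modelled on the maillog excerpt above (names and addresses
# replaced with documentation values); third session added: AUTH without STARTTLS.
SAMPLE_LOG = """\
Oct 27 16:22:30 ns postfix/smtpd[15850]: connect from phone.example[192.0.2.10]
Oct 27 16:22:30 ns postfix/smtpd[15850]: Anonymous TLS connection established from phone.example[192.0.2.10]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Oct 27 16:22:31 ns postfix/smtpd[15850]: C3486AC4001: client=phone.example[192.0.2.10], sasl_method=PLAIN, sasl_username=kory
Oct 27 16:22:32 ns postfix/smtpd[15850]: disconnect from phone.example[192.0.2.10]
Oct 27 16:47:30 ns postfix/smtpd[16395]: connect from phone.example[192.0.2.10]
Oct 27 16:47:31 ns postfix/smtpd[16395]: lost connection after UNKNOWN from phone.example[192.0.2.10]
Oct 27 16:47:31 ns postfix/smtpd[16395]: disconnect from phone.example[192.0.2.10]
Oct 27 16:50:00 ns postfix/smtpd[16400]: connect from laptop.example[192.0.2.20]
Oct 27 16:50:01 ns postfix/smtpd[16400]: D0000000001: client=laptop.example[192.0.2.20], sasl_method=PLAIN, sasl_username=kory
Oct 27 16:50:02 ns postfix/smtpd[16400]: disconnect from laptop.example[192.0.2.20]
"""

SMTPD = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$", re.M)
TLS = re.compile(r"TLS connection established from \S+: (\S+) with cipher (\S+)")
SASL = re.compile(r"sasl_method=\S+, sasl_username=(\S+)")


def classify(s):
    """Verdict for one finished smtpd session (a dict built by summarize_sessions)."""
    if s["tls"] and s["sasl_user"]:
        return "ok: STARTTLS negotiated before AUTH"
    if s["unknown_cmd"] and not s["tls"]:
        return "no SMTP command parsed; a client doing TLS-on-connect (SMTPS) against a STARTTLS port looks like this"
    if s["sasl_user"]:
        return "WARNING: AUTH without TLS (smtpd_tls_auth_only = no permits this)"
    return "no AUTH attempted"


def summarize_sessions(log_text):
    """Group smtpd lines by process id (one connection at a time) and give each a verdict."""
    open_sessions, done = {}, []
    for pid, msg in (m.groups() for m in SMTPD.finditer(log_text)):
        if msg.startswith("connect from "):
            open_sessions[pid] = {"pid": pid, "client": msg[13:], "tls": None, "sasl_user": None, "unknown_cmd": False}
        elif (s := open_sessions.get(pid)) is None:
            continue  # belongs to a session whose connect line we did not see
        elif t := TLS.search(msg):
            s["tls"] = t.groups()  # (protocol, cipher)
        elif a := SASL.search(msg):
            s["sasl_user"] = a.group(1)
        elif "lost connection after UNKNOWN" in msg:
            s["unknown_cmd"] = True  # smtpd never parsed a valid SMTP command
        elif msg.startswith("disconnect from "):
            s["verdict"] = classify(s)
            done.append(open_sessions.pop(pid))
    return done
```

Run it against a real /var/log/maillog (with smtpd_tls_loglevel at 1 or higher so the "TLS connection established" line is logged) and any WARNING verdict is a client that authenticated in the clear.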