Hi, first of all, I am not an SSL/TLS expert, so I hope you can help me understand something. I have Postfix configured as MSA/MTA, running the latest experimental Postfix release. On port 25 of mx0.roessner-net.de, which is the main mail exchanger for other MTAs, I do not offer AUTH, but I do want to offer STARTTLS.
On the MSA side (the port facing my own clients) I want to offer both STARTTLS and AUTH, so I put the smtpd_sasl_auth_enable=yes option into master.cf. So far so good. When I telnet to mx0.roessner-net.de port 25 and wait for postscreen to let me send EHLO, I only get the following list of commands: Trying 78.46.253.227... Connected to mx0.roessner-net.de. Escape character is '^]'. 220-mx0.roessner-net.de ESMTP 220 mx0.roessner-net.de ESMTP EHLO client.unitymedia.org 250-mx0.roessner-net.de 250-SIZE 31457280 250-ETRN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN Where is the STARTTLS? Yet when I look at the logs, I see TLS being used between other servers and mine. So could someone tell me how that works — how can a session be TLS-protected when the STARTTLS command is never offered? Port 465 is not open, only 25. (Two things I should probably verify myself before asking: because the EHLO reply above contains no STARTTLS, no remote client can negotiate TLS on this inbound path at all, so the TLS lines in the log may well come from the outbound smtp client, which is configured below with smtp_use_tls and smtp_tls_note_starttls_offer rather than from inbound smtpd sessions; and, if I understand Postfix correctly, the server silently stops announcing STARTTLS when its TLS engine failed to initialize, so the smtpd startup messages at smtpd_tls_loglevel = 1 should be checked for a warning about the certificate or key in /ca/mx0.roessner-net.de/ not being loadable.) Thanks to anybody who might like to bring light into the dark for me :-) Christian postconf -n: alias_database = ${default_database_type}:/etc/aliases alias_maps = ${default_database_type}:/etc/aliases anvil_rate_time_unit = 60s anvil_status_update_time = 1h biff = no bounce_queue_lifetime = 1d bounce_template_file = ${config_directory}/bounce.de-DE.cf broken_sasl_auth_clients = yes config_directory = /etc/postfix default_database_type = btree delay_warning_time = 2h disable_vrfy_command = yes html_directory = /usr/share/doc/postfix/html inet_interfaces = 78.46.253.227, 2A01:4F8:61:8222:0:0:0:50 inet_protocols = ipv4, ipv6 lmtp_bind_address = 127.0.0.1 lmtp_bind_address6 = ::1 mailbox_size_limit = 0 maximal_queue_lifetime = 1d message_size_limit = 31457280 minimal_backoff_time = 5m mydomain = roessner-net.de myhostname = mx0.roessner-net.de mynetworks = 127.0.0.0/8, 10.1.0.0/16, [::1]/128, [2A01:4F8:61:8222::]/64 owner_request_special = no postscreen_bare_newline_action = enforce postscreen_bare_newline_enable = yes postscreen_blacklist_action = enforce postscreen_blacklist_networks = cidr:${map}/postscreen_blacklist.cidr postscreen_dnsbl_action = enforce postscreen_dnsbl_sites 
= zen.spamhaus.org, spam.ipv6.kutukupret.com, bl.spamcop.net, dnsbl.njabl.org, ix.dnsbl.manitu.net, dsn.rfc-ignorant.org postscreen_dnsbl_threshold = 2 postscreen_greet_action = enforce proxy_read_maps = ${local_recipient_maps}, ${virtual_mailbox_maps}, ${virtual_mailbox_domains}, ${virtual_alias_maps}, ${ldap}/helo_access.cf, ${ldap}/relay_domains.cf, ${ldap}/relay_recipient_maps.cf queue_minfree = 47185920 readme_directory = /usr/share/doc/postfix recipient_bcc_maps = pcre:${map}/backup_bcc.pcre recipient_delimiter = + relay_domains = ${mydestination}, lists.roessner-net.de, ${ldap}/relay_domains.cf relay_recipient_maps = ${ldap}/relay_recipient_maps.cf, ${default_database_type}:/var/lib/mailman/data/virtual-mailman relay_transport = lmtp:[::1]:24 smtp_bind_address = 78.46.253.227 smtp_bind_address6 = 2A01:4F8:61:8222:0:0:0:50 smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt smtp_tls_cert_file = /ca/mx0.roessner-net.de/newcert.pem smtp_tls_key_file = /ca/mx0.roessner-net.de/newkey.pem smtp_tls_note_starttls_offer = yes smtp_tls_session_cache_database = sdbm:${data_directory}/smtp_session_cache smtp_use_tls = yes smtpd_banner = ${myhostname} ESMTP smtpd_client_event_limit_exceptions = ${mynetworks}, 208.31.42.77 smtpd_data_restrictions = reject_multi_recipient_bounce, reject_unauth_pipelining smtpd_etrn_restrictions = reject smtpd_hard_error_limit = 5 smtpd_helo_required = yes smtpd_policy_service_timeout = 5m smtpd_proxy_timeout = 300s smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_non_fqdn_sender, reject_unknown_recipient_domain, reject_unknown_sender_domain, reject_unlisted_recipient, reject_unauth_destination, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_sender_access ${mapidx}/sender_access, check_client_access pcre:${map}/client_access.pcre, check_client_access cidr:${map}/client_access.cidr, check_policy_service inet:[::1]:12527, check_sender_access ${mapidx}/backscatter, check_helo_access 
pcre:${map}/helo_access.pcre, check_policy_service inet:[::1]:12526, check_client_access pcre:${map}/dynamic_ip.pcre, reject_unknown_reverse_client_hostname, reject_unknown_helo_hostname, check_sender_ns_access ${mapidx}/bogus_dns, check_recipient_access pcre:${map}/roleaccount_exceptions.pcre, check_helo_access ${ldap}/helo_access.cf check_sender_access pcre:${map}/greylist.pcre smtpd_restriction_classes = greylist smtpd_sasl_authenticated_header = yes smtpd_sasl_path = private/auth smtpd_sasl_security_options = noanonymous, noplaintext smtpd_sasl_tls_security_options = noanonymous smtpd_sasl_type = dovecot smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt smtpd_tls_cert_file = /ca/mx0.roessner-net.de/newcert.pem smtpd_tls_dh1024_param_file = ${config_directory}/ssl/dh_1024.pem smtpd_tls_dh512_param_file = ${config_directory}/ssl/dh_512.pem smtpd_tls_key_file = /ca/mx0.roessner-net.de/newkey.pem smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_security_level = may smtpd_tls_session_cache_database = sdbm:${data_directory}/smtpd_session_cache smtpd_use_tls = yes strict_rfc821_envelopes = yes tls_append_default_CA = no transport_maps = ${mapidx}/transport unknown_address_reject_code = 550 unknown_client_reject_code = 550 unknown_hostname_reject_code = 550 unverified_recipient_reject_code = 550 unverified_sender_reject_code = 550 virtual_alias_maps = ${ldap}/relay_recipient_maps.cf master.cf: smtpd pass - - - - 10 smtpd -o smtp_bind_address=::1 -o smtpd_proxy_filter=[::1]:10024 -o smtpd_proxy_options=speed_adjust -o smtpd_client_connection_rate_limit=5 -o smtpd_client_message_rate_limit=5 -o smtpd_client_recipient_rate_limit=30 dnsblog unix - - - - 0 dnsblog