Postfix 2.5.6-1
Cyrus SASL 2.1.22-8
I receive the following error when attempting to connect on port 465:
-- snip --
$ openssl s_client -connect mail.MYDOMAIN:465
CONNECTED(00000003)
...
verify error:num=19:self signed certificate in certificate chain
verify return:0
...
No client certificate CA names sent
...
554 5.7.1 <bas12-kitchener06-1242508381.dsl.bell.ca[74.15.44.93]>:
Client host rejected: Access denied
-- snip --
I also tried with starttls:
$ openssl s_client -connect mail.MYDOMAIN:465 -starttls smtp
CONNECTED(00000003)
... and it just hangs here. I tried imap, also. I'm not sure what the
difference is in this context, though.
mail log:
Jan 5 22:36:42 logi postfix/smtpd[29718]: connect from
bas12-kitchener06-1242508381.dsl.bell.ca[74.15.44.93]
Jan 5 22:36:42 logi postfix/smtpd[29718]: setting up TLS connection
from bas12-kitchener06-1242508381.dsl.bell.ca[74.15.44.93]
Jan 5 22:36:42 logi postfix/smtpd[29718]: Anonymous TLS connection
established from bas12-kitchener06-1242508381.dsl.bell.ca[74.15.44.93]:
TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jan 5 22:36:42 logi postfix/smtpd[29718]: NOQUEUE: reject: CONNECT from
bas12-kitchener06-1242508381.dsl.bell.ca[74.15.44.93]: 554 5.7.1
<bas12-kitchener06-1242508381.dsl.bell.ca[74.15.44.93]>: Client host
rejected: Access denied; proto=SMTP
But (and this is where my ignorance shines through) because this is an
SSL connection, how can I check that I can connect without providing the
cert? Or should s_client be handling that part of the handshake for me?
I'm thoroughly confused. Will my mail client (thunderbird) be passing a
local cert to authenticate, or my username & password? If the latter,
how can I test the connection?
master.cf:
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
main.cf:
smtpd_sasl_path = smtpd
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes
Anyone know what I might be missing here?
Background: I'm fed up with using my ISP (Sympatico.ca) for outgoing
mail from home. I'd like to instead use this remote server for SMTP.
However, as I understand it, Sympatico blocks port 25, so I must use
some other.
As I don't want to be an open relay, I also want to authenticate with
the server to allow me to relay my outgoing mail. I've already got SASL
working for my Cyrus mailboxes, so I figured I was half-way there for
SMTP. But I'm stumped on this.
To be honest, I'm not entirely certain that I need to be using SMTPS for
this. I feel like I'm groping for solutions rather than really
understanding what it is I'm doing. Which is never a good thing. I'd
appreciate any pointers on how to achieve this.
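
Added example (not part of the original post): a small Python reader for the smtpd log lines quoted above. It reports the SMTP stage at which each session was rejected and whether a SASL login had been logged by then. The function names, the second session (client.example, 192.0.2.10, queue ID, user alice) and the unwrapped line layout are constructed for illustration.

```python
import re

# Constructed sample: the four log records from the post with the e-mail line
# wrapping undone, plus one constructed authenticated session for contrast.
SAMPLE_LOG = """\
Jan 5 22:36:42 logi postfix/smtpd[29718]: connect from bas12-kitchener06-1242508381.dsl.bell.ca[74.15.44.93]
Jan 5 22:36:42 logi postfix/smtpd[29718]: setting up TLS connection from bas12-kitchener06-1242508381.dsl.bell.ca[74.15.44.93]
Jan 5 22:36:42 logi postfix/smtpd[29718]: Anonymous TLS connection established from bas12-kitchener06-1242508381.dsl.bell.ca[74.15.44.93]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jan 5 22:36:42 logi postfix/smtpd[29718]: NOQUEUE: reject: CONNECT from bas12-kitchener06-1242508381.dsl.bell.ca[74.15.44.93]: 554 5.7.1 <bas12-kitchener06-1242508381.dsl.bell.ca[74.15.44.93]>: Client host rejected: Access denied; proto=SMTP
Jan 5 22:40:01 logi postfix/smtpd[29731]: connect from client.example[192.0.2.10]
Jan 5 22:40:02 logi postfix/smtpd[29731]: 4F2A11C0DE: client=client.example[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
"""

RECORD = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT = re.compile(r"connect from (?P<client>\S+)")
TLS_OK = re.compile(r"TLS connection established from \S+: (?P<proto>\S+) with cipher (?P<cipher>\S+)")
REJECT = re.compile(r"reject: (?P<stage>[A-Z-]+) from \S+: (?P<code>\d{3}) ")
SASL = re.compile(r"sasl_username=(?P<user>[^,\s]+)")
# Stages that come before a client is able to send AUTH.
PRE_AUTH_STAGES = {"CONNECT", "HELO", "EHLO"}

def summarize_sessions(log_text):
    """Return one dict per smtpd session, keyed internally by smtpd PID."""
    current, sessions = {}, []
    for line in log_text.splitlines():
        rec = RECORD.search(line)
        if not rec:
            continue  # not an smtpd record
        pid, msg = rec["pid"], rec["msg"]
        if m := CONNECT.match(msg):  # a new session starts on this PID
            current[pid] = {"client": m["client"], "tls": None,
                            "sasl_user": None, "reject_stage": None, "reject_code": None}
            sessions.append(current[pid])
            continue
        s = current.get(pid)
        if s is None:
            continue  # record without a preceding "connect from"
        if m := TLS_OK.search(msg):
            s["tls"] = f'{m["proto"]} {m["cipher"]}'
        if m := SASL.search(msg):
            s["sasl_user"] = m["user"]
        if m := REJECT.search(msg):
            s["reject_stage"], s["reject_code"] = m["stage"], m["code"]
    return sessions

def rejected_before_auth(s):
    """True when the reject happened at a stage where AUTH could not have been sent yet."""
    return s["reject_stage"] in PRE_AUTH_STAGES and s["sasl_user"] is None
```

For the session in the post this reports a completed TLS handshake followed by a 554 at stage CONNECT with no SASL user, which means the access restriction was applied before the client had any chance to send AUTH.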