greetings

I have set up a secure relay, and I want to pass the mail through amavisd. My 
problem is that when I force my users to use TLS, amavis fails.
How do I enforce encryption from the client but allow amavis to speak to the 
MTA without TLS?

postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
home_mailbox = Maildir/
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mailbox_command = /usr/lib/dovecot/deliver -c 
/etc/dovecot/conf.d/01-mail-stack-delivery.conf -m "${EXTENSION}"
mailbox_size_limit = 0
mydestination = smtp5.example.com, localhost.example.com, localhost
myhostname = smtp5.example.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relayhost =
smtpd_banner = $myhostname ESMTP $mail_name (BASD_smtp5)
smtpd_recipient_restrictions = reject_unknown_sender_domain, 
reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, 
permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = ldap:/etc/postfix/ldap_senders.cf
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_received_header = yes
smtpd_tls_security_level = encrypt
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/local_transport
#content_filter = smtp-amavis:[127.0.0.1]:10024

I didn't think the local ports 10024 and 10025 should be able to communicate. 
But I guess it's when amavis is injecting back into postfix that the TLS error 
appears.
Same log:


postfix/smtpd[3689]: connect from nc1-100.example.com[10.1.1.100]
postfix/smtpd[3689]: Anonymous TLS connection established from 
nc1-100.example.com[10.1.1.100]: TLSv1 with cipher ECDHE-RSA-AES128-SHA 
(128/128 bits)
postfix/smtpd[3689]: 4D80234051C: client=nc1-100.example.com[10.1.1.100], 
sasl_method=PLAIN, sasl_username=lukeskywalker
postfix/cleanup[3696]: 4D80234051C: 
message-id=<33620a61-a31b-44f0-8908-cf21cf499...@example.com>
postfix/qmgr[3688]: 4D80234051C: from=<lukeskywal...@example.com>, size=14831, 
nrcpt=1 (queue active)
postfix/smtpd[3700]: connect from localhost[127.0.0.1]
amavis[1330]: (01330-04) Negative SMTP resp. to DATA: 530 5.7.0 Must issue a 
STARTTLS command first
postfix/smtpd[3700]: disconnect from localhost[127.0.0.1]
amavis[1330]: (01330-04) discarding unprocessed reply: 221 2.0.0 Bye
amavis[1330]: (01330-04) (!)FWD via SMTP: <lukeskywal...@example.com> -> 
<petergrif...@example.com>,BODY=7BIT 451 4.5.0 From MTA([127.0.0.1]:10025) 
during fwd-rundown-1 (Negative SMTP response to RSET: 530 5.7.0 Must issue a 
STARTTLS command first at (eval 98) line 1140.): id=01330-04
amavis[1330]: (01330-04) Blocked MTA-BLOCKED, LOCAL [10.1.1.100] [10.1.1.100] 
<lukeskywal...@example.com> -> <petergrif...@example.com>, Message-ID: 
<33620a61-a31b-44f0-8908-cf21cf499...@example.com>, mail_id: ul2+k6lIy9Fx, 
Hits: -1.01, size: 14831, 4571 ms
postfix/smtp[3697]: 4D80234051C: to=<petergrif...@example.com>, 
relay=127.0.0.1[127.0.0.1]:10024, delay=4.6, delays=0.02/0.01/0.01/4.6, 
dsn=5.7.0, status=bounced (host 127.0.0.1[127.0.0.1] said: 530 5.7.0 
id=01330-04 - Rejected by MTA on relaying, from MTA([127.0.0.1]:10025): 530 
5.7.0 Must issue a STARTTLS command first (in reply to end of DATA command))
postfix/cleanup[3696]: E29FF340626: 
message-id=<20120524023508.e29ff340...@smtp5.example.com>
postfix/qmgr[3688]: E29FF340626: from=<>, size=17017, nrcpt=1 (queue active)
postfix/bounce[3701]: 4D80234051C: sender non-delivery notification: E29FF340626
postfix/qmgr[3688]: 4D80234051C: removed
postfix/smtp[3702]: E29FF340626: to=<lukeskywal...@example.com>, 
relay=imap.example.com[10.1.1.28]:25, delay=0.34, delays=0/0.01/0.21/0.11, 
dsn=2.0.0, status=sent (250 Ok: queued as DDF795F059F8)
postfix/qmgr[3688]: E29FF340626: removed


I have read that changing smtpd_tls_security_level = encrypt to 
smtpd_tls_security_level = may would allow the connection, but doesn't that 
allow my clients to authenticate without encryption?
Any assistance would be helpful.
Thanks

-j
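One way to get the split the question asks for (TLS enforced on the client-facing smtpd, plain SMTP only on the loopback reinjection listener), as an added example that is not from the original post; the 10024/10025 ports and the smtp-amavis name follow the posted config and log, all other values are assumptions:

```conf
# main.cf (hypothetical excerpt). These defaults govern the public smtpd,
# so clients must STARTTLS before AUTH and DATA. smtpd_tls_auth_only is
# what stops AUTH on a plaintext session if you ever relax "encrypt" to
# "may" for the public listener. SSLv3 from the posted config is obsolete.
smtpd_tls_security_level = encrypt
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
content_filter = smtp-amavis:[127.0.0.1]:10024

# master.cf (hypothetical excerpt)
# Outbound leg: Postfix -> amavisd on 10024. smtp(8) is the client here,
# so the smtpd_tls_* settings do not apply and no TLS is used on loopback.
smtp-amavis unix -       -       n       -       2       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

# Return leg: amavisd -> Postfix on 127.0.0.1:10025. Each -o line overrides
# the main.cf value for this listener only, so the "530 5.7.0 Must issue a
# STARTTLS command first" seen in the log no longer applies to reinjected
# mail. Binding to 127.0.0.1 keeps the plaintext port off the network, and
# the restrictions below accept only loopback clients without AUTH.
127.0.0.1:10025 inet n  -       n       -       -       smtpd
    -o smtpd_tls_security_level=none
    -o smtpd_sasl_auth_enable=no
    -o content_filter=
    -o mynetworks=127.0.0.0/8
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
    -o local_header_rewrite_clients=
```

The posted log shows the rejection coming from MTA([127.0.0.1]:10025), so the override belongs on that listener rather than on the public one; after a reload, `postconf -M` lists the per-service settings so you can confirm the 10025 entry carries them.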
