On Dec 12, 2012, at 7:10 PM, Will wrote:

On 12/12/12 18:05, Tony Nelson wrote:

I just upgraded my Ubuntu server from 10.04 to 12.04 which upgraded Postfix to 2.9.1-4. The postfix server sits behind my firewall, in front of my corporate Exchange servers.

After the upgrade I found that my exchange servers would/could no longer send mail. I got the following error:

Dec 12 18:48:41 mail postfix/smtpd[3093]: lost connection after EHLO from NY-HUBT02.WIN.STARPOINT.COM[192.168.43.19]

A bit of googling pointed me to TLS issues. After trying several things, I commented out my TLS configuration parameters, and sure enough all of the mail flowed out of my Exchange servers, so the problem is definitely TLS related.

These are my commented out TLS parameters:

# TLS parameters
# smtp_tls_security_level = may
# smtpd_tls_security_level = may
# smtpd_tls_cert_file = /etc/ssl/certs/starpoint.crt
# smtpd_tls_key_file = /etc/ssl/private/starpoint.key
# smtpd_tls_CAfile = /etc/ssl/certs/gd_bundle.crt
# smtpd_tls_loglevel = 2
# smtpd_use_tls=yes
# smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

The certificate I am using for the TLS on the Postfix server is a wildcard certificate for starpoint.com from GoDaddy. The certificate that Exchange uses is a specific certificate for exchange.starpoint.com, also from GoDaddy.

I think it's in my best interest to get TLS operational again. I've re-read http://www.postfix.org/TLS_README.html again and nothing is jumping out at me.

What is my best next step to solve this problem?

Thank you very much for any advice.

Tony Nelson
Starpoint Solutions

Changing smtpd_tls_loglevel to 3 might provide more useful debugging output, which could help you find any issues between Exchange and Postfix.

-Will

Thanks for the suggestion. I'm going to paste the result here, but I don't see anything helpful.
Right after an anonymous connection is made, the connection is dropped.

Thank you very much for the help.

root@mail:/var/log# cat /tmp/t
Dec 12 19:21:13 mail postfix/smtpd[4660]: connect from NY-HUBT02.WIN.STARPOINT.COM[192.168.43.19]
Dec 12 19:21:13 mail postfix/smtpd[4660]: setting up TLS connection from NY-HUBT02.WIN.STARPOINT.COM[192.168.43.19]
Dec 12 19:21:13 mail postfix/smtpd[4660]: NY-HUBT02.WIN.STARPOINT.COM[192.168.43.19]: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
Dec 12 19:21:13 mail postfix/smtpd[4660]: SSL_accept:before/accept initialization
Dec 12 19:21:13 mail postfix/smtpd[4660]: read from 7FC3AA00E840 [7FC3AA02AF10] (11 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Dec 12 19:21:13 mail postfix/smtpd[4660]: read from 7FC3AA00E840 [7FC3AA02AF10] (11 bytes => 11 (0xB))
Dec 12 19:21:13 mail postfix/smtpd[4660]: 0000 16 03 01 00 68 01 00 00|64 03 01 ....h... d..
Dec 12 19:21:13 mail postfix/smtpd[4660]: read from 7FC3AA00E840 [7FC3AA02AF1E] (98 bytes => 98 (0x62))
Dec 12 19:21:13 mail postfix/smtpd[4660]: 0000 50 c9 1f 71 79 91 a0 59|57 55 30 a6 32 a9 fa d2 P..qy..Y WU0.2...
Dec 12 19:21:13 mail postfix/smtpd[4660]: 0010 5a ac 9b f5 a7 7f e6 0c|37 58 42 cc 9d 4b f8 7a Z....... 7XB..K.z
Dec 12 19:21:13 mail postfix/smtpd[4660]: 0020 20 5a 3f f3 e5 79 b7 89|7e cf b9 e3 87 11 21 5a Z?..y.. ~.....!Z
Dec 12 19:21:13 mail postfix/smtpd[4660]: 0030 f7 24 f0 17 1d b7 4d ad|e7 40 31 85 bf cd bf 5a .$....M. .@1....Z
Dec 12 19:21:13 mail postfix/smtpd[4660]: 0040 f3 00 16 00 04 00 05 00|0a 00 09 00 64 00 62 00 ........ ....d.b.
Dec 12 19:21:13 mail postfix/smtpd[4660]: 0050 03 00 06 00 13 00 12 00|63 01 00 00 05 ff 01 00 ........ c.......
Dec 12 19:21:13 mail postfix/smtpd[4660]: 0060 01 .
Dec 12 19:21:13 mail postfix/smtpd[4660]: 0061 - <SPACES/NULLS>
Dec 12 19:21:13 mail postfix/smtpd[4660]: ny-hubt02.win.starpoint.com[192.168.43.19]: looking up session 5A3FF3E579B7897ECFB9E38711215AF724F0171DB74DADE7403185BFCDBF5AF3&s=192.168.39.36:smtp in smtpd cache
Dec 12 19:21:13 mail postfix/smtpd[4660]: ny-hubt02.win.starpoint.com[192.168.43.19]: reloaded session 5A3FF3E579B7897ECFB9E38711215AF724F0171DB74DADE7403185BFCDBF5AF3&s=192.168.39.36:smtp from smtpd cache
Dec 12 19:21:13 mail postfix/smtpd[4660]: SSL_accept:SSLv3 read client hello A
Dec 12 19:21:13 mail postfix/smtpd[4660]: SSL_accept:SSLv3 write server hello A
Dec 12 19:21:13 mail postfix/smtpd[4660]: SSL_accept:SSLv3 write change cipher spec A
Dec 12 19:21:13 mail postfix/smtpd[4660]: SSL_accept:SSLv3 write finished A
Dec 12 19:21:13 mail postfix/smtpd[4660]: write to 7FC3AA00E840 [7FC3AA021C10] (129 bytes => 129 (0x81))
Dec 12 19:21:13 mail postfix/smtpd[4660]: 0000 16 03 01 00 51 02 00 00|4d 03 01 50 c9 1f 79 3b ....Q... M..P..y;
Dec 12 19:21:13 mail postfix/smtpd[4660]: 0010 bb 8a 38 f6 af 46 74 9c|fa 99 69 18 bd 23 7d b4 ..8..Ft. ..i..#}.
Dec 12 19:21:13 mail postfix/smtpd[4660]: 0020 68 e8 da 79 b6 2b af 00|d6 cb 44 20 5a 3f f3 e5 h..y.+.. ..D Z?..
Dec 12 19:21:13 mail postfix/smtpd[4660]: 0030 79 b7 89 7e cf b9 e3 87|11 21 5a f7 24 f0 17 1d y..~.... .!Z.$...
Dec 12 19:21:13 mail postfix/smtpd[4660]: 0040 b7 4d ad e7 40 31 85 bf|cd bf 5a f3 00 04 00 00 .M..@1.. ..Z.....
Dec 12 19:21:13 mail postfix/smtpd[4660]: 0050 05 ff 01 00 01 00 14 03|01 00 01 01 16 03 01 00 ........ ........
Dec 12 19:21:13 mail postfix/smtpd[4660]: 0060 20 51 e3 37 e6 93 90 fb|49 3d 0c 2b 78 5b e3 a7 Q.7.... I=.+x[..
Dec 12 19:21:13 mail postfix/smtpd[4660]: 0070 ca 0e 2a 52 2a 3e d3 75|e6 af ff 8c fa 49 18 89 ..*R*>.u .....I..
Dec 12 19:21:13 mail postfix/smtpd[4660]: 0080 58 X
Dec 12 19:21:13 mail postfix/smtpd[4660]: SSL_accept:SSLv3 flush data
Dec 12 19:21:13 mail postfix/smtpd[4660]: read from 7FC3AA00E840 [7FC3AA02AF13] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Dec 12 19:21:13 mail postfix/smtpd[4660]: read from 7FC3AA00E840 [7FC3AA02AF13] (5 bytes => 5 (0x5))
Dec 12 19:21:13 mail postfix/smtpd[4660]: 0000 14 03 01 00 01 .....
Dec 12 19:21:13 mail postfix/smtpd[4660]: read from 7FC3AA00E840 [7FC3AA02AF18] (1 bytes => 1 (0x1))
Dec 12 19:21:13 mail postfix/smtpd[4660]: 0000 01 .
Dec 12 19:21:13 mail postfix/smtpd[4660]: read from 7FC3AA00E840 [7FC3AA02AF13] (5 bytes => 5 (0x5))
Dec 12 19:21:13 mail postfix/smtpd[4660]: 0000 16 03 01 ...
Dec 12 19:21:13 mail postfix/smtpd[4660]: 0003 - <SPACES/NULLS>
Dec 12 19:21:13 mail postfix/smtpd[4660]: read from 7FC3AA00E840 [7FC3AA02AF18] (32 bytes => 32 (0x20))
Dec 12 19:21:13 mail postfix/smtpd[4660]: 0000 24 c8 f3 9d 9b df 37 c9|d8 de 52 aa fa 0f a5 21 $.....7. ..R....!
Dec 12 19:21:13 mail postfix/smtpd[4660]: 0010 c9 f3 59 55 ad 82 8a 49|f7 77 db a9 94 bf 13 8e ..YU...I .w......
Dec 12 19:21:13 mail postfix/smtpd[4660]: SSL_accept:SSLv3 read finished A
Dec 12 19:21:13 mail postfix/smtpd[4660]: ny-hubt02.win.starpoint.com[192.168.43.19]: Reusing old session
Dec 12 19:21:13 mail postfix/smtpd[4660]: Anonymous TLS connection established from ny-hubt02.win.starpoint.com[192.168.43.19]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Dec 12 19:21:13 mail postfix/smtpd[4660]: lost connection after EHLO from NY-HUBT02.WIN.STARPOINT.COM[192.168.43.19]
Dec 12 19:21:13 mail postfix/smtpd[4660]: disconnect from NY-HUBT02.WIN.STARPOINT.COM[192.168.43.19]
root@mail:/var/log#
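
Added example, not part of the original thread: at smtpd_tls_loglevel = 3 the hex rows under the first two reads are the client's TLS ClientHello, and decoding them shows which cipher suites the Exchange host offered and the session ID that Postfix then looks up in its cache. The names parse_client_hello, SUITE_NAMES and CLIENT_HELLO_HEX are chosen here for illustration, and the last byte, which the log prints as <SPACES/NULLS>, is assumed to be 00.

```python
import struct

# ClientHello bytes copied from the loglevel-3 dump in the post: the 11-byte and
# 98-byte reads joined, syslog prefix and ASCII column dropped.
# Assumption: the final byte, logged as <SPACES/NULLS>, is 00.
CLIENT_HELLO_HEX = """
16 03 01 00 68 01 00 00 64 03 01
50 c9 1f 71 79 91 a0 59 57 55 30 a6 32 a9 fa d2
5a ac 9b f5 a7 7f e6 0c 37 58 42 cc 9d 4b f8 7a
20 5a 3f f3 e5 79 b7 89 7e cf b9 e3 87 11 21 5a
f7 24 f0 17 1d b7 4d ad e7 40 31 85 bf cd bf 5a
f3 00 16 00 04 00 05 00 0a 00 09 00 64 00 62 00
03 00 06 00 13 00 12 00 63 01 00 00 05 ff 01 00
01 00
"""

# Registered names for suite codes seen here; other codes are shown as hex.
SUITE_NAMES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0012: "TLS_DHE_DSS_WITH_DES_CBC_SHA",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
}

def parse_client_hello(data: bytes) -> dict:
    """Return version, session ID and offered suites of one ClientHello record."""
    rec_type, _, rec_len = struct.unpack_from("!BHH", data, 0)
    body = data[5:5 + rec_len]
    if rec_type != 0x16 or rec_len < 4 or len(body) != rec_len or body[0] != 0x01:
        raise ValueError("not a complete ClientHello handshake record")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                      # skip client_version and the 32-byte random
    sid_len = hello[pos]
    session_id = hello[pos + 1:pos + 1 + sid_len]
    pos += 1 + sid_len
    (cs_len,) = struct.unpack_from("!H", hello, pos)
    suites = struct.unpack_from(f"!{cs_len // 2}H", hello, pos + 2)
    return {"version": hello[:2].hex(), "session_id": session_id.hex().upper(),
            "suites": [SUITE_NAMES.get(s, f"0x{s:04X}") for s in suites]}

HELLO = parse_client_hello(bytes.fromhex("".join(CLIENT_HELLO_HEX.split())))

if __name__ == "__main__":
    print("version", HELLO["version"], "session", HELLO["session_id"])
    print("\n".join(HELLO["suites"]))
```

The decoded session ID is the one in the "looking up session" log line, and the first offered suite corresponds to the RC4-MD5 cipher the log reports as negotiated.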