On Tue, Jul 23, 2013 at 08:33:35AM -0700, sandrouin wrote:

> I have the same problem: TLS works fine for requesting mail and
> for sending mail, but not for the DKIM relay.
> I tried with a self-signed certificate and with a CA-signed certificate, but
> neither of them solves it.
> 
> content_filter = dksign:[127.0.0.1]:12027
> smtp_tls_security_level = may
> smtpd_tls_cert_file = /etc/ssl/certs/postfix.crt
> smtpd_tls_key_file = /etc/ssl/private/postfix.key
> smtpd_use_tls = yes
>
> dksign  unix    -       -       n       -       10      smtp
>  -o smtp_send_xforward_command=yes
>  -o smtp_discard_ehlo_keywords=8bitmime
> 
> 127.0.0.1:12028 inet    n       -       n       -       10      smtpd
>  -o content_filter=
>  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
>  -o smtpd_helo_restrictions=
>  -o smtpd_client_restrictions=
>  -o smtpd_sender_restrictions=
>  -o smtpd_recipient_restrictions=permit_mynetworks,reject
>  -o mynetworks=127.0.0.0/8
>  -o smtpd_authorized_xforward_hosts=127.0.0.0/8

Notice that the back-end SMTP service accepting the mail is on port
12028, but your content filter delivers to 12027, thus there is a
transparent proxy in the middle, but it does not understand TLS.

> Jul 23 17:03:29 PC1 postfix/smtp[26341]: setting up TLS connection to 127.0.0.1[127.0.0.1]:12027
> Jul 23 17:03:29 PC1 postfix/smtpd[26342]: SSL_accept:before/accept initialization
> Jul 23 17:03:29 PC1 postfix/smtp[26341]: SSL_connect:before/connect initialization
> Jul 23 17:03:29 PC1 postfix/smtp[26341]: SSL_connect:SSLv2/v3 write client hello A
> Jul 23 17:03:31 PC1 postfix/smtpd[26335]: disconnect from dns.name.tld[xxx.xxx.xxx.xxx]
> Jul 23 17:04:30 PC1 postfix/smtpd[26342]: SSL_accept error from localhost.localdomain[127.0.0.1]: -1
> Jul 23 17:04:30 PC1 postfix/smtp[26341]: SSL_connect error to 127.0.0.1[127.0.0.1]:12027: -1

Not surprisingly this fails, and you need TLS for connections to 127.0.0.1;
that would be just a waste of CPU (if it worked).  So:

    main.cf:
        # Get rid of smtp_use_tls and smtpd_use_tls
        smtp_tls_security_level = may
        smtpd_tls_security_level = may

    master.cf:
        # Disable TLS for both the dkimsign transport and the back-end
        # SMTP server:

        dksign  unix    -       -       n       -       10      smtp
          -o smtp_tls_security_level=none
          ... plus existing options ...
        127.0.0.1:12028 inet    n       -       n       -       10      smtpd
          -o smtpd_tls_security_level=none
          ... plus existing options ...

Ideally the proxy would filter out the server's "STARTTLS" EHLO offer,
but really it is enough to configure the server and client correctly.

-- 
        Viktor.
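A small configuration check that reproduces the reasoning in the reply above, added here as an example and not code from the thread or from Postfix. It embeds the quoted main.cf/master.cf as constructed sample input, works out the effective client and server TLS levels the way Postfix does (a `-o` override wins over main.cf, and the legacy `smtp_use_tls`/`smtpd_use_tls` = yes behaves like `may` when no security level is set), notices that nothing in master.cf listens on the port the content filter delivers to, and flags TLS on the loopback hop. The corrected pair (the `none` overrides from the reply) produces no warnings. The parsers only cover the subset of main.cf/master.cf syntax used here, and the `lint`/`parse_*` names are this example's own.

```python
"""Lint a main.cf/master.cf pair for TLS on a loopback content_filter hop.

Added example (not from the thread or from Postfix). Config text below is
constructed from the quoted message; parsing covers only the syntax used here.
"""
import re

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed from the quoted configuration (legacy smtpd_use_tls still set).
MAIN_CF_BEFORE = """\
content_filter = dksign:[127.0.0.1]:12027
smtp_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/postfix.crt
smtpd_tls_key_file = /etc/ssl/private/postfix.key
smtpd_use_tls = yes
"""
MASTER_CF_BEFORE = """\
dksign  unix    -       -       n       -       10      smtp
 -o smtp_send_xforward_command=yes
 -o smtp_discard_ehlo_keywords=8bitmime
127.0.0.1:12028 inet    n       -       n       -       10      smtpd
 -o content_filter=
 -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
 -o smtpd_recipient_restrictions=permit_mynetworks,reject
 -o mynetworks=127.0.0.0/8
"""
# The corrected pair from the reply: levels in main.cf, "none" overrides in master.cf.
MAIN_CF_AFTER = MAIN_CF_BEFORE.replace("smtpd_use_tls = yes", "smtpd_tls_security_level = may")
MASTER_CF_AFTER = MASTER_CF_BEFORE.replace(
    "10      smtp\n", "10      smtp\n -o smtp_tls_security_level=none\n").replace(
    "10      smtpd\n", "10      smtpd\n -o smtpd_tls_security_level=none\n")


def parse_main_cf(text):
    """'key = value' lines into a dict; comments and blank lines skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params


def parse_master_cf(text):
    """Return {service: {"type", "command", "options"}}; '-o' lines attach to the entry above."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():  # continuation line: "-o key=value"
            m = re.match(r"\s*-o\s+([^=\s]+)=(.*)$", line)
            if m and current is not None:
                services[current]["options"][m.group(1)] = m.group(2).strip()
            continue
        fields = line.split()
        if len(fields) >= 8:
            current = fields[0]
            services[current] = {"type": fields[1], "command": fields[7], "options": {}}
    return services


def effective(param, main_cf, service):
    """A service's -o override wins over main.cf, as in Postfix."""
    return service["options"].get(param, main_cf.get(param, "")).strip()


def client_tls_level(main_cf, service):
    level = effective("smtp_tls_security_level", main_cf, service)
    if level:
        return level
    # Legacy smtp_use_tls=yes is opportunistic TLS when no level is set.
    return "may" if effective("smtp_use_tls", main_cf, service) == "yes" else "none"


def server_tls_level(main_cf, service):
    level = effective("smtpd_tls_security_level", main_cf, service)
    if level:
        return level
    return "may" if effective("smtpd_use_tls", main_cf, service) == "yes" else "none"


def parse_content_filter(value):
    """'dksign:[127.0.0.1]:12027' -> ('dksign', '127.0.0.1', 12027); port defaults to 25."""
    if not value or ":" not in value:
        return None
    transport, _, rest = value.partition(":")
    hostpart, sep, portpart = rest.rpartition(":")
    host, port = (hostpart, int(portpart)) if sep and portpart.isdigit() else (rest, 25)
    return transport, host.strip("[]"), port


def lint(main_cf_text, master_cf_text):
    """Return (severity, message) findings; 'warn' entries are the TLS problems."""
    main_cf, services, findings = parse_main_cf(main_cf_text), parse_master_cf(master_cf_text), []
    cf = parse_content_filter(main_cf.get("content_filter", ""))
    if cf is None:
        return findings
    transport, host, port = cf
    svc = services.get(transport)
    if svc is None or svc["command"] != "smtp":
        return [("warn", f"content_filter transport '{transport}' is not an smtp(8) service")]
    # No Postfix listener on the filter's port: an external filter/proxy sits in between.
    if not any(n.endswith(f":{port}") for n, s in services.items() if s["type"] == "inet"):
        findings.append(("info", f"no Postfix listener on port {port}; an external filter "
                                 "accepts the content_filter hop and may not speak TLS"))
    level = client_tls_level(main_cf, svc)
    if host in LOOPBACK and level != "none":
        findings.append(("warn", f"transport '{transport}' sends to loopback with "
                                 f"smtp_tls_security_level={level}; add -o smtp_tls_security_level=none"))
    for name, s in services.items():
        if s["type"] == "inet" and s["command"] == "smtpd" and name.rsplit(":", 1)[0].strip("[]") in LOOPBACK:
            level = server_tls_level(main_cf, s)
            if level != "none":
                findings.append(("warn", f"loopback listener '{name}' offers STARTTLS "
                                         f"(smtpd_tls_security_level={level}); add -o smtpd_tls_security_level=none"))
    return findings


if __name__ == "__main__":
    for label, pair in (("before", (MAIN_CF_BEFORE, MASTER_CF_BEFORE)),
                        ("after", (MAIN_CF_AFTER, MASTER_CF_AFTER))):
        print(f"== {label} ==")
        for severity, message in lint(*pair):
            print(f"{severity}: {message}")
```

Running it prints one info line and two warnings for the quoted configuration, and only the info line for the corrected one: the external filter on 12027 is still there by design, but no Postfix component tries to negotiate TLS across it any more. To check a live system instead of the embedded text, feed it the output of `postconf -n` and `postconf -M`.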
