On 11/12/2013 9:03 PM, Viktor Dukhovni wrote:
On Wed, Dec 11, 2013 at 08:42:29PM +1100, Mark Jamsek wrote:

And, the glaringly obvious absence of SMTP auth mechanisms:

220 mail.bsdbox.co ESMTP Postfix
ehlo bsdbox.co
250-mail.bsdbox.co
250-STARTTLS

Only when not using TLS.

I'm not sure I understand what you mean here. I am using TLS, and
there is no SMTP authentication.

You're not "using" TLS in the above session.  The server supports
TLS, but "telnet host 25" does not *use* TLS.  To really use TLS
you need a client program that supports TLS.  I use "posttls-finger"
(because I wrote it to suit my needs).  You could make some progress
with "openssl s_client -starttls smtp -connect somehost:25", though
the latter shows less SMTP oriented output, you don't have to
compile it from source.

     $ posttls-finger "[mail.bsdbox.co]"
     posttls-finger: Connected to mail.bsdbox.co[110.146.148.136]:25
     posttls-finger: < 220 mail.bsdbox.co ESMTP Postfix
     posttls-finger: > EHLO amnesiac.example
     posttls-finger: < 250-mail.bsdbox.co
     posttls-finger: < 250-PIPELINING
     posttls-finger: < 250-SIZE 10240000
     posttls-finger: < 250-VRFY
     posttls-finger: < 250-ETRN
     posttls-finger: < 250-STARTTLS
     posttls-finger: < 250-ENHANCEDSTATUSCODES
     posttls-finger: < 250-8BITMIME
     posttls-finger: < 250 DSN
     posttls-finger: > STARTTLS
     posttls-finger: < 220 2.0.0 Ready to start TLS
     posttls-finger: mail.bsdbox.co[110.146.148.136]:25 Matched CommonName mail.bsdbox.co
     posttls-finger: certificate verification failed for mail.bsdbox.co[110.146.148.136]:25: self-signed certificate
     posttls-finger: mail.bsdbox.co[110.146.148.136]:25: subject_CN=mail.bsdbox.co, issuer_CN=mail.bsdbox.co, fingerprint=26:79:C0:78:CE:0E:DE:7C:83:6C:32:D4:4F:02:EF:72:51:2B:08:7A, pkey_fingerprint=80:B8:24:5B:EF:E4:B9:44:E9:EC:A6:40:0C:6A:6C:D7:9C:5E:B0:6F
     posttls-finger: Untrusted TLS connection established to mail.bsdbox.co[110.146.148.136]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
     posttls-finger: > EHLO amnesiac.example
     posttls-finger: < 250-mail.bsdbox.co
     posttls-finger: < 250-PIPELINING
     posttls-finger: < 250-SIZE 10240000
     posttls-finger: < 250-VRFY
     posttls-finger: < 250-ETRN
     posttls-finger: < 250-AUTH PLAIN LOGIN
     posttls-finger: < 250-AUTH=PLAIN LOGIN
     posttls-finger: < 250-ENHANCEDSTATUSCODES
     posttls-finger: < 250-8BITMIME
     posttls-finger: < 250 DSN
     posttls-finger: > QUIT
     posttls-finger: < 221 2.0.0 Bye

It sure offers AUTH (PLAIN and LOGIN) to clients that use TLS.

On Wed, Dec 11, 2013 at 08:58:10PM +1100, Mark Jamsek wrote:

Wait. I think I understand what you're saying: my ISP perhaps blocks
my connections, so I need to use them as my $relayhost? Is it
possible to work around this somehow? I would rather not relay my
mail through my ISP.

Now you're beginning to see the light.  No you can't bypass the
ISP filter.  Either they are willing to turn the filter off for
you, or you need to relay through their submission service.

     http://www.postfix.org/SOHO_README.html
     http://www.postfix.org/SASL_README.html
     http://www.postfix.org/OVERVIEW.html
     http://www.postfix.org/BASIC_CONFIGURATION_README.html
     http://www.postfix.org/DEBUG_README.html
     http://www.postfix.org/QSHAPE_README.html

Thank you, sir! Using the $relayhost option to relay through my ISP has worked! I can't believe I didn't at least try that already. And, overlooking that I configured auth to only commence AFTER TLS, I foolishly expected auth mechanisms to be apparent using telnet (25). And thank you, again, for those links; I'll read them tonight and draft a letter to my ISP to request disabling the filter. Running your own mail server only to relay mail through a third party sort of defeats the purpose of running your own mail server.

n.b. Please forgive my elementary requests for help -- I am really really new to this. Thanks again, Viktor. Much appreciated, my friend. While I have your ear, do you know if Postfix developers take bitcoin donations? I'd love to contribute something to this great FOSS service.
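
An added example, not part of the thread: a small Python parser that splits a posttls-finger style transcript into the EHLO replies seen before and after STARTTLS and reports where AUTH is advertised, which is the difference the session above shows. The sample transcript is constructed (hostnames are placeholders) and the function names are this example's own.

```python
import re

# Constructed sample modelled on the session quoted above; hostnames are placeholders.
SAMPLE = """\
posttls-finger: < 220 mail.example ESMTP Postfix
posttls-finger: > EHLO client.example
posttls-finger: < 250-mail.example
posttls-finger: < 250-STARTTLS
posttls-finger: < 250 DSN
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: > EHLO client.example
posttls-finger: < 250-mail.example
posttls-finger: < 250-AUTH PLAIN LOGIN
posttls-finger: < 250-AUTH=PLAIN LOGIN
posttls-finger: < 250 DSN
"""

# "<" marks a server reply, ">" a client command; other lines are diagnostics.
LINE = re.compile(r"^\s*(?:posttls-finger:\s*)?([<>])\s*(.*)$")

def ehlo_phases(transcript):
    """Return (before_tls, after_tls), each mapping EHLO keyword -> set of arguments."""
    phases = ({}, {})
    current, tls_on, tls_requested, greeting = None, False, False, False
    for raw in transcript.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # certificate and connection diagnostics
        direction, text = m.groups()
        if direction == ">":
            verb = text.split(" ", 1)[0].upper()
            tls_requested = verb == "STARTTLS"
            current = phases[1 if tls_on else 0] if verb == "EHLO" else None
            greeting = True  # the first 250 line names the server, not a keyword
        elif tls_requested and text.startswith("220"):
            tls_on, tls_requested = True, False  # handshake follows this reply
        elif current is not None and text.startswith("250"):
            # Split on the first space or "=" so legacy "AUTH=PLAIN LOGIN" parses too.
            kw = re.match(r"([^ =]+)[ =]?(.*)", text[4:].strip())
            if not greeting and kw:
                current.setdefault(kw.group(1).upper(), set()).update(kw.group(2).split())
            greeting = False
    return phases

def auth_exposure(transcript):
    before, after = ehlo_phases(transcript)
    return {"starttls_offered": "STARTTLS" in before,
            "auth_in_cleartext": sorted(before.get("AUTH", ())),
            "auth_after_tls": sorted(after.get("AUTH", ()))}
```

A non-empty `auth_in_cleartext` means the server invites clients to send PLAIN or LOGIN credentials over an unencrypted session; an empty list with mechanisms in `auth_after_tls` is the behaviour seen in the thread.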
