On 21.12.2013 20:14, (lists) Denis BUCHER wrote:
> On 16.12.2013 22:08, Erwan David wrote:
>> On 16/12/2013 22:05, (lists) Denis BUCHER wrote:
>>> Dear all,
>>>
>>> I have a very strange problem with our postfix server. It has been
>>> working for years without problem, but suddenly we started to have
>>> errors with SMTP connections from outside.
>>>
>>> On the client side (we tested with Thunderbird and Outlook), the
>>> connection lasts many minutes before showing a timeout error.
>>>
>>> On the server side, the logs are always the same:
>>>
>>> * Dec 16 21:42:33 svrmail postfix/smtpd[8531]: connect from x-x.195-178.cust.bluewin.ch[178.195.x.x]
>>> * Dec 16 21:44:41 svrmail postfix/smtpd[8531]: lost connection after UNKNOWN from x-x.195-178.cust.bluewin.ch[178.195.x.x]
>>> * Dec 16 21:44:41 svrmail postfix/smtpd[8531]: disconnect from x-x.195-178.cust.bluewin.ch[178.195.x.x]
>>>
>>> But the most strange point is that if I do "telnet ip_of_server 465" I
>>> am immediately connected, and can use normal SMTP commands.
>>>
>>> The configuration that used to work was:
>>>
>>> * Port 465
>>> * SSL/TLS
>>> * Authentication: password
>>>
>>> Does someone have an idea about what could be the cause of such a
>>> strange problem?
>>>
>>> Does it have something to do with SSL/TLS?
>> Are you sure your clients connect directly to postfix?
>>
>> No proxy, no anti-virus that could hijack the connection and behave
>> incorrectly with SSL/TLS?
> Dear Erwan,
>
> Yes I am almost sure, I also thought about that, but normally the only device
> that is between the outside world and
> postfix is the firewall, and normally it doesn't do any analysis on the
> connection...
>
> Is there a way to check what happens really on the connection?

fix the wrong configuration that Port 465 accepts unencrypted connections
no mail client ever will connect without a TLS handshake on 465
which *must* fail in your configuration

On 21.12.2013 20:10, (lists) Denis BUCHER wrote:
> On 16.12.2013 22:16, Wietse Venema wrote:
>> Denis BUCHER:
>>> But the most strange point is that if I do "telnet ip_of_server 465" I
>>> am immediately connected, and can use normal SMTP commands.
>> That is absolutely wrong.
>> Someone screwed up and removed the "-o smtpd_tls_wrappermode=yes"
>> from the "smtps" entry in the Postfix master.cf file.
>> The port 465 (smtps) service must not support plaintext communication
>> (such as connecting with telnet).
> Dear Wietse,
>
> OK thank you for your hint, I will change that, but do you think it will
> solve the problem, or is this something different?

most likely the client starts an encrypted connection which fails in your case
read about the difference between TLS and STARTTLS
port 465 is *not* STARTTLS
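
One way to check the master.cf point raised in the replies above, as an added example that is not part of the original thread: a small audit that reports any smtpd listener on smtps/465 lacking the "-o smtpd_tls_wrappermode=yes" override. The function names and the two sample master.cf texts are constructed for illustration, and only plain "-o name=value" overrides in master.cf are examined (a setting in main.cf is not considered).

```python
# Added example: audit a Postfix master.cf for a port-465 service that
# would accept plaintext. BROKEN and FIXED below are constructed samples.

def logical_lines(text):
    """Join master.cf continuation lines (leading whitespace) into entries."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank lines and comments are ignored
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    return entries

def overrides(args):
    """Collect '-o name=value' options from the command arguments."""
    opts = {}
    for flag, value in zip(args, args[1:]):
        if flag == "-o" and "=" in value:
            name, _, val = value.partition("=")
            opts[name] = val
    return opts

def audit_smtps(text):
    """Return (service, verdict) for every smtpd listener on smtps/465."""
    findings = []
    for entry in logical_lines(text):
        fields = entry.split()
        # service type private unpriv chroot wakeup maxproc command [args]
        if len(fields) < 8 or fields[1] != "inet" or fields[7] != "smtpd":
            continue
        port = fields[0].rsplit(":", 1)[-1]   # also handles "host:port"
        if port not in ("smtps", "465"):
            continue
        wrapped = overrides(fields[8:]).get("smtpd_tls_wrappermode") == "yes"
        findings.append((fields[0], "ok" if wrapped else "PLAINTEXT"))
    return findings

BROKEN = """\
smtp      inet  n       -       n       -       -       smtpd
smtps     inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
"""
FIXED = BROKEN.replace("#  -o smtpd_tls_wrappermode", "  -o smtpd_tls_wrappermode")

if __name__ == "__main__":
    print(audit_smtps(BROKEN))   # smtps flagged as PLAINTEXT
    print(audit_smtps(FIXED))    # smtps reported ok
```

A "PLAINTEXT" verdict matches the symptom in the thread: telnet to 465 gets an SMTP greeting, while a mail client that opens with a TLS handshake stalls until the timeout.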