On 21.12.2013 20:14, (lists) Denis BUCHER wrote:
> On 16.12.2013 22:08, Erwan David wrote:
>> On 16/12/2013 22:05, (lists) Denis BUCHER wrote:
>>> Dear all,
>>>
>>> I have a very strange problem with our postfix server. It has been
>>> working for years without problem, but suddenly we started to have
>>> errors with SMTP connections from outside.
>>>
>>> On the client side (we tested with Thunderbird and Outlook), the
>>> connection lasts many minutes before showing a timeout error.
>>>
>>> On the server side, the logs are always the same :
>>>
>>>    * Dec 16 21:42:33 svrmail postfix/smtpd[8531]: connect from
>>>      x-x.195-178.cust.bluewin.ch[178.195.x.x]
>>>    * Dec 16 21:44:41 svrmail postfix/smtpd[8531]: lost connection after
>>>      UNKNOWN from x-x.195-178.cust.bluewin.ch[178.195.x.x]
>>>    * Dec 16 21:44:41 svrmail postfix/smtpd[8531]: disconnect from
>>>      x-x.195-178.cust.bluewin.ch[178.195.x.x]
>>>
>>> But the most strange point is that if I do "telnet ip_of_server 465" I
>>> am immediately connected, and can use normal SMTP commands.
>>>
>>> The configuration that used to work was :
>>>
>>>    * Port 465
>>>    * SSL/TLS
>>>    * Authentication : password
>>>
>>> Does someone have an idea about what could be the cause of such a
>>> strange problem ?
>>>
>>> Does it have something to do with SSL/TLS ?
>> Are you sure your clients connect directly to postfix ?
>>
>> No proxy, no anti-virus that could hijack the connection and behave
>> incorrectly with SSL/TLS ?
> Dear Erwan,
> 
> Yes I am almost sure, I also thought about that, but normally the only device
> that is between the outside world and postfix is the firewall, and normally
> it doesn't do any analysis on the connection...
> 
> Is there a way to check what happens really on the connection?

fix the wrong configuration that Port 465 accepts unencrypted connections
no mail client ever will connect without a TLS handshake on 465 which
*must* fail in your configuration

On 21.12.2013 20:10, (lists) Denis BUCHER wrote:
> On 16.12.2013 22:16, Wietse Venema wrote:
>> Denis BUCHER:
>>> But the most strange point is that if I do "telnet ip_of_server 465" I
>>> am immediately connected, and can use normal SMTP commands.
>> That is absolutely wrong.
>> Someone screwed up and removed the "-o smtpd_tls_wrappermode=yes"
>> from the "smtps" entry in the Postfix master.cf file.
>> The port 465 (smtps) service must not support plaintext communication
>> (such as connecting with telnet).
> Dear Wietse,
>
> OK thank you for your hint, I will change that, but do you think it will
> solve the problem, or is this something different?

most likely

the client starts an encrypted connection which fails in your case
read about the difference between TLS and STARTTLS
port 465 is *not* STARTTLS
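
The misconfiguration diagnosed in this thread, an "smtps" entry in master.cf without "-o smtpd_tls_wrappermode=yes", can be checked for mechanically. The following Python audit is an added example, not code from the thread or from Postfix; the function names and the sample master.cf entries are constructed for illustration, and it assumes main.cf leaves smtpd_tls_wrappermode at its default of "no" and that options use the plain "-o name=value" form.

```python
# Names under which the port-465 listener can appear in master.cf
# ("submissions" is the newer service name for the same port).
SMTPS_NAMES = {"smtps", "submissions", "465"}

def logical_lines(text):
    """Join continuation lines (leading whitespace) and skip comments/blanks."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def audit_smtps(text):
    """Return one finding per port-465 inet listener lacking wrapper mode."""
    findings = []
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8 or fields[1] != "inet":
            continue
        name = fields[0].rsplit(":", 1)[-1]      # drop optional "host:" prefix
        if name not in SMTPS_NAMES:
            continue
        args, opts = fields[8:], {}              # args follow the 8 fixed columns
        for flag, value in zip(args, args[1:]):
            if flag == "-o" and "=" in value:
                key, val = value.split("=", 1)
                opts[key] = val
        # Assumption: main.cf leaves smtpd_tls_wrappermode at its default "no".
        if opts.get("smtpd_tls_wrappermode", "no") != "yes":
            findings.append(f"{name}: no '-o smtpd_tls_wrappermode=yes', "
                            "listener speaks plaintext SMTP")
    return findings

# Constructed sample entries, not the poster's real master.cf.
BROKEN = """\
smtp      inet  n       -       n       -       -       smtpd
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
"""
FIXED = BROKEN + "  -o smtpd_tls_wrappermode=yes\n"

if __name__ == "__main__":
    print(audit_smtps(BROKEN))   # one finding for smtps
    print(audit_smtps(FIXED))    # []
```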
