Hi,
> > I only see information on smtpd_tls_wrapper_mode in TLS_README. Am I
> > missing it?
>
> That's the one. http://www.postfix.org/TLS_README.html#server_enable
> follow the instructions as written.
Okay, I believe I have it working properly, but wanted to be sure, and also
that my understanding of it all is correct.
I have the following in master.cf, which was already there, just now
uncommented:
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
I've enabled debug for my test host, and after restarting postfix, I've tested
it with the following openssl command:
# openssl s_client -connect mail.example.com:465
It connects, displays the certificate, but it also says
depth=0 OU = Domain Control Validated, CN = mail.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
Is this something wrong with how I have the certificate set up?
At the end, it says the following:
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 5C056C6F9E8528EBBCA...7D60A82EC9FF
Session-ID-ctx:
Master-Key: 688EDF0C592501E88D328...A11C2D05DE05318
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1407896713
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
I have a similar error when connecting to port 587 using openssl; however,
it doesn't produce the complete certificate output, which I was expecting:
# openssl s_client -quiet -starttls smtp -connect mail:587
depth=0 OU = Domain Control Validated, CN = mail.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, CN = mail.example.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, CN = mail.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
250 DSN
On the server side, I have the following:
Aug 12 22:37:50 email postfix/smtps/smtpd[10664]: Anonymous TLS connection
established from sage[192.168.1.7]: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
I have the complete log output here:
http://pastebin.com/7wafUchT
I think the problem I'm still having is that I thought I would also test
with Thunderbird, and it doesn't work. When I test with port 587 it works
okay; however, port 465 produces the following:
Aug 12 22:52:13 mail01 postfix/smtps/smtpd[13529]: warning: TLS library
problem: 13529:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
certificate:s3_pkt.c:1257:SSL alert number 42:
Submission on 587 works with the same key/cert pair, so I can't figure out
what's wrong, and whether it's a Thunderbird problem or a postfix problem.
I'm also having a problem with IMAP using STARTTLS on 143 working, but
that's probably a dovecot problem. They do share the same cert, though.
Any ideas greatly appreciated.
Thanks,
Alex
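The chain check behind the "verify error:num=21" lines above, as an added example that is not part of the original post or of Postfix: it classifies the PEM blocks a server sends (as pasted from `openssl s_client -showcerts`) by walking each certificate's DER just far enough to read its issuer and subject Names. All function names are mine, `fake_cert_pem` builds constructed, unsigned toy certificates for offline use, and the check covers ordering and completeness only, not signatures or validity dates.

```python
"""Added example (not from the thread): classify the chain a server sends, as pasted from
`openssl s_client -showcerts`; sending only the leaf is what s_client's num=21 reports."""
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Decode one DER tag-length header at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Raw DER (issuer, subject) Names of one certificate; path building compares them byte-wise."""
    _, tbs_pos, _ = _tlv(der, 0)            # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, pos, end = _tlv(der, tbs_pos)        # TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, ... }
    fields = []
    while pos < end:
        tag, _, stop = _tlv(der, pos)
        fields.append((tag, der[pos:stop]))
        pos = stop
    if fields[0][0] == 0xA0:                # drop the optional EXPLICIT version
        fields.pop(0)
    return fields[2][1], fields[4][1]       # serial, sigAlg, issuer, validity, subject, spki, ...

def check_chain(pem_bytes):
    """Return 'empty', 'self-signed', 'leaf-only', 'misordered' or 'chain' for a PEM bundle."""
    names = [issuer_and_subject(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(pem_bytes)]
    if not names: return "empty"
    for (issuer, _), (_, next_subject) in zip(names, names[1:]):
        if issuer != next_subject:          # each cert must be signed by the one that follows it
            return "misordered"
    issuer, subject = names[0]
    if len(names) == 1:                     # leaf-only: clients lacking the intermediate get num=21
        return "self-signed" if issuer == subject else "leaf-only"
    return "chain"                          # ordered; the last cert's issuer must be in the trust store

# Constructed fixtures: toy, unsigned DER with the real X.509 field layout, not real certificates.
def _der(tag, body):
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])) + body
def _name(cn):  # Name ::= SEQUENCE OF SET OF SEQUENCE { OID commonName, UTF8String cn }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
def fake_cert_pem(subject, issuer):
    sha256_rsa = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sha256_rsa + _name(issuer)
           + _der(0x30, _der(0x17, b"240101000000Z") * 2) + _name(subject)
           + _der(0x30, sha256_rsa + _der(0x03, b"\x00\x01")))
    der = _der(0x30, _der(0x30, tbs) + sha256_rsa + _der(0x03, b"\x00\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
```

Feed it the real output of `openssl s_client -showcerts -connect mail.example.com:465 </dev/null` and a "leaf-only" result means the intermediate CA file has not been appended to the server's certificate chain file; a "chain" result means the remaining question is whether the last issuer is in the client's trust store.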