Hi

Looks like I solved it, but I have some strange behavior that I am not able to explain.

Below is the config info.

postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = localhost
myhostname = ml.w8timez.com
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relayhost =
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/httpd/ssl/ssl.crt
smtpd_tls_key_file = /etc/httpd/ssl/private.key
smtpd_tls_loglevel = 1
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = dovecot

master.cf (main SSL/TLS configs shown here)
smtp inet n - n - - smtpd -o content_filter=spamassassin
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       n       -       -       smtpd
        -o syslog_name=postfix/smtps
        -o smtpd_tls_wrappermode=yes
        -o smtpd_sasl_auth_enable=yes

With this config, telnet to the domain on port 465 does not work; it just loses the connection as soon as I hit ehlo.
telnet ml.w8timez.com 465
Trying 127.0.1.1...
Connected to ml.w8timez.com.
Escape character is '^]'.
ehlo w8timez.com
Connection closed by foreign host.

The error for the above telnet connection is below:

Jun 11 21:10:59 ml postfix/smtps/smtpd[26289]: setting up TLS connection from c-24-6-42-3.hsd1.ca.comcast.net[24.6.42.3]
Jun 11 21:11:09 ml postfix/smtps/smtpd[26289]: SSL_accept error from c-24-6-42-3.hsd1.ca.comcast.net[24.6.42.3]: -1
Jun 11 21:11:09 ml postfix/smtps/smtpd[26289]: warning: TLS library problem: 26289:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:650:
Jun 11 21:11:09 ml postfix/smtps/smtpd[26289]: lost connection after CONNECT from c-24-6-42-3.hsd1.ca.comcast.net[24.6.42.3]

The irony is that now the Opera client works perfectly using port 465 to send mail :), but telnet does not work, which was not the case earlier.
This does not work - telnet ml.w8timez.com 465
This works - openssl s_client -connect ml.w8timez.com:465

The changes I made that I can recollect to get this working on 465 with the Opera client are:
main.cf
smtpd_use_tls=yes   - added this parameter
master.cf (added these values)
        -o syslog_name=postfix/smtps
        -o smtpd_tls_wrappermode=yes
        -o smtpd_sasl_auth_enable=yes

With this info, if someone can educate me on why it started working fine with the Opera client but telnet is broken, it would help me understand better and kill my curiosity.

Thank you
Jithesh


On Thu, 11 Jun 2015 13:20:38 -0700, Noel Jones <njo...@megan.vbhcs.org> wrote:

On 6/11/2015 2:30 PM, Jithesh AP wrote:
Hi,

Apologies for the long mail; I wanted to give all the info I have.
I followed this URL to configure SASL -
http://www.postfix.org/SASL_README.html. I followed the Dovecot
portion and did not set up Cyrus, as I was a bit confused.

postconf -n is at this location -
https://www.dropbox.com/s/4ktakqpwe89y50m/postconf-n.txt?dl=0

Please paste inline.


Here is what I am seeing.
1 ---- When I telnet with the above config in postconf -n, I get the below
result
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Looks good, as it shows 2 AUTH. I checked auth plain while in telnet
and authentication was successful.

I don't see STARTTLS offered above, so no encryption offered on port 25.

Note you can use "openssl s_client" to test encrypted connections.
See google for testing details.


Now when I try to use my Opera client and configure it to use port 465
and also with secure connection (TLS) checked, nothing happens; it

I don't know about the opera client, but most desktop clients use
the term "TLS" to refer to STARTTLS support, and the term "SSL" to
refer to wrappermode encryption as used on port 465 (but supports
TLS).  Maybe you need to check a different box in your client.


does not tell me auth failed in the client or in the logs, as shown
below. Is it an issue with the client maybe? As soon as I change it
to port 25, the mails go out fine from the Opera client, even though
I had commented out mynetworks.

Jun 11 11:23:42 ml dovecot: imap(j...@w8timez.com): Disconnected:
Disconnected in IDLE bytes=886/3033
Jun 11 11:23:42 ml dovecot: imap(j...@w8timez.com): Disconnected:
Disconnected in IDLE bytes=134/1270

unrelated dovecot logs.

Jun 11 11:23:44 ml postfix/smtpd[23152]: connect from
c-24-6-42-3.hsd1.ca.comcast.net[24.6.42.3]

A postfix connection, nothing else.  This could be an encryption
mismatch -- the client trying to use STARTTLS and the server
expecting wrappermode. Or maybe there are further postfix entries
not included here.  Hard to tell...

There's no indication what port is being used here.  Set something
like " -o syslog_name=postfix/smtps" in your master.cf smtps service
entry to differentiate the logs.

Jun 11 11:23:44 ml dovecot: auth: mysql: Connected to 127.0.0.1
(servermail)
...

Unrelated dovecot logs.


2 ----- Now if I enable this config "smtpd_tls_auth_only=yes", then
the AUTH values disappear in telnet, as given below

250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

With this, auth plain does not work, and also the Opera client is the same
as in the first scenario, no change, so I don't know if it means the AUTH is
not working.

As expected.  With smtpd_tls_auth_only=yes, AUTH is neither offered
nor allowed unencrypted, and this connection does not offer STARTTLS.



Now I am stuck, don't know what I am missing :(.

Jun 11 06:18:41 ml postfix/smtpd[20765]: connect from
c-24-6-42-3.hsd1.ca.comcast.net[24.6.42.3]
Jun 11 06:18:41 ml postfix/smtpd[20765]: setting up TLS connection
from  c-24-6-42-3.hsd1.ca.comcast.net[24.6.42.3]
Jun 11 06:18:42 ml postfix/smtpd[20765]: Anonymous TLS connection
established from c-24-6-42-3.hsd1.ca.comcast.net[24.6.42.3]: TLSv1
with  cipher DHE-RSA-AES256-SHA (256/256 bits)

TLS worked at this point in time, but it's unclear if this is port
465 or STARTTLS on another port.

"TLS connection established" proves it worked.  Or used to.

Jun 11 06:18:44 ml postfix/smtpd[20765]: warning:
c-24-6-42-3.hsd1.ca.comcast.net[24.6.42.3]: SASL LOGIN
authentication
failed: authentication failure

But your credentials were somehow wrong at that point in time.  Some
desktop mail clients have separate credentials for IMAP and SMTP.
Check your client setup.




  -- Noel Jones


--
Using Opera's mail client: http://www.opera.com/mail/
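The behaviour discussed in this thread (a plaintext "ehlo" into the smtps service is dropped with "SSL23_GET_CLIENT_HELLO:unknown protocol", while openssl s_client and a mail client in "SSL" mode work) follows from the master.cf overrides. The script below is an added example, not code from the postfix-users list or from the Postfix project: it parses the master.cf excerpt posted above, notes which smtpd service runs in wrappermode (smtpd_tls_wrappermode=yes) versus STARTTLS (smtpd_tls_security_level=encrypt), and predicts what each service does with a client's opening bytes. The TLS ClientHello prefix and the label names are constructed for this example; main.cf settings such as smtpd_use_tls are not modelled.

```python
# Added example (not from the thread or the Postfix project): which smtpd
# services accept a plaintext EHLO, and which expect a TLS ClientHello first.

# master.cf excerpt posted in the thread (service line + "-o" continuation lines)
MASTER_CF = """\
smtp inet n - n - - smtpd -o content_filter=spamassassin
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       n       -       -       smtpd
        -o syslog_name=postfix/smtps
        -o smtpd_tls_wrappermode=yes
        -o smtpd_sasl_auth_enable=yes
"""

# Constructed samples of a client's first bytes on the wire.
# TLS record header: content type 0x16 (handshake), version 3.1, length;
# then handshake type 0x01 (ClientHello). Only the prefix matters here.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"
# What telnet sends when the user types "ehlo w8timez.com".
PLAINTEXT_EHLO = b"ehlo w8timez.com\r\n"


def parse_master_cf(text):
    """Return {service: {"type", "command", "overrides"}} from master.cf text.
    Continuation lines start with whitespace; "-o key=value" pairs may appear
    on the service line itself or on continuation lines."""
    services = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if current is None:
                continue  # stray continuation line, ignore
            tokens = raw.split()
        else:
            fields = raw.split()
            # service type private unpriv chroot wakeup maxproc command args...
            current = {"type": fields[1],
                       "command": fields[7] if len(fields) > 7 else "",
                       "overrides": {}}
            services[fields[0]] = current
            tokens = fields[8:]
        i = 0
        while i < len(tokens):
            if tokens[i] == "-o" and i + 1 < len(tokens):
                key, _, value = tokens[i + 1].partition("=")
                current["overrides"][key] = value
                i += 2
            else:
                i += 1
    return services


def looks_like_tls_client_hello(first_bytes):
    """True if the opening bytes are a TLS handshake record (0x16, 0x03 0x00-0x03)
    or an SSLv2-compatible ClientHello (length with high bit set, type 0x01).
    Those are the shapes a TLS-wrapped listener recognises; anything else is
    reported as "unknown protocol" by the TLS library."""
    b = first_bytes
    if len(b) >= 3 and b[0] == 0x16 and b[1] == 0x03 and b[2] <= 0x03:
        return True
    if len(b) >= 3 and (b[0] & 0x80) and b[2] == 0x01:
        return True
    return False


def predict(service, first_bytes):
    """Label (this example's own vocabulary) for how an smtpd service with the
    given master.cf overrides handles the client's opening bytes."""
    ov = service["overrides"]
    wrapper = ov.get("smtpd_tls_wrappermode") == "yes"
    hello = looks_like_tls_client_hello(first_bytes)
    if wrapper:
        # Wrappermode: TLS handshake happens before any SMTP banner, so a
        # plaintext EHLO is not a ClientHello and the connection is dropped.
        return "tls-then-smtp" if hello else "tls-handshake-fails"
    if hello:
        # A plaintext service would read the binary ClientHello as a bad command.
        return "binary-read-as-smtp-command"
    if ov.get("smtpd_tls_security_level") == "encrypt":
        # EHLO is answered in plaintext, but STARTTLS is mandatory before mail.
        return "plaintext-until-starttls"
    return "plaintext-smtp"


def report(master_cf_text):
    """Predict outcomes for both client styles on every smtpd service."""
    out = {}
    for name, svc in parse_master_cf(master_cf_text).items():
        if svc["command"] != "smtpd":
            continue
        out[name] = {"telnet_ehlo": predict(svc, PLAINTEXT_EHLO),
                     "tls_client": predict(svc, TLS_CLIENT_HELLO)}
    return out


if __name__ == "__main__":
    for name, result in report(MASTER_CF).items():
        print(f"{name:11s} telnet ehlo -> {result['telnet_ehlo']:28s} "
              f"openssl s_client -> {result['tls_client']}")
```

Run stand-alone it prints one line per service; the smtps line shows "tls-handshake-fails" for the plaintext EHLO and "tls-then-smtp" for the ClientHello, which is exactly the asymmetry between telnet and openssl s_client seen on port 465. The check in looks_like_tls_client_hello is the same first-bytes distinction the TLS library makes before any SMTP text is exchanged, which is why the log shows "lost connection after CONNECT" rather than an SMTP error.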
