On Mon, Jun 22, 2015 at 09:40:58AM -0400, James B. Byrne wrote:

> However, postfix had already been
> under git control as a separate repository when etckeeper was
> installed and, unbeknownst to me git considered that a submodule so
> when etckeeper did its update commits the postfix directory was not
> updated with the rest. 

Have you considered using git to go back to the previous configuration?
Start with:

        git log

> INET07 = local delivery
> [root@inet07 etc]# postconf -n
> ...
> relay_clientcerts = hash:/etc/postfix/relay_clientcerts

Does the ".db" file exist (did you "postmap" the file)?

> relay_domains = hash:/etc/postfix/relay_domains

Ditto.

> relayhost = smtp.hamilton.harte-lyne.ca

Typically, you'd want that in []:

    relayhost = [smtp.hamilton.harte-lyne.ca]

unless that really is intended to be an MX RRset and not a hostname.

> smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

Generally this is left empty.

> smtp_tls_cert_file = /etc/pki/tls/certs/ca.harte-lyne.$TLSHOST.crt
> smtp_tls_key_file = /etc/pki/tls/private/ca.harte-lyne.$TLSHOST.key

What is this "$TLSHOST"?  I notice it is set in the "INET07" main.cf
file but not in this one.

> smtp_tls_ciphers = medium
> smtp_tls_exclude_ciphers = MD5, aDSS, SRP, PSK, aECDH, aDH, SEED, IDEA, RC2, 
> RC5
> smtp_tls_protocols = !SSLv2, !SSLv3

Exchange 2003 interoperability mode, that's fine.

> smtp_tls_security_level = dane

Not useful without:

        smtp_dns_support_level = dnssec

and "127.0.0.1" as the only "nameserver" entry in /etc/resolv.conf
and a validating resolver running on 127.0.0.1.  Otherwise, use
"may", not "dane".

> smtp_use_tls = yes

Obsolete.

> smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

Often can be left empty instead.  Why load a pile of certificates
you don't use?  If you must load a pile of certificates, use CApath,
not CAfile.

> smtpd_tls_cert_file = /etc/pki/tls/certs/ca.harte-lyne.smtpd.crt
> smtpd_tls_key_file = /etc/pki/tls/private/ca.harte-lyne.smtpd.key

This is more reasonable (no $TLSHOST); do the key and certificate
match?  Any signs of trouble in the logs:

    http://www.postfix.org/DEBUG_README.html#logging

> smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem

Did you generate that parameter file?

> INET08 - MX host unable to connect to INET07 (timeout)
> # postconf -n
> TLSHOST = smtp

What's the point of this "TLSHOST" business?

> smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

Why?

> smtp_tls_cert_file = /etc/pki/tls/certs/ca.harte-lyne.$TLSHOST.crt
> smtp_tls_key_file = /etc/pki/tls/private/ca.harte-lyne.$TLSHOST.key

Why not just use the exact file name without a "$TLSHOST" variable?

> smtp_use_tls = yes

Obsolete.

> smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

Empty is better.

> smtpd_tls_ask_ccert = yes

Do you plan to support client certs?  For submission?  Or
on port 25?

> smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem

Did you generate the parameter file?

> smtpd_use_tls = yes

Obsolete.

-- 
        Viktor.
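
As an added example, not part of the thread above and not Postfix's own
tooling: a small POSIX sh lint that reads a main.cf in the one-setting-per-line
form "postconf -n" prints and flags the problems raised in this reply
(hash: tables that were never "postmap"ed, a bare relayhost that will be
looked up as an MX RRset, "dane" without smtp_dns_support_level = dnssec and a
local validating resolver, the obsolete smtp_use_tls / smtpd_use_tls switches,
and a DH parameter file that was never generated).  The function names
(lint_main_cf, get_setting, expand_cfgdir), the second argument naming the
resolv.conf to inspect, and the sample main.cf and resolv.conf it writes under
a temporary directory are all constructed for the example; the sample mirrors
the INET07 settings quoted above but is not the poster's real configuration.

```shell
#!/bin/sh
# Added example (not from the original post or from Postfix): lint a main.cf
# for the issues discussed in the reply.  Assumes "key = value" lines as
# printed by "postconf -n".  Function names are invented for this example.

# get_setting FILE KEY  -> value of KEY (empty if unset)
get_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# expand_cfgdir VALUE  -> VALUE with a leading ${config_directory} replaced
expand_cfgdir() {
    p='${config_directory}'
    case $1 in
        "$p"*) printf '%s\n' "$CFGDIR${1#"$p"}" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# lint_main_cf MAIN_CF [RESOLV_CONF]  -> one finding per line; always exits 0
lint_main_cf() {
    cf=$1
    resolv=${2:-/etc/resolv.conf}
    CFGDIR=$(get_setting "$cf" config_directory)
    [ -n "$CFGDIR" ] || CFGDIR=$(dirname "$cf")

    # 1. every hash: table needs its compiled .db, i.e. "postmap" must have run
    sed -n 's/^[^=]*=[[:space:]]*//p' "$cf" | tr ', ' '\n\n' | sed -n 's/^hash://p' |
    while read -r t; do
        t=$(expand_cfgdir "$t")
        [ -f "$t.db" ] || echo "hash:$t has no $t.db: run 'postmap hash:$t'"
    done

    # 2. a relayhost without [] is looked up as an MX RRset, not as a hostname
    rh=$(get_setting "$cf" relayhost)
    case $rh in
        ""|\[*) ;;
        *) echo "relayhost = $rh: write [$rh] unless an MX lookup is intended" ;;
    esac

    # 3. "dane" is only meaningful with DNSSEC-validated answers from 127.0.0.1
    if [ "$(get_setting "$cf" smtp_tls_security_level)" = dane ]; then
        [ "$(get_setting "$cf" smtp_dns_support_level)" = dnssec ] ||
            echo "smtp_tls_security_level = dane needs smtp_dns_support_level = dnssec; otherwise use 'may'"
        ns=$(awk '$1 == "nameserver" { print $2 }' "$resolv" 2>/dev/null | sort -u)
        [ "$ns" = 127.0.0.1 ] ||
            echo "$resolv: 'nameserver 127.0.0.1' (a validating resolver) must be the only nameserver for dane"
    fi

    # 4. pre-security_level switches, superseded by smtp(d)_tls_security_level
    for k in smtp_use_tls smtpd_use_tls; do
        [ -z "$(get_setting "$cf" "$k")" ] ||
            echo "$k is obsolete: drop it and rely on ${k%_use_tls}_tls_security_level"
    done

    # 5. the DH parameter file must actually have been generated
    dh=$(get_setting "$cf" smtpd_tls_dh1024_param_file)
    if [ -n "$dh" ]; then
        dh=$(expand_cfgdir "$dh")
        [ -f "$dh" ] || echo "smtpd_tls_dh1024_param_file = $dh: missing; run 'openssl dhparam -out $dh 2048'"
    fi
    return 0
}

# Constructed sample mirroring the INET07 settings quoted above (not the
# poster's real files).  Only relay_clientcerts has been "postmap"ed.
DEMO_DIR=$(mktemp -d)
touch "$DEMO_DIR/relay_clientcerts.db"
cat > "$DEMO_DIR/main.cf" <<EOF
config_directory = $DEMO_DIR
relay_clientcerts = hash:$DEMO_DIR/relay_clientcerts
relay_domains = hash:$DEMO_DIR/relay_domains
relayhost = smtp.hamilton.harte-lyne.ca
smtp_tls_security_level = dane
smtp_use_tls = yes
smtpd_tls_dh1024_param_file = \${config_directory}/dh2048.pem
smtpd_tls_security_level = may
EOF
# Constructed resolv.conf pointing at a remote, non-validating resolver.
printf 'nameserver 192.0.2.53\n' > "$DEMO_DIR/resolv.conf"
DEMO_CF=$DEMO_DIR/main.cf
DEMO_RESOLV=$DEMO_DIR/resolv.conf

lint_main_cf "$DEMO_CF" "$DEMO_RESOLV"
```

Run against the sample it reports six findings: the missing relay_domains.db,
the bare relayhost, the two DANE prerequisites, the obsolete smtp_use_tls, and
the absent dh2048.pem.  Fixing them (brackets on relayhost, smtp_dns_support_level
= dnssec with a local validating resolver, "postmap" and "openssl dhparam" run,
smtp_use_tls removed) brings the output down to nothing.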
