Hello,

Still stuck. I've got the below, not sure if it helps; it does show that on 143 and 587, client-wise, no peer certificate is being sent or verified.
openssl s_client -starttls smtp -connect localhost:587
CONNECTED(00000003)
34379270664:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:782:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 220 bytes and written 332 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

openssl s_client -starttls smtp -connect localhost:587e :143
CONNECTED(00000003)
didn't found starttls in server response, try anyway...
34379270664:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:782:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 238 bytes and written 332 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Here's my postfix tls and sasl configuration:

main.cf:

# Dovecot sasl authentication
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
#smtpd_sasl_authenticated_header = yes

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_sender_access hash:/usr/local/etc/postfix/safe_addresses
    check_sender_access hash:/usr/local/etc/postfix/auto-whtlst
    check_client_access cidr:/usr/local/etc/postfix/spamfarms
    check_client_access cidr:/usr/local/etc/postfix/sinokorea.cidr
    permit_dnswl_client list.dnswl.org=127.0.[2..14].[1..3]
    check_reverse_client_hostname_access pcre:/usr/local/etc/postfix/fqrdns.pcre
    reject_unknown_reverse_client_hostname
    reject_non_fqdn_sender
    reject_non_fqdn_helo_hostname
    reject_invalid_helo_hostname
    reject_unknown_helo_hostname
    reject_unlisted_recipient
    reject_rbl_client b.barracudacentral.org
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client psbl.surriel.com
    reject_rbl_client bl.spamcop.net
    reject_rbl_client cbl.abuseat.org
    reject_rhsbl_client dbl.spamhaus.org
    reject_rhsbl_sender dbl.spamhaus.org
    reject_rhsbl_helo dbl.spamhaus.org
    check_policy_service unix:private/spf-policy
    # Postfix Quota status service
    check_policy_service inet:127.0.0.1:12345

smtpd_data_restrictions = reject_unauth_pipelining

# TLS parameters
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_eecdh_grade = strong
# Offer opportunistic TLS (STARTTLS) to connections to this mail server.
#smtpd_tls_security_level = may
smtpd_tls_security_level = encrypt
smtpd_tls_cert_file = /etc/ssl/certs/server.crt
smtpd_tls_key_file = /etc/ssl/private/server.key
smtpd_tls_CAfile = /etc/ssl/certs/cacert.crt
# for smtpd pfs
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
smtpd_tls_dh512_param_file = ${config_directory}/dh512.pem
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_received_header = yes

# Use opportunistic TLS (STARTTLS) for outgoing mail if the remote server supports it.
#smtp_tls_security_level = may
smtp_tls_security_level = encrypt
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_CAfile = /etc/ssl/certs/cacert.crt

Any help appreciated.
Thanks.
Dave.

On 10/31/15, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> On Sat, Oct 31, 2015 at 03:35:14PM -0400, David Mehler wrote:
>
>> Thank you. I apologize, let me clarify my statement. I have created my
>> own CA on an offline machine which I use to sign all of my
>> certificates.
>
> Good, that removes ambiguity.
>
>> When you say the client doesn't trust the server certificate, that's
>> not the webmail, that's the submission service not trusting the
>> postfix ServerCertificate, ServerKey, and ServerCAfile options?
>
> Whatever connects to your port 587 submission service is what's
> not trusting the certificate, and sending an alert to that effect,
> which the server logs.
>
>> >> Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: SSL_accept error
>> >> from
>> >> localhost[::1]: 0
>> >> Oct 30 12:12:01 ohio postfix/submission/smtpd[4795]: warning: TLS
>> >> library
>> >> problem: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
>> >> unknown
>> >> ca:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:1300:SSL
>> >> alert number 48:
>
> In this case the client is "[::1]".
>
> More light on this problem is shed in the client logs, rather than
> the server logs.
>
> --
> Viktor.
>
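As an added example (not from the thread, nor Postfix or OpenSSL code), a small Python helper that reads an `openssl s_client -starttls smtp` transcript like the ones above and reports whether the server actually started TLS and whether the client trusted the chain. Both transcripts embedded in it are constructed; the first is modelled on the port-587 output quoted in this post, the second on a run against a server whose CA is missing from the client's `-CAfile`.

```python
import re

# Constructed transcript, modelled on the port-587 run in the post:
# the server answered EHLO (220 bytes read) but what came back after
# STARTTLS was not a TLS ServerHello, so no peer certificate at all.
PORT587_NO_TLS = """CONNECTED(00000003)
34379270664:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:782:
---
no peer certificate available
---
SSL handshake has read 220 bytes and written 332 bytes
---
New, (NONE), Cipher is (NONE)
"""

# Constructed transcript: TLS did start, a certificate was presented,
# but the client has no trusted issuer for it (the client-side view of
# the "tlsv1 alert unknown ca" the server logs).
UNTRUSTED_CHAIN = """CONNECTED(00000003)
depth=0 CN = mail.example.test
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=mail.example.test
---
Verify return code: 20 (unable to get local issuer certificate)
"""


def classify_s_client(output):
    """Summarise an s_client transcript as a small dict."""
    result = {
        "starttls_advertised": "didn't found starttls" not in output,
        "peer_cert_received": ("no peer certificate available" not in output
                               and "Certificate chain" in output),
        "verify_code": None,
        "diagnosis": "unknown",
    }
    m = re.search(r"Verify return code: (\d+)", output)
    if m:
        result["verify_code"] = int(m.group(1))
    m = re.search(r"alert number (\d+)", output)
    alert = int(m.group(1)) if m else None
    if "unknown protocol" in output and not result["peer_cert_received"]:
        # Bytes received where a ServerHello was expected were not TLS:
        # the port did not switch to TLS, or the wrong -starttls was used.
        result["diagnosis"] = "server did not start TLS"
    elif result["verify_code"] == 0:
        result["diagnosis"] = "certificate trusted"
    elif result["verify_code"] in (19, 20, 21) or alert == 48:
        # X.509 codes 19/20/21 = no trusted issuer; TLS alert 48 = unknown_ca
        result["diagnosis"] = "certificate chain not trusted by client"
    return result
```

Running the real command with `-CAfile` pointing at the CA that signed `server.crt` separates the two cases: a `Verify return code: 0 (ok)` there shows the server's chain is fine and the `unknown ca` alert is coming from a client that lacks that CA.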