So: you've got a connection, a plaintext EHLO and reply, STARTTLS command and complete setup of a strong TLS session, another EHLO & reply inside the TLS session, but then:
> Nov 12 20:00:41 mail0 postfix/smtpd[24249]: smtp_get: EOF
> Nov 12 20:00:41 mail0 postfix/smtpd[24249]: match_hostname: mail-yk0-f172.google.com ~? 10.1.0.0/16
> Nov 12 20:00:41 mail0 postfix/smtpd[24249]: match_hostaddr: 209.85.160.172 ~? 10.1.0.0/16
> Nov 12 20:00:41 mail0 postfix/smtpd[24249]: match_hostname: mail-yk0-f172.google.com ~? 71.39.104.224/29
> Nov 12 20:00:41 mail0 postfix/smtpd[24249]: match_hostaddr: 209.85.160.172 ~? 71.39.104.224/29
> Nov 12 20:00:41 mail0 postfix/smtpd[24249]: match_list_match: mail-yk0-f172.google.com: no match
> Nov 12 20:00:41 mail0 postfix/smtpd[24249]: match_list_match: 209.85.160.172: no match
> Nov 12 20:00:41 mail0 postfix/smtpd[24249]: send attr request = disconnect
> Nov 12 20:00:41 mail0 postfix/smtpd[24249]: send attr ident = submission:209.85.160.172

That seems wrong. Not sure what those last 2 lines mean, but they smell bad...

> I remember we had some issues with gmail when we installed courier that I
> thought were related to ssl but comparing the results of
> openssl s_client -connect localhost:25 -starttls smtp >& courier
> vs.
> openssl s_client -connect localhost:25 -starttls smtp >& postfix
>
> seem "the same":

And since you got the TLS going enough for Google to send you an EHLO that you answered, this isn't anything like a normal SSL/TLS problem: that part works. Was that a test message that you sent & can characterize? One possibility is that GMail was trying to send something bigger than 10MB and so bailed at your SIZE reply (in a bad way.)
> Interesting bits from main.cf:
>
> postconf -n
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> data_directory = /var/lib/postfix
> debug_peer_level = 4
> debug_peer_list = google.com
> debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
> home_mailbox = Maildir/
> html_directory = no
> inet_interfaces = all
> inet_protocols = all
> mail_owner = postfix
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> mydestination = $myhostname localhost.$mydomain localhost $mydomain alertcast.com broadcast-fax.com faxbank.com battlespot.com febx.com summitponds.com youthsailing.org faxreceive.com faxrecieve.com
> mynetworks = 10.1.0.0/16 71.39.104.224/29
> myorigin = $mydomain
> newaliases_path = /usr/bin/newaliases.postfix
> postscreen_dnsbl_action = enforce
> postscreen_dnsbl_sites = zem.spamhaus.org*2 bl.spamcop.net*1 b.barracudacentral.org*1
> postscreen_dnsbl_threshold = 2
> postscreen_greet_action = enforce
> proxy_interfaces = 71.39.104.229
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix/README_FILES
> sample_directory = /usr/share/doc/postfix/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
> smtpd_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
> smtpd_tls_cert_file = /etc/postfix/ssl/actualsoftware.pem
> smtpd_tls_exclude_ciphers = EXPORT
> smtpd_tls_key_file = /etc/postfix/ssl/actualsoftware.key
> smtpd_tls_loglevel = 2
> smtpd_tls_security_level = may
> soft_bounce = yes
> unknown_local_recipient_reject_code = 450
>
> postconf -M
> smtp       inet  n  -  n  -      1  postscreen
> smtpd      pass  -  -  n  -      -  smtpd
> dnsblog    unix  -  -  n  -      0  dnsblog
> tlsproxy   unix  -  -  n  -      0  tlsproxy
> submission inet  n  -  n  -      -  smtpd
> pickup     unix  n  -  n  60     1  pickup
> cleanup    unix  n  -  n  -      0  cleanup
> qmgr       unix  n  -  n  300    1  qmgr
> tlsmgr     unix  -  -  n  1000?  1  tlsmgr
> rewrite    unix  -  -  n  -      -  trivial-rewrite
> bounce     unix  -  -  n  -      0  bounce
> defer      unix  -  -  n  -      0  bounce
> trace      unix  -  -  n  -      0  bounce
> verify     unix  -  -  n  -      1  verify
> flush      unix  n  -  n  1000?  0  flush
> proxymap   unix  -  -  n  -      -  proxymap
> proxywrite unix  -  -  n  -      1  proxymap
> smtp       unix  -  -  n  -      -  smtp
> relay      unix  -  -  n  -      -  smtp
> showq      unix  n  -  n  -      -  showq
> error      unix  -  -  n  -      -  error
> retry      unix  -  -  n  -      -  error
> discard    unix  -  -  n  -      -  discard
> local      unix  -  n  n  -      -  local
> virtual    unix  -  n  n  -      -  virtual
> lmtp       unix  -  -  n  -      -  lmtp
> anvil      unix  -  -  n  -      1  anvil
> scache     unix  -  -  n  -      1  scache
>
> Google test messages were one word messages and there were no other messages in the way. Google test messages are delayed and so there is no feedback on the Google side. My test messages from a yahoo account work fine so it's "just" Google. Again, I remember Google being terribly pedantic about certificates when we installed courier and we just stumbled our way through that. Feel free to point out anything dumb. I have looked stupid before and lived to talk about it.
>
> I should probably say that I don't have dovecot running and all I'm testing at this point is simple in-bound message delivery off to Maildir. I do have some basic spam stuff included (working fine) to cut down the chaff. Also, I have deliberately made the minimum changes to the postfix defaults, trusting the author knows what he's doing more than I do, so I'm subject to "under configured mistakes" maybe more than other people. Thanks for the help.
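The reply above suggests checking what the server advertises in its EHLO reply (in particular SIZE) before and after STARTTLS, the same sequence a sending MTA such as Gmail's walks through. The script below is an added example, not code from the thread or from Postfix: it parses an EHLO capability list, decides whether a message of a given size would be accepted, and can probe a live server over the EHLO / STARTTLS / EHLO sequence. The sample EHLO reply, the hostnames and the SIZE value 10240000 (Postfix's default message_size_limit) are constructed for the example.

```python
import smtplib
import ssl

# Constructed sample: the reply body smtplib returns from ehlo(), first line
# being the server's name. Hostname and capability set are made up.
SAMPLE_EHLO = (b"mail0.example.com\n"
               b"PIPELINING\n"
               b"SIZE 10240000\n"
               b"STARTTLS\n"
               b"ENHANCEDSTATUSCODES\n"
               b"8BITMIME\n"
               b"DSN")


def parse_ehlo(reply: bytes) -> dict:
    """Turn an EHLO reply body into {KEYWORD: parameter-string}."""
    caps = {}
    lines = reply.decode("ascii", "replace").splitlines()
    for line in lines[1:]:  # skip the server-name line
        key, _, param = line.strip().partition(" ")
        caps[key.upper()] = param
    return caps


def size_verdict(caps: dict, message_bytes: int):
    """Return (accepted, limit). No SIZE keyword, or SIZE 0, means no limit."""
    limit = int(caps.get("SIZE") or 0)
    if limit == 0:
        return True, 0
    return message_bytes <= limit, limit


def probe(host: str, port: int = 25, helo_name: str = "probe.example.com"):
    """EHLO, STARTTLS, EHLO again, like a sending MTA; report both capability sets."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # diagnostic only: we want to see what the server offers
    with smtplib.SMTP(host, port, timeout=30) as s:
        _, body = s.ehlo(helo_name)
        plain = parse_ehlo(body)
        if "STARTTLS" not in plain:
            return {"plain": plain, "tls": None, "cipher": None}
        s.starttls(context=ctx)
        _, body = s.ehlo(helo_name)
        return {"plain": plain, "tls": parse_ehlo(body), "cipher": s.sock.cipher()}


if __name__ == "__main__":
    print(size_verdict(parse_ehlo(SAMPLE_EHLO), 12 * 1024 * 1024))  # (False, 10240000)
    print(probe("localhost"))  # run against your own MTA, as the thread does with openssl
```

Compare the `plain` and `tls` capability sets from `probe()`: a SIZE that differs between them, or a STARTTLS that disappears after the handshake, is the kind of detail a remote sender reacts to that `openssl s_client` output alone does not make obvious.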