On Fri, Nov 13, 2015 at 12:03:51PM -0600, Chris Boylan wrote:

> > > In the process of converting from courier to postfix.  Test configuration
> > > receives email fine except from google (gmail) which drops us without
> > > really complaining:
> > > 
> > > Nov 12 20:00:41 mail0 postfix/smtpd[24249]: initializing the server-side TLS engine
> > > Nov 12 20:00:41 mail0 postfix/smtpd[24249]: connect from mail-yk0-f172.google.com[209.85.160.172]
> > > Nov 12 20:00:41 mail0 postfix/smtpd[24249]: smtp_stream_setup: maxtime=300 enable_deadline=0
> > 
> > No hand-off from postscreen(8), this smtpd(8) is a direct "inet" listener.
> > 
> > > Nov 12 20:00:41 mail0 postfix/smtpd[24249]: auto_clnt_open: connected to private/anvil
> > > Nov 12 20:00:41 mail0 postfix/smtpd[24249]: event_enable_read: fd 18
> > > Nov 12 20:00:41 mail0 postfix/smtpd[24249]: send attr request = connect
> > > Nov 12 20:00:41 mail0 postfix/smtpd[24249]: send attr ident = submission:209.85.160.172
> > 
> > This is the submission service on port 587.  Not the inbound SMTP
> > service on port 25.  No idea why google is connecting to port 587
> > on your machine, perhaps you have some sort of private arrangement
> > with Gmail to route mail for some domains via your own SMTP server.
> > 
> > On port 587, they probably want a trusted certificate.
> 
> Definitely nothing private with Google.

Regardless, Google are connecting to port 587 on your machine, I
don't know why.  Users can configure additional non-gmail addresses
which Google will route out via the associated domain's MSA.
Perhaps one of your users has done that.  

Most likely Google's submission client disconnects after not seeing
SASL AUTH at your port 587 service (which is not adequately configured
to be a submission service per your reported master.cf settings).
You should probably not have it enabled until it is more reasonably
configured.

> > This is the submission service on port 587.  Not the inbound SMTP
> > service on port 25.
> 
> Where do you get this from out of the log?  I realized from what you wrote
> that I don't see the port number in the log.

Read the log entries immediately above my reply.  I carefully place
my replies in their proper context.

> We bought your basic organization ssl cert and it's the same cert that we're
> using with courier so no change there although the openssl output is slightly
> different which I don't get.  This is the chain from openssl:

The SASL AUTH explanation makes more sense.  Which leaves the
question of why Gmail is trying to relay out via your server.

-- 
        Viktor.
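
Added example, not part of the original message and not Postfix code: a small Python parser that pairs each verbose smtpd "connect from" line with the anvil "send attr ident = service:address" line from the same process, which is the attribute the reply above reads to tell the submission service from the port 25 service. The function names and the second sample connection (mx.example.net, 192.0.2.10) are assumptions made for illustration.

```python
import re

# Constructed sample: the first connection is modelled on the verbose smtpd
# lines quoted in the thread; the second one is invented for contrast.
SAMPLE_LOG = """\
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: connect from mail-yk0-f172.google.com[209.85.160.172]
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: send attr request = connect
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: send attr ident = submission:209.85.160.172
Nov 12 20:01:02 mail0 postfix/smtpd[24300]: connect from mx.example.net[192.0.2.10]
Nov 12 20:01:02 mail0 postfix/smtpd[24300]: send attr request = connect
Nov 12 20:01:02 mail0 postfix/smtpd[24300]: send attr ident = smtp:192.0.2.10
"""

# Also matches a custom syslog_name such as postfix/submission/smtpd.
LINE = re.compile(r"postfix/(?:[\w-]+/)?smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT = re.compile(r"connect from (?P<host>\S+)\[(?P<addr>[^\]]+)\]$")
# The ident is "<service>:<client address>"; split on the first colon only,
# so an IPv6 client address stays intact.
IDENT = re.compile(r"send attr ident = (?P<service>[^:]+):(?P<addr>.+)$")


def services_by_connection(log_text):
    """Return one dict per connection: pid, host, addr, service."""
    pending = {}  # pid -> latest "connect from" not yet paired with an ident
    records = []
    for line in log_text.splitlines():
        m = LINE.search(line.rstrip())
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        c = CONNECT.match(msg)
        if c:
            pending[pid] = c.groupdict()
            continue
        i = IDENT.match(msg)
        # Pair only when the same process logged the same client address.
        if i and pid in pending and pending[pid]["addr"] == i.group("addr"):
            client = pending.pop(pid)
            records.append({"pid": pid, "service": i.group("service"), **client})
    return records


def clients_on_service(records, service):
    """List (host, addr) of every client that reached the named service."""
    return [(r["host"], r["addr"]) for r in records if r["service"] == service]


if __name__ == "__main__":
    for rec in services_by_connection(SAMPLE_LOG):
        print(f'{rec["service"]:<12} {rec["host"]} [{rec["addr"]}] pid={rec["pid"]}')
```

The ident lines only appear with verbose smtpd logging, as in the quoted log.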
