>> test tunneled TLS connections to port 465
>>      openssl s_client -connect tn2.myserver.com:465 Appears to work
>> -----
>> From remote server
>> test STARTTLS connections on port 25 or 587 with:
>>      openssl s_client -connect tn2.myserver.com:587 -starttls smtp
>> appears to work, shows a bunch of info and the certificate text.
>> Nothing
>> that looks like errors except a line that says:
>>      verify error:num=18:self signed certificate
>>      verify return:1
>> -----
>
>You can confirm or refute your "appears to work" conclusions in 2 ways:
>
>1. Look in your server logs for lines with content like this:
>
>      postfix/smtpd[123]: Anonymous TLS connection established from
>host.example.com[192.0.2.1]: TLSv1 with cipher DHE-RSA-AES256-SHA


>2. When using openssl s_client, you should be left connected in an SMTP
>session so you can issue an EHLO command and should get a reasonable
>reply. If not, there's something wrong.

Well crap.  Something I've done has caused the first test to port 465 to
stop working.  I'm nearly positive it was working.

[root@tn1] # openssl s_client -connect tn2.myserver.com:465
CONNECTED(00000003)
26351:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:475:


When I run this command, "Anonymous" is there:
openssl s_client -connect tn2.companypostoffice.com:587 -starttls smtp

Jul 23 19:23:59 tn2 postfix/smtpd[2007]: Anonymous TLS connection established from tn1.myserver.com[xx.xx.xx.xx]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

I can also EHLO and issue SMTP commands after the above.

>> ------------------
>>
>> MS Outlook is happy using port 587 (SASL only I think)
>

>> I can deliver a test
>> message.  POP also works and it will retrieve same.
>
>POP and IMAP are irrelevant here, since they are not part of Postfix, but it's
>good to know that you don't seem to have any issues with Dovecot
>complicating things and obscuring your Postfix issues...

Well, I spoke too soon there.  I'm using Outlook's utility to "test settings"
where it sends the message.  If I send a message locally I can then get it
via POP.
I can only send the message via port 587 (no TLS, I don't think; about to
fix that).  I can send and then POP a message using that port as is.

I had Dovecot jacked for a min trying to get mbox format to work, finally
got settings in each of them they were happy with.  POPing again now.  I can
fine-tune that another day (want them in /var/spool/mail/user, have them in
HOME/mail/inbox).


>Serious question: why do you care? Port 465 SSL-wrapped SMTP was never
>made a standard and correctly never will be. No software that I'm aware of
>can use that botch and cannot use STARTTLS except for a few clients so
>outdated as to be inherently unsafe (e.g. antique versions of
>Outlook.) Make sure Outlook is using STARTTLS on port 587 and be happy
>with that: it's a service defined by an RFC which is supported by any client
>software that isn't a danger to its users. Since port 465 service owes its
>zombie existence to an early draft for SSLv3 that was never made into any
>sort of standard, it is formally improper to offer ANY TLS version over it, while
>all versions of SSL should be treated as broken and obsolete. Do you see the
>problem?
>
>Assuming you have a concrete need (e.g. The Boss uses Outlook Express on
>Windows ME and won't upgrade,) if s_client is working to port 465 and
>Outlook is not, you have an Outlook problem. Talk to your vendor about that.
>Since you've not included your master.cf configuration for the smtps (port
>465) service, there's no hope of diagnosis here at present.

Re why do I care:  I do not, and will defer to your experience on this point
for sure.  I was just replicating (trying to) what I had.  If it's not
needed anymore I'm ALL FOR getting rid of it and making it simpler.  I only
have a few local accounts on the box.  Everything else is relayed.  Old OL
versions are not an issue.

So I need to get rid of the 465 setup and get 587 working right...Check.
But, I'm not sure how to do that right :(

So, here's my master.cf below.  I'd be extremely grateful for any
pruning/editing.

>1. Back off smtpd_tls_loglevel to 1. All of the above happened within a
>second and provides no useful clues.

How do I change the level?  I only know how to add the -v.

>2. Without knowing the config of the smtps service (i.e. the relevant lines
>from master.cf) it is impossible to do anything more than make wild guesses.
>I'm going to make the wild guess that you didn't uncomment all of the
>essential continuation lines after the first one for smtps:
>the indented ones starting with '-o'.

I've been using my original config that I've used for years, and editing it
as I go trying to get it to work.  I'm a little lost at this point.  I'll
post what I have in its current state.

>Side note on this:
>
>> Telnet to the server and STARTTLS seems happy:
>> 220 tn2.myserver.com ESMTP Postfix
>> ehlo sample.com
>> 250-tn2.myserver.com
>> 250-PIPELINING
>> 250-SIZE 10240000
>> 250-ETRN
>> 250-STARTTLS
>> 250-AUTH PLAIN LOGIN
>> 250-AUTH=PLAIN LOGIN
>> 250-ENHANCEDSTATUSCODES
>> 250-8BITMIME
>> 250 DSN
>
>You didn't say which port that was, so it isn't clear which service config
>applies, but on a modern system there is rarely any good reason to have an
>EHLO response in any circumstance that includes both AUTH and STARTTLS.
>Modern best practice is to use STARTTLS and authenticate inside the
>encrypted tunnel with plaintext mechanisms that do not require the server to
>store passwords in recoverable forms. The above response indicates that
>you are offering plaintext mechanisms over an unencrypted connection,
>which is an invitation to cracked accounts and a world of hurt. On most mail
>systems, port 25 should offer STARTTLS and no AUTH even after TLS is
>established, with port 587 being the only place you accept authenticated
>message submission and then only after STARTTLS.

I've done the above on 465 and 587; they appear the same in the telnet replies,
both accept SMTP commands or STARTTLS.  Agree, need to get that fixed.
It's the whole point of having this stuff.

>There's a chance that the above is in fact not dangerous because Dovecot
>will refuse to allow authentication due to its disable_plaintext_auth setting
>but I don't recall whether it can 'see' whether there's TLS or not when
>servicing Postfix smtpd, and my guess would be not...
>
>In any case, a safer config if for some reason you do want to allow
>authentication over port 25 would use these settings:
>
>    smtpd_sasl_security_options = noanonymous, noplaintext
>    smtpd_sasl_tls_security_options = noanonymous
>
>One reason you might want this is if you're providing relay services for a 3rd
>party and want to apply the restrictions applied to inbound mail to their
>transiting mail rather than the different and maybe less strict ones applied to
>initial submissions by your direct users.


Here's my master.cf.  Again, very grateful for any pointers on fixing it.

And the current state of main.cf; I'm going to leave it alone.

I'm posting the bulk of master.cf.  In case it's easier to see what I've
commented or not. I left off the tail end where I had nothing uncommented
from the stock file.


master.cf:
=================================
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
#smtp      inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
#submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

#####################################
#####################################
#port 465
# my inbound mail comes here
smtps    inet  n       -       n       -       -       smtpd -v
# next line below so I don't filter the mail I send in via 465
# -o content_filter=
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_wrappermode=yes
# -o syslog_name=postfix/smtps
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject


#port 587
submission   inet    n       -       n       -       -       smtpd -v
 -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
 -o smtpd_sasl_auth_enable=yes
# -o smtpd_enforce_tls=yes
# -o smtpd_etrn_restrictions=reject
#
#
smtp-amavis      unix  -       -       n       -       3       smtp
# -o smtpd_data_done_timeout=1200s
 -o disable_dns_lookups=yes
 -o smtp_send_xforward_command=yes

# Amavis config:
# These are the usual input "smtpd" and local "pickup" servers already
# present in master.cf. We add an option to select a non-default
# cleanup service.
#
smtp      inet  n       -       n       -       -       smtpd -v
    -o cleanup_service_name=pre-cleanup

pickup    fifo  n       -       n       60      1       pickup
    -o cleanup_service_name=pre-cleanup
#
#
# The following is the cleanup daemon that handles messages in front of
# the content filter. It does header_checks and body_checks (if any), but
# does no virtual alias or canonical address mapping, so that mail comes
# to a content filter with original recipient addresses still intact.
#
# Virtual alias or canonical address mapping happens in the second
# cleanup phase after the content filter. This gives the content_filter
# access to largely unmodified addresses for maximum flexibility.
#
# Note that some sites may specifically want to perform canonical and/or
# virtual address mapping in front of the content_filter. However, in that
# case you still have to enable address rewriting in the after-filter cleanup
# instance in order to correctly process forwarded mail or bounced mail.

# handle both the canonicalization and virtual_alias_maps later
# (this will provide content filter with largely unmodified addresses)
#
pre-cleanup  unix n     -       n       -       0       cleanup
    -o virtual_alias_maps=
    -o canonical_maps=
    -o sender_canonical_maps=
    -o recipient_canonical_maps=
    -o masquerade_domains=

# The following is the normal cleanup daemon. No header or body checks here,
# because these have already been taken care of by the pre-cleanup service
# before the content filter.  The normal cleanup instance does all
# the virtual alias and canonical address mapping that was disabled
# in the pre-cleanup instance before the content filter.
#
cleanup unix    n       -       n       -       0       cleanup
    -o mime_header_checks=
    -o nested_header_checks=
    -o body_checks=
#    -o header_checks=
# or use second-stage header checks, to be able to place mail bombs on HOLD
#    -o header_checks=pcre:/etc/postfix/header_checks2
# consider also:
#   -o [email protected]


127.0.0.1:10025 inet n  -       n       -       -  smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks_style=host
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks


#######################################
######################################

#628       inet  n       -       n       -       -       qmqpd
###pickup    unix  n       -       n       60      1       pickup
###cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
#


=================================


Main.cf (postconf -n)
=================================
[root@tn2 shorton]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
home_mailbox = mail/inbox
html_directory = no
inet_interfaces = $myhostname, localhost
inet_protocols = ipv4
local_recipient_maps = hash:/etc/postfix/local_recipient
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = tn2.myserver.com
myhostname = tn2.myserver.com
mynetworks = localhost, $mydomain, x.x.x.x./32
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
relay_domains = nnnn.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_recipient_limit = 2500
smtpd_recipient_restrictions = reject_invalid_hostname,
reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_unknown_sender_domain, reject_unknown_recipient_domain,
permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination,
check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
check_helo_access hash:/etc/postfix/helo_checks, check_sender_access
hash:/etc/postfix/sender_checks, check_client_access
hash:/etc/postfix/client_checks, check_client_access
pcre:/etc/postfix/client_checks.pcre, check_recipient_access
hash:/etc/postfix/access, reject_rbl_client zen.spamhaus.org
reject_rbl_client psbl.surriel.com, reject_rbl_client bl.spamcop.net,
check_policy_service unix:postgrey/socket, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_cert_file = /etc/postfix/certs/tn2.myserver.com.crt
smtpd_tls_key_file = /etc/postfix/certs/tn2.myserver.com.key
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
=================================
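An added example, not part of the thread: a small Python audit that reads master.cf entries the way master(5) does (whitespace-led lines continue the previous service, '#' lines are ignored) and flags the two problems discussed above: an smtps entry whose smtpd_tls_wrappermode line is commented out, and smtpd services where SASL AUTH is reachable without mandatory TLS. The sample input is constructed from the poster's 465, 587 and 25 entries with the mail wrapping undone, plus the two relevant values from the postconf -n output; the finding texts and function names are my own.

```python
# Constructed sample: the poster's 465, 587 and 25 smtpd entries with the
# e-mail line wrapping undone (not a complete master.cf).
SAMPLE_MASTER_CF = """\
smtps    inet  n       -       n       -       -       smtpd -v
# -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
submission   inet    n       -       n       -       -       smtpd -v
 -o smtpd_sasl_auth_enable=yes
smtp      inet  n       -       n       -       -       smtpd -v
    -o cleanup_service_name=pre-cleanup
"""
# Relevant main.cf values taken from the poster's "postconf -n" output.
SAMPLE_MAIN_CF = {"smtpd_sasl_auth_enable": "yes", "smtpd_sasl_security_options": "noanonymous"}

def parse_master_cf(text):
    """Map service name -> {"command", "args", "opts"}. Per master(5) a line starting
    with whitespace continues the previous entry; '#' lines are ignored entirely."""
    services, cur = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        fields = raw.split()
        if not raw[0].isspace():             # service line: 8 fixed columns, then args
            cur = {"command": fields[7], "args": [], "opts": {}}
            services[fields[0]] = cur
            fields = fields[8:]
        elif cur is None:
            raise ValueError("continuation line before any service: %r" % raw)
        while fields:                        # split '-o key=value' pairs from plain args
            if fields[0] == "-o" and len(fields) > 1:
                key, _, val = fields[1].partition("=")
                cur["opts"][key] = val
                del fields[:2]
            else:
                cur["args"].append(fields.pop(0))
    return services

def audit(services, main_cf):
    """[(service, problem)] per smtpd service; effective value = main.cf + -o overrides."""
    findings = []
    for name, svc in services.items():
        if svc["command"] != "smtpd":
            continue
        eff = {**main_cf, **svc["opts"]}
        wrapped = eff.get("smtpd_tls_wrappermode") == "yes"
        if name == "smtps" and not wrapped:
            findings.append((name, "no wrappermode: plaintext greeting on 465, implicit-TLS fails"))
        if (eff.get("smtpd_sasl_auth_enable") == "yes" and not wrapped
                and eff.get("smtpd_tls_security_level") != "encrypt"
                and "noplaintext" not in eff.get("smtpd_sasl_security_options", "")):
            findings.append((name, "AUTH offered before STARTTLS: plaintext mechanisms unencrypted"))
    return findings

FINDINGS = audit(parse_master_cf(SAMPLE_MASTER_CF), SAMPLE_MAIN_CF)
```

Note that port 25 is flagged only because main.cf sets smtpd_sasl_auth_enable = yes globally; the respondent's noplaintext setting in smtpd_sasl_security_options would silence that finding.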