Dear Viktor,

Sorry, but I'll try to be more explicit because I have to get the submission working and I can't:

main.cf:

# TLS parameters (server side)
smtpd_tls_cert_file=/etc/ssl/certs/relay.pem
smtpd_tls_key_file=/etc/ssl/private/key.pem
smtpd_tls_security_level = may
smtpd_tls_loglevel = 2

# TLS parameters (client side)
smtp_tls_security_level = may
smtp_tls_cert_file = /etc/postfix/SSL/publica.crt
smtp_tls_key_file = /etc/postfix/SSL/privada.pem
smtp_tls_loglevel = 2
smtp_tls_note_starttls_offer = yes
smtp_starttls_timeout = 300s
smtp_tls_CApath = /etc/ssl/certs

master.cf:

submission inet n - - - - smtpd
  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

And when I send a message with mailx from client 172.1.1.1:

$ mailx -v -r "f...@mycompany.com" -s "TLS test" -S smtp="10.1.1.1:587" -S smtp-use-starttls -S ssl-verify=ignore any_u...@gmail.com

I get this log in Postfix:

Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: connect from unknown[172.1.1.1]
Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: setting up TLS connection from unknown[172.1.1.1]
Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: unknown[10.12.13.220]: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: SSL_accept error from unknown[172.1.1.1]: lost connection
Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: lost connection after STARTTLS from unknown[172.1.1.1]
Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: disconnect from unknown[172.1.1.1]

Thanks a lot,
Jelo

On Mon, Mar 13, 2017 at 7:53 PM, Jeronimo L. Cabral <jelocab...@gmail.com> wrote:

> Dear Viktor, I've followed your instructions and set up the submission port
> in master.cf as you said:
>
> Mail client ---STARTTLS ---- Postfix listening on Port TCP/587 - Internet SMTP servers
>
> But when I execute from a client 172.1.1.1 to the Postfix server 10.1.1.1:
>
> $ mailx -v -r "f...@mycompany.com" -s "TLS test" -S smtp="10.1.1.1:587" -S smtp-use-starttls -S ssl-verify=ignore any_u...@gmail.com
>
> the command never ends in the shell and the Postfix log just says:
>
> Mar 13 19:41:56 MITLPSMT01 postfix/smtpd[20302]: initializing the server-side TLS engine
> Mar 13 19:41:56 MITLPSMT01 postfix/smtpd[20302]: connect from unknown[172.1.1.1]
> Mar 13 19:41:56 MITLPSMT01 postfix/smtpd[20302]: setting up TLS connection from unknown[172.1.1.1]
> Mar 13 19:41:56 MITLPSMT01 postfix/smtpd[20302]: unknown[172.1.1.1]: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
> Mar 13 19:41:56 MITLPSMT01 postfix/smtpd[20302]: SSL_accept:before/accept initialization
>
> The mail doesn't go out from Postfix.
>
> What can be the reason I can't send a mail using STARTTLS through the
> Postfix server?
>
> On Mon, Mar 13, 2017 at 5:18 PM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>
>> On Mon, Mar 13, 2017 at 04:49:23PM -0300, Jeronimo L. Cabral wrote:
>>
>> > At the moment, the mail relay is reached just from inside our company and
>> > several applications use it to send mail through Internet.
>>
>> If the submission port is only reachable from internal trusted
>> networks, then authentication is optional. You'll need to make
>> sure that Postfix will not be listening for port 587 on any public
>> IP addresses.
>>
>> > Using mailx is in this manner:
>>
>> My first encounter with "heirloom-mailx", with SMTP and TLS bolted
>> in mailx, my, is the world getting fancy...
>>
>> > $ mailx -v -r "f...@mycompany.com" -s "TLS test" -S smtp="10.10.12.5:587" -S smtp-use-starttls -S ssl-verify=ignore u...@gmail.com
>>
>> This is fine, provided that 10.10.12.5 is not reachable from outside via
>> NAT, and no other IP address reaches the same port 587 service.
>>
>> --
>> Viktor.
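
Log triage for the two excerpts in this message, added here as an example and not part of the original thread: it groups smtpd lines per process and reports whether each STARTTLS handshake stalled, failed, or completed. The sample log is constructed from the lines quoted above plus one hypothetical successful session; `triage` and its field names are this example's own.

```python
import re

# Constructed sample: the thread's two excerpts plus one hypothetical success.
SAMPLE_LOG = """\
Mar 13 19:41:56 MITLPSMT01 postfix/smtpd[20302]: connect from unknown[172.1.1.1]
Mar 13 19:41:56 MITLPSMT01 postfix/smtpd[20302]: setting up TLS connection from unknown[172.1.1.1]
Mar 13 19:41:56 MITLPSMT01 postfix/smtpd[20302]: SSL_accept:before/accept initialization
Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: connect from unknown[172.1.1.1]
Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: setting up TLS connection from unknown[172.1.1.1]
Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: SSL_accept error from unknown[172.1.1.1]: lost connection
Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: lost connection after STARTTLS from unknown[172.1.1.1]
Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: disconnect from unknown[172.1.1.1]
Mar 13 20:40:02 MITLPSMT01 postfix/submission/smtpd[26010]: connect from unknown[172.1.1.2]
Mar 13 20:40:02 MITLPSMT01 postfix/submission/smtpd[26010]: setting up TLS connection from unknown[172.1.1.2]
Mar 13 20:40:02 MITLPSMT01 postfix/submission/smtpd[26010]: Anonymous TLS connection established from unknown[172.1.1.2]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 13 20:40:03 MITLPSMT01 postfix/submission/smtpd[26010]: disconnect from unknown[172.1.1.2]
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ (postfix\S*/smtpd)\[(\d+)\]: (.*)$")
CLIENT = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def triage(log_text):
    """Return one dict per smtpd session with its STARTTLS outcome."""
    sessions, open_by_pid = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        service, pid, msg = m.groups()
        if msg.startswith("connect from "):
            ip = CLIENT.search(msg)
            s = {"service": service, "pid": int(pid), "tls": "not attempted",
                 "client": ip.group(1) if ip else None, "closed": False}
            sessions.append(s)
            open_by_pid[pid] = s  # an smtpd process serves one client at a time
            continue
        s = open_by_pid.get(pid)
        if s is None:
            continue
        if msg.startswith("setting up TLS connection from "):
            s["tls"] = "stalled"  # stays stalled unless a later line resolves it
        elif "TLS connection established from " in msg:
            s["tls"] = "established"
        elif msg.startswith("SSL_accept error from "):
            s["tls"] = "failed"
        elif msg.startswith("disconnect from "):
            s["closed"] = True
            del open_by_pid[pid]
    return sessions
```

A session reported as `stalled` with `closed` still false corresponds to the first excerpt, where the client command never returned; `failed` corresponds to the second, where the log shows `SSL_accept error`.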