Hello, all. Last weekend, $WORK moved over to 2 smtp gateways running postfix/clamav/spamassassin. This setup has been running with only one issue: two domains refuse to accept mail from us.

Investigating this, we realized that both domains use the same mail servers and that they both require TLS authentication. From the debug trace, it appears that we successfully use TLS but that the server on the other side keeps on requesting TLS authentication. If anyone knows how to fix this, any help would be much appreciated.

I've attached my "postconf -n" output and log of one exchange. Both have been slightly edited to protect the guilty and the innocent alike.

Regards,
Emmanuel

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 5
debug_peer_list = mx07-00096706.pphosted.com mx08-00096706.pphosted.com
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 20480000
meta_directory = /etc/postfix
milter_default_action = accept
milter_protocol = 6
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = mail01.mydomain.com
mynetworks = 193.XX.YY.0/24
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix/README_FILES
sample_directory = /usr/share/doc/postfix/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = /usr/lib64/postfix
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_CApath = /etc/pki/tls/certs
smtp_tls_policy_maps = hash:/etc/postfix/smtp_tls_policy
smtp_tls_security_level = may
smtpd_milters = unix:/run/clamav-milter/clamav-milter.socket,unix:/run/spamass-milter/spamass-milter.sock
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/sender_access
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
smtpd_tls_security_level = may
unknown_local_recipient_reject_code = 550
virtual_mailbox_domains = adomain.de anotherdomain.com mydomain.com yetanotherdomain.de
virtual_transport = smtp:internalsmtp.mydomain.com

Jul 11 17:18:42 ehlpg1fr postfix/smtp[519030]: D9B68665FC0: to=<usera.na...@mydomain.com>, relay=internalsmtp.mydomain.com[193.XX.YY.210]:25, delay=1.8, delays=1.6/0.08/0.02/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 47FE271083C)
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: smtp_stream_setup: maxtime=300 enable_deadline=0
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: vstream_buf_get_ready: fd 17 got 51
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: < mx08-00096706.pphosted.com[91.207.212.192]:25: 220 mx08-00096706.pphosted.com ESMTP mfa-m0240466
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: > mx08-00096706.pphosted.com[91.207.212.192]:25: EHLO mail01.mydomain.com
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: vstream_fflush_some: fd 17 flush 29
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: vstream_buf_get_ready: fd 17 got 167
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: < mx08-00096706.pphosted.com[91.207.212.192]:25: 250-mx08-00096706.pphosted.com Hello mail01.mydomain.com [193.XX.YY.130], pleased to meet you
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: < mx08-00096706.pphosted.com[91.207.212.192]:25: 250-ENHANCEDSTATUSCODES
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: < mx08-00096706.pphosted.com[91.207.212.192]:25: 250-PIPELINING
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: < mx08-00096706.pphosted.com[91.207.212.192]:25: 250-8BITMIME
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: < mx08-00096706.pphosted.com[91.207.212.192]:25: 250 STARTTLS
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: server features: 0x1017 size 0
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: Using ESMTP PIPELINING, TCP send buffer size is 46080, PIPELINING buffer size is 4096
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: smtp_stream_setup: maxtime=300 enable_deadline=0
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: > mx08-00096706.pphosted.com[91.207.212.192]:25: STARTTLS
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: vstream_fflush_some: fd 17 flush 10
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: vstream_buf_get_ready: fd 17 got 30
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: < mx08-00096706.pphosted.com[91.207.212.192]:25: 220 2.0.0 Ready to start TLS
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: event_request_timer: reset 0x7f363cfe23b0 0x5654d0945f10 5
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: send attr request = seed
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: send attr size = 32
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: vstream_fflush_some: fd 9 flush 22
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: vstream_buf_get_ready: fd 9 got 60
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: private/tlsmgr: wanted attribute: status
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: input attribute name: status
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: input attribute value: 0
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: private/tlsmgr: wanted attribute: seed
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: input attribute name: seed
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: input attribute value: Jw2rarPYZSjkYHbqMvxszmls2n/7yB9VJKb7lnha8LA=
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: private/tlsmgr: wanted attribute: (list terminator)
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: input attribute name: (end)
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: smtp_stream_setup: maxtime=300 enable_deadline=0
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: > mx08-00096706.pphosted.com[91.207.212.192]:25: EHLO mail01.mydomain.com
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: vstream_fflush_some: fd 17 flush 29
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: vstream_buf_get_ready: fd 17 got 123
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: < mx08-00096706.pphosted.com[91.207.212.192]:25: 250-mx08-00096706.pphosted.com Hello mail01.mydomain.com [193.XX.YY.130], pleased to meet you
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: < mx08-00096706.pphosted.com[91.207.212.192]:25: 250 ENHANCEDSTATUSCODES
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: server features: 0x1001 size 0
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: smtp_stream_setup: maxtime=300 enable_deadline=0
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: > mx08-00096706.pphosted.com[91.207.212.192]:25: MAIL FROM:<userb.na...@anotherdomain.com>
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: smtp_stream_setup: maxtime=300 enable_deadline=0
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: vstream_fflush_some: fd 17 flush 44
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: vstream_buf_get_ready: fd 17 got 39
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: < mx08-00096706.pphosted.com[91.207.212.192]:25: 503 5.7.0 TLS authentication required
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: connect to subsystem private/bounce
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: send attr nrequest = 0
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: send attr flags = 0
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: send attr queue_id = 06833662D1F
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: send attr original_recipient = remote.em...@pwc.com
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: send attr recipient = remote.em...@pwc.com
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: send attr offset = 715
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: send attr dsn_orig_rcpt = rfc822;remote.em...@pwc.com
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: send attr notify_flags = 0
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: send attr status = 5.7.0
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: send attr diag_type = smtp
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: send attr diag_text = 503 5.7.0 TLS authentication required
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: send attr mta_type = dns
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: send attr mta_mname = mx08-00096706.pphosted.com
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: send attr action = failed
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: send attr reason = host mx08-00096706.pphosted.com[91.207.212.192] said: 503 5.7.0 TLS authentication required (in reply to MAIL FROM command)
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: vstream_fflush_some: fd 18 flush 469
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: vstream_buf_get_ready: fd 18 got 10
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: private/bounce socket: wanted attribute: status
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: input attribute name: status
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: input attribute value: 0
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: private/bounce socket: wanted attribute: (list terminator)
Jul 11 17:18:43 ehlpg1fr postfix/smtp[519030]: input attribute name: (end)