Impossible to send mail using SSL for SMTP connection.

Sthu Pous
2009-05-22T08:06:35+00:00

Good day.

I have installed a new postfix server w/ virtual users, mysql
accounts and courier. All seems to work fine except that I can not send
mail using a secure connection. If I connect to port 25 it connects and
sends the mail, but if I try to do so by checking in my claws-mail client

"Use SSL for SMTP connection"

then it gives me an error on connection. Interestingly, I see no
error in /var/log/mail.log, so I suppose I may have to open another port
in my firewall; for now I opened 25 and 465.

Here is what I have:

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
message_size_limit = 30720000
mydestination = localhost, localhost.localdomain
mydomain = minehost.org
myhostname = minehost.org
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
proxy_read_maps = $local_recipient_maps $mydestination
    $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps
    $virtual_mailbox_domains $relay_recipient_maps $relay_domains
    $canonical_maps $sender_canonical_maps $recipient_canonical_maps
    $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
readme_directory = /usr/share/doc/postfix
receive_override_options = no_address_mappings
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = The eMail Service
smtpd_client_restrictions = check_client_access hash:/etc/postfix/whitelist,
    check_client_access hash:/etc/postfix/blacklist
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = minehost.org
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/ssl/ca.crt
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 600s
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual-transports.cf
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual-forwardings.cf,
    mysql:/etc/postfix/mysql-virtual-email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual-domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual-mailboxes.cf
virtual_uid_maps = static:5000

How can I fix that? Thank You for Your time.

Re: Impossible to send mail using SSL for SMTP connection. by mouss on 2009-05-22T12:27:54+00:00
Sthu Pous wrote:
> Good day.
> 
> I have installed a new postfix server w/ virtual users, mysql
> accounts and courier. All seems works fine except that I can not send
> mail using secure connection. If connect to port 25 - it connects and
> send the mail, but if I try to do so checking in my claws-mail client
> 
> "Use SSL for SMTP connection"
> 

Instead of this, use the 3rd option: "Use the STARTTLS command ..."

STARTTLS is the standard method for doing SSL/TLS in ESMTP.

The option you tried to select means using old SMTP inside a
pre-established SSL session ("wrapper mode SSL") and is not a standard.
It is needed by some non-standard-compliant mail software (mostly in the
MS world, although Outlook 2007 has been reported to support STARTTLS).


> then it gives me error on connection. Interesting that I see no any
> error in /var/log/mail.log, so I suppose may I have to open other port
> in my firewall, for now I opened 25 and 465.
> 

By default, smtps is disabled in master.cf. You can enable it if you
want to support non-compliant mailers (mostly Outlook prior to 2007).

> [snip]

Re: Impossible to send mail using SSL for SMTP connection. by Sthu Pous on 2009-05-23T08:17:03+00:00
Nice to see You here, Mouss! Thank You for Your time and answer, again:

> Instead of this, use the 3d option: "Use the STARTTLS command ..."
> 
> STARTTLS is the standard method for doing SSL/TLS in ESMTP.

Ok. So I've done that, and here is what I see:

. Client's part:

[14:59:19] SMTP< 220 The eMail Service
[14:59:19] ESMTP> EHLO localhost
[14:59:20] ESMTP< 250-myhost.org
[14:59:20] ESMTP< 250-PIPELINING
[14:59:20] ESMTP< 250-SIZE 30720000
[14:59:20] ESMTP< 250-VRFY
[14:59:20] ESMTP< 250-ETRN
[14:59:20] ESMTP< 250-AUTH PLAIN LOGIN
[14:59:20] ESMTP< 250-AUTH=PLAIN LOGIN
[14:59:20] ESMTP< 250-ENHANCEDSTATUSCODES
[14:59:20] ESMTP< 250-8BITMIME
[14:59:20] ESMTP< 250 DSN
[14:59:20] ESMTP> STARTTLS
[14:59:21] ESMTP< 502 5.5.1 Error: command not implemented
** error occurred on SMTP session
*** Error occurred while sending the message:
502 5.5.1 Error: command not implemented

I get the same when I check "Use not blocking SSL".

. Server's side (/var/log/mail.log):

myhost postfix/smtpd[30187]: connect from
unknown[2.3.4.5]
myhost postfix/smtpd[30187]: lost connection after STARTTLS from
unknown[2.3.4.5]
myhost postfix/smtpd[30187]: disconnect from unknown[2.3.4.5]

I get the same when I check "Use not blocking SSL".

> the option you tried to select means using old smtp inside a
> pre-established SSL session ("wrapper mode SSL") and is not a
> standard. it is needed by some non standard compliant mail software
> (mostly in the MS world, although outlook 2007 has been reported to
> support STARTTLS)
> 
> > then it gives me error on connection. Interesting that I see no any
> > error in /var/log/mail.log, so I suppose may I have to open other
> > port in my firewall, for now I opened 25 and 465.
> >   
> 
> by default, smtps is disabled in master.cf. you can enable it if you
> want to support non-compliant mailers (mostly outlook prior to 2007).

No, I do not want to support non-standard stuff! If it is not correct,
I'd better tune up my server for the correct one.

And therefore, there is no need to allow port 465, correct? So I can
safely close it?

Also, as I see it, it is impossible to protect postfix from password
guessing for a login by limiting connections per period with
iptables, as in both cases (getting email from another email server
and sending our email through our own server) we use the same port, 25,
both for server users authorizing and for getting new mail from other
servers, is that so? If so, then how do I protect the server from
password guessing for a login to postfix?

Thank You for Your answers, which are precious to me!

Re: Impossible to send mail using SSL for SMTP connection. by Wietse Venema on 2009-05-23T15:05:57+00:00
Sthu Pous:
> [14:59:19] ESMTP> EHLO localhost
> [14:59:20] ESMTP< 250-myhost.org
> [14:59:20] ESMTP< 250-PIPELINING
> [14:59:20] ESMTP< 250-SIZE 30720000
> [14:59:20] ESMTP< 250-VRFY
> [14:59:20] ESMTP< 250-ETRN
> [14:59:20] ESMTP< 250-AUTH PLAIN LOGIN
> [14:59:20] ESMTP< 250-AUTH=PLAIN LOGIN
> [14:59:20] ESMTP< 250-ENHANCEDSTATUSCODES
> [14:59:20] ESMTP< 250-8BITMIME
> [14:59:20] ESMTP< 250 DSN
> [14:59:20] ESMTP> STARTTLS
> [14:59:21] ESMTP< 502 5.5.1 Error: command not implemented

This server has a broken STARTTLS implementation, or it is behind
a broken firewall that mis-handles SMTP.

	Wietse

Re: Impossible to send mail using SSL for SMTP connection. by Wietse Venema on 2009-05-23T22:48:34+00:00
Wietse Venema:
> Sthu Pous:
> > [14:59:19] ESMTP> EHLO localhost
> > [14:59:20] ESMTP< 250-myhost.org
> > [14:59:20] ESMTP< 250-PIPELINING
> > [14:59:20] ESMTP< 250-SIZE 30720000
> > [14:59:20] ESMTP< 250-VRFY
> > [14:59:20] ESMTP< 250-ETRN
> > [14:59:20] ESMTP< 250-AUTH PLAIN LOGIN
> > [14:59:20] ESMTP< 250-AUTH=PLAIN LOGIN
> > [14:59:20] ESMTP< 250-ENHANCEDSTATUSCODES
> > [14:59:20] ESMTP< 250-8BITMIME
> > [14:59:20] ESMTP< 250 DSN
> > [14:59:20] ESMTP> STARTTLS
> > [14:59:21] ESMTP< 502 5.5.1 Error: command not implemented
> 
> This server has a broken STARTTLS implementation, or it is behind
> a broken firewall that mis-handles SMTP.

Another possibility is anti-virus software on the sending machine.

	Wietse

Re: Impossible to send mail using SSL for SMTP connection. by Sthu Pous on 2009-05-24T18:09:48+00:00
Thank You for Your time and answer, Wietse:

> Another possibility is anti-virus software on the sending machine.

I use Linux Debian squeeze/sid - AFAIK I have no antivirus software.

Re: Impossible to send mail using SSL for SMTP connection. by mouss on 2009-05-24T20:44:32+00:00
Sthu Pous wrote:
> Thank You for Your time and answer, Wietse:
> 
>> Another possibility is anti-virus software on the sending machine.
> 
> I use Linux Debian squeeze/sid - AFAIK I have no antivirus software.

Whatever you use, you have something that breaks ESMTP, and in
particular STARTTLS.

This may be
- software (anti-virus, filtering proxy, ...) running on the client
machine and intercepting smtp traffic
- software (anti-virus, filtering proxy, ...) running on the server
machine and intercepting smtp traffic
- hardware/software (firewall, router, ...) running between the client
and the server and intercepting smtp traffic

And please remove the
smtpd_banner = The eMail Service
because it is invalid. The banner must contain the hostname... etc.


On the postfix box, run the following command

openssl s_client -starttls smtp -connect 127.0.0.1:25
(type QUIT to end the connection).

Then on your client machine

openssl s_client -starttls smtp -connect 192.168.1.2:25
where 192.168.1.2 is the IP of your postfix box.
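As an added example (not code from the thread, from Postfix or from claws-mail), a small Python check in the spirit of the diagnosis above: it parses the EHLO reply quoted earlier in the thread, notices that no 250-STARTTLS line is present even though AUTH PLAIN LOGIN is offered, and refuses to send credentials on a session where TLS was neither advertised nor negotiated. Both sample replies are constructed from the thread's transcript; the function names are my own.

```python
import re

# Constructed sample: the EHLO reply the poster's server returned in the thread.
# Note the absence of a 250-STARTTLS line, although AUTH PLAIN LOGIN is offered.
EHLO_NO_STARTTLS = """250-myhost.org
250-PIPELINING
250-SIZE 30720000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

# Constructed sample: the same reply from a server that does advertise STARTTLS.
EHLO_WITH_STARTTLS = EHLO_NO_STARTTLS.replace("250-VRFY", "250-STARTTLS\n250-VRFY")


def parse_ehlo(reply):
    """Return (hostname, {KEYWORD: parameters}) from a 250 EHLO reply, or None.

    Continuation lines are '250-KEYWORD params'; the final line uses '250 '.
    The legacy '250-AUTH=PLAIN LOGIN' line ends up under the key 'AUTH=PLAIN'.
    """
    lines = reply.splitlines()
    if not lines or not lines[0].startswith("250"):
        return None                                 # EHLO refused or garbage reply
    hostname = (lines[0][4:].split() or [""])[0]    # first line carries the server name
    exts = {}
    for line in lines[1:]:
        m = re.match(r"250[- ]([A-Za-z0-9=]+)\s*(.*)$", line)
        if m:
            exts[m.group(1).upper()] = m.group(2)
    return hostname, exts


def next_step(reply, tls_active=False):
    """Decide what a careful client does after EHLO: 'STARTTLS', 'AUTH' or 'REFUSE: ...'."""
    parsed = parse_ehlo(reply)
    if parsed is None:
        return "REFUSE: EHLO not accepted"
    _, exts = parsed
    if not tls_active:
        if "STARTTLS" in exts:
            return "STARTTLS"
        # AUTH offered on a cleartext session: falling back here would expose the password.
        return "REFUSE: STARTTLS not advertised; not sending credentials in the clear"
    return "AUTH" if "AUTH" in exts else "REFUSE: no AUTH mechanism offered after TLS"
```

Running next_step on the first sample explains the thread's symptom from the client's side: the server never advertised STARTTLS, so a client that still sends it gets the 502 seen above, and one that falls back to AUTH would send the password unencrypted.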
