Impossible to send mail using SSL for SMTP connection.

by Sthu Pous on 2009-05-22T08:06:35+00:00
Good day.
I have installed a new postfix server with virtual users, mysql
accounts and courier. All seems to work fine except that I can not send
mail using a secure connection. If I connect to port 25, it connects and
sends the mail, but if I try to do so by checking in my claws-mail client
"Use SSL for SMTP connection"
then it gives me an error on connection. Interestingly, I see no
error in /var/log/mail.log, so I suppose I may have to open another port
in my firewall; for now I have opened 25 and 465.
Here is what I have:
# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
message_size_limit = 30720000
mydestination = localhost, localhost.localdomain
mydomain = minehost.org
myhostname = minehost.org
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
readme_directory = /usr/share/doc/postfix
receive_override_options = no_address_mappings
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = The eMail Service
smtpd_client_restrictions = check_client_access hash:/etc/postfix/whitelist, check_client_access hash:/etc/postfix/blacklist
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = minehost.org
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/ssl/ca.crt
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 600s
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_uid_maps = static:5000
How can I fix that? Thank You for Your time.

Re: Impossible to send mail using SSL for SMTP connection.

by mouss on 2009-05-22T12:27:54+00:00.
Sthu Pous wrote:
> Good day.
>
> I have installed a new postfix server with virtual users, mysql
> accounts and courier. All seems to work fine except that I can not send
> mail using a secure connection. If I connect to port 25, it connects and
> sends the mail, but if I try to do so by checking in my claws-mail client
>
> "Use SSL for SMTP connection"
>
Instead of this, use the 3rd option: "Use the STARTTLS command ..."
STARTTLS is the standard method for doing SSL/TLS in ESMTP.
The option you tried to select means using old SMTP inside a
pre-established SSL session ("wrapper mode SSL") and is not a standard.
It is needed by some non-standard-compliant mail software (mostly in the
MS world, although Outlook 2007 has been reported to support STARTTLS).
> then it gives me an error on connection. Interestingly, I see no
> error in /var/log/mail.log, so I suppose I may have to open another port
> in my firewall; for now I have opened 25 and 465.
>
By default, smtps is disabled in master.cf. You can enable it if you
want to support non-compliant mailers (mostly Outlook prior to 2007).
> [snip]

Re: Impossible to send mail using SSL for SMTP connection.

by Sthu Pous on 2009-05-23T08:17:03+00:00.
Nice to see You here, Mouss! Thank You for Your time and answer, again:
> Instead of this, use the 3d option: "Use the STARTTLS command ..."
>
> STARTTLS is the standard method for doing SSL/TLS in ESMTP.
Ok. So I've done that, and here is what I see:
- Client's part:
[14:59:19] SMTP< 220 The eMail Service
[14:59:19] ESMTP> EHLO localhost
[14:59:20] ESMTP< 250-myhost.org
[14:59:20] ESMTP< 250-PIPELINING
[14:59:20] ESMTP< 250-SIZE 30720000
[14:59:20] ESMTP< 250-VRFY
[14:59:20] ESMTP< 250-ETRN
[14:59:20] ESMTP< 250-AUTH PLAIN LOGIN
[14:59:20] ESMTP< 250-AUTH=PLAIN LOGIN
[14:59:20] ESMTP< 250-ENHANCEDSTATUSCODES
[14:59:20] ESMTP< 250-8BITMIME
[14:59:20] ESMTP< 250 DSN
[14:59:20] ESMTP> STARTTLS
[14:59:21] ESMTP< 502 5.5.1 Error: command not implemented
** error occurred on SMTP session
*** Error occurred while sending the message:
502 5.5.1 Error: command not implemented
I get the same when I check "Use non-blocking SSL".
- Server's side (/var/log/mail.log):
myhost postfix/smtpd[30187]: connect from unknown[2.3.4.5]
myhost postfix/smtpd[30187]: lost connection after STARTTLS from unknown[2.3.4.5]
myhost postfix/smtpd[30187]: disconnect from unknown[2.3.4.5]
I get the same when I check "Use non-blocking SSL".
> The option you tried to select means using old SMTP inside a
> pre-established SSL session ("wrapper mode SSL") and is not a
> standard. It is needed by some non-standard-compliant mail software
> (mostly in the MS world, although Outlook 2007 has been reported to
> support STARTTLS).
>
> > then it gives me an error on connection. Interestingly, I see no
> > error in /var/log/mail.log, so I suppose I may have to open another
> > port in my firewall; for now I have opened 25 and 465.
> >
>
> By default, smtps is disabled in master.cf. You can enable it if you
> want to support non-compliant mailers (mostly Outlook prior to 2007).
No, I do not want to support non-standard stuff! If it is not correct,
I'd better tune my server for the correct one.
And therefore there is no need to allow port 465, correct? So I can
safely close it?
Also, as I see it, it is impossible to protect postfix from password
guessing against a login by limiting connections per period with
iptables, since in both cases (receiving email from another mail server,
and sending our email through our own server) we use the same port, 25,
both for our users authenticating and for getting new mail from other
servers, is it? If so, then how can I protect the server from password
guessing against a postfix login?
Thank You for Your answers, which are precious to me!

Re: Impossible to send mail using SSL for SMTP connection.

by Wietse Venema on 2009-05-23T15:05:57+00:00.
Sthu Pous:
> [14:59:19] ESMTP> EHLO localhost
> [14:59:20] ESMTP< 250-myhost.org
> [14:59:20] ESMTP< 250-PIPELINING
> [14:59:20] ESMTP< 250-SIZE 30720000
> [14:59:20] ESMTP< 250-VRFY
> [14:59:20] ESMTP< 250-ETRN
> [14:59:20] ESMTP< 250-AUTH PLAIN LOGIN
> [14:59:20] ESMTP< 250-AUTH=PLAIN LOGIN
> [14:59:20] ESMTP< 250-ENHANCEDSTATUSCODES
> [14:59:20] ESMTP< 250-8BITMIME
> [14:59:20] ESMTP< 250 DSN
> [14:59:20] ESMTP> STARTTLS
> [14:59:21] ESMTP< 502 5.5.1 Error: command not implemented
This server has a broken STARTTLS implementation, or it is behind
a broken firewall that mis-handles SMTP.
Wietse

Re: Impossible to send mail using SSL for SMTP connection.

by Wietse Venema on 2009-05-23T22:48:34+00:00.
Wietse Venema:
> Sthu Pous:
> > [14:59:19] ESMTP> EHLO localhost
> > [14:59:20] ESMTP< 250-myhost.org
> > [14:59:20] ESMTP< 250-PIPELINING
> > [14:59:20] ESMTP< 250-SIZE 30720000
> > [14:59:20] ESMTP< 250-VRFY
> > [14:59:20] ESMTP< 250-ETRN
> > [14:59:20] ESMTP< 250-AUTH PLAIN LOGIN
> > [14:59:20] ESMTP< 250-AUTH=PLAIN LOGIN
> > [14:59:20] ESMTP< 250-ENHANCEDSTATUSCODES
> > [14:59:20] ESMTP< 250-8BITMIME
> > [14:59:20] ESMTP< 250 DSN
> > [14:59:20] ESMTP> STARTTLS
> > [14:59:21] ESMTP< 502 5.5.1 Error: command not implemented
>
> This server has a broken STARTTLS implementation, or it is behind
> a broken firewall that mis-handles SMTP.
Another possibility is anti-virus software on the sending machine.
Wietse

Re: Impossible to send mail using SSL for SMTP connection.

by Sthu Pous on 2009-05-24T18:09:48+00:00.
Thank You for Your time and answer, Wietse:
> Another possibility is anti-virus software on the sending machine.
I use Debian Linux squeeze/sid; AFAIK I have no antivirus software.

Re: Impossible to send mail using SSL for SMTP connection.

by mouss on 2009-05-24T20:44:32+00:00.
Sthu Pous wrote:
> Thank You for Your time and answer, Wietse:
>
>> Another possibility is anti-virus software on the sending machine.
>
> I use Debian Linux squeeze/sid; AFAIK I have no antivirus software.
Whatever you use, you have something that breaks ESMTP, and in
particular STARTTLS.
This may be
- software (anti-virus, filtering proxy, ...) running on the client
machine and intercepting smtp traffic
- software (anti-virus, filtering proxy, ...) running on the server
machine and intercepting smtp traffic
- hardware/software (firewall, router, ...) running between the client
and the server and intercepting smtp traffic
And please remove the
smtpd_banner = The eMail Service
because it is invalid. The banner must contain the hostname... etc.
On the postfix box, run the following command
openssl s_client -starttls smtp -connect 127.0.0.1:25
(type QUIT to end the connection).
Then, on your client machine, run
openssl s_client -starttls smtp -connect 192.168.1.2:25
where 192.168.1.2 is the IP of your postfix box.
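An added check, not from this thread, that does in Python what the two openssl s_client commands above do by hand and shows the point of mouss's first reply: STARTTLS is negotiated inside the plain ESMTP session on port 25, so a server that does not list STARTTLS in its EHLO reply will refuse the command, exactly as in the claws-mail trace (note that the postconf -n output above sets certificate paths but neither smtpd_use_tls nor smtpd_tls_security_level, and postfix only announces STARTTLS when one of those is set). The sample EHLO reply is constructed from that trace; the host to probe is an assumption.

```python
import smtplib
import ssl

# Constructed sample: the EHLO reply from the claws-mail trace in this thread, in the
# form smtplib.SMTP.ehlo() returns it (server name first, then one extension per line).
SAMPLE_EHLO_REPLY = (
    b"myhost.org\nPIPELINING\nSIZE 30720000\nVRFY\nETRN\nAUTH PLAIN LOGIN\n"
    b"AUTH=PLAIN LOGIN\nENHANCEDSTATUSCODES\n8BITMIME\nDSN"
)


def parse_ehlo_features(reply: bytes) -> dict:
    """Map each advertised ESMTP extension to its parameters, e.g. {'SIZE': '30720000'}.
    'AUTH=...' is the legacy spelling of AUTH that broken_sasl_auth_clients makes postfix emit."""
    features = {}
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        keyword, _, params = line.strip().replace("=", " ", 1).partition(" ")
        if keyword:
            features[keyword.upper()] = params
    return features


def diagnose(features: dict) -> str:
    """What a STARTTLS command will do, judged from the EHLO reply alone."""
    if "STARTTLS" in features:
        return "ok: STARTTLS advertised, the session can be upgraded to TLS"
    if "AUTH" in features:
        return ("STARTTLS not advertised but AUTH is: STARTTLS will be refused "
                "(502) and any login would cross the wire in the clear")
    return "STARTTLS not advertised: STARTTLS will be refused"


def probe(host: str, port: int = 25, timeout: float = 10.0) -> tuple:
    """Live check against a real server (host is an assumption, e.g. 127.0.0.1 on
    the postfix box): returns (diagnosis, negotiated TLS version or None)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, reply = smtp.ehlo()
        if code != 250:
            return (f"EHLO rejected with {code}", None)
        verdict = diagnose(parse_ehlo_features(reply))
        if not smtp.has_extn("starttls"):
            return (verdict, None)  # never send a STARTTLS the server did not offer
        try:  # default context verifies the chain; a self-signed cert fails here
            smtp.starttls(context=ssl.create_default_context())
        except ssl.SSLError as exc:
            return (f"{verdict}; TLS handshake failed: {exc}", None)
        smtp.ehlo()  # re-issue EHLO after the upgrade, as RFC 3207 requires
        return (verdict, smtp.sock.version())
```

Call probe("127.0.0.1") on the postfix box and probe() with the server's IP from the client, mirroring the two openssl invocations; a verdict that differs between the two points at the intercepting software listed above.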