LinuxQuestions.org
Old 10-31-2008, 04:03 PM   #1
robertjinx
Postfix TLS problem on CentOS 5.2


Hello, I'm running postfix 2.5.5, sasl and tls.

The configuration of postfix is fine, or it should be for sasl and tls:

smtp_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_CApath = /etc/ssl/smtpd
smptpd_tls_cert_file = /etc/ssl/smtpd/smtpd.crt
smtpd_tls_key_file = /etc/ssl/smtpd/smtpd.key
smtpd_tls_CAfile = /etc/ssl/smtpd/cacert.pem
smtpd_tls_received_header = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
tls_random_source = dev:/dev/urandom
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_recieved_header = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

The .crt, .key and .pem files exist and should be perfectly good.

[root@viperhost smtpd]# pwd
/etc/ssl/smtpd
[root@viperhost smtpd]# ls -la
total 28
drwxr-xr-x 2 root root 4096 Oct 31 20:58 .
drwxr-xr-x 5 root root 4096 Oct 31 20:56 ..
-r--r--r-- 1 root root 1367 Oct 31 20:58 cacert.pem
-r--r--r-- 1 root root 963 Oct 31 20:58 cakey.pem
-r--r--r-- 1 root root 997 Oct 31 20:58 smtpd.crt
-r--r--r-- 1 root root 725 Oct 31 20:58 smtpd.csr
-r--r--r-- 1 root root 891 Oct 31 20:58 smtpd.key
[root@viperhost smtpd]#

But TLS doesn't work, postfix ... sends an error:

postfix/smtpd[11554]: warning: No server certs available. TLS won't be enabled

Does anyone have an idea what the hell is going on!?
 
Old 10-31-2008, 08:29 PM   #2
Berhanie
Might it have something to do with misspelling smptpd_tls_cert_file? It should be smtpd_tls_cert_file.
 
Old 11-01-2008, 03:13 AM   #3
robertjinx
Hello, you were so right... But still postfix doesn't work with TLS:

250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Wonder why?!
 
Old 11-01-2008, 03:36 AM   #4
billymayday
Have you configured the client to use TLS when it connects?
 
Old 11-01-2008, 04:15 AM   #5
robertjinx
Sorry?! What do you mean? Postfix configuration?
 
Old 11-01-2008, 10:13 AM   #6
Berhanie
Code:
250-STARTTLS
This shows that postfix offers TLS. Try to connect manually
to make sure it works:
Code:
openssl s_client -connect ip.add.re.ss:25 -starttls smtp
You should then make sure the client programs (e.g. Thunderbird and Outlook)
are configured to make use of TLS. This is what billymayday meant.

Required reading for what you're doing is this and this.

I just noticed another misspelling in your config:
Code:
smtpd_tls_recieved_header = yes
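
A check for the kind of mistake found twice in this thread, added here as an example and not part of any post: Postfix did not complain about the misspelled names in the posted config, so this compares every name in main.cf against a list of known parameters and suggests the nearest one. `KNOWN_PARAMS` is a hand-embedded subset and the function names are hypothetical; on a real host the list would come from `postconf -d`.

```python
import difflib

# Real Postfix parameter names (a subset), embedded so the example runs offline.
# On a live host, build this set from the names that `postconf -d` prints.
KNOWN_PARAMS = {
    "smtp_use_tls", "smtpd_use_tls", "smtpd_tls_auth_only", "smtpd_tls_CApath",
    "smtpd_tls_CAfile", "smtpd_tls_cert_file", "smtpd_tls_key_file",
    "smtpd_tls_received_header", "smtpd_tls_loglevel", "tls_random_source",
    "smtpd_tls_session_cache_timeout", "smtp_tls_note_starttls_offer",
}

# TLS settings as posted at the top of the thread, spelling untouched.
POSTED_MAIN_CF = """\
smtp_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_CApath = /etc/ssl/smtpd
smptpd_tls_cert_file = /etc/ssl/smtpd/smtpd.crt
smtpd_tls_key_file = /etc/ssl/smtpd/smtpd.key
smtpd_tls_CAfile = /etc/ssl/smtpd/cacert.pem
smtpd_tls_received_header = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
tls_random_source = dev:/dev/urandom
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_recieved_header = yes
"""

def parameter_names(main_cf_text):
    """Yield (line_number, name), skipping blanks, comments and continuation lines."""
    for number, line in enumerate(main_cf_text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#") or line[0].isspace():
            continue
        name, separator, _value = line.partition("=")
        if separator:
            yield number, name.strip()

def unknown_parameters(main_cf_text, known=KNOWN_PARAMS):
    """Return [(line_number, name, closest_known_name_or_None)] for unknown names."""
    findings = []
    for number, name in parameter_names(main_cf_text):
        if name not in known:
            close = difflib.get_close_matches(name, known, n=1, cutoff=0.8)
            findings.append((number, name, close[0] if close else None))
    return findings

if __name__ == "__main__":
    for number, name, hint in unknown_parameters(POSTED_MAIN_CF):
        print(f"line {number}: unknown parameter {name!r}; did you mean {hint!r}?")
```

Against the posted settings it reports the two misspellings named in the thread and also `smtp_tls_auth_only`, which has no entry in the embedded list (the server-side name is `smtpd_tls_auth_only`).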
 
Old 11-01-2008, 11:50 AM   #7
robertjinx
Hey, it works somewhat I would say, also corrected the smtpd_tls_received_header = yes.

---
No client certificate CA names sent
---
SSL handshake has read 1350 bytes and written 341 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: B9530CCA789C5032D33DB1A23148937CA00E444D9BD7D510BD9DD79E12C34E61
Session-ID-ctx:
Master-Key: BE9BD33223549B410B6C515926FF244B096A23E5EC2C16222D6660CBB7D1C791A9DE1BE795EDC1D3A2FA3AAE94EB28AD
Key-Arg : None
Krb5 Principal: None
Start Time: 1225558069
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---


But I'm watching the mail logs and I see this:

postfix/smtpd[1606]: setting up TLS connection from localhost[127.0.0.1]
postfix/smtpd[1606]: Anonymous TLS connection established from localhost[127.0.0.1]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

Still I'm doing something wrong!?
 
Old 11-01-2008, 05:50 PM   #8
Berhanie
Quote:
Still I'm doing something wrong!?
Maybe you should say what you expect, and why you think something's wrong.
 
Old 11-01-2008, 05:57 PM   #9
robertjinx
I'm expecting the mail server to offer the certificate which I set up for postfix.

But if this works fine... then OK, I just don't know why it is sending Anonymous TLS connection...
 
Old 11-01-2008, 08:21 PM   #10
Berhanie
The anonymous one is the client. If you look at the entire output (see below), you will see that postfix offers the certificate you expected. You can save the output to a file like this:
Code:
openssl s_client -connect ip.add.re.ss:25 -starttls smtp </dev/null >output.txt
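
The same check done by fingerprint instead of by reading the saved output, added here as an example and not part of any post: it fetches the certificate the server presents after STARTTLS and compares it with the file named in `smtpd_tls_cert_file`. The function names are hypothetical, and the host and certificate path are arguments the caller supplies.

```python
import hashlib
import re
import smtplib
import ssl

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)


def file_fingerprint(pem_text):
    """SHA-256 of the first certificate in a PEM file (other text may surround it)."""
    match = PEM_CERT.search(pem_text)
    if match is None:
        raise ValueError("no certificate block found")
    der = ssl.PEM_cert_to_DER_cert(match.group(0))
    return hashlib.sha256(der).hexdigest()


def served_fingerprint(host, port=25, timeout=10):
    """SHA-256 of the certificate the SMTP server presents after STARTTLS."""
    # Chain validation is switched off on purpose: the thread's certificate is
    # self-signed, and identity is established by the fingerprint comparison.
    context = ssl.create_default_context()
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=context)
        der = smtp.sock.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def serves_configured_cert(host, cert_path, port=25):
    """True when the server presents exactly the certificate stored at cert_path."""
    with open(cert_path, encoding="ascii") as handle:
        return served_fingerprint(host, port) == file_fingerprint(handle.read())


if __name__ == "__main__":
    # Constructed bytes stand in for a DER certificate so this runs offline.
    sample = ssl.DER_cert_to_PEM_cert(b"constructed, not a real certificate")
    print(file_fingerprint("comment line\n" + sample))
```

On the mail host itself, `serves_configured_cert("127.0.0.1", "/etc/ssl/smtpd/smtpd.crt")` returns True only if Postfix is serving the certificate from the path in the posted config.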
 
Old 11-02-2008, 07:50 AM   #11
robertjinx
Member
 
Registered: Oct 2007
Location: Prague, CZ
Distribution: RedHat / CentOS / Ubuntu / SUSE / Debian
Posts: 574

Original Poster
Rep: Reputation: 58
Well it does work, just asking about the Anonymous... If it's OK and it should happen, then I'm happy

But I also have the problems with the dovecot and postfix

Please check out this one: http://www.linuxquestions.org/questi...users.-680447/

Thanks guys for the help!
 
  


All times are GMT -5. The time now is 09:50 AM.
