Linux - Server This forum is for the discussion of Linux Software used in a server related context.
06-09-2008, 07:07 AM
#1
LQ Newbie
Registered: Jun 2008
Posts: 7
Problem with TLS in Postfix
Sorry for my English, I'm not a native speaker. I can't connect using TLS: when I issue "telnet localhost 25" and write ehlo localhost (or the domain name) there is no response. When I comment out the TLS section in main.cf with #, there's no problem.
main.cf
Code:
smtp_host_lookup = dns
smtpd_banner = $myhostname ESMTP $mail_name(Debian/GNU)
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
deamon_directory = /usr/lib/postfix
mail_owner = postfix
myhostname = mail.zzz.com
mydomain = zzz.com
message_size_limit=51200000
inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
#mydestination =
mydestination = $myhostname, localhost.$mydomain, $mydomain
virtual_maps = hash:/etc/postfix/virtual
canonical_maps = hash:/etc/postfix/canonical
masquerade_domains = zzz.com xx.com $mydomain $myhostname
alias_maps = hash:/etc/aliases
relay_domains = $mydestination /etc/postfix/access
# review the addresses below carefully
mynetworks = 192.168.7.0/28, 127.0.0.0/8, 172.0.0.0/8, 192.0.0.0/8
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
#smtpd_sasl_application_name = smtpd
smtpd_auth_tls_only = no
#smtp_use_tls = no
smtpd_use_tsl = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/ssl/smtpd.pem
smtpd_tls_cert_file = $smtpd_tls_cert_file
#smtpd_tls_CAfile = /etc/ssl/smtpd.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_sender_access hash:/etc/postfix/emails, reject_unauth_destination
append_dot_mydomain = no
master.cf
Code:
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - - - - smtpd
#submission inet n - - - - smtpd
# -o smtpd_enforce_tls=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps inet n - y - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - - 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - - - - smtp
#-o content_filter=spamassassin
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - - - - smtp
-o fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
#spamassassin unix - n n - - pipe
# user=spamd argv=/user/bin/spamc -f -e
# /usr/sbin/sendmail -oi -f ${sender} ${recipient}
06-09-2008, 07:20 AM
#2
LQ Guru
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678
smtps listens on port 465, not 25 (that's smtp without tls/ssl)
06-09-2008, 07:25 AM
#3
LQ Newbie
Registered: Jun 2008
Posts: 7
Original Poster
Yes, I know that. The same problem occurs with port 465.
06-09-2008, 08:12 AM
#4
LQ Newbie
Registered: Jun 2008
Posts: 7
Original Poster
Now, when I telnet localhost 465 I'm disconnected and I receive this message: "Connection closed by foreign host".
Mail.log
Code:
Jun 9 15:00:19 mail postfix/smtpd[27167]: setting up TLS connection from localhost[127.0.0.1]
Jun 9 15:00:19 mail postfix/smtpd[27167]: SSL_accept error from localhost[127.0.0.1]: -1
Jun 9 15:00:19 mail postfix/smtpd[27167]: warning: TLS library problem: 27167:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:562:
Jun 9 15:00:19 mail postfix/smtpd[27167]: lost connection after CONNECT from localhost[127.0.0.1]
06-09-2008, 08:44 AM
#5
Senior Member
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109
You can't telnet to an SSL/TLS port. Well, you can, but you'll just get disconnected since the telnet utility doesn't speak TLS.
Try openssl instead:
http://www.madboa.com/geek/openssl/#cs-smtp
Dave
Last edited by ilikejam; 06-09-2008 at 08:46 AM .
06-09-2008, 09:10 AM
#6
LQ Newbie
Registered: Jun 2008
Posts: 7
Original Poster
Thank you. After issuing "openssl s_client -connect remote.host:465" I receive this message:
gethostbyname failure
connect:errno=110
06-09-2008, 09:24 AM
#7
Senior Member
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109
Try "openssl s_client -connect localhost:465"
Dave
06-09-2008, 10:16 AM
#8
LQ Newbie
Registered: Jun 2008
Posts: 7
Original Poster
This one works. But I don't have any TLS option.
220 mail.xxx.com ESMTP Postfix(Debian/GNU)
ehlo xxx.com
250-mail.xxx.com
250-PIPELINING
250-SIZE 51200000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
There's something wrong with my configuration.
Last edited by norbert_999; 06-09-2008 at 10:39 AM .
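A small checker for what the reply above shows, added here as an example and not code from the thread or from Postfix: it parses an EHLO reply, reports whether STARTTLS is advertised and whether AUTH is offered on a session that is not yet encrypted, and builds the openssl s_client command that matches the port (465 is implicit TLS, so a plain -connect; 25 and 587 need -starttls smtp so that s_client issues EHLO and STARTTLS before the handshake). The sample transcript is constructed from the reply above with the domain replaced by example.com; the function and field names are my own.

```python
"""Inspect an SMTP EHLO reply for STARTTLS and for AUTH offered in cleartext.

Added example for this thread; not code from the forum post or from Postfix.
"""
from typing import Dict, List, NamedTuple


class EhloReport(NamedTuple):
    extensions: Dict[str, str]   # keyword -> parameter string
    starttls: bool               # server advertised STARTTLS
    cleartext_auth: List[str]    # SASL mechanisms offered on a non-TLS session


def parse_ehlo(transcript: str, over_tls: bool = False) -> EhloReport:
    """Parse the 250 lines of an EHLO reply (RFC 5321, section 4.1.1.1).

    over_tls says whether the transcript was captured inside a TLS session
    (openssl s_client on port 465, or after STARTTLS); only on a plaintext
    session does an advertised AUTH mean credentials would cross the wire
    unencrypted.  Lines that are not 250 replies (the 220 banner, the echoed
    EHLO command) are ignored.
    """
    extensions: Dict[str, str] = {}
    greeting_seen = False
    for raw in transcript.splitlines():
        line = raw.strip()
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            continue
        if not greeting_seen:
            greeting_seen = True          # "250-mail.example.com" names the server
            continue
        keyword, _, params = line[4:].partition(" ")
        # Postfix with broken_sasl_auth_clients=yes also emits "AUTH=PLAIN LOGIN"
        # for old Outlook clients; fold that into the AUTH entry.
        if "=" in keyword:
            keyword, first_param = keyword.split("=", 1)
            params = f"{first_param} {params}".strip()
        keyword = keyword.upper()
        extensions[keyword] = f"{extensions.get(keyword, '')} {params}".strip()
    mechanisms = sorted(set(extensions.get("AUTH", "").split()))
    return EhloReport(
        extensions=extensions,
        starttls="STARTTLS" in extensions,
        cleartext_auth=[] if over_tls else mechanisms,
    )


def assess(report: EhloReport, port: int) -> List[str]:
    """Turn the parsed reply into findings a mail admin can act on."""
    findings: List[str] = []
    if port != 465 and not report.starttls:
        findings.append("STARTTLS not advertised: check smtpd_use_tls (older Postfix) "
                        "or smtpd_tls_security_level (Postfix 2.3 and later) in main.cf")
    if report.cleartext_auth:
        findings.append("AUTH %s offered before TLS: set smtpd_tls_auth_only = yes"
                        % " ".join(report.cleartext_auth))
    return findings


def openssl_probe_command(host: str, port: int) -> List[str]:
    """argv for openssl s_client matching how the port does TLS:
    465 is implicit TLS (wrapper mode), 25 and 587 upgrade with STARTTLS."""
    if port == 465:
        return ["openssl", "s_client", "-connect", f"{host}:{port}"]
    return ["openssl", "s_client", "-starttls", "smtp", "-connect", f"{host}:{port}"]


# Constructed sample: the reply from post #8 with the domain replaced.
SAMPLE_EHLO = """\
220 mail.example.com ESMTP Postfix (Debian/GNU)
ehlo example.com
250-mail.example.com
250-PIPELINING
250-SIZE 51200000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

if __name__ == "__main__":
    # Captured via openssl s_client on 465, so TLS was already active.
    on_465 = parse_ehlo(SAMPLE_EHLO, over_tls=True)
    print("port 465:", assess(on_465, 465))
    # The same capability list seen on a plaintext port-25 session is worse.
    on_25 = parse_ehlo(SAMPLE_EHLO, over_tls=False)
    print("port 25:", assess(on_25, 25))
    print(" ".join(openssl_probe_command("localhost", 25)))
```

With over_tls=True (the capture came through s_client on 465) cleartext_auth is empty; the same capability list on a plain port-25 session flags AUTH PLAIN LOGIN, which is exactly what smtpd_tls_auth_only = yes prevents.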
06-10-2008, 04:45 AM
#9
Senior Member
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109
From the link I gave above, it looks like port 465 is usually an SSL port - TLS runs on ports 25 and 587. Perhaps try one of them?
Dave
06-10-2008, 06:12 AM
#10
LQ Newbie
Registered: Jun 2008
Posts: 7
Original Poster
But I don't see STARTTLS when I issue ehlo localhost command. I don't know what's wrong.
06-10-2008, 06:38 AM
#11
Senior Member
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109
Could be a typo in your main.cf :
smtpd_use_tsl = yes
should read:
smtpd_use_tls = yes
Dave
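The typo Dave spotted is easy to miss by eye, and the posted main.cf contains two more of the same kind (deamon_directory, and smtpd_auth_tls_only where the real name is smtpd_tls_auth_only) plus a certificate parameter whose value is its own name. As an added example, not code from the thread or from Postfix, this lints a main.cf for parameter names outside a known list and suggests the nearest real name, and flags values that refer to themselves. KNOWN_PARAMETERS is a short hand-picked list for the example; in practice feed it the names printed by `postconf -d`, and newer Postfix releases also print an "unused parameter" warning for such names. The sample configuration is constructed from the thread's main.cf with the domain replaced.

```python
"""Lint a Postfix main.cf for misspelled parameter names and self-referencing
values.  Added example for this thread; not code from the post or from Postfix.
"""
import difflib
import re
from typing import Iterator, List, NamedTuple, Tuple

# Hand-picked subset for the example; real use: names from `postconf -d`.
KNOWN_PARAMETERS = frozenset({
    "myhostname", "mydomain", "mydestination", "mynetworks", "inet_interfaces",
    "daemon_directory", "queue_directory", "command_directory", "mail_owner",
    "smtpd_banner", "message_size_limit", "alias_maps", "relay_domains",
    "virtual_maps", "canonical_maps", "masquerade_domains", "smtp_host_lookup",
    "broken_sasl_auth_clients", "smtpd_sasl_auth_enable", "smtpd_sasl_local_domain",
    "smtpd_sasl_security_options", "smtpd_sasl_type", "smtpd_sasl_path",
    "smtpd_tls_auth_only", "smtpd_use_tls", "smtp_use_tls",
    "smtp_tls_note_starttls_offer", "smtpd_tls_key_file", "smtpd_tls_cert_file",
    "smtpd_tls_CAfile", "smtpd_tls_loglevel", "smtpd_tls_received_header",
    "smtpd_tls_session_cache_timeout", "smtpd_tls_security_level",
    "tls_random_source", "smtpd_recipient_restrictions", "append_dot_mydomain",
})


class Finding(NamedTuple):
    key: str
    problem: str
    suggestion: str   # empty when no close known name exists


_PARAM_LINE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")


def parse_main_cf(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (name, value) for parameter lines.  Comments, blank lines and
    continuation lines (which begin with whitespace, see postconf(5)) are skipped;
    continuation text is not needed for a name check."""
    for raw in text.splitlines():
        if not raw.strip() or raw[0].isspace() or raw.startswith("#"):
            continue
        match = _PARAM_LINE.match(raw)
        if match:
            yield match.group(1), match.group(2).strip()


def lint_main_cf(text: str, known=KNOWN_PARAMETERS) -> List[Finding]:
    """Report unknown names (with the closest known name) and self-references."""
    findings: List[Finding] = []
    for key, value in parse_main_cf(text):
        if key not in known:
            close = difflib.get_close_matches(key, known, n=1, cutoff=0.75)
            findings.append(Finding(key, "unknown parameter, Postfix will not use it",
                                    close[0] if close else ""))
        # "$name" or "${name}" inside the value of the same name expands to itself
        if re.search(r"\$\{?%s\b" % re.escape(key), value):
            findings.append(Finding(key, "value refers to its own parameter", ""))
    return findings


# Constructed sample based on the main.cf in post #1, domain replaced.
SAMPLE_MAIN_CF = """\
# TLS and SASL section
myhostname = mail.example.com
deamon_directory = /usr/lib/postfix
smtpd_sasl_auth_enable = yes
smtpd_auth_tls_only = no
smtpd_use_tsl = yes
smtpd_tls_key_file = /etc/ssl/smtpd.pem
smtpd_tls_cert_file = $smtpd_tls_cert_file
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks, reject_unauth_destination
"""

if __name__ == "__main__":
    for finding in lint_main_cf(SAMPLE_MAIN_CF):
        hint = f" (did you mean {finding.suggestion}?)" if finding.suggestion else ""
        print(f"{finding.key}: {finding.problem}{hint}")
```

Run against the sample it reports deamon_directory, smtpd_auth_tls_only and smtpd_use_tsl with their intended names, and smtpd_tls_cert_file as self-referencing; the threshold of 0.75 is loose enough to catch transposed words like auth_tls/tls_auth while still ignoring unrelated names.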
06-10-2008, 07:25 AM
#12
LQ Newbie
Registered: Jun 2008
Posts: 7
Original Poster
Yes, you were right. Thanks for your assistance.