LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 06-09-2008, 07:07 AM   #1
norbert_999
LQ Newbie
 
Registered: Jun 2008
Posts: 7

Problem with TLS in Postfix


Sorry for my English, I'm not a native speaker. I can't connect using TLS: when I issue "telnet localhost 25" and write "ehlo localhost" (or the domain name), there is no response. When I comment out the TLS section in main.cf, there's no problem.

main.cf
Code:
smtp_host_lookup = dns
smtpd_banner = $myhostname ESMTP $mail_name(Debian/GNU)
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
myhostname = mail.zzz.com
mydomain = zzz.com
message_size_limit=51200000
inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost

#mydestination =
mydestination = $myhostname, localhost.$mydomain, $mydomain

virtual_maps = hash:/etc/postfix/virtual
canonical_maps = hash:/etc/postfix/canonical
masquerade_domains = zzz.com xx.com $mydomain $myhostname
alias_maps = hash:/etc/aliases
relay_domains = $mydestination /etc/postfix/access
# review the addresses below carefully
mynetworks = 192.168.7.0/28, 127.0.0.0/8, 172.0.0.0/8, 192.0.0.0/8

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
#smtpd_sasl_application_name = smtpd
smtpd_auth_tls_only = no
#smtp_use_tls = no
smtpd_use_tsl = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/ssl/smtpd.pem
# key and certificate are in the same PEM file
smtpd_tls_cert_file = $smtpd_tls_key_file
#smtpd_tls_CAfile = /etc/ssl/smtpd.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source =  dev:/dev/urandom

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_sender_access hash:/etc/postfix/emails, reject_unauth_destination

append_dot_mydomain = no
master.cf
Code:
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_enforce_tls=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       y       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       -       -       -       smtp
        #-o content_filter=spamassassin
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
        -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

#spamassassin unix -    n       n       -       -       pipe
#       user=spamd argv=/user/bin/spamc -f -e
#       /usr/sbin/sendmail -oi -f ${sender} ${recipient}
 
Old 06-09-2008, 07:20 AM   #2
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

smtps listens on port 465, not 25 (that's smtp without tls/ssl)
 
Old 06-09-2008, 07:25 AM   #3
norbert_999
LQ Newbie
 
Registered: Jun 2008
Posts: 7

Original Poster

Yes, I know that. The same problem occurs with port 465.
 
Old 06-09-2008, 08:12 AM   #4
norbert_999
LQ Newbie
 
Registered: Jun 2008
Posts: 7

Original Poster
Now, when I telnet localhost 465, I'm disconnected and I receive this message: "Connection closed by foreign host".

Mail.log
Code:
Jun  9 15:00:19 mail postfix/smtpd[27167]: setting up TLS connection from localhost[127.0.0.1]
Jun  9 15:00:19 mail postfix/smtpd[27167]: SSL_accept error from localhost[127.0.0.1]: -1
Jun  9 15:00:19 mail postfix/smtpd[27167]: warning: TLS library problem: 27167:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:562:
Jun  9 15:00:19 mail postfix/smtpd[27167]: lost connection after CONNECT from localhost[127.0.0.1]
 
Old 06-09-2008, 08:44 AM   #5
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

You can't telnet to an SSL/TLS port. Well, you can, but you'll just get disconnected since the telnet utility doesn't speak TLS.

Try openssl instead:
http://www.madboa.com/geek/openssl/#cs-smtp

Dave

Last edited by ilikejam; 06-09-2008 at 08:46 AM.
 
Old 06-09-2008, 09:10 AM   #6
norbert_999
LQ Newbie
 
Registered: Jun 2008
Posts: 7

Original Poster
Thank you. After issuing "openssl s_client -connect remote.host:465" I receive this message.

gethostbyname failure
connect:errno=110
 
Old 06-09-2008, 09:24 AM   #7
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Try "openssl s_client -connect localhost:465"

Dave
 
Old 06-09-2008, 10:16 AM   #8
norbert_999
LQ Newbie
 
Registered: Jun 2008
Posts: 7

Original Poster
This one works. But I don't have any TLS option.

220 mail.xxx.com ESMTP Postfix(Debian/GNU)
ehlo xxx.com
250-mail.xxx.com
250-PIPELINING
250-SIZE 51200000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

There's something wrong with my configuration.

Last edited by norbert_999; 06-09-2008 at 10:39 AM.
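The check ilikejam suggests and the EHLO reply quoted above, as an added example that is not code from the thread: a Python probe that parses the capability list smtplib returns, reports whether STARTTLS is advertised (and whether AUTH is offered without it), and then attempts the upgrade. The client name `probe.example` and the sample reply are constructed for this example.

```python
# Added example (not from the thread): EHLO a Postfix service and report
# whether STARTTLS is offered. SAMPLE_EHLO is constructed from the reply above.
import smtplib
import ssl

SAMPLE_EHLO = (b"mail.xxx.com\nPIPELINING\nSIZE 51200000\nVRFY\nETRN\n"
               b"AUTH PLAIN LOGIN\nAUTH=PLAIN LOGIN\nENHANCEDSTATUSCODES\n"
               b"8BITMIME\nDSN")


def parse_ehlo(msg: bytes) -> dict:
    """Map an EHLO reply body (as smtplib's ehlo() returns it) to {KEYWORD: params}."""
    feats = {}
    for line in msg.decode("ascii", "replace").splitlines()[1:]:  # line 0 is the hostname
        kw, _, params = line.strip().partition(" ")
        if kw:
            feats[kw.upper()] = params
    return feats


def tls_status(feats: dict) -> str:
    """STARTTLS offered, AUTH offered without it (credentials would cross the
    wire in clear, as in the reply above), or neither."""
    if "STARTTLS" in feats:
        return "starttls-offered"
    if any(k.startswith("AUTH") for k in feats):
        return "auth-without-tls"
    return "no-starttls"


def probe(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Network-dependent. 465 is wrapper-mode TLS (the thread's smtps service), so it
    gets SMTP_SSL; on 25/587 we EHLO, then STARTTLS with a verifying context."""
    ctx = ssl.create_default_context()
    result = {"host": host, "port": port}
    if port == 465:
        smtp = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
    else:
        smtp = smtplib.SMTP(host, port, timeout=timeout)
    with smtp:
        code, msg = smtp.ehlo("probe.example")  # hypothetical client name
        result["status"] = tls_status(parse_ehlo(msg))
        if port != 465 and result["status"] == "starttls-offered":
            try:
                smtp.starttls(context=ctx)
                code, msg = smtp.ehlo("probe.example")  # re-EHLO after upgrade
                result["starttls_ok"] = code == 250
            except ssl.SSLError as exc:  # report a bad certificate instead of hiding it
                result["starttls_ok"] = False
                result["error"] = str(exc)
    return result
```

Run `probe("localhost", 25)` against the server; with the thread's original main.cf it returns `"auth-without-tls"`, and after the fix the STARTTLS branch runs.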
 
Old 06-10-2008, 04:45 AM   #9
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

From the link I gave above, it looks like port 465 is usually an SSL port - TLS runs on ports 25 and 587. Perhaps try one of them?

Dave
 
Old 06-10-2008, 06:12 AM   #10
norbert_999
LQ Newbie
 
Registered: Jun 2008
Posts: 7

Original Poster
But I don't see STARTTLS when I issue ehlo localhost command. I don't know what's wrong.
 
Old 06-10-2008, 06:38 AM   #11
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Could be a typo in your main.cf:

smtpd_use_tsl = yes

should read:

smtpd_use_tls = yes

Dave
 
Old 06-10-2008, 07:25 AM   #12
norbert_999
LQ Newbie
 
Registered: Jun 2008
Posts: 7

Original Poster
Yes, you were right. Thanks for your assistance.
 
  

