Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
OK, I fixed the problem on startup. Turns out that if I have root set up to use bash as the default shell, it throws this error up. Using csh eliminated the problem and PPP now autonegotiates the connection on boot. However, things still are not right; the change route failed messages continue, as do the strange connectivity issues. I can still get out from the box to the internet without a problem, but going in is another story. Still trying to figure things out on my own and would appreciate advice - I'm frankly out of my league when it comes to this advanced networking stuff... I'll take coding any day.
OK, I was able to fix the PPPoE problem. (Don't as how, as I'm not really sure - it works now though.) Three other problems related to the PPPoE connection not being completely set up at boot time were fixed as well. I have one last mail-related problem to overcome.
I have two ports set up to send mail - the standard port 25 and a high port intended for users whose home ISPs block port 25. Sending mail using this high port works fine. However, I cannot get port 25 to use TLS. Every time I try, I get a message that the server didn't issue STARTTLS in it's EHLO response. I've been going through main.cf and master.cf and really don't see where it differentiates between the two. (To get the high port working, I simply added a service to /etc/services called smtp2 and duplicated the smtp line in master.cf, changing the smtp to smtp2. BAM - the high port was able to be used to send mail the same as port 25.)
The frustrating part is that I *had* this working before and (obviously erroneously) don't think I did anything to break it. Any ideas?
I tried increasing the log level as you suggested, but to no avail - nothing is shown in /var/log/maillog when a client is unable to connect via port 25.
The duplication that you refer to really isn't. The smtpd_tls_key_file and smtp_tls_key_file do two different things according to the docs. The smtpd_ line enables encryption on connections coming into the SMTP server while the smtp_ line enables encryption on mail being sent to other mail servers as long as they support encryption.
I've gone through the configuration so many times I'm starting to get dizzy. I don't see where there would be any difference between the two SMTP ports... sockstat -4 shows that both ports are being listened to by master started by root. If I comment out the smtp2 line in master.cf, I still cannot send on port 25 using TLS.
The exact error that Mozilla Thunderbird produces when trying to send mail using TLS on port 25 is:
Code:
Sending of message failed.
An error occurred sending mail: Unable to connect to SMTP server mail.****sales.com
via STARTTLS since it doesn't offer STARTTLS in EHLO response.
Please verify that your Mail/News account settings are correct and try again.
File with the Postfix SMTP client RSA certificate in PEM format. This file may also contain the Postfix SMTP client private RSA key, and these may be the same as the Postfix SMTP server RSA certificate and key file.
Do not configure client certificates unless you must present client TLS certificates to one or more servers. Client certificates are not usually needed, and can cause problems in configurations that work well without them. The recommended setting is to let the defaults stand:
The best way to use the default settings is to comment out the above parameters in main.cf if present.
In order to verify certificates, the CA certificate (in case of a certificate chain, all CA certificates) must be available. You should add these certificates to the client certificate, the client certificate first, then the issuing CA(s).
Example: the certificate for "client.dom.ain" was issued by "intermediate CA" which itself has a certificate of "root CA". Create the client.pem file with "cat client_cert.pem intermediate_CA.pem root_CA.pem > client.pem".
If you also want to verify remote SMTP server certificates issued by these CAs, you can also add the CA certificates to the smtp_tls_CAfile, in which case it is not necessary to have them in the smtp_tls_cert_file or smtp_tls_dcert_file.
A certificate supplied here must be usable as an SSL client certificate and hence pass the "openssl verify -purpose sslclient ..." test.
Example:
smtp_tls_cert_file = /etc/postfix/client.pem
This feature is available in Postfix 2.2 and later.
suggests to me that you shouldn't be defining smtp_tls_cert_file, etc. at all. It's a lng time sine I set TLS up for myself, but looking at http://postfix.state-of-mind.de/patr...s_support.html, he uses smtpd... not smtp..., so maybe that's where your problem lies.
Sorry - did some more digging - smtp_tls stuff is only if you are connecting to other servers that require tls. Are you?
More importantly, I can't see either smtpd_use_tls or smtpd_tls_security_level defined. Am I missing something? I think you need to (the latter seems to be the version to use, smtpd_use_tls being depreciated)
I found an article that stated that simply adding those few smtp_ lines to main.cf would enable encryption opportunistically when mail is being shuffled between mail servers on the internet - if the next server supports encryption it'll use it, otherwise it'll send plain.
I do have smtpd_tls_security_level = may as the seventh line from the bottom in my main.cf output pasted above. (The code window adds scroll bars; so it'd be easy to miss.)
I know it's working because the secondary SMTP port I set up works with TLS just fine. I'm actually thinking that it's not something in main.cf, as there's nothing that designates characteristics differently for different ports, but I know not where else to look. master.cf has one line different and the firewall allows port 25 through the same as the backup port. (They're actually specified in the same rules in my firewall rule set, though I don't see where the firewall would have this effect anyways... it might make it not work at all, but not change the response of a daemon.) What would cause a mail server to not advertise STARTTLS in it's HELO/EHLO response?
I though I may have just missed it - too easy with these configs
I don't have much time today, but I'll havea look over the weekend if I can and try and re-setup a TLS version. It's not that hard as I recall.
In the meantime, if you can, strip out al lthe TLS stuff, and follow a basic howto to redo. Don't be tempted to sut and paste from your current setup (you only need to clean out the existing TLS bits, not the whole setup)
Setup the standard "submission" port (587) for remote users. Leave port 25 w/out TLS; most MTAs are not going to attempt to connect via TLS.
Quote:
Originally Posted by Ruler2112
- nothing is shown in /var/log/maillog when a client is unable to connect via port 25.
Postfix always logs every connection - if there are no log messages for a connetion attempt, postfix didn't receive it. Consider that a firewall is blocking the attempt, or modifying the communication in some way.
OK, I figured out what the problem is. I feel real stupid not thinking of using a packet sniffer before scrolling through http://www.postfix.org/DEBUG_README.html#logging as suggested by a member of the postfix-users mailing list (I've used them many times before for a variety of applications), but using tcpdump to capture the transaction on both the client side and server side revealed that the server is responding with a 250-STARTTLS, but the client receives 250-XXXXXXXA instead. There must be something being done by my ISP to the traffic being passed on port 25 related to this. Given that I have a workaround (simply setting the sending port to my backup), I'm just going to drop it. (My ISP is such that they don't know what I'm talking about 1/2 the time anyways. They're nice and try, but simply don't have the knowledge required to understand what I'm saying when I have a problem I can't solve on my own.) It is nice to know that it's not something on my box though.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.