postfix server configured for TLS not accepting connections
Hi,
I have configured my postfix server to use TLS (STARTTLS) but with no certificates either on server or client. Here are the TLS parameters in main.cf.

=========
smtpd_tls_security_level = may
# Obsolete, but still supported
#smtpd_use_tls = yes
#smtp_use_tls = yes
# Obsolete, but still supported
#smtpd_enforce_tls = yes
smtpd_tls_cert_file = none
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
=========

So according to the postfix doc this should allow my smtp client (I wrote a simple C++ SSL client) to issue a STARTTLS command and send encrypted emails without using certs. But all I get on the server side is this server log. The error on the server side appears after my client calls SSL_connect(m_ssl):

===============
Aug 17 14:38:12 linux-m9ry postfix/postfix-script[18272]: refreshing the Postfix mail system
Aug 17 14:38:12 linux-m9ry postfix/master[2934]: reload configuration /etc/postfix
Aug 17 14:38:50 linux-m9ry postfix/smtpd[18280]: initializing the server-side TLS engine
Aug 17 14:38:50 linux-m9ry postfix/smtpd[18280]: connect from mycomputer.corp.company.com[441.212.55.56]
Aug 17 14:38:50 linux-m9ry postfix/smtpd[18280]: setting up TLS connection from mycomputer.corp.company.com[441.212.55.56]
Aug 17 14:38:50 linux-m9ry postfix/smtpd[18280]: mycomputer.corp.company.com[441.212.55.56]: TLS cipher list "ALL:+RC4:@STRENGTH"
Aug 17 14:38:50 linux-m9ry postfix/smtpd[18280]: SSL_accept:before/accept initialization
Aug 17 14:38:50 linux-m9ry postfix/smtpd[18280]: read from B7FBA9E0 [B7FC8128] (11 bytes => -1 (0xFFFFFFFF))
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: read from B7FBA9E0 [B7FC8128] (11 bytes => 11 (0xB))
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: 0000 80 7a 01 03 01 00 51 .z....Q
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: 0007 - <SPACES/NULLS>
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: read from B7FBA9E0 [B7FC8133] (113 bytes => -1 (0xFFFFFFFF))
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: read from B7FBA9E0 [B7FC8133] (113 bytes => 113 (0x71))
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: 0000 00 00 39 00 00 38 00 00|35 00 00 16 00 00 13 00 ..9..8.. 5.......
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: 0010 00 0a 07 00 c0 00 00 33|00 00 32 00 00 2f 00 00 .......3 ..2../..
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: 0020 07 05 00 80 03 00 80 00|00 05 00 00 04 01 00 80 ........ ........
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: 0030 00 00 15 00 00 12 00 00|09 06 00 40 00 00 14 00 ........ ...@....
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: 0040 00 11 00 00 08 00 00 06|04 00 80 00 00 03 02 00 ........ ........
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: 0050 80 61 d2 f1 28 71 46 54|d9 23 93 b9 2d 6e 8a 32 .a..(qFT .#..-n.2
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: 0060 68 bb fa a3 e4 28 f1 d2|ca a1 90 11 6d 64 f5 3a h....(.. ....md.:
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: 0070 - <SPACES/NULLS>
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: write to B7FBA9E0 [B7FD64B0] (7 bytes => 7 (0x7))
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: 0000 15 03 01 00 02 02 28 ......(
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: SSL3 alert write:fatal:handshake failure
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: SSL_accept:error in SSLv3 read client hello B
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: SSL_accept:error in SSLv3 read client hello B
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: SSL_accept error from mycomputer.corp.company.com[441.212.55.56]: -1
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: warning: TLS library problem: 18280:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1006:
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: lost connection after STARTTLS from mycomputer.corp.company.com[441.212.55.56]
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: disconnect from mycomputer.corp.company.com[441.212.55.56]
================================================

I would really appreciate any advice or help with this. I can also provide the C++ client code if that is needed. Thanks in advance.
Code:
# specify anonymous ciphers explicitly
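The reply above says to specify anonymous ciphers explicitly, and the smtpd log shows why. What follows is an added example, not code from the original post or from Postfix: it decodes the SSLv2-compatible CLIENT-HELLO that smtpd dumped in the log and lists the cipher suites the client offered. The bytes are copied from the two "read from" dumps; the four header bytes and the last challenge byte that OpenSSL printed as <SPACES/NULLS> are reconstructed from the length fields (record length 0x7a = 9 header bytes + 0x51 cipher-spec bytes + 0x20 challenge bytes, and 0x20 is a space). None of the 27 suites is an anonymous (ADH/AECDH) suite, while a server with smtpd_tls_cert_file = none has no key with which to complete an authenticated suite, so OpenSSL sends alert 02 28 (fatal, handshake_failure) and logs "no shared cipher". The name tables, the function names and fixed_client_hello() (a hypothetical hello from a client that does offer ADH suites) are this example's own, and the tables cover only the suites needed for the diagnosis.

```cpp
// Added example, not code from the original post or from Postfix: decode the
// SSLv2-compatible CLIENT-HELLO that smtpd dumped in the log and check whether
// the client offered any anonymous (ADH/AECDH) cipher suite.
#include <cctype>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Bytes copied from the log's two "read from" dumps. The four header bytes and
// the final challenge byte were printed as <SPACES/NULLS>; they are
// reconstructed from the lengths (0x7a = 9 + 0x51 + 0x20, and 0x20 is a space).
static const char kLoggedHello[] =
    "80 7a 01 03 01 00 51 00 00 00 20"
    "00 00 39 00 00 38 00 00 35 00 00 16 00 00 13 00"
    "00 0a 07 00 c0 00 00 33 00 00 32 00 00 2f 00 00"
    "07 05 00 80 03 00 80 00 00 05 00 00 04 01 00 80"
    "00 00 15 00 00 12 00 00 09 06 00 40 00 00 14 00"
    "00 11 00 00 08 00 00 06 04 00 80 00 00 03 02 00"
    "80 61 d2 f1 28 71 46 54 d9 23 93 b9 2d 6e 8a 32"
    "68 bb fa a3 e4 28 f1 d2 ca a1 90 11 6d 64 f5 3a"
    "00";

// Partial tables (this example's own, OpenSSL suite names). In the SSLv2 hello
// format a TLS suite 0xhhll is carried as the 3-byte spec 00 hh ll.
static const std::map<uint32_t, std::string> kAnon = {   // need no certificate
    {0x000018, "ADH-RC4-MD5"},      {0x00001b, "ADH-DES-CBC3-SHA"},
    {0x000034, "ADH-AES128-SHA"},   {0x00003a, "ADH-AES256-SHA"},
    {0x00c018, "AECDH-AES128-SHA"}, {0x00c019, "AECDH-AES256-SHA"},
};
static const std::map<uint32_t, std::string> kAuth = {   // need an RSA/DSS cert
    {0x000039, "DHE-RSA-AES256-SHA"},   {0x000038, "DHE-DSS-AES256-SHA"},
    {0x000035, "AES256-SHA"},           {0x000016, "DHE-RSA-DES-CBC3-SHA"},
    {0x000013, "DHE-DSS-DES-CBC3-SHA"}, {0x00000a, "DES-CBC3-SHA"},
    {0x000033, "DHE-RSA-AES128-SHA"},   {0x000032, "DHE-DSS-AES128-SHA"},
    {0x00002f, "AES128-SHA"},           {0x000005, "RC4-SHA"},
    {0x000004, "RC4-MD5"},              {0x0700c0, "DES-CBC3-MD5 (SSLv2)"},
    {0x010080, "RC4-MD5 (SSLv2)"},
};

std::vector<uint8_t> from_hex(const std::string& hex) {
    std::vector<uint8_t> out;
    int hi = -1;
    for (unsigned char c : hex) {
        if (!std::isxdigit(c)) continue;                  // skip spaces etc.
        int v = std::isdigit(c) ? c - '0' : std::tolower(c) - 'a' + 10;
        if (hi < 0) { hi = v; } else { out.push_back(static_cast<uint8_t>(hi * 16 + v)); hi = -1; }
    }
    return out;
}

struct ClientHello {
    bool ok = false;
    uint16_t version = 0;
    std::vector<uint32_t> cipher_specs;   // 3-byte specs packed into 24 bits
    std::vector<uint8_t> challenge;
};

// SSLv2 CLIENT-HELLO: [len|0x8000][type=1][version][cipher-spec-len]
// [session-id-len][challenge-len][cipher-specs][session-id][challenge]
ClientHello parse_v2_client_hello(const std::vector<uint8_t>& msg) {
    ClientHello h;
    if (msg.size() < 11 || !(msg[0] & 0x80) || msg[2] != 0x01) return h;
    size_t len = ((msg[0] & 0x7f) << 8) | msg[1];
    size_t cs_len = (msg[5] << 8) | msg[6];
    size_t sid_len = (msg[7] << 8) | msg[8];
    size_t ch_len = (msg[9] << 8) | msg[10];
    if (len + 2 != msg.size() || cs_len % 3 != 0 ||
        11 + cs_len + sid_len + ch_len != msg.size()) return h;   // lengths must add up
    h.version = static_cast<uint16_t>((msg[3] << 8) | msg[4]);
    for (size_t i = 11; i < 11 + cs_len; i += 3)
        h.cipher_specs.push_back((msg[i] << 16) | (msg[i + 1] << 8) | msg[i + 2]);
    std::ptrdiff_t ch_off = static_cast<std::ptrdiff_t>(11 + cs_len + sid_len);
    h.challenge.assign(msg.begin() + ch_off, msg.begin() + ch_off + static_cast<std::ptrdiff_t>(ch_len));
    h.ok = true;
    return h;
}

std::vector<std::string> anonymous_suites_offered(const ClientHello& h) {
    std::vector<std::string> out;
    for (uint32_t s : h.cipher_specs) {
        auto it = kAnon.find(s);
        if (it != kAnon.end()) out.push_back(it->second);
    }
    return out;
}

std::string suite_name(uint32_t spec) {
    auto a = kAnon.find(spec);
    if (a != kAnon.end()) return a->second + " [anonymous]";
    auto n = kAuth.find(spec);
    if (n != kAuth.end()) return n->second;
    char buf[16];
    std::snprintf(buf, sizeof buf, "0x%06x", static_cast<unsigned>(spec));  // export/legacy, unlisted
    return buf;
}

ClientHello parse_logged_hello() { return parse_v2_client_hello(from_hex(kLoggedHello)); }

// Serialise a hello in the same format (used for the hypothetical fixed client).
std::vector<uint8_t> build_v2_client_hello(const std::vector<uint32_t>& specs,
                                           const std::vector<uint8_t>& challenge) {
    std::vector<uint8_t> body = {0x01, 0x03, 0x01};   // CLIENT-HELLO, TLS 1.0
    auto put16 = [&body](size_t v) {
        body.push_back(static_cast<uint8_t>(v >> 8));
        body.push_back(static_cast<uint8_t>(v & 0xff));
    };
    put16(specs.size() * 3); put16(0); put16(challenge.size());
    for (uint32_t s : specs) {
        body.push_back(static_cast<uint8_t>(s >> 16));
        body.push_back(static_cast<uint8_t>(s >> 8));
        body.push_back(static_cast<uint8_t>(s));
    }
    body.insert(body.end(), challenge.begin(), challenge.end());
    std::vector<uint8_t> msg = {static_cast<uint8_t>(0x80 | (body.size() >> 8)),
                                static_cast<uint8_t>(body.size() & 0xff)};
    msg.insert(msg.end(), body.begin(), body.end());
    return msg;
}

// Hypothetical hello from a client whose cipher list includes aNULL (e.g. after
// SSL_CTX_set_cipher_list(ctx, "aNULL:@STRENGTH")); the challenge is a dummy.
std::vector<uint8_t> fixed_client_hello() {
    return build_v2_client_hello({0x00003a, 0x000034, 0x000035}, std::vector<uint8_t>(32, 0x41));
}

int main() {
    ClientHello h = parse_logged_hello();
    std::cout << "logged hello: version 0x" << std::hex << h.version << std::dec << ", "
              << h.cipher_specs.size() << " suites, " << h.challenge.size() << "-byte challenge\n";
    for (uint32_t s : h.cipher_specs) std::cout << "  " << suite_name(s) << '\n';
    std::cout << "anonymous suites offered: " << anonymous_suites_offered(h).size()
              << " (a server with smtpd_tls_cert_file = none needs at least one)\n";
    ClientHello f = parse_v2_client_hello(fixed_client_hello());
    std::cout << "fixed hello offers " << anonymous_suites_offered(f).size() << " anonymous suites\n";
    return 0;
}
```

The server's list "ALL:+RC4:@STRENGTH" does contain the aNULL suites (OpenSSL's ALL excludes only eNULL), so the mismatch is entirely on the client side: OpenSSL's default client cipher list leaves anonymous suites out, and an OpenSSL client has to ask for them with SSL_CTX_set_cipher_list() before SSL_connect(). The caveat a practitioner should keep in mind is that anonymous DH encrypts the session but authenticates neither end, so it defeats passive sniffing only; an active attacker on the path can terminate the TLS session himself. A server certificate, as used in the follow-up post, is what closes that gap.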
Hi,
Thanks for that explanation. That is very useful. I did get the TLS communication working with a server certificate. Now I will try without certs.