Linux - Software. This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.
I am trying to set up postfix to accept mail from an outside connection via TLS and send it to somewhere. TLS currently only works for viewing mail in my inbox. I am using thunderbird on my work computer and connecting to port 143 on the server to read mail (TLS works there). To send mail I am connecting to port 25, but TLS does not work. I can only send mail if I use no encryption and unencrypted password. Port 143 forwards to courier and port 25 forwards to postfix. What am I doing wrong? See my postfix/main.cf below:
Code:
# TLS parameters
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_cert_file=/etc/postfix/ssl/openssl_cert.crt
smtpd_tls_key_file=$smtpd_tls_cert_file
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtp_tls_cert_file=/etc/postfix/ssl/openssl_cert.crt
smtp_tls_key_file=$smtp_tls_cert_file
#smtp_tls_CAfile = /etc/postfix/ssl/cacert.pem
#smtp_tls_CApath = /etc/postfix/ssl
smtp_tls_loglevel = 3
smtpd_tls_ask_ccert = yes
smtpd_tls_received_header = yes
# parameter name corrected from 'smtpd_tls_sesseion_cache_timeout'; Postfix ignores unknown names
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/random
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = mydomain.net
mydomain = mydomain.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = $mydomain
mydestination = $mydomain, mail.$mydomain, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 192.168.1.0/24
home_mailbox = Maildir/
mailbox_command = procmail -a "$EXTENSION" DEFAULT=$HOME/Maildir/ MAILDIR=$HOME/Maildir
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
# Virtual domains to accept mail for
#virtual_alias_domains = mail.bloomincactus.com
#virtual_alias_maps = hash:/etc/postfix/virtual
To send mail I am connecting to port 25, but TLS does not work
First thing to do is check your logs. It may have something to do with
Code:
smtpd_tls_ask_ccert = yes
Your server is asking the client for a certificate, which is not all that common, and something for which your client (Thunderbird) needs special configuration.
Perhaps you should comment that line out, and reload postfix. Then, test with
When I try to send something from another PC on my lan, I get this:
Code:
An error occurred sending mail: Unable to connect to SMTP server 192.168.1.100 via STARTTLS since it doesn't offer STARTTLS in EHLO response. Please verify that your Mail/News account settings are correct and try again.
The error says that the server doesn't even offer STARTTLS, which it should have done because of the 'smtpd_use_tls = yes'.
So, we're still on step 1. Let's try to get as far as offering STARTTLS in the greeting. Here's how the greeting should look when the server is configured correctly:
Code:
berhanie@host:~$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 host.example.com ESMTP Postfix
EHLO localhost
250-host.domain.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
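An added example, not from the thread: a small parser for the multi-line EHLO reply shown above, so the "does the server offer STARTTLS?" test can be scripted instead of read off a telnet session. The sample reply is constructed from the greeting quoted above; `check_live` is a hypothetical helper that runs the same test against a real host and also attempts the upgrade with certificate verification on.

```python
import smtplib
import ssl

# Constructed sample: the EHLO reply quoted above, as the wire would carry it.
EHLO_WITH_TLS = ("250-host.domain.com\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
                 "250-VRFY\r\n250-ETRN\r\n250-STARTTLS\r\n250-ENHANCEDSTATUSCODES\r\n"
                 "250-8BITMIME\r\n250 DSN\r\n")
# The same greeting from a server that does not advertise STARTTLS.
EHLO_NO_TLS = EHLO_WITH_TLS.replace("250-STARTTLS\r\n", "")

def parse_ehlo(reply):
    """Parse a 250 EHLO reply into {EXTENSION: parameters}.
    '250-' marks a continuation line, '250 ' (space) the last line; the
    first line carries the server's hostname, not an extension."""
    exts = {}
    for line in reply.strip().splitlines()[1:]:
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError(f"malformed EHLO line: {line!r}")
        keyword, _, param = line[4:].strip().partition(" ")
        exts[keyword.upper()] = param
    return exts

def offers_starttls(reply):
    """True when the server advertises STARTTLS in its EHLO reply."""
    return "STARTTLS" in parse_ehlo(reply)

def check_live(host, port=25, timeout=10):
    """Hypothetical helper: EHLO a real server and return (advertised, upgraded).
    A self-signed certificate like the one in this thread will be advertised
    but fail verification, which is itself useful diagnostic information."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        if not s.has_extn("starttls"):
            return False, False
        try:
            s.starttls(context=ssl.create_default_context())
            return True, True
        except (smtplib.SMTPException, ssl.SSLError):
            return True, False
```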
Indeed, it doesn't offer TLS. Apparently courier works with TLS on port 143 because I can retrieve my mail using IMAP with TLS only specified in Tbird. See the output below along with my current main.cf. I'm not too sure about smtp_tls_CApath. Currently it points to the directory with all of the CA certificates in it (i.e. Thawte, Verisign, etc.). This directory isn't copied to the chroot because I think it is read before going to chroot.
smtpd_tls_cert_file and smtpd_tls_key_file both point to my self signed certificate which is copied to the chroot at postfix startup. I assume this is OK since courier works.
On the router, port 25 is forwarded to "postfix" on the server.
The smtp_* settings don't apply. They take effect when postfix is acting as a client, i.e. when it is delivering mail to another MTA (using smtp). I noticed that your main.cf suddenly switched to postfix-2.3 syntax, so I suppose you've upgraded your postfix installation between posts(?) Is your postfix even compiled with SSL (check makedefs.out to see how it was built)?
According to the tls_readme, the smtpd_tls_CAfile and smtp_tls_CAfile are "opened (with root privileges) before Postfix enters the optional chroot jail and so need not be accessible from inside the chroot jail." It's rather the *_tls_CApath that you have to be careful with. You may not need the *_tls_CAfile and *_tls_CApath settings unless you really do want to verify certificates. Furthermore, you realise that 'smtpd_security_level = encrypt' will cause postfix not to accept mail unless the client uses STARTTLS -- this is ok for testing, but otherwise remote clients which cannot use tls will not be able to submit mail.
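An added example, not from the thread or from Postfix: a small linter that parses main.cf `name = value` lines and reports the pitfalls raised in the replies above: smtp_* (client) settings mistaken for inbound ones, `smtpd_tls_ask_ccert`, `smtpd_tls_security_level = encrypt`, a CApath that must exist inside the chroot, and misspelt parameter names, which Postfix silently ignores. The list of known parameter names is a partial one assumed from the Postfix documentation; the sample is the TLS block posted earlier in this thread.

```python
import difflib
import re
# Partial list of real Postfix TLS parameter names (assumption: extend as needed).
KNOWN_TLS_PARAMS = {
    "smtpd_use_tls", "smtpd_tls_cert_file", "smtpd_tls_key_file", "smtpd_tls_CAfile",
    "smtpd_tls_CApath", "smtpd_tls_ask_ccert", "smtpd_tls_received_header",
    "smtpd_tls_session_cache_database", "smtpd_tls_session_cache_timeout",
    "smtpd_tls_loglevel", "smtpd_tls_security_level", "smtp_use_tls",
    "smtp_tls_cert_file", "smtp_tls_key_file", "smtp_tls_CAfile", "smtp_tls_CApath",
    "smtp_tls_loglevel", "smtp_tls_session_cache_database",
}

# Constructed sample: the TLS lines from the main.cf posted in this thread.
SAMPLE_MAIN_CF = """\
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_cert_file=/etc/postfix/ssl/openssl_cert.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_sesseion_cache_timeout = 3600s
#smtp_tls_CApath = /etc/postfix/ssl
"""

def parse_main_cf(text):
    """Return {name: value} for 'name = value' lines; '#' comments and blanks are skipped."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$", line)
        if m:
            params[m.group(1)] = m.group(2)
    return params

def lint_tls(params):
    """Return (parameter, finding) pairs for the inbound-STARTTLS pitfalls raised in the thread."""
    findings = []
    for name, value in params.items():
        if not name.startswith(("smtp_tls_", "smtpd_tls_", "smtp_use_tls", "smtpd_use_tls")):
            continue
        if name not in KNOWN_TLS_PARAMS:  # Postfix silently ignores unknown names
            guess = difflib.get_close_matches(name, KNOWN_TLS_PARAMS, n=1, cutoff=0.8)
            hint = f"; did you mean {guess[0]}?" if guess else ""
            findings.append((name, "unknown parameter, Postfix ignores it" + hint))
        elif name.startswith("smtp_"):
            findings.append((name, "client-side setting; does not affect STARTTLS on port 25"))
        elif name == "smtpd_tls_ask_ccert" and value.lower() == "yes":
            findings.append((name, "server asks for a client certificate; most MUAs need extra setup"))
        elif name == "smtpd_tls_security_level" and value == "encrypt":
            findings.append((name, "clients that cannot do STARTTLS will be refused"))
        elif name == "smtpd_tls_CApath":
            findings.append((name, "read after chroot; the directory must exist inside the jail"))
    return findings
```

Run `lint_tls(parse_main_cf(open("/etc/postfix/main.cf").read()))` against a real file; a clean inbound-TLS configuration returns an empty list.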
I am 90% sure that my postfix has support for tls. I am using a binary package from the debian repo. It is postfix-2.3 and is labelled as a replacement for postfix-tls (2.1), so I assume the new version has tls built in. Either it doesn't or there is some problem with my cert. I am going to mess around a bit more with it. Thanks for your help. This config file is actually starting to make sense!
I think that even if there's a problem with the certificate, postfix would still announce STARTTLS. I'd be interested to know the cause when you finally solve the problem. Good luck.
OK, I got it to offer TLS now. Not sure how I did it. Unfortunately I can only send mail from within my local network (192.168.1.0/24). I am guessing it could be that maybe my isp is blocking port 25? I was unable to telnet from my work computer (at a university). Might also be something to do with authentication? I had tried to set up sasl at one time, but commented it out because I was trying to simplify things to make it work. Maybe time to give it a go again. Here is my full main.cf. It's a mess I know.
If you can receive mail from the outside, then nothing's blocked and you should be able to telnet to port 25, the 'incoming' mail port of your server. Since you are unsuccessful, is it possible you're using the wrong IP address? Clients that deliver mail to you use your domain's MX record in DNS. Use that IP address when you telnet.
I think I understand what you are trying to do: you want to allow some remote clients to relay mail through your server (by default only clients in $mynetworks are allowed to do so). Authentication will come in handy, then.