Re: STARTTLS not announced?!
- Jun 14, 2013

On Sat, Jun 15, 2013 at 01:57:12AM +0200, Nabil Alsharif wrote:
> I just setup postfix on my server but I'm having a problem with
> TLS. I have TLS configured, there are no errors in the log, but
> the server does not announce TLS support. Here is the
> relevant output from 'postconf -n', the full output is at the
> end of the message:
>
> smtp_tls_note_starttls_offer = yes
> smtp_use_tls = yes

smtp_* settings control smtp(8), the SMTP client, so no, those are
not relevant to the server's failure to announce STARTTLS. (Also,
smtp_use_tls is deprecated, superseded by smtp_tls_security_level.)

> smtpd_banner = $myhostname ESMTP
> smtpd_recipient_restrictions = permit_mynetworks

Those aren't relevant either. (I'd suggest leaving the default
$smtpd_banner setting, however.)

> smtpd_tls_CAfile = /etc/pki/dovecot/certs/dovecot.pem
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
> smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem

I'm no OpenSSL expert, but I'm pretty sure it's wrong to have your
own server certificate and key in the same file with your CAs. See
TLS_README.html#server_tls for basic server TLS settings.

> smtpd_tls_loglevel = 1
> smtpd_tls_security_level = encrypt

What? Do you understand what this means? It's not suitable for an
Internet mail exchanger, because many sites will not use TLS (TLS
isn't required for mail service.)

> smtpd_use_tls = yes

Deprecated, superseded by smtpd_tls_security_level.

> Like I said the server does not announce STARTTLS:

What you showed us should have announced STARTTLS. I would guess the
problem is related to the single file certificate+key+CAs. Since you
mentioned upthread that no errors are logged, check your syslogd (try
restarting it.) These errors would be logged.
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
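The following is an added example and not part of the post or of Postfix itself: a small Python linter for 'postconf -n' output that mechanically checks the points raised in the reply (smtp_* parameters configure the client, not the server; smtp_use_tls and smtpd_use_tls are deprecated in favour of the *_tls_security_level parameters; smtpd_tls_security_level = encrypt is unsuitable for an Internet MX; the CA file should not be the same file as the server certificate). The sample input is constructed from the settings quoted in the thread. The corrected settings use 'may', which is Postfix's opportunistic server TLS level, and the certificate paths in them are placeholders, not values from the thread.

```python
from typing import Dict, List

# Constructed sample: the server-relevant settings quoted in the thread.
SAMPLE_POSTCONF = """\
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP
smtpd_recipient_restrictions = permit_mynetworks
smtpd_tls_CAfile = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
smtpd_tls_loglevel = 1
smtpd_tls_security_level = encrypt
smtpd_use_tls = yes
"""

# Corrected form for an Internet mail exchanger: opportunistic TLS and a
# certificate file that is separate from any CA bundle. The paths are
# placeholders (assumption), not paths from the thread.
FIXED_POSTCONF = """\
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/EXAMPLE-server-cert.pem
smtpd_tls_key_file = /etc/ssl/EXAMPLE-server-key.pem
smtpd_tls_loglevel = 1
"""

# Parameters Postfix has deprecated in favour of *_tls_security_level.
DEPRECATED = {
    "smtp_use_tls": "smtp_tls_security_level",
    "smtpd_use_tls": "smtpd_tls_security_level",
}


def parse_postconf(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines as printed by 'postconf -n'."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def client_side_params(params: Dict[str, str]) -> List[str]:
    """smtp_* parameters: they control the SMTP client (smtp(8)), so they
    have no bearing on whether smtpd(8) announces STARTTLS."""
    return sorted(k for k in params if k.startswith("smtp_"))


def lint_server_tls(params: Dict[str, str], public_mx: bool = True) -> List[str]:
    """Return human-readable findings about the smtpd TLS settings."""
    findings: List[str] = []

    for old, new in DEPRECATED.items():
        if old in params:
            findings.append(f"{old} is deprecated; use {new}")

    level = params.get("smtpd_tls_security_level")
    # Without a security level (or the deprecated smtpd_use_tls = yes)
    # the server will not offer STARTTLS at all.
    if level in (None, "none") and params.get("smtpd_use_tls") != "yes":
        findings.append("server TLS is not enabled: set smtpd_tls_security_level = may")

    # 'encrypt' makes TLS mandatory, which rejects the many peers that do
    # not use TLS; a public MX should use opportunistic 'may'.
    if public_mx and level == "encrypt":
        findings.append("smtpd_tls_security_level = encrypt is unsuitable for an Internet MX; use may")

    ca = params.get("smtpd_tls_CAfile")
    cert = params.get("smtpd_tls_cert_file")
    if ca and ca == cert:
        findings.append("smtpd_tls_CAfile is the same file as smtpd_tls_cert_file; keep the CA bundle separate")

    return findings


if __name__ == "__main__":
    sample = parse_postconf(SAMPLE_POSTCONF)
    print("client-side (irrelevant to the server banner):", client_side_params(sample))
    for f in lint_server_tls(sample):
        print("finding:", f)
    print("fixed config findings:", lint_server_tls(parse_postconf(FIXED_POSTCONF)))
```

Run against the thread's settings it reports the two deprecated parameters, the mandatory-TLS level and the shared CA/certificate file; against the corrected fragment it reports nothing. The check only reads the parameter values, so it cannot tell whether the certificate file itself is sane; for that the reply's advice stands: look at the syslog output from smtpd at the configured smtpd_tls_loglevel.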