Re: STARTTLS not announced?!

  • /dev/rob0
    Jun 14, 2013
      On Sat, Jun 15, 2013 at 01:57:12AM +0200, Nabil Alsharif wrote:
      > I just setup postfix on my server but I'm having a problem with
      > TLS. I have TLS configured, there are no errors in the log, but
      > the server does not announce TLS support. Here is the relevant
      > output from 'postconf -n'; the full output is at the end of the
      > message:
      > smtp_tls_note_starttls_offer = yes
      > smtp_use_tls = yes

      smtp_* settings control smtp(8), the SMTP client, so no, those are
      not relevant to the server's failure to announce STARTTLS. (Also,
      smtp_use_tls is deprecated, superseded by smtp_tls_security_level.)

      > smtpd_banner = $myhostname ESMTP
      > smtpd_recipient_restrictions = permit_mynetworks
      > reject_unauth_destination

      Those aren't relevant either. (I'd suggest leaving the default
      $smtpd_banner setting, however.)

      > smtpd_tls_CAfile = /etc/pki/dovecot/certs/dovecot.pem
      > smtpd_tls_auth_only = yes
      > smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
      > smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem

      I'm no OpenSSL expert, but I'm pretty sure it's wrong to have your
      own server certificate and key in the same file with your CAs. See
      TLS_README.html#server_tls for basic server TLS settings.

      > smtpd_tls_loglevel = 1
      > smtpd_tls_security_level = encrypt

      What? Do you understand what this means? It's not suitable for an
      Internet mail exchanger, because many sites will not use TLS (TLS
      isn't required for mail service.)

      > smtpd_use_tls = yes

      Deprecated, superseded by smtpd_tls_security_level.

      > Like I said, the server does not announce STARTTLS:

      What you showed us should have announced STARTTLS. I would guess the
      problem is related to the single file certificate+key+CAs. Since you
      mentioned upthread that no errors are logged, check your syslogd (try
      restarting it.) These errors would be logged.

      http://rob0.nodns4.us/ -- system administration and consulting
      Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
