
can't login via SSL on port 465

  • admin2
    Message 1 of 4, Jun 1, 2009
      hi there list people,

      I am just getting used to admin'ing postfix and got TLS working on both
      port 25 and port 587.

      I am now attempting to get SSL via port 465 working. I have the port
      answering, can see the banner, and can even authenticate when I 'telnet
      localhost 465' after generating a user's test string with "perl
      -MMIME::Base64 -e 'print encode_base64("username\0username\0password");'"

      But when I use Thunderbird, which authenticates fine with the old server
      running sendmail with SSL/port 465 answering, tbird just hangs and
      eventually claims "the connection has failed".

      On the server-side logs in /var/log/mail.info I can see the connection
      and then a disconnect. There is never authentication shown as granted.
      But the same exact account and password works fine with TLS via port
      587 or port 25.

      What else can I try? What should I be looking for?

      After the EHLO hostname

      250-enabled.com
      250-PIPELINING
      250-SIZE 10240000
      250-VRFY
      250-ETRN
      250-STARTTLS
      250-AUTH PLAIN LOGIN
      250-AUTH=PLAIN LOGIN
      250-ENHANCEDSTATUSCODES
      250-8BITMIME
      250 DSN

      and a slightly modified postconf -n - real IPs and domains removed.

      :/etc/postfix# postconf -n
      alias_database = hash:/etc/postfix/aliases hash:/var/lib/mailman/data/aliases
      alias_maps = hash:/etc/postfix/aliases hash:/var/lib/mailman/data/aliases
      append_dot_mydomain = no
      biff = no
      broken_sasl_auth_clients = yes
      config_directory = /etc/postfix
      delay_warning_time = 4h
      home_mailbox = Maildir/
      inet_interfaces = all
      inet_protocols = all
      mailbox_command = procmail -a "$EXTENSION"
      mailbox_size_limit = 0
      mydestination = $myhostname, localhost.$mydomain $mydomain
      mydomain = domain.com
      myhostname = domain.com
      mynetworks = 1.1.1.1/32 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
      myorigin = domain.com
      readme_directory = no
      recipient_delimiter = +
      relayhost =
      smtp_tls_note_starttls_offer = yes
      smtp_tls_security_level = may
      smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
      smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
      smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
      smtpd_sasl_auth_enable = yes
      smtpd_sasl_local_domain =
      smtpd_sasl_security_options = noanonymous
      smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
      smtpd_tls_auth_only = no
      smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
      smtpd_tls_key_file = /etc/ssl/private/smtpd.key
      smtpd_tls_loglevel = 1
      smtpd_tls_received_header = yes
      smtpd_tls_security_level = may
      smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
      smtpd_tls_session_cache_timeout = 3600s
      smtpd_use_tls = yes
      tls_random_source = dev:/dev/urandom
      unknown_local_recipient_reject_code = 550
      virtual_alias_domains = <domains here>
      virtual_alias_maps = hash:/etc/postfix/virtual hash:/var/lib/mailman/data/virtual-mailman


      Cheers,

      Noah
    • Darren Pilgrim
      Message 2 of 4, Jun 1, 2009
        admin2 wrote:
        > hi there list people,
        >
        > I am just getting used to admin'ing postfix and got TLS working on both
        > port 25 and port 587.
        >
        > I am now attempting to get SSL via port 465 working. I have the port
        > answering, can see the banner, and can even authenticate when I 'telnet
        > localhost 465' after generating a user's test string with "perl
        > -MMIME::Base64 -e 'print encode_base64("username\0username\0password");'"

        If you can telnet to port 465 and see the banner, then you don't have
        SSL enabled. You probably need to set smtpd_tls_wrappermode=yes for the
        smtps entry in master.cf. If that's already there, please show us your
        master.cf.
      • admin2
        Message 3 of 4, Jun 1, 2009
          Darren Pilgrim wrote:
          > admin2 wrote:
          >> hi there list people,
          >>
          >> I am just getting used to admin'ing postfix and got TLS working on
          >> both port 25 and port 587.
          >>
          >> I am now attempting to get SSL via port 465 working. I have the port
          >> answering, can see the banner, and can even authenticate when I
          >> 'telnet localhost 465' after generating a user's test string with
          >> "perl -MMIME::Base64 -e 'print
          >> encode_base64("username\0username\0password");'"
          >
          > If you can telnet to port 465 and see the banner, then you don't have
          > SSL enabled. You probably need to set smtpd_tls_wrappermode=yes for the
          > smtps entry in master.cf. If that's already there, please show us your
          > master.cf.

          Thanks for the quick reply. Here is the relevant section of my master.cf:

          #
          # Postfix master process configuration file. For details on the format
          # of the file, see the master(5) manual page (command: "man 5 master").
          #
          # Do not forget to execute "postfix reload" after editing this file.
          #
          # ==========================================================================
          # service type private unpriv chroot wakeup maxproc command + args
          # (yes) (yes) (yes) (never) (100)
          # ==========================================================================
          smtp inet n - - - - smtpd
          submission inet n - - - - smtpd
          # -o smtpd_tls_security_level=encrypt
          # -o smtpd_sasl_auth_enable=yes
          # -o smtpd_sasl_security_options = noanonymous
          # -o smtpd_sasl_application_name = smtpd
          # -o broken_sasl_auth_clients = yes
          # -o smtpd_client_restrictions=permit_sasl_authenticated,permit_mynetworks,check_relay_domains,reject
          # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
          # -o milter_macro_daemon_name=ORIGINATING
          smtps inet n - - - - smtpd
          # -o smtpd_tls_wrappermode=yes
          # -o smtpd_sasl_auth_enable=yes
          # -o smtpd_sasl_security_options = noanonymous
          # -o smtpd_sasl_application_name = smtpd
          # -o broken_sasl_auth_clients = yes
          # -o smtpd_client_restrictions=permit_sasl_authenticated,permit_mynetworks,check_relay_domains,reject
          # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
          # -o milter_macro_daemon_name=ORIGINATING
        • admin2
          Message 4 of 4, Jun 1, 2009
            Darren Pilgrim wrote:
            > admin2 wrote:
            >> hi there list people,
            >>
            >> I am just getting used to admin'ing postfix and got TLS working on
            >> both port 25 and port 587.
            >>
            >> I am now attempting to get SSL via port 465 working. I have the port
            >> answering, can see the banner, and can even authenticate when I
            >> 'telnet localhost 465' after generating a user's test string with
            >> "perl -MMIME::Base64 -e 'print
            >> encode_base64("username\0username\0password");'"
            >
            > If you can telnet to port 465 and see the banner, then you don't have
            > SSL enabled. You probably need to set smtpd_tls_wrappermode=yes for the
            > smtps entry in master.cf. If that's already there, please show us your
            > master.cf.

            Darren,

            You fixed it! The following mod to the master.cf file works fine!

            Thank you!


            smtps inet n - - - - smtpd
              -o smtpd_tls_wrappermode=yes
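
An added example, not part of the original thread and not Postfix code: a small Python audit of master.cf text that applies the master(5) line rules this thread turns on (lines starting with `#` are ignored, lines starting with whitespace continue the previous service entry) and reports whether the `smtps` service actually receives `-o smtpd_tls_wrappermode=yes`. The function names and sample strings are constructed for illustration, and it assumes main.cf does not set `smtpd_tls_wrappermode`, as in the `postconf -n` output above.

```python
# Added example: audit master.cf for implicit TLS (wrapper mode) on smtps.
# BEFORE/AFTER are constructed from the entries quoted in the thread.
BEFORE = """\
smtps     inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
"""
AFTER = """\
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
"""
# Same fix with the leading whitespace lost: "-o" starts a new logical line,
# so the override is no longer attached to the smtps service.
FLUSH_LEFT = AFTER.replace("\n  -o", "\n-o")

def logical_lines(text):
    """Join continuation lines; skip blank and '#' lines, as master(5) does."""
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            current += " " + raw.strip()
        else:
            if current is not None:
                yield current
            current = raw.strip()
    if current is not None:
        yield current

def service_overrides(text, service, stype="inet"):
    """Return the active -o name=value overrides of a service, or None."""
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) >= 8 and fields[:2] == [service, stype]:
            args = fields[8:]  # everything after the command name
            return {v.split("=", 1)[0]: v.split("=", 1)[1]
                    for flag, v in zip(args, args[1:])
                    if flag == "-o" and "=" in v}
    return None

def audit_smtps(text, main_cf_wrappermode="no"):
    """Classify the smtps listener; main_cf_wrappermode is the main.cf value."""
    opts = service_overrides(text, "smtps")
    if opts is None:
        return "smtps service not defined"
    mode = opts.get("smtpd_tls_wrappermode", main_cf_wrappermode)
    return "implicit TLS" if mode == "yes" else "plaintext SMTP on smtps port"

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER), ("flush-left", FLUSH_LEFT)):
        print(name, "->", audit_smtps(cfg))
```

A "plaintext SMTP on smtps port" result corresponds to the symptom in the first message: a readable banner over telnet on port 465 while SSL clients hang.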