Loading ...
Sorry, an error occurred while loading the content.

Re: No SMTP AUTH when TLS enabled

Expand Messages
  • froinds J
    ... My problem is: if I allow TLS I cannot authenticate. Without TLS everything works. Here is the output from saslfinger. Thanks for your help. saslfinger -
    Message 1 of 12 , Jan 2, 2010
    View Source
    • 0 Attachment
      On Sat, Jan 2, 2010 at 2:26 AM, Patrick Ben Koetter <p@...> wrote:
      * froinds J <froinds@...>:
      > Hello,
      > I'm having a problem with postfix in F12.
      > I used to have my email server setup with F10. My setup had TLS
      > enabled (self signed certs) with SASL using pwcheck_method=auxprop and
      > CRAM-MD5 DIGEST-MD5. I had virtual accounts.
      > Everything worked great until I installed F12. It was a clean install.
      > My issue now is the following:
      > If I disable TLS, postfix works as expected. If I enable it, I cannot
      > authenticate. Without TLS I can telnet to my server and I get 250-AUTH
      > CRAM-MD5 DIGEST-MD5
      > 250-AUTH=CRAM-MD5 DIGEST-MD5. However, once I enable TLS this doesn't show.
      > My mail client says the server does not support CRAM-MD5 or any other method
      > of authentication I try when TLS is on.
      >
      > I've tested the certs with openssl and I don't get any errors.
      >
      > I've been running my mail server on Fedora since FC3 and I've never
      > encountered this issue.
      > Has anyone had this problem?

      Blind guess: You have set $smtpd_tls_auth_only to yes and AUTH only shows up
      in a TLS session.

      If that is not the case follow the instructions at
      <http://de.postfix.org/httpmirror/DEBUG_README.html#mail> to provide debug
      output.

      p@rick

      My problem is: if I allow TLS I cannot authenticate. Without TLS everything works. Here is the output from saslfinger.
      Thanks for your help.

      saslfinger - postfix Cyrus sasl configuration Sat Jan  2 02:12:49 EST 2010

      version: 1.0.2

      mode: server-side SMTP AUTH


      -- basics --

      Postfix: 2.6.5

      System: Fedora release 12 (Constantine)


      -- smtpd is linked to --

      libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00110000)


      -- active SMTP AUTH and TLS parameters for smtpd --

      broken_sasl_auth_clients = yes

      smtpd_sasl_auth_enable = yes

      smtpd_sasl_authenticated_header = yes

      smtpd_sasl_local_domain = $myhostname

      smtpd_sasl_security_options = noanonymous, noplaintext

      smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem

      smtpd_tls_auth_only = yes

      smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt

      smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key

      smtpd_tls_loglevel = 3

      smtpd_tls_received_header = yes

      smtpd_tls_security_level = encrypt

      smtpd_tls_session_cache_timeout = 3600s



      -- listing of /usr/lib/sasl --

      total 80

      drwxr-xr-x.   2 root root  4096 2009-12-29 12:31 .

      dr-xr-xr-x. 150 root root 69632 2010-01-01 16:52 ..

      -rw-r--r--.   1 root root    70 2009-09-16 09:38 smtpd.conf


      -- listing of /usr/lib/sasl2 --

      total 504

      drwxr-xr-x.   2 root root  4096 2009-12-29 12:31 .

      dr-xr-xr-x. 150 root root 69632 2010-01-01 16:52 ..

      -rwxr-xr-x.   1 root root 14912 2009-09-24 06:20 libanonymous.so

      -rwxr-xr-x.   1 root root 14912 2009-09-24 06:20 libanonymous.so.2

      -rwxr-xr-x.   1 root root 14912 2009-09-24 06:20 libanonymous.so.2.0.23

      -rwxr-xr-x.   1 root root 17596 2009-09-24 06:20 libcrammd5.so

      -rwxr-xr-x.   1 root root 17596 2009-09-24 06:20 libcrammd5.so.2

      -rwxr-xr-x.   1 root root 17596 2009-09-24 06:20 libcrammd5.so.2.0.23

      -rwxr-xr-x.   1 root root 48032 2009-09-24 06:20 libdigestmd5.so

      -rwxr-xr-x.   1 root root 48032 2009-09-24 06:20 libdigestmd5.so.2

      -rwxr-xr-x.   1 root root 48032 2009-09-24 06:20 libdigestmd5.so.2.0.23

      -rwxr-xr-x.   1 root root 15356 2009-09-24 06:20 liblogin.so

      -rwxr-xr-x.   1 root root 15356 2009-09-24 06:20 liblogin.so.2

      -rwxr-xr-x.   1 root root 15356 2009-09-24 06:20 liblogin.so.2.0.23

      -rwxr-xr-x.   1 root root 15452 2009-09-24 06:20 libplain.so

      -rwxr-xr-x.   1 root root 15452 2009-09-24 06:20 libplain.so.2

      -rwxr-xr-x.   1 root root 15452 2009-09-24 06:20 libplain.so.2.0.23

      -rwxr-xr-x.   1 root root 20872 2009-09-24 06:20 libsasldb.so

      -rwxr-xr-x.   1 root root 20872 2009-09-24 06:20 libsasldb.so.2

      -rwxr-xr-x.   1 root root 20872 2009-09-24 06:20 libsasldb.so.2.0.23

      -rw-r--r--.   1 root root    25 2009-09-16 14:55 Sendmail.conf

      -rw-r--r--.   1 root root   138 2010-01-02 01:22 smtpd.conf


      -- listing of /etc/sasl2 --

      total 16

      drwxr-xr-x.   2 root root  4096 2009-09-24 06:20 .

      drwxr-xr-x. 122 root root 12288 2010-01-01 16:31 ..





      -- content of /usr/lib/sasl/smtpd.conf --

      pwcheck_method: saslauthd

      mech_list: plain login

      saslauthd_version: 2


      -- content of /usr/lib/sasl2/smtpd.conf --

      pwcheck_method: auxprop

      mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

      log_level: 4 



      -- active services in /etc/postfix/master.cf --

      # service type  private unpriv  chroot  wakeup  maxproc command + args

      #               (yes)   (yes)   (yes)   (never) (100)

      52525   inet  n - n - - smtpd -v


      pickup    fifo  n       -       n       60      1       pickup

      cleanup   unix  n       -       n       -       0       cleanup

      qmgr      fifo  n       -       n       300     1       qmgr

      tlsmgr    unix  -       -       n       1000?   1       tlsmgr

      rewrite   unix  -       -       n       -       -       trivial-rewrite

      bounce    unix  -       -       n       -       0       bounce

      defer     unix  -       -       n       -       0       bounce

      trace     unix  -       -       n       -       0       bounce

      verify    unix  -       -       n       -       1       verify

      flush     unix  n       -       n       1000?   0       flush

      proxymap  unix  -       -       n       -       -       proxymap

      proxywrite unix -       -       n       -       1       proxymap

      smtp      unix  -       -       n       -       -       smtp

      relay     unix  -       -       n       -       -       smtp

      -o smtp_fallback_relay=

      showq     unix  n       -       n       -       -       showq

      error     unix  -       -       n       -       -       error

      retry     unix  -       -       n       -       -       error

      discard   unix  -       -       n       -       -       discard

      local     unix  -       n       n       -       -       local

      virtual   unix  -       n       n       -       -       virtual

      lmtp      unix  -       -       n       -       -       lmtp

      anvil     unix  -       -       n       -       1       anvil

      scache    unix  -       -       n       -       1       scache


      -- mechanisms on localhost --


      -- end of saslfinger output --


       

    • Patrick Ben Koetter
      ... Delete /usr/lib/sasl/smtpd.conf. Postfix will not use Cyrus SASL 1.x anymore. ... Add: auxprop_plugin: sasldb ... At a first glance your configuration
      Message 2 of 12 , Jan 2, 2010
      View Source
      • 0 Attachment
        * froinds J <froinds@...>:
        > My problem is: if I allow TLS I cannot authenticate. Without TLS everything
        > works. Here is the output from saslfinger.
        > Thanks for your help.





        >
        > saslfinger - postfix Cyrus sasl configuration Sat Jan 2 02:12:49 EST 2010
        > version: 1.0.2
        > mode: server-side SMTP AUTH
        >
        > -- basics --
        > Postfix: 2.6.5
        > System: Fedora release 12 (Constantine)
        >
        > -- smtpd is linked to --
        > libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00110000)
        >
        > -- active SMTP AUTH and TLS parameters for smtpd --
        > broken_sasl_auth_clients = yes
        > smtpd_sasl_auth_enable = yes
        > smtpd_sasl_authenticated_header = yes
        > smtpd_sasl_local_domain = $myhostname
        > smtpd_sasl_security_options = noanonymous, noplaintext
        > smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
        > smtpd_tls_auth_only = yes
        > smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
        > smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
        > smtpd_tls_loglevel = 3
        > smtpd_tls_received_header = yes
        > smtpd_tls_security_level = encrypt
        > smtpd_tls_session_cache_timeout = 3600s
        >
        >
        > -- listing of /usr/lib/sasl --
        > total 80
        > drwxr-xr-x. 2 root root 4096 2009-12-29 12:31 .
        > dr-xr-xr-x. 150 root root 69632 2010-01-01 16:52 ..
        > -rw-r--r--. 1 root root 70 2009-09-16 09:38 smtpd.conf

        Delete /usr/lib/sasl/smtpd.conf. Postfix will not use Cyrus SASL 1.x anymore.


        > -- listing of /usr/lib/sasl2 --
        > total 504
        > drwxr-xr-x. 2 root root 4096 2009-12-29 12:31 .
        > dr-xr-xr-x. 150 root root 69632 2010-01-01 16:52 ..
        > -rwxr-xr-x. 1 root root 14912 2009-09-24 06:20 libanonymous.so
        > -rwxr-xr-x. 1 root root 14912 2009-09-24 06:20 libanonymous.so.2
        > -rwxr-xr-x. 1 root root 14912 2009-09-24 06:20 libanonymous.so.2.0.23
        > -rwxr-xr-x. 1 root root 17596 2009-09-24 06:20 libcrammd5.so
        > -rwxr-xr-x. 1 root root 17596 2009-09-24 06:20 libcrammd5.so.2
        > -rwxr-xr-x. 1 root root 17596 2009-09-24 06:20 libcrammd5.so.2.0.23
        > -rwxr-xr-x. 1 root root 48032 2009-09-24 06:20 libdigestmd5.so
        > -rwxr-xr-x. 1 root root 48032 2009-09-24 06:20 libdigestmd5.so.2
        > -rwxr-xr-x. 1 root root 48032 2009-09-24 06:20 libdigestmd5.so.2.0.23
        > -rwxr-xr-x. 1 root root 15356 2009-09-24 06:20 liblogin.so
        > -rwxr-xr-x. 1 root root 15356 2009-09-24 06:20 liblogin.so.2
        > -rwxr-xr-x. 1 root root 15356 2009-09-24 06:20 liblogin.so.2.0.23
        > -rwxr-xr-x. 1 root root 15452 2009-09-24 06:20 libplain.so
        > -rwxr-xr-x. 1 root root 15452 2009-09-24 06:20 libplain.so.2
        > -rwxr-xr-x. 1 root root 15452 2009-09-24 06:20 libplain.so.2.0.23
        > -rwxr-xr-x. 1 root root 20872 2009-09-24 06:20 libsasldb.so
        > -rwxr-xr-x. 1 root root 20872 2009-09-24 06:20 libsasldb.so.2
        > -rwxr-xr-x. 1 root root 20872 2009-09-24 06:20 libsasldb.so.2.0.23
        > -rw-r--r--. 1 root root 25 2009-09-16 14:55 Sendmail.conf
        > -rw-r--r--. 1 root root 138 2010-01-02 01:22 smtpd.conf
        >
        > -- listing of /etc/sasl2 --
        > total 16
        > drwxr-xr-x. 2 root root 4096 2009-09-24 06:20 .
        > drwxr-xr-x. 122 root root 12288 2010-01-01 16:31 ..
        >
        >
        > -- content of /usr/lib/sasl2/smtpd.conf --
        > pwcheck_method: auxprop

        Add:

        auxprop_plugin: sasldb

        > mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
        > log_level: 4



        > -- active services in /etc/postfix/master.cf --
        > # service type private unpriv chroot wakeup maxproc command + args
        > # (yes) (yes) (yes) (never) (100)
        > 52525 inet n - n - - smtpd -v

        At a first glance your configuration looks sane. Maybe your problem is not
        SASL, but TLS. You are running smtpd verbose. What does the log say about errors?


        > pickup fifo n - n 60 1 pickup
        > cleanup unix n - n - 0 cleanup
        > qmgr fifo n - n 300 1 qmgr
        > tlsmgr unix - - n 1000? 1 tlsmgr
        > rewrite unix - - n - - trivial-rewrite
        > bounce unix - - n - 0 bounce
        > defer unix - - n - 0 bounce
        > trace unix - - n - 0 bounce
        > verify unix - - n - 1 verify
        > flush unix n - n 1000? 0 flush
        > proxymap unix - - n - - proxymap
        > proxywrite unix - - n - 1 proxymap
        > smtp unix - - n - - smtp
        > relay unix - - n - - smtp
        > -o smtp_fallback_relay=
        > showq unix n - n - - showq
        > error unix - - n - - error
        > retry unix - - n - - error
        > discard unix - - n - - discard
        > local unix - n n - - local
        > virtual unix - n n - - virtual
        > lmtp unix - - n - - lmtp
        > anvil unix - - n - 1 anvil
        > scache unix - - n - 1 scache
        >
        >
        > -- mechanisms on localhost --
        >
        >
        > -- end of saslfinger output --

        --
        All technical questions asked privately will be automatically answered on the
        list and archived for public access unless privacy is explicitely required and
        justified.

        saslfinger (debugging SMTP AUTH):
        <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
      • froinds J
        I made the changes you suggested and still can t authenticate. Here is the log from maillog. Thanks Jan 2 10:14:41 fedora postfix/smtpd[17435]: connection
        Message 3 of 12 , Jan 2, 2010
        View Source
        • 0 Attachment
          I made the changes you suggested and still can't authenticate.
          Here is the log from maillog. Thanks

          Jan  2 10:14:41 fedora postfix/smtpd[17435]: connection established

          Jan  2 10:14:41 fedora postfix/smtpd[17435]: master_notify: status 0

          Jan  2 10:14:41 fedora postfix/smtpd[17435]: name_mask: resource

          Jan  2 10:14:41 fedora postfix/smtpd[17435]: name_mask: software

          Jan  2 10:14:41 fedora postfix/smtpd[17435]: connect from adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]

          Jan  2 10:14:41 fedora postfix/smtpd[17435]: match_list_match: adsl-012-034-567-890.sip.my.isp.net : no match

          Jan  2 10:14:41 fedora postfix/smtpd[17435]: match_list_match: 12.34.56.78: no match

          Jan  2 10:14:41 fedora postfix/smtpd[17435]: match_list_match: adsl-012-034-567-890.sip.my.isp.net : no match

          Jan  2 10:14:41 fedora postfix/smtpd[17435]: match_list_match: 12.34.56.78: no match

          Jan  2 10:14:41 fedora postfix/smtpd[17435]: match_hostname: adsl-012-034-567-890.sip.my.isp.net ~? 192.168.1.0/28

          Jan  2 10:14:41 fedora postfix/smtpd[17435]: match_hostaddr: 12.34.56.78 ~? 192.168.1.0/28

          Jan  2 10:14:41 fedora postfix/smtpd[17435]: match_hostname: adsl-012-034-567-890.sip.my.isp.net ~? 127.0.0.0/8

          Jan  2 10:14:41 fedora postfix/smtpd[17435]: match_hostaddr: 12.34.56.78 ~? 127.0.0.0/8

          Jan  2 10:14:41 fedora postfix/smtpd[17435]: match_hostname: adsl-012-034-567-890.sip.my.isp.net ~? 12.34.56.78

          Jan  2 10:14:41 fedora postfix/smtpd[17435]: match_hostaddr: 12.34.56.78 ~? 12.34.56.78

          Jan  2 10:14:41 fedora postfix/smtpd[17435]: >>> START Client host RESTRICTIONS <<<

          Jan  2 10:14:41 fedora postfix/smtpd[17435]: generic_checks: name=permit_mynetworks

          Jan  2 10:14:41 fedora postfix/smtpd[17435]: permit_mynetworks: adsl-012-034-567-890.sip.my.isp.net 12.34.56.78

          Jan  2 10:14:41 fedora postfix/smtpd[17435]: match_hostname: adsl-012-034-567-890.sip.my.isp.net ~? 192.168.1.0/28

          Jan  2 10:14:41 fedora postfix/smtpd[17435]: match_hostaddr: 12.34.56.78 ~? 192.168.1.0/28

          Jan  2 10:14:41 fedora postfix/smtpd[17435]: match_hostname: adsl-012-034-567-890.sip.my.isp.net ~? 127.0.0.0/8

          Jan  2 10:14:41 fedora postfix/smtpd[17435]: match_hostaddr: 12.34.56.78 ~? 127.0.0.0/8

          Jan  2 10:14:41 fedora postfix/smtpd[17435]: match_hostname: adsl-012-034-567-890.sip.my.isp.net ~? 12.34.56.78

          Jan  2 10:14:41 fedora postfix/smtpd[17435]: match_hostaddr: 12.34.56.78 ~? 12.34.56.78

          Jan  2 10:14:41 fedora postfix/smtpd[17435]: generic_checks: name=permit_mynetworks status=1

          Jan  2 10:14:41 fedora postfix/smtpd[17435]: > adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]: 220 myDomName.com ESMTP Postfix

          Jan  2 10:14:42 fedora postfix/smtpd[17435]: < adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]: EHLO [192.168.0.105]

          Jan  2 10:14:42 fedora postfix/smtpd[17435]: >>> START Helo command RESTRICTIONS <<<

          Jan  2 10:14:42 fedora postfix/smtpd[17435]: generic_checks: name=reject_invalid_hostname

          Jan  2 10:14:42 fedora postfix/smtpd[17435]: reject_invalid_hostaddr: [192.168.0.105]

          Jan  2 10:14:42 fedora postfix/smtpd[17435]: generic_checks: name=reject_invalid_hostname status=0

          Jan  2 10:14:42 fedora postfix/smtpd[17435]: >>> END Helo command RESTRICTIONS <<<

          Jan  2 10:14:42 fedora postfix/smtpd[17435]: > adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]: 250-myDomName.com

          Jan  2 10:14:42 fedora postfix/smtpd[17435]: > adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]: 250-PIPELINING

          Jan  2 10:14:42 fedora postfix/smtpd[17435]: > adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]: 250-SIZE 10240000

          Jan  2 10:14:42 fedora postfix/smtpd[17435]: > adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]: 250-VRFY

          Jan  2 10:14:42 fedora postfix/smtpd[17435]: > adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]: 250-ETRN

          Jan  2 10:14:42 fedora postfix/smtpd[17435]: match_list_match: adsl-012-034-567-890.sip.my.isp.net : no match

          Jan  2 10:14:42 fedora postfix/smtpd[17435]: match_list_match: 12.34.56.78: no match

          Jan  2 10:14:42 fedora postfix/smtpd[17435]: > adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]: 250-STARTTLS

          Jan  2 10:14:42 fedora postfix/smtpd[17435]: > adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]: 250-ENHANCEDSTATUSCODES

          Jan  2 10:14:42 fedora postfix/smtpd[17435]: > adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]: 250-8BITMIME

          Jan  2 10:14:42 fedora postfix/smtpd[17435]: > adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]: 250 DSN

          Jan  2 10:14:42 fedora postfix/smtpd[17435]: smtp_get: EOF

          Jan  2 10:14:42 fedora postfix/smtpd[17435]: match_hostname: adsl-012-034-567-890.sip.my.isp.net ~? 192.168.1.0/28

          Jan  2 10:14:42 fedora postfix/smtpd[17435]: match_hostaddr: 12.34.56.78 ~? 192.168.1.0/28

          Jan  2 10:14:42 fedora postfix/smtpd[17435]: match_hostname: adsl-012-034-567-890.sip.my.isp.net ~? 127.0.0.0/8

          Jan  2 10:14:42 fedora postfix/smtpd[17435]: match_hostaddr: 12.34.56.78 ~? 127.0.0.0/8

          Jan  2 10:14:42 fedora postfix/smtpd[17435]: match_hostname: adsl-012-034-567-890.sip.my.isp.net ~? 12.34.56.78

          Jan  2 10:14:42 fedora postfix/smtpd[17435]: match_hostaddr: 12.34.56.78 ~? 12.34.56.78

          Jan  2 10:14:42 fedora postfix/smtpd[17435]: lost connection after EHLO from adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]

          Jan  2 10:14:42 fedora postfix/smtpd[17435]: disconnect from adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]

          Jan  2 10:14:42 fedora postfix/smtpd[17435]: master_notify: status 1

          Jan  2 10:14:42 fedora postfix/smtpd[17435]: connection closed





          On Sat, Jan 2, 2010 at 3:50 AM, Patrick Ben Koetter <p@...> wrote:
          * froinds J <froinds@...>:
          > My problem is: if I allow TLS I cannot authenticate. Without TLS everything
          > works. Here is the output from saslfinger.
          > Thanks for your help.





          >
          > saslfinger - postfix Cyrus sasl configuration Sat Jan  2 02:12:49 EST 2010
          > version: 1.0.2
          > mode: server-side SMTP AUTH
          >
          > -- basics --
          > Postfix: 2.6.5
          > System: Fedora release 12 (Constantine)
          >
          > -- smtpd is linked to --
          > libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00110000)
          >
          > -- active SMTP AUTH and TLS parameters for smtpd --
          > broken_sasl_auth_clients = yes
          > smtpd_sasl_auth_enable = yes
          > smtpd_sasl_authenticated_header = yes
          > smtpd_sasl_local_domain = $myhostname
          > smtpd_sasl_security_options = noanonymous, noplaintext
          > smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
          > smtpd_tls_auth_only = yes
          > smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
          > smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
          > smtpd_tls_loglevel = 3
          > smtpd_tls_received_header = yes
          > smtpd_tls_security_level = encrypt
          > smtpd_tls_session_cache_timeout = 3600s
          >
          >
          > -- listing of /usr/lib/sasl --
          > total 80
          > drwxr-xr-x.   2 root root  4096 2009-12-29 12:31 .
          > dr-xr-xr-x. 150 root root 69632 2010-01-01 16:52 ..
          > -rw-r--r--.   1 root root    70 2009-09-16 09:38 smtpd.conf

          Delete /usr/lib/sasl/smtpd.conf. Postfix will not use Cyrus SASL 1.x anymore.


          > -- listing of /usr/lib/sasl2 --
          > total 504
          > drwxr-xr-x.   2 root root  4096 2009-12-29 12:31 .
          > dr-xr-xr-x. 150 root root 69632 2010-01-01 16:52 ..
          > -rwxr-xr-x.   1 root root 14912 2009-09-24 06:20 libanonymous.so
          > -rwxr-xr-x.   1 root root 14912 2009-09-24 06:20 libanonymous.so.2
          > -rwxr-xr-x.   1 root root 14912 2009-09-24 06:20 libanonymous.so.2.0.23
          > -rwxr-xr-x.   1 root root 17596 2009-09-24 06:20 libcrammd5.so
          > -rwxr-xr-x.   1 root root 17596 2009-09-24 06:20 libcrammd5.so.2
          > -rwxr-xr-x.   1 root root 17596 2009-09-24 06:20 libcrammd5.so.2.0.23
          > -rwxr-xr-x.   1 root root 48032 2009-09-24 06:20 libdigestmd5.so
          > -rwxr-xr-x.   1 root root 48032 2009-09-24 06:20 libdigestmd5.so.2
          > -rwxr-xr-x.   1 root root 48032 2009-09-24 06:20 libdigestmd5.so.2.0.23
          > -rwxr-xr-x.   1 root root 15356 2009-09-24 06:20 liblogin.so
          > -rwxr-xr-x.   1 root root 15356 2009-09-24 06:20 liblogin.so.2
          > -rwxr-xr-x.   1 root root 15356 2009-09-24 06:20 liblogin.so.2.0.23
          > -rwxr-xr-x.   1 root root 15452 2009-09-24 06:20 libplain.so
          > -rwxr-xr-x.   1 root root 15452 2009-09-24 06:20 libplain.so.2
          > -rwxr-xr-x.   1 root root 15452 2009-09-24 06:20 libplain.so.2.0.23
          > -rwxr-xr-x.   1 root root 20872 2009-09-24 06:20 libsasldb.so
          > -rwxr-xr-x.   1 root root 20872 2009-09-24 06:20 libsasldb.so.2
          > -rwxr-xr-x.   1 root root 20872 2009-09-24 06:20 libsasldb.so.2.0.23
          > -rw-r--r--.   1 root root    25 2009-09-16 14:55 Sendmail.conf
          > -rw-r--r--.   1 root root   138 2010-01-02 01:22 smtpd.conf
          >
          > -- listing of /etc/sasl2 --
          > total 16
          > drwxr-xr-x.   2 root root  4096 2009-09-24 06:20 .
          > drwxr-xr-x. 122 root root 12288 2010-01-01 16:31 ..
          >
          >
          > -- content of /usr/lib/sasl2/smtpd.conf --
          > pwcheck_method: auxprop

          Add:

          auxprop_plugin: sasldb

          > mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
          > log_level: 4



          > -- active services in /etc/postfix/master.cf --
          > # service type  private unpriv  chroot  wakeup  maxproc command + args
          > #               (yes)   (yes)   (yes)   (never) (100)
          > 52525   inet  n - n - - smtpd -v

          At a first glance your configuration looks sane. Maybe your problem is not
          SASL, but TLS. You are running smtpd verbose. What does the log say about errors?


          > pickup    fifo  n       -       n       60      1       pickup
          > cleanup   unix  n       -       n       -       0       cleanup
          > qmgr      fifo  n       -       n       300     1       qmgr
          > tlsmgr    unix  -       -       n       1000?   1       tlsmgr
          > rewrite   unix  -       -       n       -       -       trivial-rewrite
          > bounce    unix  -       -       n       -       0       bounce
          > defer     unix  -       -       n       -       0       bounce
          > trace     unix  -       -       n       -       0       bounce
          > verify    unix  -       -       n       -       1       verify
          > flush     unix  n       -       n       1000?   0       flush
          > proxymap  unix  -       -       n       -       -       proxymap
          > proxywrite unix -       -       n       -       1       proxymap
          > smtp      unix  -       -       n       -       -       smtp
          > relay     unix  -       -       n       -       -       smtp
          > -o smtp_fallback_relay=
          > showq     unix  n       -       n       -       -       showq
          > error     unix  -       -       n       -       -       error
          > retry     unix  -       -       n       -       -       error
          > discard   unix  -       -       n       -       -       discard
          > local     unix  -       n       n       -       -       local
          > virtual   unix  -       n       n       -       -       virtual
          > lmtp      unix  -       -       n       -       -       lmtp
          > anvil     unix  -       -       n       -       1       anvil
          > scache    unix  -       -       n       -       1       scache
          >
          >
          > -- mechanisms on localhost --
          >
          >
          > -- end of saslfinger output --

          --
          All technical questions asked privately will be automatically answered on the
          list and archived for public access unless privacy is explicitely required and
          justified.

          saslfinger (debugging SMTP AUTH):
          <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>

        • Patrick Ben Koetter
          ... You client does not start a TLS session. p@rick ... -- All technical questions asked privately will be automatically answered on the list and archived for
          Message 4 of 12 , Jan 2, 2010
          View Source
          • 0 Attachment
            * froinds J <froinds@...>:
            > I made the changes you suggested and still can't authenticate.
            > Here is the log from maillog. Thanks

            You client does not start a TLS session.

            p@rick



            >
            > Jan 2 10:14:41 fedora postfix/smtpd[17435]: connection established
            >
            > Jan 2 10:14:41 fedora postfix/smtpd[17435]: master_notify: status 0
            >
            > Jan 2 10:14:41 fedora postfix/smtpd[17435]: name_mask: resource
            >
            > Jan 2 10:14:41 fedora postfix/smtpd[17435]: name_mask: software
            >
            > Jan 2 10:14:41 fedora postfix/smtpd[17435]: connect from
            > adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]
            >
            > Jan 2 10:14:41 fedora postfix/smtpd[17435]: match_list_match:
            > adsl-012-034-567-890.sip.my.isp.net : no match
            >
            > Jan 2 10:14:41 fedora postfix/smtpd[17435]: match_list_match: 12.34.56.78:
            > no match
            >
            > Jan 2 10:14:41 fedora postfix/smtpd[17435]: match_list_match:
            > adsl-012-034-567-890.sip.my.isp.net : no match
            >
            > Jan 2 10:14:41 fedora postfix/smtpd[17435]: match_list_match: 12.34.56.78:
            > no match
            >
            > Jan 2 10:14:41 fedora postfix/smtpd[17435]: match_hostname:
            > adsl-012-034-567-890.sip.my.isp.net ~? 192.168.1.0/28
            >
            > Jan 2 10:14:41 fedora postfix/smtpd[17435]: match_hostaddr: 12.34.56.78 ~?
            > 192.168.1.0/28
            >
            > Jan 2 10:14:41 fedora postfix/smtpd[17435]: match_hostname:
            > adsl-012-034-567-890.sip.my.isp.net ~? 127.0.0.0/8
            >
            > Jan 2 10:14:41 fedora postfix/smtpd[17435]: match_hostaddr: 12.34.56.78 ~?
            > 127.0.0.0/8
            >
            > Jan 2 10:14:41 fedora postfix/smtpd[17435]: match_hostname:
            > adsl-012-034-567-890.sip.my.isp.net ~? 12.34.56.78
            >
            > Jan 2 10:14:41 fedora postfix/smtpd[17435]: match_hostaddr: 12.34.56.78 ~?
            > 12.34.56.78
            >
            > Jan 2 10:14:41 fedora postfix/smtpd[17435]: >>> START Client host
            > RESTRICTIONS <<<
            >
            > Jan 2 10:14:41 fedora postfix/smtpd[17435]: generic_checks:
            > name=permit_mynetworks
            >
            > Jan 2 10:14:41 fedora postfix/smtpd[17435]: permit_mynetworks:
            > adsl-012-034-567-890.sip.my.isp.net 12.34.56.78
            >
            > Jan 2 10:14:41 fedora postfix/smtpd[17435]: match_hostname:
            > adsl-012-034-567-890.sip.my.isp.net ~? 192.168.1.0/28
            >
            > Jan 2 10:14:41 fedora postfix/smtpd[17435]: match_hostaddr: 12.34.56.78 ~?
            > 192.168.1.0/28
            >
            > Jan 2 10:14:41 fedora postfix/smtpd[17435]: match_hostname:
            > adsl-012-034-567-890.sip.my.isp.net ~? 127.0.0.0/8
            >
            > Jan 2 10:14:41 fedora postfix/smtpd[17435]: match_hostaddr: 12.34.56.78 ~?
            > 127.0.0.0/8
            >
            > Jan 2 10:14:41 fedora postfix/smtpd[17435]: match_hostname:
            > adsl-012-034-567-890.sip.my.isp.net ~? 12.34.56.78
            >
            > Jan 2 10:14:41 fedora postfix/smtpd[17435]: match_hostaddr: 12.34.56.78 ~?
            > 12.34.56.78
            >
            > Jan 2 10:14:41 fedora postfix/smtpd[17435]: generic_checks:
            > name=permit_mynetworks status=1
            >
            > Jan 2 10:14:41 fedora postfix/smtpd[17435]: >
            > adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]: 220 myDomName.com ESMTP
            > Postfix
            >
            > Jan 2 10:14:42 fedora postfix/smtpd[17435]: <
            > adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]: EHLO [192.168.0.105]
            >
            > Jan 2 10:14:42 fedora postfix/smtpd[17435]: >>> START Helo command
            > RESTRICTIONS <<<
            >
            > Jan 2 10:14:42 fedora postfix/smtpd[17435]: generic_checks:
            > name=reject_invalid_hostname
            >
            > Jan 2 10:14:42 fedora postfix/smtpd[17435]: reject_invalid_hostaddr:
            > [192.168.0.105]
            >
            > Jan 2 10:14:42 fedora postfix/smtpd[17435]: generic_checks:
            > name=reject_invalid_hostname status=0
            >
            > Jan 2 10:14:42 fedora postfix/smtpd[17435]: >>> END Helo command
            > RESTRICTIONS <<<
            >
            > Jan 2 10:14:42 fedora postfix/smtpd[17435]: >
            > adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]: 250-myDomName.com
            >
            > Jan 2 10:14:42 fedora postfix/smtpd[17435]: >
            > adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]: 250-PIPELINING
            >
            > Jan 2 10:14:42 fedora postfix/smtpd[17435]: >
            > adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]: 250-SIZE 10240000
            >
            > Jan 2 10:14:42 fedora postfix/smtpd[17435]: >
            > adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]: 250-VRFY
            >
            > Jan 2 10:14:42 fedora postfix/smtpd[17435]: >
            > adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]: 250-ETRN
            >
            > Jan 2 10:14:42 fedora postfix/smtpd[17435]: match_list_match:
            > adsl-012-034-567-890.sip.my.isp.net : no match
            >
            > Jan 2 10:14:42 fedora postfix/smtpd[17435]: match_list_match: 12.34.56.78:
            > no match
            >
            > Jan 2 10:14:42 fedora postfix/smtpd[17435]: >
            > adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]: 250-STARTTLS
            >
            > Jan 2 10:14:42 fedora postfix/smtpd[17435]: >
            > adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]: 250-ENHANCEDSTATUSCODES
            >
            > Jan 2 10:14:42 fedora postfix/smtpd[17435]: >
            > adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]: 250-8BITMIME
            >
            > Jan 2 10:14:42 fedora postfix/smtpd[17435]: >
            > adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]: 250 DSN
            >
            > Jan 2 10:14:42 fedora postfix/smtpd[17435]: smtp_get: EOF
            >
            > Jan 2 10:14:42 fedora postfix/smtpd[17435]: match_hostname:
            > adsl-012-034-567-890.sip.my.isp.net ~? 192.168.1.0/28
            >
            > Jan 2 10:14:42 fedora postfix/smtpd[17435]: match_hostaddr: 12.34.56.78 ~?
            > 192.168.1.0/28
            >
            > Jan 2 10:14:42 fedora postfix/smtpd[17435]: match_hostname:
            > adsl-012-034-567-890.sip.my.isp.net ~? 127.0.0.0/8
            >
            > Jan 2 10:14:42 fedora postfix/smtpd[17435]: match_hostaddr: 12.34.56.78 ~?
            > 127.0.0.0/8
            >
            > Jan 2 10:14:42 fedora postfix/smtpd[17435]: match_hostname:
            > adsl-012-034-567-890.sip.my.isp.net ~? 12.34.56.78
            >
            > Jan 2 10:14:42 fedora postfix/smtpd[17435]: match_hostaddr: 12.34.56.78 ~?
            > 12.34.56.78
            >
            > Jan 2 10:14:42 fedora postfix/smtpd[17435]: lost connection after EHLO from
            > adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]
            >
            > Jan 2 10:14:42 fedora postfix/smtpd[17435]: disconnect from
            > adsl-012-034-567-890.sip.my.isp.net [12.34.56.78]
            >
            > Jan 2 10:14:42 fedora postfix/smtpd[17435]: master_notify: status 1
            >
            > Jan 2 10:14:42 fedora postfix/smtpd[17435]: connection closed
            >
            >
            >
            >
            > On Sat, Jan 2, 2010 at 3:50 AM, Patrick Ben Koetter <p@...>wrote:
            >
            > > * froinds J <froinds@...>:
            > > > My problem is: if I allow TLS I cannot authenticate. Without TLS
            > > everything
            > > > works. Here is the output from saslfinger.
            > > > Thanks for your help.
            > >
            > >
            > >
            > >
            > >
            > > >
            > > > saslfinger - postfix Cyrus sasl configuration Sat Jan 2 02:12:49 EST
            > > 2010
            > > > version: 1.0.2
            > > > mode: server-side SMTP AUTH
            > > >
            > > > -- basics --
            > > > Postfix: 2.6.5
            > > > System: Fedora release 12 (Constantine)
            > > >
            > > > -- smtpd is linked to --
            > > > libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00110000)
            > > >
            > > > -- active SMTP AUTH and TLS parameters for smtpd --
            > > > broken_sasl_auth_clients = yes
            > > > smtpd_sasl_auth_enable = yes
            > > > smtpd_sasl_authenticated_header = yes
            > > > smtpd_sasl_local_domain = $myhostname
            > > > smtpd_sasl_security_options = noanonymous, noplaintext
            > > > smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
            > > > smtpd_tls_auth_only = yes
            > > > smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
            > > > smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
            > > > smtpd_tls_loglevel = 3
            > > > smtpd_tls_received_header = yes
            > > > smtpd_tls_security_level = encrypt
            > > > smtpd_tls_session_cache_timeout = 3600s
            > > >
            > > >
            > > > -- listing of /usr/lib/sasl --
            > > > total 80
            > > > drwxr-xr-x. 2 root root 4096 2009-12-29 12:31 .
            > > > dr-xr-xr-x. 150 root root 69632 2010-01-01 16:52 ..
            > > > -rw-r--r--. 1 root root 70 2009-09-16 09:38 smtpd.conf
            > >
            > > Delete /usr/lib/sasl/smtpd.conf. Postfix will not use Cyrus SASL 1.x
            > > anymore.
            > >
            > >
            > > > -- listing of /usr/lib/sasl2 --
            > > > total 504
            > > > drwxr-xr-x. 2 root root 4096 2009-12-29 12:31 .
            > > > dr-xr-xr-x. 150 root root 69632 2010-01-01 16:52 ..
            > > > -rwxr-xr-x. 1 root root 14912 2009-09-24 06:20 libanonymous.so
            > > > -rwxr-xr-x. 1 root root 14912 2009-09-24 06:20 libanonymous.so.2
            > > > -rwxr-xr-x. 1 root root 14912 2009-09-24 06:20 libanonymous.so.2.0.23
            > > > -rwxr-xr-x. 1 root root 17596 2009-09-24 06:20 libcrammd5.so
            > > > -rwxr-xr-x. 1 root root 17596 2009-09-24 06:20 libcrammd5.so.2
            > > > -rwxr-xr-x. 1 root root 17596 2009-09-24 06:20 libcrammd5.so.2.0.23
            > > > -rwxr-xr-x. 1 root root 48032 2009-09-24 06:20 libdigestmd5.so
            > > > -rwxr-xr-x. 1 root root 48032 2009-09-24 06:20 libdigestmd5.so.2
            > > > -rwxr-xr-x. 1 root root 48032 2009-09-24 06:20 libdigestmd5.so.2.0.23
            > > > -rwxr-xr-x. 1 root root 15356 2009-09-24 06:20 liblogin.so
            > > > -rwxr-xr-x. 1 root root 15356 2009-09-24 06:20 liblogin.so.2
            > > > -rwxr-xr-x. 1 root root 15356 2009-09-24 06:20 liblogin.so.2.0.23
            > > > -rwxr-xr-x. 1 root root 15452 2009-09-24 06:20 libplain.so
            > > > -rwxr-xr-x. 1 root root 15452 2009-09-24 06:20 libplain.so.2
            > > > -rwxr-xr-x. 1 root root 15452 2009-09-24 06:20 libplain.so.2.0.23
            > > > -rwxr-xr-x. 1 root root 20872 2009-09-24 06:20 libsasldb.so
            > > > -rwxr-xr-x. 1 root root 20872 2009-09-24 06:20 libsasldb.so.2
            > > > -rwxr-xr-x. 1 root root 20872 2009-09-24 06:20 libsasldb.so.2.0.23
            > > > -rw-r--r--. 1 root root 25 2009-09-16 14:55 Sendmail.conf
            > > > -rw-r--r--. 1 root root 138 2010-01-02 01:22 smtpd.conf
            > > >
            > > > -- listing of /etc/sasl2 --
            > > > total 16
            > > > drwxr-xr-x. 2 root root 4096 2009-09-24 06:20 .
            > > > drwxr-xr-x. 122 root root 12288 2010-01-01 16:31 ..
            > > >
            > > >
            > > > -- content of /usr/lib/sasl2/smtpd.conf --
            > > > pwcheck_method: auxprop
            > >
            > > Add:
            > >
            > > auxprop_plugin: sasldb
            > >
            > > > mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
            > > > log_level: 4
            > >
            > >
            > >
            > > > -- active services in /etc/postfix/master.cf --
            > > > # service type private unpriv chroot wakeup maxproc command + args
            > > > # (yes) (yes) (yes) (never) (100)
            > > > 52525 inet n - n - - smtpd -v
            > >
            > > At a first glance your configuration looks sane. Maybe your problem is not
            > > SASL, but TLS. You are running smtpd verbose. What does the log say about
            > > errors?
            > >
            > >
            > > > pickup fifo n - n 60 1 pickup
            > > > cleanup unix n - n - 0 cleanup
            > > > qmgr fifo n - n 300 1 qmgr
            > > > tlsmgr unix - - n 1000? 1 tlsmgr
            > > > rewrite unix - - n - - trivial-rewrite
            > > > bounce unix - - n - 0 bounce
            > > > defer unix - - n - 0 bounce
            > > > trace unix - - n - 0 bounce
            > > > verify unix - - n - 1 verify
            > > > flush unix n - n 1000? 0 flush
            > > > proxymap unix - - n - - proxymap
            > > > proxywrite unix - - n - 1 proxymap
            > > > smtp unix - - n - - smtp
            > > > relay unix - - n - - smtp
            > > > -o smtp_fallback_relay=
            > > > showq unix n - n - - showq
            > > > error unix - - n - - error
            > > > retry unix - - n - - error
            > > > discard unix - - n - - discard
            > > > local unix - n n - - local
            > > > virtual unix - n n - - virtual
            > > > lmtp unix - - n - - lmtp
            > > > anvil unix - - n - 1 anvil
            > > > scache unix - - n - 1 scache
            > > >
            > > >
            > > > -- mechanisms on localhost --
            > > >
            > > >
            > > > -- end of saslfinger output --
            > >
            > > --
            > > All technical questions asked privately will be automatically answered on
            > > the
            > > list and archived for public access unless privacy is explicitely required
            > > and
            > > justified.
            > >
            > > saslfinger (debugging SMTP AUTH):
            > > <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
            > >

            --
            All technical questions asked privately will be automatically answered on the
            list and archived for public access unless privacy is explicitely required and
            justified.

            saslfinger (debugging SMTP AUTH):
            <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
          • froinds J
            Oops! I forgot to check SSL. My client now seems to start a TLS session and still nothing. Here is the log with the SSL error. Thanks. Jan 2 13:02:11 fedora
            Message 5 of 12 , Jan 2, 2010
            View Source
            • 0 Attachment
              Oops! I forgot to check SSL.
              My client now seems to start a TLS session and still nothing. Here is the log with the SSL error.
              Thanks.

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: connection established

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: master_notify: status 0

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: name_mask: resource

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: name_mask: software

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: connect from adsl-012-034-567-890.sip.myisp.net[12.34.56.78]

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: match_list_match: adsl-012-034-567-890.sip.myisp.net: no match

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: match_list_match: 12.34.56.78: no match

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: match_list_match: adsl-012-034-567-890.sip.myisp.net: no match

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: match_list_match: 12.34.56.78: no match

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: match_hostname: adsl-012-034-567-890.sip.myisp.net ~? 192.168.1.0/28

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: match_hostaddr: 12.34.56.78 ~? 192.168.1.0/28

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: match_hostname: adsl-012-034-567-890.sip.myisp.net ~? 127.0.0.0/8

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: match_hostaddr: 12.34.56.78 ~? 127.0.0.0/8

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: match_hostname: adsl-012-034-567-890.sip.myisp.net ~? 12.34.56.78

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: match_hostaddr: 12.34.56.78 ~? 12.34.56.78

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: >>> START Client host RESTRICTIONS <<<

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: generic_checks: name=permit_mynetworks

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: permit_mynetworks: adsl-012-034-567-890.sip.myisp.net 12.34.56.78

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: match_hostname: adsl-012-034-567-890.sip.myisp.net ~? 192.168.1.0/28

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: match_hostaddr: 12.34.56.78 ~? 192.168.1.0/28

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: match_hostname: adsl-012-034-567-890.sip.myisp.net ~? 127.0.0.0/8

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: match_hostaddr: 12.34.56.78 ~? 127.0.0.0/8

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: match_hostname: adsl-012-034-567-890.sip.myisp.net ~? 12.34.56.78

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: match_hostaddr: 12.34.56.78 ~? 12.34.56.78

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: generic_checks: name=permit_mynetworks status=1

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: > adsl-012-034-567-890.sip.myisp.net[12.34.56.78]: 220 myDomName.com ESMTP Postfix

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: < adsl-012-034-567-890.sip.myisp.net[12.34.56.78]: EHLO [192.168.0.105]

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: >>> START Helo command RESTRICTIONS <<<

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: generic_checks: name=reject_invalid_hostname

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: reject_invalid_hostaddr: [192.168.0.105]

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: generic_checks: name=reject_invalid_hostname status=0

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: >>> END Helo command RESTRICTIONS <<<

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: > adsl-012-034-567-890.sip.myisp.net[12.34.56.78]: 250-myDomName.com

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: > adsl-012-034-567-890.sip.myisp.net[12.34.56.78]: 250-PIPELINING

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: > adsl-012-034-567-890.sip.myisp.net[12.34.56.78]: 250-SIZE 10240000

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: > adsl-012-034-567-890.sip.myisp.net[12.34.56.78]: 250-VRFY

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: > adsl-012-034-567-890.sip.myisp.net[12.34.56.78]: 250-ETRN

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: match_list_match: adsl-012-034-567-890.sip.myisp.net: no match

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: match_list_match: 12.34.56.78: no match

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: > adsl-012-034-567-890.sip.myisp.net[12.34.56.78]: 250-STARTTLS

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: > adsl-012-034-567-890.sip.myisp.net[12.34.56.78]: 250-ENHANCEDSTATUSCODES

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: > adsl-012-034-567-890.sip.myisp.net[12.34.56.78]: 250-8BITMIME

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: > adsl-012-034-567-890.sip.myisp.net[12.34.56.78]: 250 DSN

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: < adsl-012-034-567-890.sip.myisp.net[12.34.56.78]: STARTTLS

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: > adsl-012-034-567-890.sip.myisp.net[12.34.56.78]: 220 2.0.0 Ready to start TLS

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: setting up TLS connection from adsl-012-034-567-890.sip.myisp.net[12.34.56.78]

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: adsl-012-034-567-890.sip.myisp.net[12.34.56.78]: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH"

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: auto_clnt_open: connected to private/tlsmgr

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: send attr request = seed

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: send attr size = 32

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: private/tlsmgr: wanted attribute: status

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: input attribute name: status

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: input attribute value: 0

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: private/tlsmgr: wanted attribute: seed

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: input attribute name: seed

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: input attribute value: 04iDdMchtEcMhHMPlZE1PnA4hFVBivxAgufuUinTYeM=

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: private/tlsmgr: wanted attribute: (list terminator)

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: input attribute name: (end)

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: SSL_accept:before/accept initialization

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: read from 02269768 [0227E418] (11 bytes => -1 (0xFFFFFFFF))

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: read from 02269768 [0227E418] (11 bytes => 11 (0xB))

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: 0000 16 03 01 00 9d 01 00 00|99 03 01                 ........ ...

              …….

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: 0090 19 00 0b 00 02 01                                ......

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: 0096 - <SPACES/NULLS>

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: SSL_accept:SSLv3 read client hello B

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: SSL_accept:SSLv3 write server hello A

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: SSL_accept:SSLv3 write certificate A

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: SSL_accept:SSLv3 write server done A

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: write to 02269768 [0227AAB0] (756 bytes => 756 (0x2F4))

              …… 

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: 02e0 0f 67 ef 48 36 a9 7b 92|5c be b2 16 03 01 00 04  .g.H6.{. \.......

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: 02f0 0e                                               .

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: 02f1 - <SPACES/NULLS>

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: SSL_accept:SSLv3 flush data

              Jan  2 13:02:11 fedora postfix/smtpd[20531]: read from 02269768 [0227E41B] (5 bytes => -1 (0xFFFFFFFF))

              Jan  2 13:02:12 fedora postfix/smtpd[20531]: SSL_accept error from adsl-012-034-567-890.sip.myisp.net[12.34.56.78]: -1

              Jan  2 13:02:12 fedora postfix/smtpd[20531]: match_hostname: adsl-012-034-567-890.sip.myisp.net ~? 192.168.1.0/28

              Jan  2 13:02:12 fedora postfix/smtpd[20531]: match_hostaddr: 12.34.56.78 ~? 192.168.1.0/28

              Jan  2 13:02:12 fedora postfix/smtpd[20531]: match_hostname: adsl-012-034-567-890.sip.myisp.net ~? 127.0.0.0/8

              Jan  2 13:02:12 fedora postfix/smtpd[20531]: match_hostaddr: 12.34.56.78 ~? 127.0.0.0/8

              Jan  2 13:02:12 fedora postfix/smtpd[20531]: match_hostname: adsl-012-034-567-890.sip.myisp.net ~? 12.34.56.78

              Jan  2 13:02:12 fedora postfix/smtpd[20531]: match_hostaddr: 12.34.56.78 ~? 12.34.56.78

              Jan  2 13:02:12 fedora postfix/smtpd[20531]: lost connection after STARTTLS from adsl-012-034-567-890.sip.myisp.net[12.34.56.78]

              Jan  2 13:02:12 fedora postfix/smtpd[20531]: disconnect from adsl-012-034-567-890.sip.myisp.net[12.34.56.78]

              Jan  2 13:02:12 fedora postfix/smtpd[20531]: master_notify: status 1

              Jan  2 13:02:12 fedora postfix/smtpd[20531]: connection closed


            • Patrick Ben Koetter
              ... TLS log. My favourite waste of time. Everything is layed out so clear... :/ There are two lines in your log that make me think (think, not know!) that your
              Message 6 of 12 , Jan 2, 2010
              View Source
              • 0 Attachment
                * froinds J <froinds@...>:
                > Oops! I forgot to check SSL.
                > My client now seems to start a TLS session and still nothing. Here is the
                > log with the SSL error.

                TLS log. My favourite waste of time. Everything is layed out so clear... :/

                There are two lines in your log that make me think (think, not know!) that
                your client doesn't like the server certificate. Read below.

                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: connection established
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: master_notify: status 0
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: name_mask: resource
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: name_mask: software
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: connect from adsl-012-034-567-890.sip.myisp.net[12.34.56.78]
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: match_list_match: adsl-012-034-567-890.sip.myisp.net: no match
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: match_list_match: 12.34.56.78: no match
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: match_list_match: adsl-012-034-567-890.sip.myisp.net: no match
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: match_list_match: 12.34.56.78: no match
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: match_hostname: adsl-012-034-567-890.sip.myisp.net ~? 192.168.1.0/28
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: match_hostaddr: 12.34.56.78 ~? 192.168.1.0/28
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: match_hostname: adsl-012-034-567-890.sip.myisp.net ~? 127.0.0.0/8
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: match_hostaddr: 12.34.56.78 ~? 127.0.0.0/8
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: match_hostname: adsl-012-034-567-890.sip.myisp.net ~? 12.34.56.78
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: match_hostaddr: 12.34.56.78 ~? 12.34.56.78
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: >>> START Client host RESTRICTIONS <<<
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: generic_checks: name=permit_mynetworks
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: permit_mynetworks: adsl-012-034-567-890.sip.myisp.net 12.34.56.78
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: match_hostname: adsl-012-034-567-890.sip.myisp.net ~? 192.168.1.0/28
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: match_hostaddr: 12.34.56.78 ~? 192.168.1.0/28
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: match_hostname: adsl-012-034-567-890.sip.myisp.net ~? 127.0.0.0/8
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: match_hostaddr: 12.34.56.78 ~? 127.0.0.0/8
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: match_hostname: adsl-012-034-567-890.sip.myisp.net ~? 12.34.56.78
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: match_hostaddr: 12.34.56.78 ~? 12.34.56.78
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: generic_checks: name=permit_mynetworks status=1
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: > adsl-012-034-567-890.sip.myisp.net[12.34.56.78]: 220 myDomName.com ESMTP Postfix
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: < adsl-012-034-567-890.sip.myisp.net[12.34.56.78]: EHLO [192.168.0.105]
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: >>> START Helo command RESTRICTIONS <<<
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: generic_checks: name=reject_invalid_hostname
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: reject_invalid_hostaddr: [192.168.0.105]
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: generic_checks: name=reject_invalid_hostname status=0
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: >>> END Helo command RESTRICTIONS <<<
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: > adsl-012-034-567-890.sip.myisp.net[12.34.56.78]: 250-myDomName.com
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: > adsl-012-034-567-890.sip.myisp.net[12.34.56.78]: 250-PIPELINING
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: > adsl-012-034-567-890.sip.myisp.net[12.34.56.78]: 250-SIZE 10240000
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: > adsl-012-034-567-890.sip.myisp.net[12.34.56.78]: 250-VRFY
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: > adsl-012-034-567-890.sip.myisp.net[12.34.56.78]: 250-ETRN
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: match_list_match: adsl-012-034-567-890.sip.myisp.net: no match
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: match_list_match: 12.34.56.78: no match
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: > adsl-012-034-567-890.sip.myisp.net[12.34.56.78]: 250-STARTTLS
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: > adsl-012-034-567-890.sip.myisp.net[12.34.56.78]: 250-ENHANCEDSTATUSCODES
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: > adsl-012-034-567-890.sip.myisp.net[12.34.56.78]: 250-8BITMIME
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: > adsl-012-034-567-890.sip.myisp.net[12.34.56.78]: 250 DSN
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: < adsl-012-034-567-890.sip.myisp.net[12.34.56.78]: STARTTLS
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: > adsl-012-034-567-890.sip.myisp.net[12.34.56.78]: 220 2.0.0 Ready to start TLS
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: setting up TLS connection from adsl-012-034-567-890.sip.myisp.net[12.34.56.78]

                This is where your client requests a TLS session.

                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: adsl-012-034-567-890.sip.myisp.net[12.34.56.78]: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: auto_clnt_open: connected to private/tlsmgr
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: send attr request = seed
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: send attr size = 32
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: private/tlsmgr: wanted attribute: status
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: input attribute name: status
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: input attribute value: 0
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: private/tlsmgr: wanted attribute: seed
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: input attribute name: seed
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: input attribute value: 04iDdMchtEcMhHMPlZE1PnA4hFVBivxAgufuUinTYeM=
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: private/tlsmgr: wanted attribute: (list terminator)
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: input attribute name: (end)
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: SSL_accept:before/accept initialization
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: read from 02269768 [0227E418] (11 bytes => -1 (0xFFFFFFFF))
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: read from 02269768 [0227E418] (11 bytes => 11 (0xB))
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: 0000 16 03 01 00 9d 01 00 00|99 03 01 ........ ...
                > …….
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: 0090 19 00 0b 00 02 01
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: 0096 - <SPACES/NULLS>
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: SSL_accept:SSLv3 read client hello B
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: SSL_accept:SSLv3 write server hello A
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: SSL_accept:SSLv3 write certificate A
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: SSL_accept:SSLv3 write server done A
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: write to 02269768 [0227AAB0] (756 bytes => 756 (0x2F4))
                > ……
                >
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: 02e0 0f 67 ef 48 36 a9 7b 92|5c be b2 16 03 01 00 04 .g.H6.{. \.......
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: 02f0 0e
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: 02f1 - <SPACES/NULLS>
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: SSL_accept:SSLv3 flush data
                > Jan 2 13:02:11 fedora postfix/smtpd[20531]: read from 02269768 [0227E41B] (5 bytes => -1 (0xFFFFFFFF))
                > Jan 2 13:02:12 fedora postfix/smtpd[20531]: SSL_accept error from adsl-012-034-567-890.sip.myisp.net[12.34.56.78]: -1

                This is where an "SSL_accept error" turns up, but I don't know if its relevant
                in your case.

                > Jan 2 13:02:12 fedora postfix/smtpd[20531]: match_hostname: adsl-012-034-567-890.sip.myisp.net ~? 192.168.1.0/28
                > Jan 2 13:02:12 fedora postfix/smtpd[20531]: match_hostaddr: 12.34.56.78 ~? 192.168.1.0/28
                > Jan 2 13:02:12 fedora postfix/smtpd[20531]: match_hostname: adsl-012-034-567-890.sip.myisp.net ~? 127.0.0.0/8
                > Jan 2 13:02:12 fedora postfix/smtpd[20531]: match_hostaddr: 12.34.56.78 ~? 127.0.0.0/8
                > Jan 2 13:02:12 fedora postfix/smtpd[20531]: match_hostname: adsl-012-034-567-890.sip.myisp.net ~? 12.34.56.78
                > Jan 2 13:02:12 fedora postfix/smtpd[20531]: match_hostaddr: 12.34.56.78 ~? 12.34.56.78
                > Jan 2 13:02:12 fedora postfix/smtpd[20531]: lost connection after STARTTLS from adsl-012-034-567-890.sip.myisp.net[12.34.56.78]

                This is where the connection seems to time out.
                No SMTP AUTH. The client attempts TLS and then nothing happens.

                What do you use as client?
                Did you import the server's CA certificate into your client?
                Does your client issue any warnings?
                Is there any Desktop antivirus firewall intercepting your client?
                Could you possibly test a TLS connection to your server using the "openssl
                s_client" command from command line?


                > Jan 2 13:02:12 fedora postfix/smtpd[20531]: disconnect from adsl-012-034-567-890.sip.myisp.net[12.34.56.78]
                > Jan 2 13:02:12 fedora postfix/smtpd[20531]: master_notify: status 1
                > Jan 2 13:02:12 fedora postfix/smtpd[20531]: connection closed

                --
                All technical questions asked privately will be automatically answered on the
                list and archived for public access unless privacy is explicitely required and
                justified.

                saslfinger (debugging SMTP AUTH):
                <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
              • froinds J
                Ah you so were right. I set up postfix to use the certs that cyrus-imapd creates by default and everything works now. What s weird is that cyrus-imapd was
                Message 7 of 12 , Jan 2, 2010
                View Source
                • 0 Attachment
                  Ah you so were right.
                  I set up postfix to use the certs that cyrus-imapd creates by default and everything works now. 
                  What's weird is that cyrus-imapd was using the same certs postfix was using and it didn't complain. I was able to receive email when I turned off TSL for postfix.
                  So I guess the problem is that I'm not creating good self-signed certificates. I've done this more than 20 times following every source on the internet including the guides in postfix.org. My certs have always worked with cyrus-imapd and apache, but I always run into trouble with postfix.

                  Can you provide a set of instructions to follow?

                  Thanks so much.



                  On Sat, Jan 2, 2010 at 4:02 PM, Patrick Ben Koetter <p@...> wrote:
                  * froinds J <froinds@...>:
                  > Oops! I forgot to check SSL.
                  > My client now seems to start a TLS session and still nothing. Here is the
                  > log with the SSL error.

                  TLS log. My favourite waste of time. Everything is layed out so clear... :/

                  There are two lines in your log that make me think (think, not know!) that
                  your client doesn't like the server certificate. Read below.


                • Patrick Ben Koetter
                  ... You can use TinyCA to setup a CA and the required certificates. Then configure Postfix. When your done, send postconf -n
                  Message 8 of 12 , Jan 2, 2010
                  View Source
                  • 0 Attachment
                    * froinds J <froinds@...>:
                    > Ah you so were right.
                    > I set up postfix to use the certs that cyrus-imapd creates by default and
                    > everything works now.
                    > What's weird is that cyrus-imapd was using the same certs postfix was using
                    > and it didn't complain. I was able to receive email when I turned off TSL
                    > for postfix.
                    > So I guess the problem is that I'm not creating good self-signed
                    > certificates. I've done this more than 20 times following every source on
                    > the internet including the guides in postfix.org. My certs have always
                    > worked with cyrus-imapd and apache, but I always run into trouble with
                    > postfix.
                    >
                    > Can you provide a set of instructions to follow?

                    You can use TinyCA <http://tinyca.sm-zone.net/> to setup a CA and the required
                    certificates. Then configure Postfix. When your done, send "postconf -n" output and we will have a look at the config.

                    p@rick




                    >
                    > Thanks so much.
                    >
                    >
                    >
                    > On Sat, Jan 2, 2010 at 4:02 PM, Patrick Ben Koetter <p@...>wrote:
                    >
                    > > * froinds J <froinds@...>:
                    > > > Oops! I forgot to check SSL.
                    > > > My client now seems to start a TLS session and still nothing. Here is the
                    > > > log with the SSL error.
                    > >
                    > > TLS log. My favourite waste of time. Everything is layed out so clear... :/
                    > >
                    > > There are two lines in your log that make me think (think, not know!) that
                    > > your client doesn't like the server certificate. Read below.
                    > >
                    > >

                    --
                    All technical questions asked privately will be automatically answered on the
                    list and archived for public access unless privacy is explicitely required and
                    justified.

                    saslfinger (debugging SMTP AUTH):
                    <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
                  • froinds J
                    What should I use keylength and digest when creating both the CA cert and the smtpd cert? Should I leave the passwords blank? Thanks
                    Message 9 of 12 , Jan 2, 2010
                    View Source
                    • 0 Attachment
                      What should I use keylength and digest when creating both the CA cert and the smtpd cert?
                      Should I leave the passwords blank?
                      Thanks

                      On Sat, Jan 2, 2010 at 6:04 PM, Patrick Ben Koetter <p@...> wrote:
                      * froinds J <froinds@...>:
                      > Ah you so were right.
                      > I set up postfix to use the certs that cyrus-imapd creates by default and
                      > everything works now.
                      > What's weird is that cyrus-imapd was using the same certs postfix was using
                      > and it didn't complain. I was able to receive email when I turned off TSL
                      > for postfix.
                      > So I guess the problem is that I'm not creating good self-signed
                      > certificates. I've done this more than 20 times following every source on
                      > the internet including the guides in postfix.org. My certs have always
                      > worked with cyrus-imapd and apache, but I always run into trouble with
                      > postfix.
                      >
                      > Can you provide a set of instructions to follow?

                      You can use TinyCA <http://tinyca.sm-zone.net/> to setup a CA and the required
                      certificates. Then configure Postfix. When your done, send "postconf -n" output and we will have a look at the config.

                      p@rick




                      >
                      > Thanks so much.
                      >
                      >
                      >
                      > On Sat, Jan 2, 2010 at 4:02 PM, Patrick Ben Koetter <p@...>wrote:
                      >
                      > > * froinds J <froinds@...>:
                      > > > Oops! I forgot to check SSL.
                      > > > My client now seems to start a TLS session and still nothing. Here is the
                      > > > log with the SSL error.
                      > >
                      > > TLS log. My favourite waste of time. Everything is layed out so clear... :/
                      > >
                      > > There are two lines in your log that make me think (think, not know!) that
                      > > your client doesn't like the server certificate. Read below.
                      > >
                      > >

                      --
                      All technical questions asked privately will be automatically answered on the
                      list and archived for public access unless privacy is explicitely required and
                      justified.

                      saslfinger (debugging SMTP AUTH):
                      <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>

                    • Patrick Ben Koetter
                      ... That s an invitation for long discussions... In Germany, the federal institution BSI (administration for security), recommends 4096 Bit for CA
                      Message 10 of 12 , Jan 3, 2010
                      View Source
                      • 0 Attachment
                        * froinds J <froinds@...>:
                        > What should I use keylength and digest when creating both the CA cert and
                        > the smtpd cert?

                        That's an invitation for long discussions...

                        In Germany, the federal institution "BSI" (administration for security),
                        recommends 4096 Bit for CA certificates and > 2048 for server certificates.

                        For ciphers I can't say which is 'the best'. If you plan to use mobiles (cell
                        phone etc.) a lot you might want to use ECC certificates. They provide the
                        same security level as the others at a shorter key length, which makes it
                        easier and faster for weak processors (cell phone) to use them.

                        > Should I leave the passwords blank?

                        Create them with and remove the passwords when you export the certificates.
                        Why? The server (Postfix smtpd) can't type it it when it needs to be unlocked
                        for usage. ;)

                        p@rick





                        > Thanks
                        >
                        > On Sat, Jan 2, 2010 at 6:04 PM, Patrick Ben Koetter <p@...>wrote:
                        >
                        > > * froinds J <froinds@...>:
                        > > > Ah you so were right.
                        > > > I set up postfix to use the certs that cyrus-imapd creates by default and
                        > > > everything works now.
                        > > > What's weird is that cyrus-imapd was using the same certs postfix was
                        > > using
                        > > > and it didn't complain. I was able to receive email when I turned off TSL
                        > > > for postfix.
                        > > > So I guess the problem is that I'm not creating good self-signed
                        > > > certificates. I've done this more than 20 times following every source on
                        > > > the internet including the guides in postfix.org. My certs have always
                        > > > worked with cyrus-imapd and apache, but I always run into trouble with
                        > > > postfix.
                        > > >
                        > > > Can you provide a set of instructions to follow?
                        > >
                        > > You can use TinyCA <http://tinyca.sm-zone.net/> to setup a CA and the
                        > > required
                        > > certificates. Then configure Postfix. When your done, send "postconf -n"
                        > > output and we will have a look at the config.
                        > >
                        > > p@rick
                        > >
                        > >
                        > >
                        > >
                        > > >
                        > > > Thanks so much.
                        > > >
                        > > >
                        > > >
                        > > > On Sat, Jan 2, 2010 at 4:02 PM, Patrick Ben Koetter <p@...
                        > > >wrote:
                        > > >
                        > > > > * froinds J <froinds@...>:
                        > > > > > Oops! I forgot to check SSL.
                        > > > > > My client now seems to start a TLS session and still nothing. Here is
                        > > the
                        > > > > > log with the SSL error.
                        > > > >
                        > > > > TLS log. My favourite waste of time. Everything is layed out so
                        > > clear... :/
                        > > > >
                        > > > > There are two lines in your log that make me think (think, not know!)
                        > > that
                        > > > > your client doesn't like the server certificate. Read below.
                        > > > >
                        > > > >
                        > >
                        > > --
                        > > All technical questions asked privately will be automatically answered on
                        > > the
                        > > list and archived for public access unless privacy is explicitely required
                        > > and
                        > > justified.
                        > >
                        > > saslfinger (debugging SMTP AUTH):
                        > > <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
                        > >

                        --
                        All technical questions asked privately will be automatically answered on the
                        list and archived for public access unless privacy is explicitely required and
                        justified.

                        saslfinger (debugging SMTP AUTH):
                        <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
                      Your message has been successfully submitted and would be delivered to recipients shortly.