trying to get STARTTLS working

  • David Benfell
    Message 1 of 7, Apr 5, 2013
      -----BEGIN PGP SIGNED MESSAGE-----
      Hash: SHA1

      Hi all,

      I had this working, at least sort of, on my old Arch Linux system. I'm
      migrating to a new one, also Arch Linux. Copying the configuration and
      just modifying it for new hostnames (and IP addresses?) didn't work.

      Here's postconf -n:

      address_verify_map = btree:$data_directory/verify_cache
      alias_database = $alias_maps
      alias_maps = hash:/etc/postfix/aliases
      broken_sasl_auth_clients = yes
      command_directory = /usr/sbin
      config_directory = /etc/postfix
      content_filter = scan:127.0.0.1:10026
      daemon_directory = /usr/lib/postfix
      data_directory = /var/lib/postfix
      debug_peer_level = 2
      debugger_command = PATH=/bin:/usr/bin:/usr/local/bin; export PATH;
      (echo cont; echo where) | gdb $daemon_directory/$process_name
      $process_id 2>&1 >$config_directory/$process_name.$process_id.log &
      sleep 5
      fast_flush_domains = $relay_domains
      header_checks = pcre:/etc/postfix/header_checks
      home_mailbox = Maildir/
      html_directory = no
      in_flow_delay = 1s
      inet_protocols = ipv4
      local_destination_concurrency_limit = 2
      mail_owner = postfix
      mailbox_command_maps = hash:/etc/postfix/mailbox_commands
      mailq_path = /usr/bin/mailq
      manpage_directory = /usr/share/man
      message_size_limit = 20971520
      mydestination = localhost, localhost.$mydomain, cybernude.org,
      mail.cybernude.org, munich.cybernude.org, www.cybernude.org,
      disunitedstates.com, mail.disunitedstates.com,
      munich.disunitedstates.com, www.disunitedstates.com,
      disunitedstates.org, mail.disunitedstates.org,
      munich.disunitedstates.org, www.disunitedstates.org, greybeard95a.com,
      mail.greybeard95a.com, munich.greybeard95a.com, www.greybeard95a.com,
      n4rky.me, mail.n4rky.me, munich.n4rky.me, www.n4rky.me,
      parts-unknown.org, mail.parts-unknown.org, munich.parts-unknown.org,
      www.parts-unknown.org
      mydomain = parts-unknown.org
      myhostname = mail.parts-unknown.org
      mynetworks = 10.8.0.0/16, 127.0.0.0/8
      mynetworks_style = subnet
      myorigin = $myhostname
      newaliases_path = /usr/bin/newaliases
      queue_directory = /var/spool/postfix
      readme_directory = no
      receive_override_options = no_address_mappings
      relay_domains = *
      sample_directory = /etc/postfix/sample
      sendmail_path = /usr/sbin/sendmail
      setgid_group = postdrop
      smtp_tls_key_file = /big/www/ssl/www.cybernude.org_privatekey.pem
      smtp_tls_note_starttls_offer = yes
      smtp_use_tls = yes
      smtpd_banner = $myhostname ESMTP $mail_name
      smtpd_client_restrictions = permit_mynetworks,permit_sasl_authenticated
      smtpd_peername_lookup = no
      smtpd_recipient_restrictions =
      permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
      smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
      defer_unauth_destination
      smtpd_sasl_auth_enable = yes
      smtpd_sasl_local_domain = $mydomain
      smtpd_sasl_path = /var/spool/postfix/private/auth
      smtpd_sasl_security_options = noanonymous
      smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
      smtpd_sasl_type = dovecot
      smtpd_tls_auth_only = yes
      smtpd_tls_cert_file = /big/www/ssl/www.cybernude.org_publickey.pem
      smtpd_tls_loglevel = 3
      unknown_local_recipient_reject_code = 550

      Here's what happens when I telnet:

      munich# telnet munich 25
      Trying 193.34.144.104...
      Connected to munich.
      Escape character is '^]'.
      220 mail.parts-unknown.org ESMTP Postfix
      ehlo parts-unknown.org
      250-mail.parts-unknown.org
      250-PIPELINING
      250-SIZE 20971520
      250-VRFY
      250-ETRN
      250-ENHANCEDSTATUSCODES
      250-8BITMIME
      250 DSN

      If I understand correctly, this means I do not have STARTTLS working.
      I've been going nuts trying to figure this out from instructions on
      the web.

      I would like STARTTLS working both between the client and the server,
      and opportunistically between servers. I don't think it now does either.

      Thanks!
      -----BEGIN PGP SIGNATURE-----
      Version: GnuPG v2.0.19 (GNU/Linux)
      Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

      iQIcBAEBAgAGBQJRXyz9AAoJELJhbl/uPb4SapQP/1flUWggcXA6QcEDuAhNYxh3
      3qq2af0R1Vf5+fde5Xw185wKt+07jp+kbIbf2dxG+DQECPxhBxWljQ0dEiCX5cRR
      9stflKwkTk2FjIhBhSWXLxZ8M86E4x4jzXExfoyFI1gXA8QLdfkCcQ3MQbuzG3W9
      0KccgIVW5/8KyKBlTRNnt+NJMrhhQoJPIqNhoSIM80ni1bDDpocraubayNuq8HS8
      ldDkTznpCtVR4KRJDgKxcvyN6F4EDDONe4E+hPvYpaGGlpyvIh71hiSr24gU0SJ3
      BXl8DQnpfKtKV2S904LZAd73lECzfW2l+ydNU5S7lP6YJRqGCK0DD4lpyLw1S42A
      lWL4/46omD/tlXBwMKnLxfs1AYMyHiN8FqKrxragytGyAuT2cS6ntSi3CewD6vUJ
      c3+mkzULl4R2xci3OJ055N8SkxFBpWb/vneSibae+8dsyzSYR/cP0smKLVRt0srJ
      OgbPVsDxLpEsyahGP2/UXtHsql8nbp2/kKZ2rqEYtg9w6AW5Ttruf3Kjr8mDdu2q
      qGfPYR8TOX8IyCE/gKL5ZwFL40WjXmY0Cc8qDhPHz+mf3acEaGIubWmNTEjYMb8R
      j/8IpejWT2aplxNN+RAcTJP40KiU7NAT73v5ohy0xYkKxh6gAOuEibTkj2jiB2xd
      f+QrKufNfJhuhzFQT3hs
      =hOiM
      -----END PGP SIGNATURE-----
    • Brian Evans
      Message 2 of 7, Apr 5, 2013
        On 4/5/2013 3:58 PM, David Benfell wrote:
        > -----BEGIN PGP SIGNED MESSAGE-----
        > Hash: SHA1
        >
        > Hi all,
        >
        > I had this working, at least sort of, on my old Arch Linux system. I'm
        > migrating to a new one, also Arch Linux. Copying the configuration and
        > just modifying it for new hostnames (and IP addresses?) didn't work.
        >
        > Here's postconf -n:
        [snip]
        > smtpd_tls_auth_only = yes
        > smtpd_tls_cert_file = /big/www/ssl/www.cybernude.org_publickey.pem
        > smtpd_tls_loglevel = 3
        > unknown_local_recipient_reject_code = 550
        >
        You forgot the most important parameter, enabling TLS:
        smtpd_tls_security_level = may

        Brian
      • Wietse Venema
        Message 3 of 7, Apr 5, 2013
          David Benfell:
          > munich# telnet munich 25
          > Trying 193.34.144.104...
          > Connected to munich.
          > Escape character is '^]'.
          > 220 mail.parts-unknown.org ESMTP Postfix
          > ehlo parts-unknown.org
          > 250-mail.parts-unknown.org
          > 250-PIPELINING
          > 250-SIZE 20971520
          > 250-VRFY
          > 250-ETRN
          > 250-ENHANCEDSTATUSCODES
          > 250-8BITMIME
          > 250 DSN
          >
          > If I understand correctly, this means I do not have STARTTLS working.
          > I've been going nuts trying to figure this out from instructions on
          > the web.

          Postfix logs all errors! You just have to read it.

          Wietse
        • Wietse Venema
          Message 4 of 7, Apr 5, 2013
            On 04/05/2013 01:10 PM, Wietse Venema wrote:
            > Postfix logs all errors! You just have to read it.

            David Benfell:
            > And I had been scouring journalctl -b trying to find them. They
            > weren't there. This is running under systemd--and no, I'm not entirely
            > thrilled with the logging.

            Look at /var/log/maillog*

            Wietse
          • Viktor Dukhovni
            Message 5 of 7, Apr 5, 2013
              On Fri, Apr 05, 2013 at 04:54:57PM -0400, Wietse Venema wrote:

              > On 04/05/2013 01:10 PM, Wietse Venema wrote:
              > > Postfix logs all errors! You just have to read it.
              >
              > David Benfell:
              > > And I had been scouring journalctl -b trying to find them. They
              > > weren't there. This is running under systemd--and no, I'm not entirely
              > > thrilled with the logging.
              >
              > Look at /var/log/maillog*

              In this case there is nothing of interest logged, because Postfix
              SMTP server TLS was not enabled. Were TLS enabled, but not available
              due to some error, there would be something pertinent in the logs.

              smtpd_tls_security_level = may

              --
              Viktor.
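The check Viktor's reply implies, written out as an added example (not code from this thread or from the Postfix project): it parses a `postconf -n` dump and an EHLO reply, and reports why STARTTLS is not offered. The samples are constructed from the poster's own TLS lines and telnet session; the helper names and finding codes are this example's own. Beyond what the thread states, it relies on two Postfix facts: `smtpd_tls_key_file` defaults to `$smtpd_tls_cert_file`, and `smtp_use_tls` is the legacy client-side switch that `smtp_tls_security_level` supersedes (relevant to the server-to-server half of the original question).

```python
"""Audit a `postconf -n` dump and an EHLO transcript for STARTTLS readiness.

Added example, not code from the postfix-users thread or the Postfix project.
Assumes plain `postconf -n` text (one `name = value` per line, continuation
lines indented) and an EHLO reply as captured by telnet.
"""
import re

# Constructed sample: the TLS-related lines of the poster's `postconf -n`,
# plus one wrapped parameter to exercise continuation-line handling.
POSTCONF_SAMPLE = """\
mydestination = localhost, localhost.$mydomain, parts-unknown.org,
    mail.parts-unknown.org
smtp_tls_key_file = /big/www/ssl/www.cybernude.org_privatekey.pem
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /big/www/ssl/www.cybernude.org_publickey.pem
smtpd_tls_loglevel = 3
"""

# Constructed sample: the EHLO reply from the poster's telnet session.
EHLO_SAMPLE = """\
250-mail.parts-unknown.org
250-PIPELINING
250-SIZE 20971520
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""


def parse_postconf(text):
    """Return {parameter: value}; indented continuation lines join the previous value."""
    params = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and current is not None:
            params[current] += " " + line.strip()
            continue
        name, sep, value = line.partition("=")  # first '=' only; values may contain '='
        if not sep:
            continue  # not a parameter line
        current = name.strip()
        params[current] = value.strip()
    return params


def ehlo_extensions(reply):
    """Return the ESMTP keywords in an EHLO reply (first line is the hostname, skipped)."""
    keywords = set()
    for line in reply.splitlines()[1:]:
        match = re.match(r"250[- ](\S+)", line.strip())
        if match:
            keywords.add(match.group(1).upper())
    return keywords


def audit_starttls(params, ehlo_reply):
    """Return a list of (code, message) findings; empty means nothing was flagged."""
    findings = []
    offered = "STARTTLS" in ehlo_extensions(ehlo_reply)

    # Server side: with no smtpd_tls_security_level (and no legacy
    # smtpd_use_tls = yes) Postfix never announces STARTTLS, which is
    # exactly what the thread's EHLO transcript shows.
    level = params.get("smtpd_tls_security_level", "")
    legacy = params.get("smtpd_use_tls", "no").lower() == "yes"
    disabled = level == "none" or (level == "" and not legacy)
    if disabled:
        findings.append(("SMTPD_TLS_DISABLED",
                         "smtpd_tls_security_level is unset; set it to 'may' so the server offers STARTTLS"))
        # smtpd_tls_auth_only = yes withholds AUTH until TLS is up, so with
        # TLS off no client can ever authenticate (no 250-AUTH in the reply).
        if params.get("smtpd_tls_auth_only", "no").lower() == "yes":
            findings.append(("AUTH_HIDDEN_WITHOUT_TLS",
                             "smtpd_tls_auth_only = yes but TLS is disabled, so AUTH is never announced"))
    elif not offered:
        findings.append(("STARTTLS_NOT_ANNOUNCED",
                         "TLS is configured but EHLO lists no STARTTLS; check the mail log for cert/key errors"))

    # Postfix defaults smtpd_tls_key_file to $smtpd_tls_cert_file, so a cert
    # file that holds no private key cannot start TLS.
    if "smtpd_tls_cert_file" in params and "smtpd_tls_key_file" not in params:
        findings.append(("SMTPD_KEY_DEFAULTS_TO_CERT",
                         "smtpd_tls_key_file is unset and defaults to smtpd_tls_cert_file; "
                         "make sure that file also contains the private key"))

    # Client side (server-to-server): smtp_use_tls is the legacy switch and
    # is ignored once smtp_tls_security_level is set.
    if (params.get("smtp_tls_security_level", "") == ""
            and params.get("smtp_use_tls", "no").lower() == "yes"):
        findings.append(("SMTP_TLS_LEGACY_PARAM",
                         "outbound TLS relies on legacy smtp_use_tls = yes; prefer smtp_tls_security_level = may"))
    return findings


if __name__ == "__main__":
    for code, msg in audit_starttls(parse_postconf(POSTCONF_SAMPLE), EHLO_SAMPLE):
        print(f"{code}: {msg}")
```

Run it against a real dump with `postconf -n > main.txt` and an EHLO reply saved from a telnet or `openssl s_client -starttls smtp` session, then substitute the two constants. The audit is deliberately ordered so the first finding is the one that explains an EHLO reply without STARTTLS; the later ones are the "other problems" Wietse anticipates once TLS is switched on.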
            • Wietse Venema
              Message 6 of 7, Apr 5, 2013
                Viktor Dukhovni:
                > On Fri, Apr 05, 2013 at 04:54:57PM -0400, Wietse Venema wrote:
                >
                > > On 04/05/2013 01:10 PM, Wietse Venema wrote:
                > > > Postfix logs all errors! You just have to read it.
                > >
                > > David Benfell:
                > > > And I had been scouring journalctl -b trying to find them. They
                > > > weren't there. This is running under systemd--and no, I'm not entirely
                > > > thrilled with the logging.
                > >
                > > Look at /var/log/maillog*
                >
                > In this case there is nothing of interest logged, because Postfix
                > SMTP server TLS was not enabled. Were TLS enabled, but not available
                > due to some error, there would be something pertinent in the logs.
                >
                > smtpd_tls_security_level = may

                No doubt there will have other problems, so now he knows
                not to search the systemd binary journal abomination.

                Wietse
              • Wietse Venema
                Message 7 of 7, Apr 5, 2013
                  On 04/05/2013 01:10 PM, Wietse Venema wrote:
                  > Postfix logs all errors! You just have to read it.

                  David Benfell:
                  > And I had been scouring journalctl -b trying to find them. They
                  > weren't there. This is running under systemd--and no, I'm not
                  > entirely thrilled with the logging.

                  Wietse:
                  > Look at /var/log/maillog*

                  David Benfell:
                  > Yup. It doesn't exist:
                  >
                  > munich# ls -al /var/log

                  Postfix logs are the first place to look when some email isn't
                  delivered.

                  It may be worthwhile to generate some records by hand
                  and see where things end up:

                  $ logger -p mail.info -t postfix/whatever some text here...

                  This should be filed in the same place as Postfix logging.

                  Wietse