Request Help with TLS Error

  • Mark Jamsek
    Message 1 of 11 , Dec 10, 2013
      Trying to send mail results in this error from Thunderbird client:
      Sending of message failed.
      An error occurred sending mail: Unable to establish a secure link with SMTP server mail.bsdbox.co using STARTTLS since it doesn't advertise that feature. Switch off STARTTLS for that server or contact your service provider.


      Which results in this email to postmaster:

      Transcript of session follows.

       Out: 220 mail.bsdbox.co ESMTP Postfix
       In:  EHLO [10.0.0.66]
       Out: 250-mail.bsdbox.co
       Out: 250-PIPELINING
       Out: 250-SIZE 10240000
       Out: 250-VRFY
       Out: 250-ETRN
       Out: 250-STARTTLS
       Out: 250-ENHANCEDSTATUSCODES
       Out: 250-8BITMIME
       Out: 250 DSN


      Immediate output to /var/log/maillog:

      Dec 10 11:36:03 mail postfix/smtpd[57120]: warning: cannot get RSA certificate from file /etc/ssl/cert/dovecot.pem: disabling TLS support
      Dec 10 11:36:03 mail postfix/smtpd[57120]: warning: TLS library problem: 57120:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:356:fopen('/etc/ssl/cert/dovecot.pem','r'):
      Dec 10 11:36:03 mail postfix/smtpd[57120]: warning: TLS library problem: 57120:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:358:
      Dec 10 11:36:03 mail postfix/smtpd[57120]: warning: TLS library problem: 57120:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:722:


      Attempt new certificate generation to use different cert than Dovecot:

      # openssl ca -policy policy_anything -days 3650 -out server.crt -infiles server.csr
      Using configuration from /etc/ssl/openssl.cnf
      Error opening CA private key ./demoCA/private/cakey.pem
      57089:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:356:fopen('./demoCA/private/cakey.pem','r')
      57089:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:358:
      unable to load CA private key


      Output of postconf -n and dovecot -n:


      # postconf -n
      broken_sasl_auth_clients = yes
      command_directory = /usr/local/sbin
      config_directory = /usr/local/etc/postfix
      daemon_directory = /usr/local/libexec/postfix
      data_directory = /var/db/postfix
      debug_peer_level = 2
      debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
      home_mailbox = Maildir/
      html_directory = /usr/local/share/doc/postfix
      inet_interfaces = all
      inet_protocols = ipv4
      mail_owner = postfix
      mailq_path = /usr/local/bin/mailq
      manpage_directory = /usr/local/man
      mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
      mydomain = bsdbox.co
      myhostname = mail.bsdbox.co
      newaliases_path = /usr/local/bin/newaliases
      queue_directory = /var/spool/postfix
      readme_directory = /usr/local/share/doc/postfix
      recipient_delimiter = +
      relay_domains = $mydestination
      sample_directory = /usr/local/etc/postfix
      sendmail_path = /usr/local/sbin/sendmail
      setgid_group = maildrop
      smtpd_banner = $myhostname ESMTP $mail_name
      smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
      smtpd_sasl_auth_enable = yes
      smtpd_sasl_path = private/auth
      smtpd_sasl_type = dovecot
      smtpd_tls_auth_only = no
      smtpd_tls_cert_file = /etc/ssl/cert/dovecot.pem
      smtpd_tls_key_file = /etc/ssl/private/dovecot.pem
      smtpd_tls_loglevel = 1
      smtpd_tls_security_level = may
      unknown_local_recipient_reject_code = 550

      # dovecot -n
      # 2.2.9: /usr/local/etc/dovecot/dovecot.conf
      # OS: FreeBSD 9.2-RELEASE i386
      disable_plaintext_auth = no
      listen = *
      mail_location = maildir:~/Maildir:LAYOUT=fs
      namespace inbox {
        inbox = yes
        location =
        mailbox Drafts {
          special_use = \Drafts
        }
        mailbox Junk {
          special_use = \Junk
        }
        mailbox Sent {
          special_use = \Sent
        }
        mailbox "Sent Messages" {
          special_use = \Sent
        }
        mailbox Trash {
          special_use = \Trash
        }
        prefix =
      }
      passdb {
        driver = pam
      }
      service auth {
        unix_listener /var/spool/postfix/private/auth {
          group = postfix
          mode = 0666
          user = postfix
        }
      }
      ssl_cert = </etc/ssl/certs/dovecot.pem
      ssl_key = </etc/ssl/private/dovecot.pem
      userdb {
        driver = passwd
      }


      I can connect to the server on port 143 and receive TLS confirmation (see: https://bsdbox.co/cloud/public.php?service=files&t=0321f1ddb437e30dae75d08dc3bf59dc). However, a telnet connection to port 587 displays no TLS confirmation. Any help would be appreciated. Thank you.

    • Viktor Dukhovni
      Message 2 of 11 , Dec 10, 2013
        On Tue, Dec 10, 2013 at 11:57:56PM +1100, Mark Jamsek wrote:

        > |Dec 10 11:36:03 mail postfix/smtpd[57120]: warning:
        > [highlight]cannot get RSA certificate from file
        >
        > /etc/ssl/cert/dovecot.pem:
        >
        > disabling TLS support

        New spectacle prescription recommended: :-)

        > ssl_cert = </etc/ssl/certs/dovecot.pem
        > ssl_key = </etc/ssl/private/dovecot.pem

        --
        Viktor.
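The mistake Viktor spotted is that Postfix points at `/etc/ssl/cert/` while Dovecot points at `/etc/ssl/certs/`. The following is an added example, not code from the thread or from either project: it parses `postconf -n` and `doveconf -n` output, cross-checks the certificate and key paths the two daemons use, and confirms the files exist. The sample config text is a constructed excerpt of what was posted above; the `exists` parameter is an assumption of this example so the check can be exercised without the real files.

```python
"""Cross-check the TLS certificate/key paths configured in Postfix and Dovecot
and confirm that the files actually exist on disk."""
import os
import re
import subprocess

# Constructed excerpt of the `postconf -n` output from the original post.
SAMPLE_POSTCONF = """\
smtpd_tls_cert_file = /etc/ssl/cert/dovecot.pem
smtpd_tls_key_file = /etc/ssl/private/dovecot.pem
smtpd_tls_security_level = may
"""

# Constructed excerpt of the `dovecot -n` output from the same post.
SAMPLE_DOVECONF = """\
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
"""

POSTFIX_KEYS = {"cert": "smtpd_tls_cert_file", "key": "smtpd_tls_key_file"}
DOVECOT_KEYS = {"cert": "ssl_cert", "key": "ssl_key"}


def parse_settings(text):
    """Parse 'name = value' lines into a dict; works for both daemons' dumps.

    Dovecot writes file-backed settings as '<path'; the leading '<' is
    stripped so the value is a plain path. Block lines such as
    'namespace inbox {' carry no '=' and are ignored."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2).lstrip("<")
    return settings


def compare_tls_paths(postconf_text, doveconf_text):
    """Return {'cert': (postfix_path, dovecot_path), 'key': (...)}."""
    pf = parse_settings(postconf_text)
    dc = parse_settings(doveconf_text)
    return {
        role: (pf.get(POSTFIX_KEYS[role]), dc.get(DOVECOT_KEYS[role]))
        for role in ("cert", "key")
    }


def find_problems(postconf_text, doveconf_text, exists=os.path.exists):
    """List findings: paths that differ between the two daemons (the thread's
    bug: /etc/ssl/cert vs /etc/ssl/certs) and paths that do not exist.

    `exists` is injectable (assumption of this example) so the logic can be
    tested offline; by default it consults the real file system."""
    problems = []
    pairs = compare_tls_paths(postconf_text, doveconf_text)
    for role, (pf_path, dc_path) in pairs.items():
        if pf_path != dc_path:
            problems.append(
                "%s: postfix uses %r but dovecot uses %r" % (role, pf_path, dc_path)
            )
        for daemon, path in (("postfix", pf_path), ("dovecot", dc_path)):
            if path and not exists(path):
                problems.append("%s: %s path %r does not exist" % (role, daemon, path))
    return problems


def main():
    # On a real host, read the live configuration from both daemons.
    postconf = subprocess.run(["postconf", "-n"], capture_output=True, text=True).stdout
    doveconf = subprocess.run(["doveconf", "-n"], capture_output=True, text=True).stdout
    for problem in find_problems(postconf, doveconf) or ["no TLS path problems found"]:
        print(problem)


if __name__ == "__main__":
    main()
```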
      • Mark Jamsek
        Message 3 of 11 , Dec 10, 2013
          On 11/12/2013 5:50 AM, Viktor Dukhovni wrote:
          > On Tue, Dec 10, 2013 at 11:57:56PM +1100, Mark Jamsek wrote:
          >
          >> |Dec 10 11:36:03 mail postfix/smtpd[57120]: warning:
          >> [highlight]cannot get RSA certificate from file
          >>
          >> /etc/ssl/cert/dovecot.pem:
          >>
          >> disabling TLS support
          > New spectacle prescription recommended: :-)
          >
          >> ssl_cert = </etc/ssl/certs/dovecot.pem
          >> ssl_key = </etc/ssl/private/dovecot.pem
          Wow. I think you're right! You know, I spent nearly an entire day trying
          to debug this. Can't see the forest for the trees sometimes. Thank you
          so much. TLS issue resolved -- now I have an authentication problem.
        • Mark Jamsek
          Message 4 of 11 , Dec 10, 2013
            Thanks to another subscriber, I have resolved my TLS problem. However, I
            cannot get SMTP authentication working, no matter what I try. My client
            "sends" mail without any errors; however, /var/log/maillog reports
            connection refused errors and recipients are not receiving my emails.
            This is due to no SMTP authentication (I believe).

            Please see my dovecot config:

            ### doveconf -n output
            ## I've moved auth configuration to the top for easier parsing
            # 2.2.9: /usr/local/etc/dovecot/dovecot.conf
            # OS: FreeBSD 9.2-RELEASE i386
            service auth {
              unix_listener /var/spool/postfix/private/auth {
                group = postfix
                mode = 0660
                user = postfix
              }
            }
            auth_mechanisms = plain login
            disable_plaintext_auth = no
            listen = *
            mail_location = maildir:~/Maildir:LAYOUT=fs
            namespace inbox {
              inbox = yes
              location =
              mailbox Drafts {
                special_use = \Drafts
              }
              mailbox Junk {
                special_use = \Junk
              }
              mailbox Sent {
                special_use = \Sent
              }
              mailbox "Sent Messages" {
                special_use = \Sent
              }
              mailbox Trash {
                special_use = \Trash
              }
              prefix =
            }
            passdb {
              driver = pam
            }
            ssl_cert = </etc/ssl/certs/dovecot.pem
            ssl_key = </etc/ssl/private/dovecot.pem
            userdb {
              driver = passwd
            }


            And my postfix config:

            ### postfix -n output
            ## I've moved all the sasl related entries to the top for easier parsing
            smtpd_sasl_auth_enable = yes
            smtpd_sasl_path = private/auth
            smtpd_sasl_type = dovecot
            broken_sasl_auth_clients = yes
            smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
            smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
            command_directory = /usr/local/sbin
            config_directory = /usr/local/etc/postfix
            daemon_directory = /usr/local/libexec/postfix
            data_directory = /var/db/postfix
            debug_peer_level = 2
            debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
            home_mailbox = Maildir/
            html_directory = /usr/local/share/doc/postfix
            inet_interfaces = all
            inet_protocols = ipv4
            mail_owner = postfix
            mailq_path = /usr/local/bin/mailq
            manpage_directory = /usr/local/man
            mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
            mydomain = bsdbox.co
            myhostname = mail.bsdbox.co
            newaliases_path = /usr/local/bin/newaliases
            queue_directory = /var/spool/postfix
            readme_directory = /usr/local/share/doc/postfix
            recipient_delimiter = +
            relay_domains = $mydestination
            sample_directory = /usr/local/etc/postfix
            sendmail_path = /usr/local/sbin/sendmail
            setgid_group = maildrop
            smtp_tls_loglevel = 3
            smtp_tls_note_starttls_offer = yes
            smtp_tls_security_level = may
            smtp_use_tls = yes
            smtpd_banner = $myhostname ESMTP $mail_name
            smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
            smtpd_tls_CApath = /etc/ssl/certs/
            smtpd_tls_auth_only = yes
            smtpd_tls_cert_file = /etc/ssl/certs/postfix.crt
            smtpd_tls_key_file = /etc/ssl/private/postfix.key
            smtpd_tls_loglevel = 3
            smtpd_tls_received_header = yes
            smtpd_tls_security_level = may
            smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_cache
            smtpd_tls_session_cache_timeout = 3600s
            smtpd_use_tls = yes
            tls_random_source = dev:/dev/urandom
            unknown_local_recipient_reject_code = 550


            And, the glaringly obvious absence of SMTP auth mechanisms:

            ### no auth mechanisms available
            root@mail:~/debug # telnet localhost smtp
            Trying 127.0.0.1...
            Connected to localhost.
            Escape character is '^]'.
            220 mail.bsdbox.co ESMTP Postfix
            ehlo bsdbox.co
            250-mail.bsdbox.co
            250-PIPELINING
            250-SIZE 10240000
            250-VRFY
            250-ETRN
            250-STARTTLS
            250-ENHANCEDSTATUSCODES
            250-8BITMIME
            250 DSN
            quit
            221 2.0.0 Bye
            Connection closed by foreign host.
            root@mail:~/debug #


            Just for good measure, here is maillog data immediately post receiving
            mail and replying:

            ### note the connection refused reports toward the end
            root@mail:~/debug # tail /var/log/maillog
            Dec 11 07:11:24 mail postfix/cleanup[65906]: D9F2A2384BA: message-id=<52A8101B.70204@...>
            Dec 11 07:11:24 mail postfix/qmgr[65422]: D9F2A2384BA: from=<debug@...>, size=848, nrcpt=1 (queue active)
            Dec 11 07:11:24 mail postfix/smtp[65909]: initializing the client-side TLS engine
            Dec 11 07:11:24 mail postfix/smtpd[65902]: disconnect from CPE-110-146-148-136.knmu.knt.bigpond.net.au[110.146.148.136]
            Dec 11 07:11:25 mail dovecot: imap-login: Login: user=<debug>, method=PLAIN, rip=110.146.148.136, lip=10.0.0.120, mpid=65911, TLS, session=<zN/e7zzt0QBukpSI>
            Dec 11 07:11:25 mail dovecot: imap-login: Login: user=<debug>, method=PLAIN, rip=110.146.148.136, lip=10.0.0.120, mpid=65913, TLS, session=<xQni7zztaABukpSI>
            Dec 11 07:11:31 mail postfix/smtp[65909]: connect to myune-edu-au.mail.eo.outlook.com[213.199.154.23]:25: Connection refused
            Dec 11 07:11:37 mail postfix/smtp[65909]: connect to myune-edu-au.mail.eo.outlook.com[213.199.154.87]:25: Connection refused
            Dec 11 07:11:37 mail postfix/smtp[65909]: D9F2A2384BA: to=<mjamsek@...>, relay=none, delay=13, delays=0.01/0.02/13/0, dsn=4.4.1, status=deferred (connect to myune-edu-au.mail.eo.outlook.com[213.199.154.87]:25: Connection refused)
            Dec 11 07:11:38 mail dovecot: imap-login: Login: user=<debug>, method=PLAIN, rip=110.146.148.136, lip=10.0.0.120, mpid=65916, TLS, session=<1SGn8DztMABukpSI>
            root@mail:~/debug #

            I've scrutinized and parsed my config files with all the relevant
            Postfix and Dovecot literature. I guess I am overlooking something
            blatantly obvious but I need a fresh set of eyes and some help. I've
            been at this all day and getting nowhere. Thanks, guys.
          • Viktor Dukhovni
            Message 5 of 11 , Dec 11, 2013
              On Wed, Dec 11, 2013 at 06:17:08PM +1100, Mark Jamsek wrote:

              > However, I cannot get SMTP authentication working, no matter what I
              > try.

              Still need those glasses...

              > And, the glaringly obvious absence of SMTP auth mechanisms:
              >
              > 220 mail.bsdbox.co ESMTP Postfix
              > ehlo bsdbox.co
              > 250-mail.bsdbox.co
              > 250-STARTTLS

              Only when not using TLS.

              > Just for good measure, here is maillog data immediately post
              > receiving mail and replying:
              >
              > Dec 11 07:11:31 mail postfix/smtp[65909]: connect to
              > myune-edu-au.mail.eo.outlook.com[213.199.154.23]:25: Connection refused

              This problem is a failure to *send* email out, that is already in
              the queue. Not failure to authenticate submission requests that
              add mail to the queue.

              > I've scrutinized and parsed my config files with all the relevant
              > Postfix and Dovecot literature. I guess I am overlooking something
              > blatantly obvious but I need a fresh set of eyes and some help. I've
              > been at this all day and getting nowhere. Thanks, guys.

              It helps if you actually look at your logs to see what they actually
              say, rather than posting them without trying to read them. You
              can also look at your queue with "mailq", or "qshape" (available
              with Postfix source).

              You've got a firewall problem or similar, your network is blocking
              connections to port 25 on that host. I have no trouble connecting
              to it:

              $ posttls-finger -o inet_protocols=ipv4 -Lsummary "[myune-edu-au.mail.eo.outlook.com]"
              posttls-finger: Connected to myune-edu-au.mail.eo.outlook.com[213.199.154.87]:25
              posttls-finger: < 220 DB3FFO11FD012.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Wed, 11 Dec 2013 09:28:36 +0000
              posttls-finger: > EHLO amnesiac.example
              posttls-finger: < 250-DB3FFO11FD012.mail.protection.outlook.com Hello [192.0.2.1]
              posttls-finger: < 250-SIZE 157286400
              posttls-finger: < 250-PIPELINING
              posttls-finger: < 250-DSN
              posttls-finger: < 250-ENHANCEDSTATUSCODES
              posttls-finger: < 250-STARTTLS
              posttls-finger: < 250-AUTH
              posttls-finger: < 250-8BITMIME
              posttls-finger: < 250-BINARYMIME
              posttls-finger: < 250 CHUNKING
              posttls-finger: > STARTTLS
              posttls-finger: < 220 2.0.0 SMTP server ready
              posttls-finger: certificate verification failed for myune-edu-au.mail.eo.outlook.com[213.199.154.87]:25: untrusted issuer /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
              posttls-finger: Untrusted TLS connection established to myune-edu-au.mail.eo.outlook.com[213.199.154.87]:25: unknown with cipher AES128-SHA (128/128 bits)
              posttls-finger: > EHLO amnesiac.example
              posttls-finger: < 250-DB3FFO11FD012.mail.protection.outlook.com Hello [192.0.2.1]
              posttls-finger: < 250-SIZE 157286400
              posttls-finger: < 250-PIPELINING
              posttls-finger: < 250-DSN
              posttls-finger: < 250-ENHANCEDSTATUSCODES
              posttls-finger: < 250-AUTH LOGIN
              posttls-finger: < 250-8BITMIME
              posttls-finger: < 250-BINARYMIME
              posttls-finger: < 250 CHUNKING
              posttls-finger: > QUIT
              posttls-finger: < 221 2.0.0 Service closing transmission channel

              --
              Viktor.
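Viktor's point is that the maillog describes an outbound delivery failure (Postfix's `smtp` client cannot reach any MX on port 25 and the message is deferred), not a submission or SASL problem. As an added example that is not part of the thread, this triage script reads maillog lines and separates the two cases. The sample log is constructed to match the shape of the excerpt posted above (same hostnames and queue id; the elided addresses are replaced with example.org/example.net placeholders); the SASL-failure pattern is Postfix's standard `smtpd` warning.

```python
"""Triage a Postfix maillog: are messages failing to leave the queue, or are
clients failing to submit them?"""
import re
from collections import Counter

# Constructed sample, shaped like the maillog excerpt in the thread.
SAMPLE_MAILLOG = """\
Dec 11 07:11:24 mail postfix/qmgr[65422]: D9F2A2384BA: from=<user@example.org>, size=848, nrcpt=1 (queue active)
Dec 11 07:11:24 mail postfix/smtp[65909]: initializing the client-side TLS engine
Dec 11 07:11:25 mail dovecot: imap-login: Login: user=<debug>, method=PLAIN, rip=110.146.148.136, lip=10.0.0.120, mpid=65911, TLS, session=<zN/e7zzt0QBukpSI>
Dec 11 07:11:31 mail postfix/smtp[65909]: connect to myune-edu-au.mail.eo.outlook.com[213.199.154.23]:25: Connection refused
Dec 11 07:11:37 mail postfix/smtp[65909]: connect to myune-edu-au.mail.eo.outlook.com[213.199.154.87]:25: Connection refused
Dec 11 07:11:37 mail postfix/smtp[65909]: D9F2A2384BA: to=<recipient@example.net>, relay=none, delay=13, delays=0.01/0.02/13/0, dsn=4.4.1, status=deferred (connect to myune-edu-au.mail.eo.outlook.com[213.199.154.87]:25: Connection refused)
"""

# Outbound: the Postfix SMTP *client* could not open a connection to an MX.
RE_REFUSED = re.compile(
    r"postfix/smtp\[\d+\]: connect to (?P<host>\S+?)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): Connection refused"
)
# Outbound: the queue manager kept the message for a later retry.
RE_DEFERRED = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<[^>]*>,.*status=deferred")
# Inbound: a client failed SASL authentication against the smtpd *server*.
RE_SASL_FAIL = re.compile(r"postfix/smtpd\[\d+\]: warning: .*SASL \w+ authentication failed")


def triage(log_text):
    """Classify the failures in `log_text` and return the evidence plus a verdict."""
    refused = Counter()  # (host, ip, port) -> number of refused connects
    deferred = []
    sasl_failures = 0
    for line in log_text.splitlines():
        m = RE_REFUSED.search(line)
        if m:
            refused[(m["host"], m["ip"], int(m["port"]))] += 1
            continue
        m = RE_DEFERRED.search(line)
        if m:
            deferred.append(m["qid"])
            continue
        if RE_SASL_FAIL.search(line):
            sasl_failures += 1

    ports = {port for (_, _, port) in refused}
    if refused and ports == {25} and not sasl_failures:
        verdict = (
            "outbound: %d connection(s) to %d MX host(s) on port 25 refused; "
            "queue id(s) %s deferred. Submission succeeded; the network path to "
            "port 25 is filtered (ISP/firewall), so relay via the ISP's submission "
            "service or have the filter lifted."
            % (sum(refused.values()), len(refused), sorted(set(deferred)))
        )
    elif sasl_failures:
        verdict = "submission: %d SASL authentication failure(s) on smtpd" % sasl_failures
    else:
        verdict = "no outbound connection refusals or SASL failures found"
    return {
        "refused": dict(refused),
        "deferred": sorted(set(deferred)),
        "sasl_failures": sasl_failures,
        "verdict": verdict,
    }


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_MAILLOG
    print(triage(text)["verdict"])
```

Feed it a real log with `tail -n 200 /var/log/maillog | python3 triage.py`; with no stdin it runs on the constructed sample.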
            • Mark Jamsek
              Message 6 of 11 , Dec 11, 2013
                On 11/12/2013 8:31 PM, Viktor Dukhovni wrote:
                > On Wed, Dec 11, 2013 at 06:17:08PM +1100, Mark Jamsek wrote:
                >
                >> However, I cannot get SMTP authentication working, no matter what I
                >> try.
                > Still need those glasses...
                >
                >> And, the glaringly obvious absence of SMTP auth mechanisms:
                >>
                >> 220 mail.bsdbox.co ESMTP Postfix
                >> ehlo bsdbox.co
                >> 250-mail.bsdbox.co
                >> 250-STARTTLS
                > Only when not using TLS.

                I'm not sure I understand what you mean here. I am using TLS, and there
                is no SMTP authentication.

                >
                >> Just for good measure, here is maillog data immediately post
                >> receiving mail and replying:
                >>
                >> Dec 11 07:11:31 mail postfix/smtp[65909]: connect to
                >> myune-edu-au.mail.eo.outlook.com[213.199.154.23]:25: Connection refused
                > This problem is a failure to *send* email out, that is already in
                > the queue. Not failure to authenticate submission requests that
                > add mail to the queue.

                >
                >> I've scrutinized and parsed my config files with all the relevant
                >> Postfix and Dovecot literature. I guess I am overlooking something
                >> blatantly obvious but I need a fresh set of eyes and some help. I've
                >> been at this all day and getting nowhere. Thanks, guys.
                > It helps if you actually look at your logs to see what they actually
                > say, rather than posting them without trying to read them. You
                > can also look at your queue with "mailq", or "qshape" (available
                > with Postfix source).

                It would, but I don't understand exactly what the logs are saying, hence
                my sharing them.

                >
                > You've got a firewall problem or similar, your network is blocking
                > connections to port 25 on that host. I have no trouble connecting
                > to it:
                >
                > $ posttls-finger -o inet_protocols=ipv4 -Lsummary "[myune-edu-au.mail.eo.outlook.com]"
                > posttls-finger: Connected to myune-edu-au.mail.eo.outlook.com[213.199.154.87]:25
                > posttls-finger: < 220 DB3FFO11FD012.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Wed, 11 Dec 2013 09:28:36 +0000
                > posttls-finger: > EHLO amnesiac.example
                > posttls-finger: < 250-DB3FFO11FD012.mail.protection.outlook.com Hello [192.0.2.1]
                > posttls-finger: < 250-SIZE 157286400
                > posttls-finger: < 250-PIPELINING
                > posttls-finger: < 250-DSN
                > posttls-finger: < 250-ENHANCEDSTATUSCODES
                > posttls-finger: < 250-STARTTLS
                > posttls-finger: < 250-AUTH
                > posttls-finger: < 250-8BITMIME
                > posttls-finger: < 250-BINARYMIME
                > posttls-finger: < 250 CHUNKING
                > posttls-finger: > STARTTLS
                > posttls-finger: < 220 2.0.0 SMTP server ready
                > posttls-finger: certificate verification failed for myune-edu-au.mail.eo.outlook.com[213.199.154.87]:25: untrusted issuer /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
                > posttls-finger: Untrusted TLS connection established to myune-edu-au.mail.eo.outlook.com[213.199.154.87]:25: unknown with cipher AES128-SHA (128/128 bits)
                > posttls-finger: > EHLO amnesiac.example
                > posttls-finger: < 250-DB3FFO11FD012.mail.protection.outlook.com Hello [192.0.2.1]
                > posttls-finger: < 250-SIZE 157286400
                > posttls-finger: < 250-PIPELINING
                > posttls-finger: < 250-DSN
                > posttls-finger: < 250-ENHANCEDSTATUSCODES
                > posttls-finger: < 250-AUTH LOGIN
                > posttls-finger: < 250-8BITMIME
                > posttls-finger: < 250-BINARYMIME
                > posttls-finger: < 250 CHUNKING
                > posttls-finger: > QUIT
                > posttls-finger: < 221 2.0.0 Service closing transmission channel
                >

                That's not my host though. That's one of many hosts I've tried to send
                email to from my mail server at mail.bsdbox.co
              • Mark Jamsek
                Message 7 of 11 , Dec 11, 2013
                  On 11/12/2013 8:31 PM, Viktor Dukhovni wrote:
                  > On Wed, Dec 11, 2013 at 06:17:08PM +1100, Mark Jamsek wrote:
                  >
                  >> However, I cannot get SMTP authentication working, no matter what I
                  >> try.
                  > Still need those glasses...
                  >
                  >> And, the glaringly obvious absence of SMTP auth mechanisms:
                  >>
                  >> 220 mail.bsdbox.co ESMTP Postfix
                  >> ehlo bsdbox.co
                  >> 250-mail.bsdbox.co
                  >> 250-STARTTLS
                  > Only when not using TLS.
                  >
                  >> Just for good measure, here is maillog data immediately post
                  >> receiving mail and replying:
                  >>
                  >> Dec 11 07:11:31 mail postfix/smtp[65909]: connect to
                  >> myune-edu-au.mail.eo.outlook.com[213.199.154.23]:25: Connection refused
                  > This problem is a failure to *send* email out, that is already in
                  > the queue. Not failure to authenticate submission requests that
                  > add mail to the queue.
                  >
                  >> I've scrutinized and parsed my config files with all the relevant
                  >> Postfix and Dovecot literature. I guess I am overlooking something
                  >> blatantly obvious but I need a fresh set of eyes and some help. I've
                  >> been at this all day and getting nowhere. Thanks, guys.
                  > It helps if you actually look at your logs to see what they actually
                  > say, rather than posting them without trying to read them. You
                  > can also look at your queue with "mailq", or "qshape" (available
                  > with Postfix source).
                  >
                  > You've got a firewall problem or similar, your network is blocking
                  > connections to port 25 on that host. I have no trouble connecting
                  > to it:
                  >
                  > $ posttls-finger -o inet_protocols=ipv4 -Lsummary "[myune-edu-au.mail.eo.outlook.com]"
                  > posttls-finger: Connected to myune-edu-au.mail.eo.outlook.com[213.199.154.87]:25
                  > posttls-finger: < 220 DB3FFO11FD012.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Wed, 11 Dec 2013 09:28:36 +0000
                  > posttls-finger: > EHLO amnesiac.example
                  > posttls-finger: < 250-DB3FFO11FD012.mail.protection.outlook.com Hello [192.0.2.1]
                  > posttls-finger: < 250-SIZE 157286400
                  > posttls-finger: < 250-PIPELINING
                  > posttls-finger: < 250-DSN
                  > posttls-finger: < 250-ENHANCEDSTATUSCODES
                  > posttls-finger: < 250-STARTTLS
                  > posttls-finger: < 250-AUTH
                  > posttls-finger: < 250-8BITMIME
                  > posttls-finger: < 250-BINARYMIME
                  > posttls-finger: < 250 CHUNKING
                  > posttls-finger: > STARTTLS
                  > posttls-finger: < 220 2.0.0 SMTP server ready
                  > posttls-finger: certificate verification failed for myune-edu-au.mail.eo.outlook.com[213.199.154.87]:25: untrusted issuer /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
                  > posttls-finger: Untrusted TLS connection established to myune-edu-au.mail.eo.outlook.com[213.199.154.87]:25: unknown with cipher AES128-SHA (128/128 bits)
                  > posttls-finger: > EHLO amnesiac.example
                  > posttls-finger: < 250-DB3FFO11FD012.mail.protection.outlook.com Hello [192.0.2.1]
                  > posttls-finger: < 250-SIZE 157286400
                  > posttls-finger: < 250-PIPELINING
                  > posttls-finger: < 250-DSN
                  > posttls-finger: < 250-ENHANCEDSTATUSCODES
                  > posttls-finger: < 250-AUTH LOGIN
                  > posttls-finger: < 250-8BITMIME
                  > posttls-finger: < 250-BINARYMIME
                  > posttls-finger: < 250 CHUNKING
                  > posttls-finger: > QUIT
                  > posttls-finger: < 221 2.0.0 Service closing transmission channel
                  >
                  Wait. I think I understand what you're saying: my ISP perhaps blocks my
                  connections, so I need to use them as my $relayhost? Is it possible to
                  work around this somehow? I would rather not relay my mail through my ISP.
                • Viktor Dukhovni
                  Message 8 of 11 , Dec 11, 2013
                    On Wed, Dec 11, 2013 at 08:42:29PM +1100, Mark Jamsek wrote:

                    > >>And, the glaringly obvious absence of SMTP auth mechanisms:
                    > >>
                    > >>220 mail.bsdbox.co ESMTP Postfix
                    > >>ehlo bsdbox.co
                    > >>250-mail.bsdbox.co
                    > >>250-STARTTLS
                    > >
                    > >Only when not using TLS.
                    >
                    > I'm not sure I understand what you mean here. I am using TLS, and
                    > there is no SMTP authentication.

                    You're not "using" TLS in the above session. The server supports
                    TLS, but "telnet host 25" does not *use* TLS. To really use TLS
                    you need a client program that supports TLS. I use "posttls-finger"
                    (because I wrote it to suit my needs). You could make some progress
                    with "openssl s_client -starttls smtp -connect somehost:25", though
                    the latter shows less SMTP oriented output, you don't have to
                    compile it from source.

                    $ posttls-finger "[mail.bsdbox.co]"
                    posttls-finger: Connected to mail.bsdbox.co[110.146.148.136]:25
                    posttls-finger: < 220 mail.bsdbox.co ESMTP Postfix
                    posttls-finger: > EHLO amnesiac.example
                    posttls-finger: < 250-mail.bsdbox.co
                    posttls-finger: < 250-PIPELINING
                    posttls-finger: < 250-SIZE 10240000
                    posttls-finger: < 250-VRFY
                    posttls-finger: < 250-ETRN
                    posttls-finger: < 250-STARTTLS
                    posttls-finger: < 250-ENHANCEDSTATUSCODES
                    posttls-finger: < 250-8BITMIME
                    posttls-finger: < 250 DSN
                    posttls-finger: > STARTTLS
                    posttls-finger: < 220 2.0.0 Ready to start TLS
                    posttls-finger: mail.bsdbox.co[110.146.148.136]:25 Matched CommonName mail.bsdbox.co
                    posttls-finger: certificate verification failed for mail.bsdbox.co[110.146.148.136]:25: self-signed certificate
                    posttls-finger: mail.bsdbox.co[110.146.148.136]:25: subject_CN=mail.bsdbox.co, issuer_CN=mail.bsdbox.co, fingerprint=26:79:C0:78:CE:0E:DE:7C:83:6C:32:D4:4F:02:EF:72:51:2B:08:7A, pkey_fingerprint=80:B8:24:5B:EF:E4:B9:44:E9:EC:A6:40:0C:6A:6C:D7:9C:5E:B0:6F
                    posttls-finger: Untrusted TLS connection established to mail.bsdbox.co[110.146.148.136]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
                    posttls-finger: > EHLO amnesiac.example
                    posttls-finger: < 250-mail.bsdbox.co
                    posttls-finger: < 250-PIPELINING
                    posttls-finger: < 250-SIZE 10240000
                    posttls-finger: < 250-VRFY
                    posttls-finger: < 250-ETRN
                    posttls-finger: < 250-AUTH PLAIN LOGIN
                    posttls-finger: < 250-AUTH=PLAIN LOGIN
                    posttls-finger: < 250-ENHANCEDSTATUSCODES
                    posttls-finger: < 250-8BITMIME
                    posttls-finger: < 250 DSN
                    posttls-finger: > QUIT
                    posttls-finger: < 221 2.0.0 Bye

                    It sure offers AUTH (PLAIN and LOGIN) to clients that use TLS.

                    On Wed, Dec 11, 2013 at 08:58:10PM +1100, Mark Jamsek wrote:

                    > Wait. I think I understand what you're saying: my ISP perhaps blocks
                    > my connections, so I need to use them as my $relayhost? Is it
                    > possible to work around this somehow? I would rather not relay my
                    > mail through my ISP.

                    Now you're beginning to see the light. No you can't bypass the
                    ISP filter. Either they are willing to turn the filter off for
                    you, or you need to relay through their submission service.

                    http://www.postfix.org/SOHO_README.html
                    http://www.postfix.org/SASL_README.html
                    http://www.postfix.org/OVERVIEW.html
                    http://www.postfix.org/BASIC_CONFIGURATION_README.html
                    http://www.postfix.org/DEBUG_README.html
                    http://www.postfix.org/QSHAPE_README.html

                    --
                    Viktor.
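The before/after-STARTTLS comparison Viktor shows above, as an added Python example that is not the thread's or Postfix's own code (the embedded EHLO responses are copied from the thread; the host name and `amnesiac.example` HELO name are the ones used there):

```python
"""Added example (not Postfix code): compare the EHLO capabilities a server
advertises before and after STARTTLS, as posttls-finger did in the thread."""
import smtplib
import ssl

# The two EHLO responses quoted in the thread, copied for offline use.
BEFORE_TLS = ["250-mail.bsdbox.co", "250-PIPELINING", "250-SIZE 10240000",
              "250-VRFY", "250-ETRN", "250-STARTTLS", "250-ENHANCEDSTATUSCODES",
              "250-8BITMIME", "250 DSN"]
AFTER_TLS = ["250-mail.bsdbox.co", "250-PIPELINING", "250-SIZE 10240000",
             "250-VRFY", "250-ETRN", "250-AUTH PLAIN LOGIN", "250-AUTH=PLAIN LOGIN",
             "250-ENHANCEDSTATUSCODES", "250-8BITMIME", "250 DSN"]

def parse_ehlo(lines):
    """Map EHLO keywords to parameters; '250-'/'250 ' prefixes are optional."""
    body = []
    for line in lines:
        line = line.strip()
        if line[:3] == "250" and line[3:4] in ("-", " "):
            line = line[4:]
        body.append(line)
    caps = {}
    for item in body[1:]:                 # body[0] is the server name, not a capability
        keyword, _, params = item.partition(" ")
        if keyword.upper().startswith("AUTH="):   # legacy 'AUTH=PLAIN LOGIN' form
            keyword, params = "AUTH", (keyword[5:] + " " + params).strip()
        caps.setdefault(keyword.upper(), params)
    return caps

def diagnose(before, after):
    """Classify the server's SASL policy from the two capability sets."""
    if "STARTTLS" not in before:
        return "no-starttls"
    if "AUTH" in before:
        return "auth-offered-in-clear"    # a plaintext client could send a password
    if "AUTH" in after:
        return "auth-only-after-tls"      # smtpd_tls_auth_only = yes, as in the thread
    return "no-auth"

def probe(host, port=25, helo="amnesiac.example", verify=True):
    """Live check: EHLO, STARTTLS, EHLO again. Self-signed certs fail with verify=True."""
    ctx = ssl.create_default_context()
    if not verify:                        # only for inspecting a self-signed server
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=15) as s:
        _, msg = s.ehlo(helo)             # smtplib already strips the '250-' prefixes
        before = parse_ehlo(msg.decode(errors="replace").splitlines())
        after = {}
        if "STARTTLS" in before:
            s.starttls(context=ctx)
            _, msg = s.ehlo(helo)         # capabilities must be re-read after TLS
            after = parse_ehlo(msg.decode(errors="replace").splitlines())
        return before, after, diagnose(before, after)
```

Run `probe("mail.bsdbox.co")` for the live check; `diagnose(parse_ehlo(BEFORE_TLS), parse_ehlo(AFTER_TLS))` reproduces the thread's verdict offline, and an "auth-offered-in-clear" result is the one worth fixing on a server you operate.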
                  • Mark Jamsek
                    Message 9 of 11 , Dec 11, 2013
                      On 11/12/2013 9:03 PM, Viktor Dukhovni wrote:
                      > On Wed, Dec 11, 2013 at 08:42:29PM +1100, Mark Jamsek wrote:
                      >
                      >>>> And, the glaringly obvious absence of SMTP auth mechanisms:
                      >>>>
                      >>>> 220 mail.bsdbox.co ESMTP Postfix
                      >>>> ehlo bsdbox.co
                      >>>> 250-mail.bsdbox.co
                      >>>> 250-STARTTLS
                      >>> Only when not using TLS.
                      >> I'm not sure I understand what you mean here. I am using TLS, and
                      >> there is no SMTP authentication.
                      > You're not "using" TLS in the above session. The server supports
                      > TLS, but "telnet host 25" does not *use* TLS. To really use TLS
                      > you need a client program that supports TLS. I use "posttls-finger"
                      > (because I wrote it to suit my needs). You could make some progress
                      > with "openssl s_client -starttls smtp -connect somehost:25", though
                      > the latter shows less SMTP oriented output, you don't have to
                      > compile it from source.
                      >
                      > $ posttls-finger "[mail.bsdbox.co]"
                      > posttls-finger: Connected to mail.bsdbox.co[110.146.148.136]:25
                      > posttls-finger: < 220 mail.bsdbox.co ESMTP Postfix
                      > posttls-finger: > EHLO amnesiac.example
                      > posttls-finger: < 250-mail.bsdbox.co
                      > posttls-finger: < 250-PIPELINING
                      > posttls-finger: < 250-SIZE 10240000
                      > posttls-finger: < 250-VRFY
                      > posttls-finger: < 250-ETRN
                      > posttls-finger: < 250-STARTTLS
                      > posttls-finger: < 250-ENHANCEDSTATUSCODES
                      > posttls-finger: < 250-8BITMIME
                      > posttls-finger: < 250 DSN
                      > posttls-finger: > STARTTLS
                      > posttls-finger: < 220 2.0.0 Ready to start TLS
                      > posttls-finger: mail.bsdbox.co[110.146.148.136]:25 Matched CommonName mail.bsdbox.co
                      > posttls-finger: certificate verification failed for mail.bsdbox.co[110.146.148.136]:25: self-signed certificate
                      > posttls-finger: mail.bsdbox.co[110.146.148.136]:25: subject_CN=mail.bsdbox.co, issuer_CN=mail.bsdbox.co, fingerprint=26:79:C0:78:CE:0E:DE:7C:83:6C:32:D4:4F:02:EF:72:51:2B:08:7A, pkey_fingerprint=80:B8:24:5B:EF:E4:B9:44:E9:EC:A6:40:0C:6A:6C:D7:9C:5E:B0:6F
                      > posttls-finger: Untrusted TLS connection established to mail.bsdbox.co[110.146.148.136]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
                      > posttls-finger: > EHLO amnesiac.example
                      > posttls-finger: < 250-mail.bsdbox.co
                      > posttls-finger: < 250-PIPELINING
                      > posttls-finger: < 250-SIZE 10240000
                      > posttls-finger: < 250-VRFY
                      > posttls-finger: < 250-ETRN
                      > posttls-finger: < 250-AUTH PLAIN LOGIN
                      > posttls-finger: < 250-AUTH=PLAIN LOGIN
                      > posttls-finger: < 250-ENHANCEDSTATUSCODES
                      > posttls-finger: < 250-8BITMIME
                      > posttls-finger: < 250 DSN
                      > posttls-finger: > QUIT
                      > posttls-finger: < 221 2.0.0 Bye
                      >
                      > It sure offers AUTH (PLAIN and LOGIN) to clients that use TLS.
                      >
                      > On Wed, Dec 11, 2013 at 08:58:10PM +1100, Mark Jamsek wrote:
                      >
                      >> Wait. I think I understand what you're saying: my ISP perhaps blocks
                      >> my connections, so I need to use them as my $relayhost? Is it
                      >> possible to work around this somehow? I would rather not relay my
                      >> mail through my ISP.
                      > Now you're beginning to see the light. No you can't bypass the
                      > ISP filter. Either they are willing to turn the filter off for
                      > you, or you need to relay through their submission service.
                      >
                      > http://www.postfix.org/SOHO_README.html
                      > http://www.postfix.org/SASL_README.html
                      > http://www.postfix.org/OVERVIEW.html
                      > http://www.postfix.org/BASIC_CONFIGURATION_README.html
                      > http://www.postfix.org/DEBUG_README.html
                      > http://www.postfix.org/QSHAPE_README.html
                      >
                      Thank you, sir! Using the $relayhost option to relay through my ISP has
                      worked! I can't believe I didn't at least try that already. And,
                      overlooking that I configured auth to only commence AFTER TLS, I
                      foolishly expected auth mechanisms to be apparent using telnet (25). And
                      thank you, again, for those links; I'll read them tonight and draft a
                      letter to my ISP to request disabling the filter. Running your own mail
                      server only to relay mail through a third party sort of defeats the
                      purpose of running your own mail server.

                      n.b. Please forgive my elementary requests for help -- I am really
                      really new to this. Thanks again, Viktor. Much appreciated, my friend.
                      While I have your ear, do you know if Postfix developers take bitcoin
                      donations? I'd love to contribute something to this great FOSS service.
                    • Simon B
                      Message 10 of 11 , Dec 11, 2013


                        On 11 Dec 2013 11:22, "Mark Jamsek" <markjamsek@...> wrote:
                        >
                        > On 11/12/2013 9:03 PM, Viktor Dukhovni wrote:
                        >>
                        >> On Wed, Dec 11, 2013 at 08:42:29PM +1100, Mark Jamsek wrote:
                        >>
                        >>>>> And, the glaringly obvious absence of SMTP auth mechanisms:
                        >>>>>
                        >>>>> 220 mail.bsdbox.co ESMTP Postfix
                        >>>>> ehlo bsdbox.co
                        >>>>> 250-mail.bsdbox.co
                        >>>>> 250-STARTTLS
                        >>>>
                        >>>> Only when not using TLS.
                        >>>
                        >>> I'm not sure I understand what you mean here. I am using TLS, and
                        >>> there is no SMTP authentication.
                        >>
                        >> You're not "using" TLS in the above session.  The server supports
                        >> TLS, but "telnet host 25" does not *use* TLS.  To really use TLS
                        >> you need a client program that supports TLS.  I use "posttls-finger"
                        >> (because I wrote it to suit my needs).  You could make some progress
                        >> with "openssl s_client -starttls smtp -connect somehost:25", though
                        >> the latter shows less SMTP oriented output, you don't have to
                        >> compile it from source.
                        >>
                        >>      $ posttls-finger "[mail.bsdbox.co]"
                        >>      posttls-finger: Connected to mail.bsdbox.co[110.146.148.136]:25
                        >>      posttls-finger: < 220 mail.bsdbox.co ESMTP Postfix
                        >>      posttls-finger: > EHLO amnesiac.example
                        >>      posttls-finger: < 250-mail.bsdbox.co
                        >>      posttls-finger: < 250-PIPELINING
                        >>      posttls-finger: < 250-SIZE 10240000
                        >>      posttls-finger: < 250-VRFY
                        >>      posttls-finger: < 250-ETRN
                        >>      posttls-finger: < 250-STARTTLS
                        >>      posttls-finger: < 250-ENHANCEDSTATUSCODES
                        >>      posttls-finger: < 250-8BITMIME
                        >>      posttls-finger: < 250 DSN
                        >>      posttls-finger: > STARTTLS
                        >>      posttls-finger: < 220 2.0.0 Ready to start TLS
                        >>      posttls-finger: mail.bsdbox.co[110.146.148.136]:25 Matched CommonName mail.bsdbox.co
                        >>      posttls-finger: certificate verification failed for mail.bsdbox.co[110.146.148.136]:25: self-signed certificate
                        >>      posttls-finger: mail.bsdbox.co[110.146.148.136]:25: subject_CN=mail.bsdbox.co, issuer_CN=mail.bsdbox.co, fingerprint=26:79:C0:78:CE:0E:DE:7C:83:6C:32:D4:4F:02:EF:72:51:2B:08:7A, pkey_fingerprint=80:B8:24:5B:EF:E4:B9:44:E9:EC:A6:40:0C:6A:6C:D7:9C:5E:B0:6F
                        >>      posttls-finger: Untrusted TLS connection established to mail.bsdbox.co[110.146.148.136]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
                        >>      posttls-finger: > EHLO amnesiac.example
                        >>      posttls-finger: < 250-mail.bsdbox.co
                        >>      posttls-finger: < 250-PIPELINING
                        >>      posttls-finger: < 250-SIZE 10240000
                        >>      posttls-finger: < 250-VRFY
                        >>      posttls-finger: < 250-ETRN
                        >>      posttls-finger: < 250-AUTH PLAIN LOGIN
                        >>      posttls-finger: < 250-AUTH=PLAIN LOGIN
                        >>      posttls-finger: < 250-ENHANCEDSTATUSCODES
                        >>      posttls-finger: < 250-8BITMIME
                        >>      posttls-finger: < 250 DSN
                        >>      posttls-finger: > QUIT
                        >>      posttls-finger: < 221 2.0.0 Bye
                        >>
                        >> It sure offers AUTH (PLAIN and LOGIN) to clients that use TLS.
                        >>
                        >> On Wed, Dec 11, 2013 at 08:58:10PM +1100, Mark Jamsek wrote:
                        >>
                        >>> Wait. I think I understand what you're saying: my ISP perhaps blocks
                        >>> my connections, so I need to use them as my $relayhost? Is it
                        >>> possible to work around this somehow? I would rather not relay my
                        >>> mail through my ISP.
                        >>
                        >> Now you're beginning to see the light.  No you can't bypass the
                        >> ISP filter.  Either they are willing to turn the filter off for
                        >> you, or you need to relay through their submission service.
                        >>
                        >>      http://www.postfix.org/SOHO_README.html
                        >>      http://www.postfix.org/SASL_README.html
                        >>      http://www.postfix.org/OVERVIEW.html
                        >>      http://www.postfix.org/BASIC_CONFIGURATION_README.html
                        >>      http://www.postfix.org/DEBUG_README.html
                        >>      http://www.postfix.org/QSHAPE_README.html
                        >>
                        > Thank you, sir! Using the $relayhost option to relay through my ISP has worked! I can't believe I didn't at least try that already. And, overlooking that I configured auth to only commence AFTER TLS, I foolishly expected auth mechanisms to be apparent using telnet (25). And thank you, again, for those links; I'll read them tonight and draft a letter to my ISP to request disabling the filter. Running your own mail server only to relay mail through a third party sort of defeats the purpose of running your own mail server.
                        >
                        > n.b. Please forgive my elementary requests for help -- I am really really new to this. Thanks again, Viktor. Much appreciated, my friend. While I have your ear, do you know if Postfix developers take bitcoin donations? I'd love to contribute something to this great FOSS service.

                        When you read the documentation you'll realise Viktor actually did develop some of postfix :)

                        Simon

                      • Viktor Dukhovni
                        Message 11 of 11 , Dec 11, 2013
                          On Wed, Dec 11, 2013 at 09:21:09PM +1100, Mark Jamsek wrote:

                          > n.b. Please forgive my elementary requests for help -- I am really
                          > really new to this. Thanks again, Viktor. Much appreciated, my
                          > friend. While I have your ear, do you know if Postfix developers
                          > take bitcoin donations? I'd love to contribute something to this
                          > great FOSS service.

                          My employer would likely frown on that. My Postfix contributions
                          are a hobby, not a business. Wietse accepts postcards:

                          https://github.com/vdukhovni/postfix

                          [ search for the word "postcard" in the README text. ]

                          --
                          Viktor.