Having a problem on a clean install of CentOS 5.4 with VMin loaded.
Followed the documentation in the documentation section, but it only seems to activate TLS on mail inbound to the server. It doesn't activate outbound STARTTLS. Verified that maillog shows no errors or warnings.
I did some Google searches and added these lines that were mentioned in the CentOS wiki:
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_tls_key_file = /etc/pki/tls/private/mail.domain.key
smtp_tls_cert_file = /etc/pki/tls/certs/mail.domain.crt
Still no resolution. The server still doesn't offer STARTTLS first before sending.
And you tested it with...
openssl s_client -starttls smtp -connect 127.0.0.1:25
When I issue the s_client connect command all goes properly, no errors. Certs pass properly.
If I am correct this would only test inbound connections. My problem is with outbound.
Outbound smtp is controlled by the receiving mail server -- if the receiving smtp server doesn't support it, it won't ask for it.
The only way to know is by looking at the headers or mail logs from the server that accepted the email.
I have two servers that I have tested with that I will require TLS for, but neither issues the STARTTLS command. One requires TLS to connect and fails with an error saying STARTTLS not sent and disconnects. The other receives mail but always goes non-TLS. That server receives TLS mail from other servers daily.
It should... you didn't break your config? Any errors in the mail.err?
The only errors in maillog are the ones I see for the server that required TLS:
"TLS required but not offered by server"
The TLS is not being offered. Check your config again.
Exact clip from maillog. This is the exact error: (host asdfasdf.com[*********] said: 530 Must issue STARTTLS (in reply to RCPT TO command))
Here are the main.cf additions:
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_tls_cert_file = /etc/pki/tls/certs/certname.crt
smtpd_tls_key_file = /etc/pki/tls/private/keyname.key
smtpd_tls_security_level = encrypt
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_tls_key_file = /etc/pki/tls/private/keyname.key
smtp_tls_cert_file = /etc/pki/tls/certs/certname.crt
I think you are missing:
smtpd_use_tls = yes
smtp_use_tls = yes
Those have been replaced with:
smtpd_tls_security_level = encrypt (encrypt = forced TLS)
smtp_tls_security_level = may (may = when available)
I added smtpd_tls_received_header = yes, sent a test message, and the errors show the same. It's almost like Postfix is never probing the second server to see what protocols can be used.
If inbound is testing ok then outbound will as well. There isn't any other answer to this.
Don't know then... Ask the Postfix people.
Thanks for your help.
Just found this and tested the instructions.... they worked for me.
http://wiki.redwall-firewall.com/index.php/Implementing_Upstream_SMTP_Au...
This is my TLS/SSL section and it works.... if yours doesn't then something is broken or the sending server is not sending the STARTTLS command.
smtpd_tls_cert_file=/etc/ssl/certs/roddenberry-cert.pem
smtpd_tls_key_file=/etc/ssl/private/roddenberry-key.pem
smtp_tls_CAfile = /etc/postfix/tls/Equifax.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_tls_session_cache_timeout = 3600s
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_security_options
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_cipherlist = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
smtp_tls_cipherlist = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
smtpd_tls_mandatory_ciphers = medium
tls_random_source = dev:/dev/urandom
smtp_tls_loglevel = 2
Hi bbranham,
As you're aware, you'll have to test against a server which you are certain (*) accepts, or requires, TLS.
Try setting your smtp client configuration smtp_tls_security_level from 'may' to 'encrypt' for debugging this.
Use smtp_tls_loglevel = 2
Use smtp_tls_note_starttls_offer = yes
Check your other smtp_tls_* parameters aren't inducing your trouble.
Maybe add the target server to your debug_peer_list and adjust debug_peer_level up as necessary in order to learn from your logfile.
Verify that your cert and key files exist, though the debug logs should disclose this for you:
postconf | egrep "smtpd?_tls_(cert|key)_file"
smtp_tls_cert_file = $smtpd_tls_cert_file
smtp_tls_key_file = $smtpd_tls_key_file
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
See the TLS_README file.
(*) If you need something to verify that your remote smtpd server uses or requires TLS, install and use the 'swaks' package/utility.
Be patient and alert :)
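An added example, not from this thread, of the check the swaks suggestion above performs, written in Python: EHLO the remote MX and see whether STARTTLS is advertised, then negotiate it, plus a classifier for the outbound TLS lines Postfix writes to maillog at smtp_tls_loglevel = 2. The hostnames, addresses and log lines are constructed; probe() needs network access to a real MX.

```python
import re
import smtplib
import ssl

# Constructed EHLO reply body (not from the thread): a server that advertises STARTTLS.
SAMPLE_EHLO = b"mx.example.test\nSIZE 10240000\nSTARTTLS\nENHANCEDSTATUSCODES\n8BITMIME"

# Constructed postfix/smtp lines in the format Postfix logs with smtp_tls_loglevel = 2.
SAMPLE_LOG = [
    "Jan  1 12:00:00 mail postfix/smtp[1234]: Untrusted TLS connection established to mx.example.test[192.0.2.10]:25: TLSv1 with cipher AES256-SHA (256/256 bits)",
    "Jan  1 12:00:01 mail postfix/smtp[1235]: 1A2B3C: TLS is required, but was not offered by host mx2.example.test[192.0.2.11]",
    "Jan  1 12:00:02 mail postfix/smtp[1236]: 1A2B3D: to=<u@example.test>, relay=mx3.example.test[192.0.2.12]:25, status=sent (250 Ok)",
]
def ehlo_extensions(reply):
    """Parse an EHLO reply body (bytes or str) into {KEYWORD: parameters}."""
    if isinstance(reply, bytes):
        reply = reply.decode("ascii", "replace")
    exts = {}
    for line in reply.splitlines()[1:]:  # first line is the server's greeting name
        parts = line.strip().split(None, 1)
        if parts:
            exts[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return exts

def starttls_offered(reply):
    """True when the remote server advertised STARTTLS in its EHLO reply."""
    return "STARTTLS" in ehlo_extensions(reply)

_TLS_PATTERNS = [
    ("not_offered", re.compile(r"TLS is required, but was not offered")),
    ("tls", re.compile(r"(Untrusted|Anonymous|Trusted|Verified) TLS connection established to")),
]

def classify_tls_log(line):
    """Return 'tls', 'not_offered' or 'plain' for one postfix/smtp log line."""
    for label, pattern in _TLS_PATTERNS:
        if pattern.search(line):
            return label
    return "plain"

def probe(host, port=25, timeout=10):
    """Live check of a remote MX: is STARTTLS advertised, and does the handshake succeed?"""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        offered = starttls_offered(s.ehlo()[1])
        if not offered:
            return offered, None
        ctx = ssl.create_default_context()
        ctx.check_hostname = False  # opportunistic TLS, as with smtp_tls_security_level = may
        ctx.verify_mode = ssl.CERT_NONE
        return offered, s.starttls(context=ctx)[0] == 220
```

Run the log classifier over /var/log/maillog to see, per delivery, whether the remote offered STARTTLS; probe(host) gives the same answer directly from the remote's EHLO reply.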
You'll want to make sure that the "submission" is enabled... you can do that by editing /etc/postfix/master.cf, and uncomment the lines relating to "submission". After enabling it, you'll need to restart Postfix.
If that doesn't work, what error are you receiving in Thunderbird when you attempt to connect? Also, what shows up in /var/log/maillog?
Lastly, if you enable SMTPS in the master.cf, are you able to connect on port 465?
-Eric