Postfix TLS

19 posts / 0 new
Last post
#1 Thu, 12/24/2009 - 23:53

Postfix TLS

Having a problem on a clean install of Centos 5.4 with VMin loaded

Followed Documentation in the documentation section but only seems to activate the TLS on mail inbound to the server. Doesnt activate outbound STARTTLS. Verified that maillog shows no errors or warnings

I did some google searches and added these lines that were mentioned in the centos wiki: smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_tls_key_file = /etc/pki/tls/private/mail.domain.key
smtp_tls_cert_file = /etc/pki/tls/certs/mail.domain.crt

still to no resolve The server still doesnt offer STARTTLS first before sending.

Sat, 01/16/2010 - 06:37

And you tested it with...

openssl s_client -starttls smtp -connect

Sat, 01/16/2010 - 22:28 (Reply to #2)

when i issue the s_client connect command all goes properly no errors. Certs pass properly.

If I am correct this would only test inbound connections. My problem is with outbound.

Sat, 01/16/2010 - 22:32

Outbound stmp is controlled by the receiving mail server -- if the receiving smtp server doesnt support it it wont ask for it.

The only way to know is by looking at the headers or mail logs from the server that accepted the email.

Sat, 01/16/2010 - 22:41 (Reply to #4)

I have two servers that I have tested with that I will require TLS for but neither issue STARTTLS command. One requires TLS to connect and fails with an error saying STARTTLS not sent and disconnects. Other recieves mail but always goes non TLS. That server recieves TLS mail from other servers daily.

Sat, 01/16/2010 - 22:48 (Reply to #5)

It should... you didn't break your config ? Any errors in the mail.err ?

Sat, 01/16/2010 - 23:18 (Reply to #6)

Only errors in maillog are the ones i see for the server that required TLS

"TLS required but not offered by server"

Sat, 01/16/2010 - 23:50 (Reply to #7)

The TLS is not being offered. Check your config again.

Sun, 01/17/2010 - 00:21 (Reply to #8)

exact clip from maillog

duplicate post

Sun, 01/17/2010 - 00:20 (Reply to #9)

this is the exact error (host[*********] said: 530 Must issue STARTTLS (in reply to RCPT TO command))

here are the additions

smtpd_sasl_auth_enable = yes broken_sasl_auth_clients = yes smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination smtpd_tls_cert_file = /etc/pki/tls/certs/certname.crt smtpd_tls_key_file = /etc/pki/tls/private/keyname.key smtpd_tls_security_level = encrypt smtp_tls_security_level = may smtp_tls_note_starttls_offer = yes smtp_tls_key_file = /etc/pki/tls/private/keyname.key smtp_tls_cert_file = /etc/pki/tls/certs/certname.crt

Sun, 01/17/2010 - 02:15 (Reply to #10)

I think you are missing:

smtpd_use_tls = yes
smtpd_tls_received_header = yes
Sun, 01/17/2010 - 10:59 (Reply to #11)

smtpd_use_tls = yes and smtp_use_tls = yes
have been replaced with smtpd_tls_security_level = encrypt (encrypt = forced tls) smtp_tls_security_level = may (may = when available)

I added the smtpd_tls_received_header = yes

sent a test message and errors show the same. Its almost like postfix is never probing the second server to see what protocols can be used.

Sat, 01/16/2010 - 22:33

If inbound is testing ok then outbound will as well. There isn't any other answer to this.

Sun, 01/17/2010 - 14:20

Don't know then.. Ask the postfix people.

Sun, 01/17/2010 - 14:22 (Reply to #14)

thanks for your help

Thu, 01/21/2010 - 00:41

Just found this and tested the instructions.... they worked for me.

Thu, 01/21/2010 - 02:05

This is my TLS/SSL section and it works.... if yours doesn't then something is broken or the sending server is not sending the STARTTLS command.

smtp_tls_CAfile = /etc/postfix/tls/Equifax.pem
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_tls_session_cache_timeout = 3600s
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_security_options
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_cipherlist = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
smtp_tls_cipherlist = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
smtpd_tls_mandatory_ciphers = medium
tls_random_source = dev:/dev/urandom
smtp_tls_loglevel = 2

Sun, 01/24/2010 - 20:30

Hi bbranham,

As you're aware, you'll have to test against a server which you are certain(*) accepts, or requires, TLS.

Try setting your smtp client configuration smtp_tls_security_level from 'may' to 'encrypt' for debugging this.

Use smtp_tls_loglevel = 2 Use smtp_tls_note_starttls_offer = yes

Check your other smtp_tls_* parameters aren't inducing your trouble.

Maybe add the target server to your debug_peer_list and adjust debug_peer_level up as necessary in order to learn from your logfile.

Verify that your cert and key files exist, though the debug logs should disclose this for you. postconf |egrep "smtpdtls(cert|key).file"
smtp_tls_cert_file = $smtpd_tls_cert_file smtp_tls_key_file = $smtpd_tls_key_file smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key

See the TLS_README file

(*)if you need something to verify that your remote smtpd server uses or requires TLS, install and use the 'swaks' package|utility.

Be patient and alert :)

Mon, 05/10/2010 - 20:17

You'll want to make sure that the "submission" is enabled... you can do that by editing /etc/postfix/, and uncomment the lines relating to "submission". After enabling it, you'll need to restart Postfix.

If that doesn't work, what error are you receiving in Thunderbird when you attempt to connect? Also, what shows up in /var/log/maillog?

Lastly, if you enable SMTPS in the, are you able to connect on port 465?


Topic locked