postfix + tls
Bill Holt
william_holt at speakeasy.net
Wed Apr 14 17:44:45 EDT 2004
[root at mail root]# postconf -n
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
inet_interfaces = all
mail_owner = postfix
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
mydestination = mail.whde.com, mysql:/etc/postfix/mysql-mydestination.cf
mydomain = whde.com
myhostname = mail.$mydomain
mynetworks = 10.0.0.0/28, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
sample_directory = /etc/postfix
sender_canonical_maps = mysql:/etc/postfix/mysql-canonical.cf
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP ***billmail*** "Have a nice day...."
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 450
[root at mail root]#
> -----Original Message-----
> From: Bill Holt [mailto:william_holt at speakeasy.net]
> Sent: Wednesday, April 14, 2004 09:25 PM
> To: discuss at blu.org
> Subject: Re: postfix + tls
>
> miah is correct about port 25 and I am aware of 465; however, there are no resolving issues, the mail server worked fine before. Check these logs; if you want, I'll include main.cf next time...
> I'm getting 5 minutes here and there to research this...
> You'll notice at 10:44:28 all was dandy...
> -----------------------------------------------------------------------------
> /var/log/messages
>
> Apr 14 10:44:28 mail imapd[1666]: login: [10.0.0.2] whde0001 plain+TLS User logged in
> Apr 14 11:13:47 mail ctl_cyrusdb[1740]: checkpointing cyrus databases
> Apr 14 11:13:50 mail ctl_cyrusdb[1740]: done checkpointing cyrus databases
> Apr 14 11:36:43 mail saslauthd[3001]: START: saslauthd 2.1.10
> Apr 14 11:36:44 mail saslauthd[3006]: master PID is: 3006
> Apr 14 11:36:44 mail saslauthd[3006]: daemon started, listening on /var/run/saslauthd/mux
> Apr 14 11:39:22 mail imapd[3025]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
> Apr 14 11:39:43 mail imapd[3028]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits reused) no authentication
> Apr 14 11:43:48 mail ctl_cyrusdb[3074]: checkpointing cyrus databases
> Apr 14 11:43:48 mail ctl_cyrusdb[3074]: done checkpointing cyrus databases
> Apr 14 11:49:57 mail saslauthd[3006]: Caught signal 15. Cleaning up and terminating.
> Apr 14 11:49:57 mail imapd[3025]: size read failed
> Apr 14 11:49:57 mail imapd[3025]: Password verification failed
> Apr 14 11:49:57 mail imapd[3025]: badlogin: [10.0.0.2] plain [SASL(-1): generic failure: Password verification failed]
> Apr 14 11:49:57 mail imapd[3028]: size read failed
> Apr 14 11:49:57 mail imapd[3028]: Password verification failed
> Apr 14 11:49:57 mail imapd[3028]: badlogin: [10.0.0.2] plain [SASL(-1): generic failure: Password verification failed]
> Apr 14 11:50:00 mail imapd[3025]: cannot connect to saslauthd server: Connection refused
> Apr 14 11:50:00 mail imapd[3025]: badlogin: [10.0.0.2] plaintext whde0002 SASL(-1): generic failure: checkpass failed
> Apr 14 11:50:00 mail imapd[3028]: cannot connect to saslauthd server: Connection refused
> Apr 14 11:50:00 mail imapd[3028]: badlogin: [10.0.0.2] plaintext whde0002 SASL(-1): generic failure: checkpass failed
> Apr 14 11:50:02 mail saslauthd[3136]: START: saslauthd 2.1.10
> Apr 14 11:50:02 mail saslauthd[3141]: master PID is: 3141
> Apr 14 11:50:02 mail saslauthd[3141]: daemon started, listening on /var/run/saslauthd/mux
> Apr 14 11:50:03 mail imapd[3025]: badlogin: [10.0.0.2] plain [SASL(-1): generic failure: checkpass failed]
> Apr 14 11:50:03 mail imapd[3028]: badlogin: [10.0.0.2] plain [SASL(-1): generic failure: checkpass failed]
> Apr 14 11:52:23 mail imapd[3159]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
> Apr 14 11:54:01 mail imapd[3165]: starttls: TLSv1 with cipher AES256-SHA (256/256 bits new) no authentication
> Apr 14 12:13:47 mail ctl_cyrusdb[3226]: checkpointing cyrus databases
> Apr 14 12:13:48 mail ctl_cyrusdb[3226]: done checkpointing cyrus databases
> Apr 14 12:43:47 mail ctl_cyrusdb[3316]: checkpointing cyrus databases
> Apr 14 12:43:47 mail ctl_cyrusdb[3316]: done checkpointing cyrus databases
> Apr 14 13:13:47 mail ctl_cyrusdb[3407]: checkpointing cyrus databases
> Apr 14 13:13:47 mail ctl_cyrusdb[3407]: done checkpointing cyrus databases
> Apr 14 13:43:47 mail ctl_cyrusdb[3497]: checkpointing cyrus databases
> Apr 14 13:43:48 mail ctl_cyrusdb[3497]: done checkpointing cyrus databases
> Apr 14 14:13:47 mail ctl_cyrusdb[3588]: checkpointing cyrus databases
> Apr 14 14:13:47 mail ctl_cyrusdb[3588]: done checkpointing cyrus databases
> Apr 14 14:43:47 mail ctl_cyrusdb[3678]: checkpointing cyrus databases
> Apr 14 14:43:48 mail ctl_cyrusdb[3678]: done checkpointing cyrus databases
> Apr 14 15:13:47 mail ctl_cyrusdb[3769]: checkpointing cyrus databases
> Apr 14 15:13:47 mail ctl_cyrusdb[3769]: done checkpointing cyrus databases
> Apr 14 15:31:16 mail sshd(pam_unix)[3821]: session opened for user root by (uid=0)
>
> ---------------------------------------------------------------------------------
> /var/log/maillog
>
> Apr 14 17:23:28 mail postfix/pickup[4378]: fatal: unsupported dictionary type: mysql
> Apr 14 17:23:29 mail postfix/qmgr[4379]: fatal: unsupported dictionary type: mysql
> Apr 14 17:23:29 mail postfix/master[587]: warning: process /usr/libexec/postfix/pickup pid 4378 exit status 1
> Apr 14 17:23:29 mail postfix/master[587]: warning: /usr/libexec/postfix/pickup: bad command startup -- throttling
> Apr 14 17:23:30 mail postfix/master[587]: warning: process /usr/libexec/postfix/qmgr pid 4379 exit status 1
> Apr 14 17:23:30 mail postfix/master[587]: warning: /usr/libexec/postfix/qmgr: bad command startup -- throttling
> Apr 14 17:23:48 mail postfix/smtpd[4380]: fatal: unsupported dictionary type: mysql
> Apr 14 17:23:49 mail postfix/master[587]: warning: process /usr/libexec/postfix/smtpd pid 4380 exit status 1
> Apr 14 17:23:49 mail postfix/master[587]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
> [root at mail root]# ps -aux | grep master
> root 587 0.0 0.3 3012 480 ? S Apr13 0:00 [master]
> cyrus 611 0.0 0.2 3292 296 ? S Apr13 0:00 [master]
> root 4391 0.0 0.0 172 16 pts/1 R 17:25 0:00 grep master
> [root at mail root]#
> > -----Original Message-----
> > From: miah [mailto:jjohnson at sunrise-linux.com]
> > Sent: Wednesday, April 14, 2004 07:08 AM
> > To: discuss at blu.org
> > Subject: Re: postfix + tls
> >
> > SSL can operate over 25/tcp, but the user has to issue a STARTTLS command. I'm betting here that the host he's telnet'ing from isn't resolving and he's got postfix set up to not work with hosts that don't resolve, or some other issue that's not related to SSL/SASL. The only reason you need to run SMTP over SSL (as with 465/tcp) is for broken clients that don't issue a STARTTLS (like older versions of Outlook); these clients try to establish an SSL connection to the host and then issue SMTP commands.
> >
> > -miah
> >
> > On Wed, Apr 14, 2004 at 12:45:21PM -0400, Chris Devers wrote:
> > > On Wed, 14 Apr 2004, Bill Holt wrote:
> > >
> > > > Hello, I am using cyrus imap and postfix smtp, and all was well, then
> > > > I decided to add tls support, now when I test it (telnet localhost 25)
> > > > It connects but I cannot get a response to any commands, i.e. ehlo
> > > > localhost
> > >
> > > If you're now using SSL encrypted SMTP, are you still using the standard
> > > SMTP port 25? My copy of /etc/services suggests that SSMTP (SMTP over
> > > SSL) uses port 465, not 25. Have you tried that?
> > >
> > >
> > > --
> > > Chris Devers
> > _______________________________________________
> > Discuss mailing list
> > Discuss at blu.org
> > http://www.blu.org/mailman/listinfo/discuss
> >
>
>
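A check for the failure the maillog above shows, added here as an example and not code posted in the thread: every `type:` lookup table that main.cf references must be one of the types this Postfix build was compiled with, which `postconf -m` lists. When a type is missing, smtpd exits at startup with "unsupported dictionary type", master throttles it, and a telnet to port 25 connects but never gets a banner. The function names and both sample inputs below are constructed for the example; on a live system pass the real `postconf -n` and `postconf -m` output.

```shell
#!/bin/sh
# Added example (not code from the thread): report lookup-table types that
# main.cf references but that "postconf -m" does not list for this build.
# Live use:  unsupported_map_types "$(postconf -n)" "$(postconf -m)"

# Print the map types referenced in "postconf -n" output, one per line.
referenced_map_types() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        name=$(printf '%s' "${line%%=*}" | tr -d ' ')
        # dev:/dev/urandom is a random-source prefix, not a lookup table
        if [ "$name" = "tls_random_source" ]; then continue; fi
        # a value may list several tables separated by commas or spaces;
        # proxy:type:file is checked for its inner type (proxy is built in)
        printf '%s\n' "${line#*=}" | tr ', ' '\n\n' \
            | sed -n -e 's/^proxy://' -e 's/^\([a-z0-9_]*\):.*/\1/p'
    done | sort -u
}

# Print referenced types missing from "postconf -m" output; return 1 if any.
unsupported_map_types() {
    found=0
    for t in $(referenced_map_types "$1"); do
        if ! printf '%s\n' "$2" | grep -qx "$t"; then
            printf '%s\n' "$t"
            found=1
        fi
    done
    return $found
}

# Constructed inputs mirroring the thread: main.cf uses hash: and mysql: maps,
# but the (constructed) "postconf -m" list has no mysql entry.
SAMPLE_MAIN_CF='alias_maps = hash:/etc/aliases
mydestination = mail.example.com, mysql:/etc/postfix/mysql-mydestination.cf
sender_canonical_maps = proxy:mysql:/etc/postfix/mysql-canonical.cf
smtpd_recipient_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/access
tls_random_source = dev:/dev/urandom'
SAMPLE_POSTCONF_M='btree
cidr
hash
pcre
proxy
regexp
unix'

# prints "mysql", then the message
unsupported_map_types "$SAMPLE_MAIN_CF" "$SAMPLE_POSTCONF_M" \
    || echo "main.cf references map types this Postfix build cannot open"
```

The fix is either a Postfix build with MySQL support or replacing the mysql: tables with a type the build lists.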