I have increasing problems with Postfix / SASL / TLS etc. since I upgraded my ISPConfig 3 server on Debian jessie. I guess the best way is to tackle one thing after the other by looking in the logs: First thing: I get SSL accept errors although I tried to remake my certificates according to this https://www.e-rave.nl/create-a-self-signed-ssl-key-for-postfix Code: Aug 10 06:30:21 eins postfix/smtps/smtpd[7207]: SSL_accept error from 66-220-144-146.outmail.facebook.com[66.220.144.146]: Connection timed out Aug 10 06:30:21 eins postfix/smtps/smtpd[7207]: lost connection after CONNECT from 66-220-144-146.outmail.facebook.com[66.220.144.146] Aug 10 06:30:21 eins postfix/smtps/smtpd[7207]: disconnect from 66-220-144-146.outmail.facebook.com[66.220.144.146] Aug 10 06:30:22 eins postfix/smtps/smtpd[7190]: connect from 66-220-144-157.outmail.facebook.com[66.220.144.157] Aug 10 06:30:24 eins postfix/smtps/smtpd[5517]: SSL_accept error from smtprelay04.ispgateway.de[80.67.31.42]: Connection timed out Aug 10 06:30:24 eins postfix/smtps/smtpd[5517]: lost connection after CONNECT from smtprelay04.ispgateway.de[80.67.31.42] Aug 10 06:30:24 eins postfix/smtps/smtpd[5517]: disconnect from smtprelay04.ispgateway.de[80.67.31.42] My main.cf: Code: # See /usr/share/postfix/main.cf.dist for a commented, more complete version # Debian specific: Specifying a file name will cause the first # line of that file to be used as the name. The Debian default # is /etc/mailname. #myorigin = /etc/mailname smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) biff = no # appending .domain is the MUA's job. 
append_dot_mydomain = no # Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h readme_directory = /usr/share/doc/postfix # TLS parameters smtpd_tls_cert_file = /etc/ssl/certs/eins.xxx.tld.crt smtpd_tls_key_file = /etc/ssl/private/eins.xxx.tld.key #smtpd_use_tls = yes mtpd_use_tls = no ssmtpd_tls_loglevel = 3 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for # information on enabling SSL in the smtp client. myhostname = eins.xxx.tld alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases myorigin = /etc/mailname mydestination = eins.xxx.tld, localhost, localhost.localdomain relayhost = mynetworks = 127.0.0.0/8 [::1]/128 mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all inet_protocols = ipv4 html_directory = /usr/share/doc/postfix/html virtual_alias_domains = virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf virtual_mailbox_base = /var/vmail virtual_uid_maps = static:5000 virtual_gid_maps = static:5000 smtpd_sasl_auth_enable = yes broken_sasl_auth_clients = yes smtpd_sasl_authenticated_header = yes # angepasst ande 20150805: smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf smtpd_tls_security_level = may transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf 
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf #smtpd_client_restrictions = permit_mynetworks, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf maildrop_destination_concurrency_limit = 1 maildrop_destination_recipient_limit = 1 virtual_transport = maildrop header_checks = regexp:/etc/postfix/header_checks mime_header_checks = regexp:/etc/postfix/mime_header_checks nested_header_checks = regexp:/etc/postfix/nested_header_checks body_checks = regexp:/etc/postfix/body_checks content_filter = amavis:[127.0.0.1]:10024 receive_override_options = no_address_mappings message_size_limit = 0 smtpd_client_message_rate_limit = 100 owner_request_special = no smtp_tls_security_level = may smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 smtpd_tls_protocols = !SSLv2,!SSLv3 smtp_tls_protocols = !SSLv2,!SSLv3 smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client ix.dnsbl.manitu.net, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination smtpd_tls_auth_only = no #smtp_use_tls = yes smtp_use_tls 
= no smtp_tls_note_starttls_offer = yes smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s tls_random_source = dev:/dev/urandom master.cf will follow in another post
master.cf: Because customers are wating, I tried to disable smtps but to no avail apparently. Code: # # Postfix master process configuration file. For details on the format # of the file, see the master(5) manual page (command: "man 5 master"). # # Do not forget to execute "postfix reload" after editing this file. # # ========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # =========================================================== smtp inet n - - - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject submission inet n - - - - smtpd -o syslog_name=postfix/submission war: encrypt: -o smtpd_tls_security_level=may -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING enabled 20110818 ande: #smtps inet n - - - - smtpd # -o syslog_name=postfix/smtps # -o smtpd_tls_wrappermode=yes # -o smtpd_sasl_auth_enable=yes # -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING #628 inet n - - - - qmqpd pickup fifo n - - 60 1 pickup cleanup unix n - - - 0 cleanup qmgr fifo n - n 300 1 qmgr #qmgr fifo n - - 300 1 oqmgr tlsmgr unix - - - 1000? 1 tlsmgr rewrite unix - - - - - trivial-rewrite bounce unix - - - - 0 bounce defer unix - - - - 0 bounce trace unix - - - - 0 bounce verify unix - - - - 1 verify flush unix n - - 1000? 
0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - - - - smtp # When relaying mail as backup MX, disable fallback_relay to avoid MX loops relay unix - - - - - smtp -o smtp_fallback_relay= # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 showq unix n - - - - showq error unix - - - - - error retry unix - - - - - error discard unix - - - - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - - - - lmtp anvil unix - - - - 1 anvil scache unix - - - - 1 scache # # ==================================================================== # Interfaces to non-Postfix software. Be sure to examine the manual # pages of the non-Postfix software to find out what options it wants. # # Many of the following services use the Postfix pipe(8) delivery # agent. See the pipe(8) man page for information about ${recipient} # and other message envelope options. # ==================================================================== # # maildrop. See the Postfix MAILDROP_README file for details. # Also specify in main.cf: maildrop_destination_recipient_limit=1 # maildrop unix - n n - - pipe flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender} # # ==================================================================== # # Recent Cyrus versions can use the existing "lmtp" master.cf entry. 
# # Specify in cyrus.conf: # lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 # # Specify in main.cf one or more of the following: # mailbox_transport = lmtp:inet:localhost # virtual_transport = lmtp:inet:localhost # # ==================================================================== # # Cyrus 2.1.5 (Amos Gouaux) # Also specify in main.cf: cyrus_destination_recipient_limit=1 # #cyrus unix - n n - - pipe # user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} # # ==================================================================== # Old example of delivery via Cyrus. # #old-cyrus unix - n n - - pipe # flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} # # ==================================================================== # # See the Postfix UUCP_README file for configuration details. # uucp unix - n n - - pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) # # Other external delivery methods. # ifmail unix - n n - - pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) bsmtp unix - n n - - pipe flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient scalemail-backend unix - n n - 2 pipe flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} mailman unix - n n - - pipe flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user} amavis unix - - - - 4 smtp -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes 127.0.0.1:10025 inet n - - - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -o strict_rfc821_envelopes=yes -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
Did you run an ispconfig update with "reconfigure services = yes" after you upgraded Debian? This is required to adjust the config files for the newly installed software versions.
Yes! However, when the apt update ran, I was not sure whether to reply "Y" or "N" - I answered "N" most of the time.. I am trying to work out when..
And regarding master.cf, are these lines really in that file? war: encrypt: enabled 20110818 ande: If yes, comment them out by adding a # in front, then restart postfix. Btw. If you need help via remote login, then you might want to contact Florian from ISPConfig Business support here: http://www.ispconfig.org/get-support/?type=ispconfig
I have continued to work on the config, now I get these logfiles Code: connect from mx-ca-106.xqueue.com[212.6.174.106] Aug 10 09:02:28 eins postfix/smtps/smtpd[2975]: setting up TLS connection from mx-ca-106.xqueue.com[212.6.174.106] Aug 10 09:02:28 eins postfix/smtps/smtpd[2975]: mx-ca-106.xqueue.com[212.6.174.106]: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH" Aug 10 09:02:28 eins postfix/smtps/smtpd[2975]: SSL_accept:before/accept initialization Aug 10 09:02:28 eins postfix/smtps/smtpd[2975]: read from 7F5AB1F2D660 [7F5AB1F3BE70] (11 bytes => -1 (0xFFFFFFFFFFFFFFFF)) Aug 10 09:02:29 eins postfix/smtps/smtpd[3322]: initializing the server-side TLS engine Aug 10 09:02:29 eins postfix/smtps/smtpd[3322]: connect from mail212.suw16.rsgsv.net[198.2.182.212] Aug 10 09:02:29 eins postfix/smtps/smtpd[3322]: setting up TLS connection from mail212.suw16.rsgsv.net[198.2.182.212] Aug 10 09:02:29 eins postfix/smtps/smtpd[3322]: mail212.suw16.rsgsv.net[198.2.182.212]: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH" Aug 10 09:02:29 eins postfix/smtps/smtpd[3322]: SSL_accept:before/accept initialization Aug 10 09:02:29 eins postfix/smtps/smtpd[3322]: read from 7F4DA9EA0630 [7F4DA9F21DA0] (11 bytes => -1 (0xFFFFFFFFFFFFFFFF)) Aug 10 09:02:31 eins pop3d-ssl: Unexpected SSL connection shutdown. 
Aug 10 09:02:35 eins postfix/smtps/smtpd[3239]: read from 7F7782300700 [7F778230DDA0] (11 bytes => 0 (0x0)) Aug 10 09:02:35 eins postfix/smtps/smtpd[3239]: SSL_accept error from rdp02.snthostings.com[62.210.188.27]: lost connection Aug 10 09:02:35 eins postfix/smtps/smtpd[3239]: lost connection after CONNECT from rdp02.snthostings.com[62.210.188.27] Aug 10 09:02:35 eins postfix/smtps/smtpd[3239]: disconnect from rdp02.snthostings.com[62.210.188.27] Aug 10 09:02:35 eins postfix/smtps/smtpd[3239]: connect from rdp02.snthostings.com[62.210.188.27] Aug 10 09:02:35 eins postfix/smtps/smtpd[3239]: setting up TLS connection from rdp02.snthostings.com[62.210.188.27] Aug 10 09:02:35 eins postfix/smtps/smtpd[3239]: rdp02.snthostings.com[62.210.188.27]: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH" Aug 10 09:02:35 eins postfix/smtps/smtpd[3239]: SSL_accept:before/accept initialization My postconf -n says: Code: alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases append_dot_mydomain = no biff = no body_checks = regexp:/etc/postfix/body_checks broken_sasl_auth_clients = yes config_directory = /etc/postfix content_filter = amavis:[127.0.0.1]:10024 header_checks = regexp:/etc/postfix/header_checks html_directory = /usr/share/doc/postfix/html inet_interfaces = all inet_protocols = ipv4 mailbox_size_limit = 0 maildrop_destination_concurrency_limit = 1 maildrop_destination_recipient_limit = 1 message_size_limit = 0 mime_header_checks = regexp:/etc/postfix/mime_header_checks mydestination = eins.dellekom.net, localhost, localhost.localdomain myhostname = eins.dellekom.net mynetworks = 127.0.0.0/8 [::1]/128 myorigin = /etc/mailname nested_header_checks = regexp:/etc/postfix/nested_header_checks owner_request_special = no proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains 
$relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks readme_directory = /usr/share/doc/postfix receive_override_options = no_address_mappings recipient_delimiter = + relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf relayhost = smtp_tls_note_starttls_offer = yes smtp_tls_protocols = !SSLv2,!SSLv3 smtp_tls_security_level = may smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtp_use_tls = no smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) smtpd_client_message_rate_limit = 100 smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client ix.dnsbl.manitu.net, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = yes smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem smtpd_tls_auth_only = no smtpd_tls_cert_file = /etc/ssl/certs/eins.dellekom.net.crt smtpd_tls_key_file = /etc/ssl/private/eins.dellekom.net.key smtpd_tls_loglevel = 3 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 
smtpd_tls_protocols = !SSLv2,!SSLv3 smtpd_tls_received_header = yes smtpd_tls_security_level = may smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_tls_session_cache_timeout = 3600s smtpd_use_tls = no tls_random_source = dev:/dev/urandom transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf virtual_alias_domains = virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf virtual_gid_maps = static:5000 virtual_mailbox_base = /var/vmail virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf virtual_transport = maildrop virtual_uid_maps = static:5000
Next, I tested port 465: Code: root@eins ~ # openssl s_client -connect eins.xxx.tld:465 CONNECTED(00000003) depth=0 C = DE, ST = BW, L = XXX, O = XXX, CN = eins.xxx.tld, emailAddress = [email protected] verify error:num=18:self signed certificate verify return:1 depth=0 C = DE, ST = BW, L = XXX, O = XXX, CN = ens.xxx.tld, emailAddress = [email protected] verify return:1 --- Certificate chain 0 s:/C=DE/ST=BW/L=XXX/O=XXX/CN=eins.xxx.tld/[email protected] i:/C=DE/ST=BW/L=XXX/O=XXX/CN=eins.xxx.tld/[email protected] --- Server certificate -----BEGIN CERTIFICATE----- MIIDvjCCAqYCCQCbzJLWg+lb2zANBgkqhkiG9w0BAQsFADCBoDELMAkGA1UEBhMC REUxCzAJBgNVBAgMAkJXMR0wGwYDVQQHDBRGcmVpYnVyZyBpbSBCcmVpc2dhdTEi MCAGA1UECgwZRGVsbGVrb20gQW5kcmVhcyBEZWxsZXNrZTEZMBcGA1UEAwwQZW5z LmRlbGxla29tLm5ldDEmMCQGCSqGSIb3DQEJARYXcG9zdG1hc3RlckBkZWxsZWtv bS5uZXQwHhcNMTYwODEwMDI1MjIxWhcNMjEwODA5MDI1MjIxWjCBoDELMAkGA1UE BhMCREUxCzAJBgNVBAgMAkJXMR0wGwYDVQQHDBRGcmVpYnVyZyBpbSBCcmVpc2dh dTEiMCAGA1UECgwZRGVsbGVrb20gQW5kcmVhcyBEZWxsZXNrZTEZMBcGA1UEAwwQ ZW5zLmRlbGxla29tLm5ldDEmMCQGCSqGSIb3DQEJARYXcG9zdG1hc3RlckBkZWxs ZWtvbS5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD+EsfOhaRU KfgadhKn2gOf7XDaExWB1JMljhNZqrqefmMkuQHr2+j08TebXp1Ea+BPU47X8pBm DjJZb58jr12y8VN9H6kYvl+tR/NJNheTbZKSUNq+C2hpspU2uXOZtlDQTUWKokg+ f6/c6zRFQq75BKnnhJO/3QzOAembabprKbM0+K8dRIffb+K3yFSb10cOYadax+Xn uCiC8y233/XRunqr1UOyQe3yTmSYixuR9bDZ25pEz/bzuOqu70fW98Sr35MLRW2L cKTBSvwNw5WNfAiuCdW3ugW5SwpO8LTNwkYsJWeVuvNsptBhzpSnTx+nPu3eA9kh bYcus7B9VEIFAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIOajs/cildkT8l5Gfel PQe/zbHD9yHtoZAcDis+8OIKrNmUbLBXDZXr89qVFl+MwVGcRHgPOxAx1VnM0VxE aSb3x6stOppWsUwgfNU1MLpOl3f2oNdEmjmFbnm3X1jUhVxLAU8Vd69xsdTs0bpe 3F7YbSS/G1hvgfUYwdtO9G0BcuKvoMVFey3VtzpGgcz9/2Z7oeCn7WhmnpRlMxYR JN0FC38KMr0UYsz1Yi6MLh+vtBiyhSVh4p5WBI8Pwa+rzvFF/wT3wc6gw1L/wmYV kSZ8h1eeZnVWcceKh1g42OivQcmv/uWdlIOZt67rwe4gZnz2m14D6phXlQNpBq4z YnU= -----END CERTIFICATE----- subject=/C=DE/ST=BW/L=XXX/O=XXX/CN=eins.dellekom.net/[email protected] 
issuer=/C=DE/ST=BW/L=XXX/O=XXX/CN=eins.xxx.tld/[email protected] --- No client certificate CA names sent --- SSL handshake has read 1621 bytes and written 415 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 8565B461D2C919750DE4341F09B95534AD56C19F61CB9BA8A02F23F504BFC952 Session-ID-ctx: Master-Key: 945323190C6F9917C7977A552765A6D721EC07F6F20569B0D3BA725A01866A63FE98E7B5A3C7D3CD6319C6F338591CD4 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 7200 (seconds) TLS session ticket: 0000 - 02 0d 51 56 27 88 53 fb-07 1a 9e 99 c7 2d 64 e2 ..QV'.S......-d. 0010 - af 79 39 ad 64 0b 1d ee-9f cc 65 c1 1d b5 78 61 .y9.d.....e...xa 0020 - 55 d0 e2 f6 79 a7 6e ce-2d f9 ea d5 43 d8 95 f7 U...y.n.-...C... 0030 - b9 69 cd 11 42 c8 e5 50-4d 85 f8 64 4a dd 55 73 .i..B..PM..dJ.Us 0040 - 1e 3d e1 5d f9 42 ef cd-b5 32 5e b1 12 df 9b 2a .=.].B...2^....* 0050 - 51 2d 46 93 e7 c7 ff 70-fa fd 72 e1 f6 ed 16 bd Q-F....p..r..... 0060 - 41 86 4b e3 00 bf 12 cf-d7 67 97 07 69 01 f1 76 A.K......g..i..v 0070 - 06 0b 30 6f aa 7b 87 a5-c4 43 34 2c e0 9e 85 f6 ..0o.{...C4,.... 0080 - 3b f3 f9 53 b8 7b 27 44-03 77 e9 40 42 cb 17 7f ;..S.{'D.w.@B... 0090 - 2f 97 5f 21 d2 9d 8a c3-d8 57 4b b9 fd 41 a1 26 /._!.....WK..A.& Start Time: 1470812671 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) --- 220 eins.xxx.tld ESMTP Postfix (Debian/GNU)
Dear Till, yes thanks I discovered the typos in my master.cf / main.cf and removed them. I did what you suggested: Code: root@eins /etc/ssl # postfix check root@eins /etc/ssl # postfix upgrade-configuration Editing /etc/postfix/master.cf, adding missing entry for postscreen TCP service Editing /etc/postfix/master.cf, adding missing entry for smtpd unix-domain service Editing /etc/postfix/master.cf, adding missing entry for dnsblog unix-domain service Editing /etc/postfix/master.cf, adding missing entry for tlsproxy unix-domain service Note: the following files or directories still exist but are no longer part of Postfix: /etc/postfix/postfix-files /etc/postfix/postfix-script /etc/postfix/post-install /usr/share/doc/postfix/QMQP_README This is the end when checking the dialog on port 465: Code: Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 5DE45F99EC7CD616FD3DC8AE9E526F76152F34B81A6C5F44611B0B8AA9EC4255 Session-ID-ctx: Master-Key: 476945A63DFAC83E28B8EFF3656589CB208E1279B8174B1E7D6DE0F37DA74EBA0BE60348A89BE58DDA66DCF7E18D70F8 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 7200 (seconds) TLS session ticket: 0000 - b6 eb a9 21 18 ea d0 51-b3 3e 6a a8 4d c9 ec 83 ...!...Q.>j.M... 0010 - ff d8 d9 55 50 bb 14 8f-fb ad 6a b3 93 97 91 a6 ...UP.....j..... 0020 - f8 f8 31 c7 bc 5f e7 db-27 8d 60 a6 1f a8 96 8a ..1.._..'.`..... 0030 - d0 58 22 e7 cd 67 f7 98-88 51 95 09 e0 e5 d1 e6 .X"..g...Q...... 0040 - 81 72 b3 f8 f1 ce b8 8f-6b d1 5b 4f a3 34 89 b2 .r......k.[O.4.. 0050 - 55 14 a1 f0 34 3f 12 3a-ae a1 88 e5 b5 4f 22 3d U...4?.:.....O"= 0060 - d3 71 1a ba a1 43 ef 3e-b1 97 ba 3a 5f 41 d0 e4 .q...C.>...:_A.. 0070 - 6e f5 ab b1 c6 a1 97 7d-2a 9a a3 54 81 0f 9b 29 n......}*..T...) 0080 - 93 d2 15 df 8a 15 bd 72-a1 1d 15 77 73 6e 24 93 .......r...wsn$. 
0090 - da f2 47 c7 c0 ce 89 18-97 4d 49 fb 42 fd 80 49 ..G......MI.B..I Start Time: 1470813847 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) --- 220 eins.dellekom.net ESMTP Postfix (Debian/GNU) quit 221 2.0.0 Bye closed
While comparing with a fresh installation of ISPConfig 3 on Debian jessie, I discovered that you install dovecot - which I don't have. However, reading mail seems to work fine. Just as a remark. BTW I will buy professional support, if you haven't seen that already.
When trying to deliver mail from a Thunderbird client via port 587, I seem to get the right certificate (valid until 2021) but Postfix log shows this: Code: Aug 10 09:44:44 eins postfix/submission/smtpd[5590]: disconnect from HSI-KBW-134-3-103-43.hsi14.kabel-badenwuerttemberg.de[134.3.103.43] Aug 10 09:45:15 eins postfix/submission/smtpd[5590]: connect from HSI-KBW-134-3-103-43.hsi14.kabel-badenwuerttemberg.de[134.3.103.43] Aug 10 09:45:16 eins postfix/submission/smtpd[5590]: setting up TLS connection from HSI-KBW-134-3-103-43.hsi14.kabel-badenwuerttemberg.de[134.3.103.43] Aug 10 09:45:16 eins postfix/submission/smtpd[5590]: HSI-KBW-134-3-103-43.hsi14.kabel-badenwuerttemberg.de[134.3.103.43]: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH" Aug 10 09:45:16 eins postfix/submission/smtpd[5590]: hsi-kbw-134-3-103-43.hsi14.kabel-badenwuerttemberg.de[134.3.103.43]: Issuing session ticket, key expiration: 1470815646 Aug 10 09:45:16 eins postfix/submission/smtpd[5590]: Anonymous TLS connection established from hsi-kbw-134-3-103-43.hsi14.kabel-badenwuerttemberg.de[134.3.103.43]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits) Aug 10 09:45:16 eins postfix/submission/smtpd[5590]: lost connection after STARTTLS from HSI-KBW-134-3-103-43.hsi14.kabel-badenwuerttemberg.de[134.3.103.43] Aug 10 09:45:16 eins postfix/submission/smtpd[5590]: disconnect from HSI-KBW-134-3-103-43.hsi14.kabel-badenwuerttemberg.de[134.3.103.43] I think as a first step I would like to turn off encryption for SMTP so the pending mails for my customers can flow in..
The issue could be solved with the help of www.schaal-24.de [edited] This seem to be the right settings for smtp: main.cf: Code: smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) smtpd_client_message_rate_limit = 100 smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net, reject_rbl_client ix.dnsbl.manitu.net, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = yes smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf smtpd_tls_cert_file = /etc/postfix/smtpd.cert smtpd_tls_key_file = /etc/postfix/smtpd.key smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 smtpd_tls_protocols = !SSLv2,!SSLv3 smtpd_tls_security_level = may smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_use_tls = yes smtp_tls_protocols = !SSLv2,!SSLv3 smtp_tls_security_level = may #smtp_tls_security_level = may smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache tls_random_source = dev:/dev/urandom master.cf without comments: Code: smtp inet n - - - - smtpd -o syslog_name=postfix/smtp submission inet n - - - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject smtps inet n - - - - smtpd -o 
syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject pickup fifo n - - 60 1 pickup cleanup unix n - - - 0 cleanup qmgr fifo n - n 300 1 qmgr tlsmgr unix - - - 1000? 1 tlsmgr rewrite unix - - - - - trivial-rewrite bounce unix - - - - 0 bounce defer unix - - - - 0 bounce trace unix - - - - 0 bounce verify unix - - - - 1 verify flush unix n - - 1000? 0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - - - - smtp relay unix - - - - - smtp -o smtp_fallback_relay= showq unix n - - - - showq error unix - - - - - error retry unix - - - - - error discard unix - - - - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - - - - lmtp anvil unix - - - - 1 anvil scache unix - - - - 1 scache maildrop unix - n n - - pipe flags=DRhu user=vmail argv=/usr/bin/maildrop -d vmail ${extension} ${recipient} ${user} ${nexthop} ${sender} uucp unix - n n - - pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) ifmail unix - n n - - pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) bsmtp unix - n n - - pipe flags=Fq. 
user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient scalemail-backend unix - n n - 2 pipe flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} mailman unix - n n - - pipe flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user} amavis unix - - - - 4 smtp -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes 127.0.0.1:10025 inet n - - - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -o strict_rfc821_envelopes=yes -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks