Hi, I used the following tutorials for installing a Postfix mail server with TLS and spam prevention on Etch:

Falko's Perfect Setup
How To Block Spam Before It Enters The Server (Postfix)
How To Implement SPF In Postfix
How To Fight Spam Using Your Postfix Configuration

I used CACert.org as the authority for my certificates, so this is my current configuration:

Code:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
disable_vrfy_command = yes
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
mailbox_command =
mailbox_size_limit = 0
mydestination = /etc/postfix/local-host-names
myhostname = mail.example.com
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
recipient_delimiter = +
relayhost =
smtpd_tls_cert_file = /etc/postfix/ssl/cacert.org/server.crt
smtpd_tls_key_file = /etc/postfix/ssl/cacert.org/server.key
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_cert_file = /etc/postfix/ssl/cacert.org/server.crt
smtp_tls_key_file = /etc/postfix/ssl/cacert.org/server.key
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_use_tls = yes
smtp_tls_loglevel = 2
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, regexp:/etc/postfix/helo.regexp, permit
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, reject_unauth_destination, reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client ix.dnsbl.manitu.net, check_policy_service unix:private/policy, check_policy_service inet:127.0.0.1:60000, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
strict_rfc821_envelopes = yes
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554

Now I get the following connection error if I use "TLS" or "TLS if possible" in Thunderbird:

Code:
Jul 23 13:18:02 hXXXXXX postfix/smtpd[7885]: connect from dslb-XXX.pools.arcor-ip.net[XXX.XXX.XXX.XXX]
Jul 23 13:18:02 hXXXXXX postfix/smtpd[7885]: setting up TLS connection from dslb-XXX.pools.arcor-ip.net[XXX.XXX.XXX.XXX]
Jul 23 13:18:33 hXXXXXX postfix/smtpd[7885]: SSL_accept error from dslb-XXX.pools.arcor-ip.net[XXX.XXX.XXX.XXX]: -1
Jul 23 13:18:33 hXXXXXX postfix/smtpd[7885]: lost connection after STARTTLS from dslb-XXX.pools.arcor-ip.net[XXX.XXX.XXX.XXX]

If I use SSL over port 465 in Thunderbird it works without any problems and Postfix seems to establish a TLS connection:

Code:
Jul 23 13:32:40 hXXXXXX postfix/smtpd[8281]: connect from dslb-XXX.pools.arcor-ip.net[XXX.XXX.XXX.XXX]
Jul 23 13:32:40 hXXXXXX postfix/smtpd[8281]: setting up TLS connection from dslb-XXX.pools.arcor-ip.net[XXX.XXX.XXX.XXX]
Jul 23 13:32:57 hXXXXXX postfix/smtpd[8281]: TLS connection established from dslb-XXX.pools.arcor-ip.net[XXX.XXX.XXX.XXX]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jul 23 13:33:01 hXXXXXX postfix/smtpd[8281]: CA0611B4152: client=dslb-XXX.pools.arcor-ip.net[XXX.XXX.XXX.XXX], sasl_method=PLAIN, sasl_username=web2
Jul 23 13:33:01 hXXXXXX postfix/cleanup[8286]: CA0611B4152: message-id=<[email protected]>

Postfix is also listening on both ports (25 and 465), so this doesn't seem to be the problem:

Code:
tcp   0 0 *:smtp   *:* LISTEN 32626/master
tcp6  0 0 *:imaps  *:* LISTEN 5121/couriertcpd
tcp6  0 0 *:pop3s  *:* LISTEN 5102/couriertcpd
tcp6  0 0 *:pop3   *:* LISTEN 955/couriertcpd
tcp6  0 0 *:imap2  *:* LISTEN 933/couriertcpd
tcp6  0 0 *:ssmtp  *:* LISTEN 32626/master
tcp6  0 0 *:smtp   *:* LISTEN 32626/master

And a test of the certificates also works, as far as I can see:

Code:
openssl s_client -showcerts -cert /etc/postfix/ssl/cacert.org/server.crt -key /etc/postfix/ssl/cacert.org/server.key -starttls smtp -CAfile /etc/postfix/ssl/ca-certificates.crt -connect mail.example.com:25

Code:
CONNECTED(00000003)
depth=1 /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/[email protected]
verify return:1
depth=0 /CN=mail.example.com
verify return:1
---
Certificate chain
 0 s:/CN=mail.example.com
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/[email protected]
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=mail.example.com
issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/[email protected]
---
No client certificate CA names sent
---
SSL handshake has read 3623 bytes and written 326 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: DD1EEB0D5A7DA044323DC7EFD2DE3A3C011CDC87B27170B299F42CE58977C426
    Session-ID-ctx:
    Master-Key: 5D9D544852CC74103C2EAD880F1B7E2ABBDCAB3633BE75940F32A6EE13DEE070C08B09E8B2F32C50CD4366010741A0CC
    Key-Arg   : None
    Start Time: 1185190942
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
220 mail.example.com ESMTP Postfix (Debian/GNU)

I'm sure there are some TLS/SSL/Postfix experts around here, so can anybody tell me what to do in order to make TLS work over port 25 without SSL? Thanks for your help!
Hi Falko, thanks for your reply. It's only Postfix which is making problems. If I log into POP3 or over TLS it works, as you can see below.

Code:
Jul 25 10:05:35 hXXXXXX courierpop3login: Connection, ip=[::ffff:XXX.XXX.XXX.XXX]
Jul 25 10:05:39 hXXXXXX courierpop3login: LOGIN, user=web1, ip=[::ffff:XXX.XXX.XXX.XXX]
Jul 25 10:05:49 hXXXXXX courierpop3login: LOGOUT, user=web1, ip=[::ffff:XXX.XXX.XXX.XXX], top=0, retr=574131, rcvd=609, sent=587893, time=10, stls=1

I use a CACert.org certificate for Postfix/Courier with the CN mail.example.com, so I also use this hostname as the POP3/IMAP/SMTP server in Thunderbird. If I tell Thunderbird to use SSL over port 465 for SMTP I also get SSL_accept:error, but I can send messages without any problems:

Code:
Jul 25 10:13:27 hXXXXXX postfix/smtpd[18355]: initializing the server-side TLS engine
Jul 25 10:13:27 hXXXXXX postfix/smtpd[18355]: connect from dslb.pools.arcor-ip.net[XXX.XXX.XXX.XXX]
Jul 25 10:13:27 hXXXXXX postfix/smtpd[18355]: setting up TLS connection from dslb.pools.arcor-ip.net[XXX.XXX.XXX.XXX]
Jul 25 10:13:27 hXXXXXX postfix/smtpd[18355]: SSL_accept:before/accept initialization
Jul 25 10:13:27 hXXXXXX postfix/smtpd[18355]: SSL_accept:error in SSLv2/v3 read client hello A
Jul 25 10:13:27 hXXXXXX postfix/smtpd[18355]: SSL_accept:error in SSLv3 read client hello B
Jul 25 10:13:27 hXXXXXX postfix/smtpd[18355]: SSL_accept:error in SSLv3 read client hello B
Jul 25 10:13:27 hXXXXXX postfix/smtpd[18355]: SSL_accept:SSLv3 read client hello B
Jul 25 10:13:27 hXXXXXX postfix/smtpd[18355]: SSL_accept:SSLv3 write server hello A
Jul 25 10:13:27 hXXXXXX postfix/smtpd[18355]: SSL_accept:SSLv3 write certificate A
Jul 25 10:13:27 hXXXXXX postfix/smtpd[18355]: SSL_accept:SSLv3 write key exchange A
Jul 25 10:13:27 hXXXXXX postfix/smtpd[18355]: SSL_accept:SSLv3 write server done A
Jul 25 10:13:27 hXXXXXX postfix/smtpd[18355]: SSL_accept:SSLv3 flush data
Jul 25 10:13:27 hXXXXXX postfix/smtpd[18355]: SSL_accept:error in SSLv3 read client certificate A
Jul 25 10:13:32 hXXXXXX postfix/smtpd[18355]: SSL_accept:error in SSLv3 read client certificate A
Jul 25 10:13:32 hXXXXXX postfix/smtpd[18355]: SSL_accept:SSLv3 read client key exchange A
Jul 25 10:13:32 hXXXXXX postfix/smtpd[18355]: SSL_accept:error in SSLv3 read certificate verify A
Jul 25 10:13:32 hXXXXXX last message repeated 3 times
Jul 25 10:13:32 hXXXXXX postfix/smtpd[18355]: SSL_accept:SSLv3 read finished A
Jul 25 10:13:32 hXXXXXX postfix/smtpd[18355]: SSL_accept:SSLv3 write change cipher spec A
Jul 25 10:13:32 hXXXXXX postfix/smtpd[18355]: SSL_accept:SSLv3 write finished A
Jul 25 10:13:32 hXXXXXX postfix/smtpd[18355]: SSL_accept:SSLv3 flush data
Jul 25 10:13:32 hXXXXXX postfix/smtpd[18355]: save session A3FD667668303AE494671603A75EB6AF56C386655A8A69DD29FFB4864AFB7D5E to smtpd cache
Jul 25 10:13:32 hXXXXXX postfix/tlsmgr[4286]: put smtpd session id=A3FD667668303AE494671603A75EB6AF56C386655A8A69DD29FFB4864AFB7D5E [data 127 bytes]
Jul 25 10:13:32 hXXXXXX postfix/tlsmgr[4286]: write smtpd TLS cache entry A3FD667668303AE494671603A75EB6AF56C386655A8A69DD29FFB4864AFB7D5E: time=1185351212 [data 127 bytes]
Jul 25 10:13:32 hXXXXXX postfix/smtpd[18355]: TLS connection established from dslb.pools.arcor-ip.net[XXX.XXX.XXX.XXX]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jul 25 10:13:37 hXXXXXX postfix/smtpd[18355]: 3E5EA1B4177: client=dslb.pools.arcor-ip.net[XXX.XXX.XXX.XXX], sasl_method=PLAIN, sasl_username=web1
Jul 25 10:13:37 hXXXXXX postfix/cleanup[18359]: 3E5EA1B4177: message-id=<[email protected]>
Jul 25 10:13:37 hXXXXXX postfix/qmgr[4209]: 3E5EA1B4177: from=<[email protected]>, size=691, nrcpt=1 (queue active)
Jul 25 10:13:37 hXXXXXX postfix/smtp[18360]: initializing the client-side TLS engine
Jul 25 10:13:37 hXXXXXX postfix/smtpd[18355]: disconnect from dslb.pools.arcor-ip.net[XXX.XXX.XXX.XXX]
Jul 25 10:13:37 hXXXXXX postfix/smtp[18360]: 3E5EA1B4177: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[209.85.129.27]:25, delay=0.53, delays=0.2/0.05/0.05/0.22, dsn=2.0.0, status=sent (250 2.0.0 OK 1185351217 v23si64519fkd)
Jul 25 10:13:37 hXXXXXX postfix/qmgr[4209]: 3E5EA1B4177: removed

If I tell Thunderbird to use TLS or "TLS if possible" over port 25, I get an "unable to connect" error in Thunderbird and the following problem in the server mail log:

Code:
Jul 25 10:10:53 hXXXXXX postfix/smtpd[18222]: connect from dslb.pools.arcor-ip.net[XXX.XXX.XXX.XXX]
Jul 25 10:10:54 hXXXXXX postfix/smtpd[18222]: setting up TLS connection dslb.pools.arcor-ip.net[XXX.XXX.XXX.XXX]
Jul 25 10:10:54 hXXXXXX postfix/smtpd[18222]: SSL_accept:before/accept initialization
Jul 25 10:10:54 hXXXXXX postfix/smtpd[18222]: SSL_accept:error in SSLv2/v3 read client hello A
Jul 25 10:11:25 hXXXXXX postfix/smtpd[18222]: SSL_accept error from dslb.pools.arcor-ip.net[XXX.XXX.XXX.XXX]: -1
Jul 25 10:11:25 hXXXXXX postfix/smtpd[18222]: lost connection after STARTTLS from dslb.pools.arcor-ip.net[XXX.XXX.XXX.XXX]
Jul 25 10:11:25 hXXXXXX postfix/smtpd[18222]: disconnect from dslb.pools.arcor-ip.net[XXX.XXX.XXX.XXX]

Very strange is the fact that with SSL Thunderbird asks me to validate the server certificate, while with TLS I don't get any prompts.

Another question: I thought it would be enough to install the CACert.org root certificate in IE and Firefox, so that Thunderbird is able to validate the server cert automatically. But I always get these prompts. Is there another way of avoiding them than clicking on "always allow", e.g. something like importing the server cert into Firefox? Thank you for your help. I really tried everything I could find and don't know any further.
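The two smtpd excerpts above (port 465 succeeding, port 25 STARTTLS failing) are easier to compare once you separate the real failure markers from the handshake chatter that smtpd_tls_loglevel = 2 produces. The following script is an added example, not code from the thread: it walks postfix/smtpd log lines, groups them into sessions by process id, and classifies each session. It treats only "SSL_accept error from ...: -1" and "lost connection after STARTTLS" as a failed handshake; the "SSL_accept:error in ... read client hello A" and "... read client certificate A" lines are OpenSSL state-machine transitions that appear in the successful port-465 session too (the client hello has not arrived yet, or no client certificate is presented), so they are only counted. It also flags a session in which SASL authentication happened without "TLS connection established", which the posted configuration permits because smtpd_tls_auth_only = no. The log lines below are constructed after the excerpts in the thread with hostnames and addresses replaced; they are not real log data.

```python
import re

# Constructed sample modelled on the thread's excerpts (addresses are documentation values).
SAMPLE_LOG = """\
Jul 25 10:10:53 host postfix/smtpd[18222]: connect from client.example[192.0.2.10]
Jul 25 10:10:54 host postfix/smtpd[18222]: setting up TLS connection from client.example[192.0.2.10]
Jul 25 10:10:54 host postfix/smtpd[18222]: SSL_accept:before/accept initialization
Jul 25 10:10:54 host postfix/smtpd[18222]: SSL_accept:error in SSLv2/v3 read client hello A
Jul 25 10:11:25 host postfix/smtpd[18222]: SSL_accept error from client.example[192.0.2.10]: -1
Jul 25 10:11:25 host postfix/smtpd[18222]: lost connection after STARTTLS from client.example[192.0.2.10]
Jul 25 10:11:25 host postfix/smtpd[18222]: disconnect from client.example[192.0.2.10]
Jul 25 10:13:27 host postfix/smtpd[18355]: connect from client.example[192.0.2.10]
Jul 25 10:13:27 host postfix/smtpd[18355]: setting up TLS connection from client.example[192.0.2.10]
Jul 25 10:13:27 host postfix/smtpd[18355]: SSL_accept:error in SSLv2/v3 read client hello A
Jul 25 10:13:27 host postfix/smtpd[18355]: SSL_accept:error in SSLv3 read client certificate A
Jul 25 10:13:32 host postfix/smtpd[18355]: TLS connection established from client.example[192.0.2.10]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jul 25 10:13:37 host postfix/smtpd[18355]: 3E5EA1B4177: client=client.example[192.0.2.10], sasl_method=PLAIN, sasl_username=web1
Jul 25 10:13:37 host postfix/smtpd[18355]: disconnect from client.example[192.0.2.10]
Jul 25 10:20:01 host postfix/smtpd[18400]: connect from client.example[192.0.2.10]
Jul 25 10:20:03 host postfix/smtpd[18400]: 4F1A21B4190: client=client.example[192.0.2.10], sasl_method=PLAIN, sasl_username=web1
Jul 25 10:20:03 host postfix/smtpd[18400]: disconnect from client.example[192.0.2.10]
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ postfix/smtpd\[(\d+)\]: (.*)$")
CONNECT_RE = re.compile(r"^connect from (\S+)$")
ESTABLISHED_RE = re.compile(r"^TLS connection established from .*: (\S+) with cipher (\S+) \(")
# Note the space: "SSL_accept error from" is the real failure, "SSL_accept:error in" is state-machine noise.
ACCEPT_FAIL_RE = re.compile(r"^SSL_accept error from .*: (-?\d+)$")
LOST_RE = re.compile(r"^lost connection after (\S+) from ")
AUTH_RE = re.compile(r"^[0-9A-F]+: client=\S+, sasl_method=(\S+), sasl_username=(\S+)")


def _new_session(pid, client):
    return {"pid": pid, "client": client, "tls_attempted": False, "outcome": "plaintext",
            "ssl_accept_rc": None, "lost_after": None, "protocol": None, "cipher": None,
            "sasl_method": None, "sasl_username": None, "plaintext_auth": False,
            "handshake_retries": 0}


def triage(log_text):
    """Group smtpd log lines into sessions (keyed by pid, closed on 'disconnect') and classify each."""
    open_sessions, done = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group(1), m.group(2)
        c = CONNECT_RE.match(msg)
        if c:
            open_sessions[pid] = _new_session(pid, c.group(1))
            continue
        s = open_sessions.get(pid)
        if s is None:
            continue
        if msg.startswith("setting up TLS connection"):
            s["tls_attempted"] = True
        elif msg.startswith("SSL_accept:error in"):
            s["handshake_retries"] += 1          # OpenSSL waiting for more client data; benign on its own
        elif (e := ESTABLISHED_RE.match(msg)):
            s["outcome"], s["protocol"], s["cipher"] = "established", e.group(1), e.group(2)
        elif (e := ACCEPT_FAIL_RE.match(msg)):
            s["outcome"], s["ssl_accept_rc"] = "handshake_failed", int(e.group(1))
        elif (e := LOST_RE.match(msg)):
            s["lost_after"] = e.group(1)
            if s["tls_attempted"] and s["outcome"] != "established":
                s["outcome"] = "handshake_failed"
        elif (e := AUTH_RE.match(msg)):
            s["sasl_method"], s["sasl_username"] = e.group(1), e.group(2)
            s["plaintext_auth"] = s["outcome"] != "established"   # credentials crossed the wire unprotected
        elif msg.startswith("disconnect from"):
            done.append(open_sessions.pop(pid))
    return done


def summarize(sessions):
    """Count outcomes and plaintext logins so a quick glance shows what the mail log is saying."""
    counts = {"established": 0, "handshake_failed": 0, "plaintext": 0, "plaintext_auth": 0}
    for s in sessions:
        counts[s["outcome"]] += 1
        counts["plaintext_auth"] += int(s["plaintext_auth"])
    return counts


if __name__ == "__main__":
    for s in triage(SAMPLE_LOG):
        print(f"pid {s['pid']}: {s['outcome']} retries={s['handshake_retries']} "
              f"cipher={s['cipher']} user={s['sasl_username']} plaintext_auth={s['plaintext_auth']}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it against a real mail.log with `triage(open("/var/log/mail.log").read())`; a non-zero `plaintext_auth` count is the practical reason to consider smtpd_tls_auth_only = yes once STARTTLS on port 25 works.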
What's the output of

Code:
telnet localhost 25
ehlo localhost

? Do you see TLS in the output? I don't know if Firefox and Thunderbird share their certs, but I'd say you have to import it into Thunderbird, too.
OK, here we go:

Code:
telnet localhost 25

Code:
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.example.com ESMTP Postfix (Debian/GNU)
ehlo localhost
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

At least the server tries to STARTTLS, if you meant that. mail.info:

Code:
Jul 26 22:15:10 hXXXXXX postfix/smtpd[4962]: connect from localhost[127.0.0.1]
Jul 26 22:15:40 hXXXXXX postfix/smtpd[5053]: initializing the server-side TLS engine
Jul 26 22:15:40 hXXXXXX postfix/smtpd[5053]: connect from localhost[127.0.0.1]
Jul 26 22:15:40 hXXXXXX postfix/smtpd[5053]: lost connection after CONNECT from localhost[127.0.0.1]
Jul 26 22:15:40 hXXXXXX postfix/smtpd[5053]: disconnect from localhost[127.0.0.1]

No idea beside that?
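The EHLO reply above is what a client such as Thunderbird parses to decide whether it can issue STARTTLS, so it is worth reading it the way a client does. The following parser is an added example and not code from the thread: it turns the multi-line 250 reply into a capability map, folds the legacy "AUTH=PLAIN LOGIN" line (which Postfix emits because the posted configuration sets broken_sasl_auth_clients = yes) into the standard AUTH entry, and then reports two things a practitioner checks: that STARTTLS is advertised at all, and whether AUTH is offered before TLS is active, which the posted smtpd_tls_auth_only = no allows and which means a client that never negotiates TLS can still send its password in cleartext. The sample reply is constructed from the telnet transcript in this post; the second sample without STARTTLS is invented to show the negative case.

```python
# Constructed from the telnet transcript in the post above (command echo and banner included on purpose).
SAMPLE_EHLO = """\
220 mail.example.com ESMTP Postfix (Debian/GNU)
ehlo localhost
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

# Invented negative case: a server that never advertises STARTTLS.
SAMPLE_EHLO_NO_TLS = """\
250-mail.example.com
250-PIPELINING
250-AUTH PLAIN LOGIN
250 8BITMIME
"""


def parse_ehlo(reply):
    """Parse an ESMTP EHLO reply into (server_name, {KEYWORD: [params]}).

    Accepts both continuation ("250-") and final ("250 ") lines, skips anything that is not
    a 250 line (banner, echoed command), and normalises the pre-standard "AUTH=..." form.
    """
    server_name, caps = None, {}
    for raw in reply.splitlines():
        line = raw.strip()
        if not line.startswith("250"):
            continue
        body = line[4:].strip()                 # drop "250-" or "250 "
        if server_name is None:
            server_name = body                  # first 250 line carries the server's name
            continue
        if body.startswith("AUTH="):
            body = "AUTH " + body[len("AUTH="):]
        parts = body.split()
        keyword, params = parts[0].upper(), parts[1:]
        existing = caps.setdefault(keyword, [])
        for p in params:
            if p not in existing:               # dedupe mechanisms repeated via AUTH=
                existing.append(p)
    return server_name, caps


def assess(caps, tls_active=False):
    """Return a list of findings about the capability set as seen at this point of the session."""
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not advertised: check smtpd_use_tls and the smtpd_tls_*_file settings")
    if "AUTH" in caps and not tls_active:
        findings.append("AUTH %s offered before STARTTLS: a client can send credentials in cleartext "
                        "(smtpd_tls_auth_only = yes hides AUTH until TLS is up)" % " ".join(caps["AUTH"]))
    return findings


if __name__ == "__main__":
    name, caps = parse_ehlo(SAMPLE_EHLO)
    print(name, caps)
    for finding in assess(caps):
        print("-", finding)
```

With the thread's reply, `assess` raises only the cleartext-AUTH finding; after a successful STARTTLS the client re-issues EHLO and the same function, called with `tls_active=True`, returns nothing. Note that "250-STARTTLS" being present only proves the server is willing to start the handshake; the "SSL_accept error ... -1" in the logs happens after that point.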
Interestingly, I have just completed a "Perfect Server 14.04" build with ISPConfig, and I get the same message in the logs, but the best I can do with telnet localhost 25 is:

Code:
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

That is as far as it gets. Is there a config file I could post which would give some clue? Hope you can assist.