Postfix STARTTLS works to localhost only (SOLVED)

Ok guys, this is driving me crazy. This is the output of telnet localhost 25, on a shell login on the server:

Code:
    nobunaga:/var/log# telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 nobunaga.eden.blog.br ESMTP Postfix
    ehlo anything.lie
    250-nobunaga.eden.blog.br
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN

Now this is the output of the same thing, but remotely from a WinXP host:

Code:
    telnet 192.168.254.3
    220 nobunaga.eden.blog.br ESMTP Postfix
    ehlo anything.lie
    250-nobunaga.eden.blog.br
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN

What is that!?!?! There is no STARTTLS offer. I can only send mail using Thunderbird 2.0 if I check the option "TLS if available". Also with Outlook Express I can't send mail if I check SSL for SMTP. I can still use TLS with Dovecot with no problems. In fact I have only pop3s and imaps running, not the regular ones.
This is the output of nmap:

Code:
    nobunaga:/var/log# nmap localhost

    Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-07-10 22:46 BRT
    Interesting ports on localhost (127.0.0.1):
    Not shown: 1672 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    25/tcp   open  smtp
    53/tcp   open  domain
    80/tcp   open  http
    111/tcp  open  rpcbind
    993/tcp  open  imaps
    995/tcp  open  pop3s
    3306/tcp open  mysql

Here's my main.cf, it's pretty simple:

Code:
    # General
    myhostname = nobunaga.eden.blog.br
    mydomain = eden.blog.br
    home_mailbox = Maildir/
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination = localhost.localdomain localhost $myhostname $mydomain
    relayhost =
    mynetworks = 127.0.0.0/8
    #mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = all
    smtpd_banner = $myhostname ESMTP $mail_name
    biff = no
    # appending .domain is the MUA's job.
    append_dot_mydomain = no

    # SASL
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth-client
    broken_sasl_auth_clients = yes
    smtpd_sasl_security_options = noanonymous

    # TLS
    smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
    smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
    #smtpd_tls_security_level = may
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
    smtpd_tls_auth_only = yes
    smtpd_tls_loglevel = 3

    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination

I'm completely lost, I've been googling for 2 days already.
Found what was causing the problem. WINDOWS XP ANTIVIRUS SOFTWARE. The Avast antivirus was proxying my SMTP connections, and it doesn't support TLS. How did I discover this? I issued the STARTTLS command even though it wasn't showing in the telnet EHLO, just to receive the message "avast doesn't support TLS" or something like that. Disabling the mail virus check on the Windows machine solved it. I lost a full day because of this... I guess I deserve it for using Windows as a client, since they need antivirus software. Cya guys
Same problem here

I have exactly the same problem, only that Windows antivirus software is NOT to blame. I have a real-world server and I replaced the real domain with an example, someserver.somedomain.com, for this post only. When I telnet from the mail server to localhost I have the STARTTLS option:

Code:
    telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.localdomain (127.0.0.1).
    Escape character is '^]'.
    220 someserver.somedomain.com ESMTP Postfix
    ehlo someserver
    250-someserver.somedomain.com
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    quit
    221 2.0.0 Bye
    Connection closed by foreign host.

But when I telnet to the server from some machine on the internet, there is no STARTTLS option:

Code:
    telnet someserver.somedomain.com 25
    Trying 321.321.321.321...
    Connected to someserver.somedomain.com.
    Escape character is '^]'.
    220 someserver.somedomain.com ESMTP Postfix
    ehlo someserver
    250-someserver.somedomain.com
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-XXXXXXXA
    250-AUTH PLAIN LOGIN
    250-XXXXXXXXXXXXXXXB
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    STARTTLS
    502 5.5.2 Error: command not recognized
    quit
    221 2.0.0 Bye
    Connection closed by foreign host.

I must mention that I had the server in a local environment first, when I prepared the installation. Later, I moved the server to my client's location, and changed the IP and other options on site. I can send/receive mail normally without TLS. What could be the problem? Thanks, Peter
The problem I had also happens when the client tries to connect via a proxied connection. Maybe the proxy doesn't support TLS, or it also scans for viruses. (I found some people that reported this when I was looking for solutions for my previous problem. They were also going crazy.) I'd test it with the following scenario: a laptop with Linux, plugged into the same switch the mail server is on, and telnet to the mail server. That will answer for real.
How do you mean proxy? Do you mean in the web browser? I use Linux for testing this, no proxies, direct connection to the internet. But I am not at the location of the server. When I ssh to another Linux server in their network, which is in the same network subnet, I have the STARTTLS command. Could the ISP be blocking something? Thanks, Peter
Yes, it could be the ISP. Some ISPs proxy everything transparently, so you don't need to configure anything on your computer. I strongly recommend you do the local switch test, or ask someone that has local access to the server to do it. Also, are you able to telnet to other servers over the internet and see if the STARTTLS appears? Test this one:

Code:
    telnet chunli.iteci.com.br 25
    220 chunli.iteci.com.br ESMTP Postfix
    ehlo test
    250-chunli.iteci.com.br
    250-PIPELINING
    250-SIZE 40960000
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN

If you also can't see the STARTTLS offer, then there's a problem in your connection or your computer. If you can see the STARTTLS offer, then make sure you are really telnetting to the correct IP when you test your server. And don't forget to do that local test.
Yes, what I meant was, ssh to another server in their network, then telnet from that server to the mail server to test it. I guess there is something in between, because I also would not be able to STARTTLS with your server:

Code:
    telnet chunli.iteci.com.br 25
    Trying 200.165.179.125...
    Connected to chunli.iteci.com.br.
    Escape character is '^]'.
    220 chunli.iteci.com.br ESMTP Postfix
    ehlo chunli
    250-chunli.iteci.com.br
    250-PIPELINING
    250-SIZE 40960000
    250-ETRN
    250-XXXXXXXA
    250-AUTH PLAIN LOGIN
    250-XXXXXXXXXXXXXXXB
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN

How would I find out where the point of error is? There is a direct FTTH link to the location, then a Cisco Catalyst switch, then the mail server, which has the default CentOS firewall enabled (the ISPConfig firewall did not seem to work properly; it shut me off even though the default ports were left open). Any thoughts?
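An added example, not code from the thread or from Postfix, that does the comparison the posters are doing by hand: parse the EHLO keyword list as seen on the server itself and as seen by a remote client, list what is missing remotely, and flag keywords overwritten with X's, the sign that a device between the two points is rewriting the ESMTP reply. The sample transcripts are Peter's two outputs; fetch_ehlo and its helo_name are assumed helpers for running the same check live.

```python
import re
import socket

# Constructed sample: the EHLO keyword lines Peter saw on the server itself.
LOCAL_EHLO = """250-someserver.somedomain.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""
# What the same server showed from the internet: two lines overwritten with X's.
REMOTE_EHLO = LOCAL_EHLO.replace("250-STARTTLS", "250-XXXXXXXA").replace(
    "250-AUTH=PLAIN LOGIN", "250-XXXXXXXXXXXXXXXB")
MASKED = re.compile(r"^X{4,}[A-Z]?$")   # a keyword blanked out in transit

def ehlo_keywords(transcript):
    """Keyword lines of a 250 reply (text after '250-'/'250 '), minus the server-name line."""
    lines = [l[4:].strip() for l in transcript.splitlines() if l.startswith("250")]
    return lines[1:]

def diagnose(local_transcript, remote_transcript):
    """Compare the server's own EHLO with the one a remote client receives. A masked
    line keeps the length of the keyword it replaced (as in the thread), so length is used to guess what it hides."""
    local, remote = ehlo_keywords(local_transcript), ehlo_keywords(remote_transcript)
    stripped = [k for k in local if k not in remote]
    masked = [k for k in remote if MASKED.match(k)]
    hidden = {m: next((s for s in stripped if len(s) == len(m)), None) for m in masked}
    return {"starttls_stripped": "STARTTLS" in local and "STARTTLS" not in remote,
            "stripped": stripped, "masked": masked, "hidden": hidden}

def fetch_ehlo(host, port=25, helo_name="probe.example", timeout=10):
    """Live probe (assumed helper): send EHLO and return the raw 250 reply for diagnose().
    Run it on the server against localhost and again from the client side; any difference is introduced in between."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        f.readline()                                   # first banner line (220 ...)
        s.sendall(f"EHLO {helo_name}\r\n".encode())
        reply = []
        while True:
            line = f.readline().decode(errors="replace").rstrip("\r\n")
            reply.append(line)
            if not line.startswith("250-"):            # "250 " (or an error) ends the reply
                break
        s.sendall(b"QUIT\r\n")
    return "\n".join(reply)
```

Running diagnose(fetch_ehlo("localhost"), fetch_ehlo("someserver.somedomain.com")) from a client-side box reproduces the thread's finding without reading transcripts by eye.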