Hi, since I'm kind of frustrated over my own stupidity, I hope you can help me understand and perhaps solve some of my problems. I recently installed ISPConfig on a Strato Debian Etch server following Falko's Perfect Setup. Right time to say thanks for all of your great work!! After that I made some additional configuration for spam prevention using a mixture of "How To Block Spam Before It Enters The Server (Postfix)", "How To Implement SPF In Postfix" and "How To Fight Spam Using Your Postfix Configuration", so my current Postfix configuration looks like this:

Code:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
disable_vrfy_command = yes
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
mailbox_command =
mailbox_size_limit = 0
mydestination = /etc/postfix/local-host-names
myhostname = hXXXXXXX.serverkompetenz.net
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
recipient_delimiter = +
relayhost =
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, regexp:/etc/postfix/helo.regexp, permit
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, reject_unauth_destination, reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client ix.dnsbl.manitu.net, check_policy_service unix:private/policy, check_policy_service inet:127.0.0.1:60000, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554

Solved
Now I have a problem with mail clients using SMTP with TLS (SSL). For example, if I try to access the server with Outlook 2003 and select "Server needs a secure connection (SSL)" in the connection properties of the SMTP server, I can't access the account. There is neither a failure notice nor a timeout. Outlook is just waiting. But POP3S and IMAPS work fine, and if I don't use SSL, SMTP also does and I can send mails without any problems.
Solved End

So I tried Thunderbird, with the result that it does not accept my self-signed server certificate (here I simply followed the steps of Falko's tutorial). It seems that Thunderbird evaluates the Courier certificate which was assigned to localhost (Automatically-generated POP3 SSL Key) and not the Postfix certificate. Now I'm looking for a way to have a secured e-mail connection without any security notices, so I want to substitute my self-signed certificates with some from a real CA, if possible from CACert.org because they are free. But actually I have some problems understanding all the necessary steps for avoiding the certificate notices and making SSL in Outlook work. Here are some questions:

- Does the HELO name (currently hXXXXXXX.serverkompetenz.net) of the mail server need to be identical with the CN on the certificate?
- Is it true that I can only use one FQDN as mail server, e.g. mail.example.com, for all domains hosted on my server, or is it possible that every domain uses its own mail.domain.com as MX and thus doesn't produce certificate errors when assigning the server certificate to hXXXXXXX.serverkompetenz.net?
- Do I have to copy (parts of) the certificates to the clients in order to make the communication work?
- Does the SMTP (and POP3S/IMAPS) server name need to be exactly the same hostname as the CN of the certificate? Is it necessary to set the MX record also to exactly that name?
- Is reverse lookup needed for the confirmation of the certificate, so can I use any domain name that points to the server as MX, e.g. mail.example.com, although my IP's reverse lookup is hXXXXXXX.serverkompetenz.net, or do I have to set both, the MX and the CN in the certificate, to hXXXXXXX.serverkompetenz.net?
- Is it mandatory that the Courier certificate is for localhost or can I also use any CNAME here?
- Is it possible to use ONE certificate for Apache, Postfix, Courier like described here and also for the ISPConfig access, and if yes, what configuration steps are necessary to do so?
- Is it enough to use CACert.org as authority or do I need a Thawte, etc. certificate for avoiding those Thunderbird, Outlook and browser popups?
- Does Outlook perhaps need another authentication mechanism, like DIGEST-MD5 or CRAM-MD5, for making TLS (and not SMTPS) work, or is PLAIN LOGIN enough?
- Does Postfix automatically "know" all installed CA certificates in /etc/ssl/certs/ like Verisign, Thawte, etc. and can use them for TLS communication, or do I have to copy them somewhere and set smtp_tls_CApath or smtpd_tls_CApath?

I'm very sorry for all of these stupid questions, but perhaps someone of you can help me? Possibly I've also only made a small configuration mistake and simply don't know it... Thanks for your help in advance. Regards, popper2001
OK, I meanwhile "solved" the problem with Outlook (c above) by activating SMTPS with smtpd_tls_wrappermode on port 465 in master.cf. But as posted here, Outlook seems to be able to use TLS also without SSL over 465, so is this really the best possible solution?

Code:
vi /etc/postfix/master.cf

Code:
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

Isn't there anybody out there who knows something about my other problems and would like to share her/his knowledge with me? I really need some help since I'm getting more and more confused and frustrated...
Ok, perhaps I was able to take the next step. I have meanwhile installed a new server certificate for Postfix signed by CACert.org and reconfigured Postfix to use the combined ca-certificates as CAfile.

Code:
smtpd_tls_cert_file = /etc/postfix/ssl/cacert.org/server.crt
smtpd_tls_key_file = /etc/postfix/ssl/cacert.org/server.key
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_cert_file = /etc/postfix/ssl/cacert.org/server.crt
smtp_tls_key_file = /etc/postfix/ssl/cacert.org/server.key
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_use_tls = yes
smtp_tls_loglevel = 2
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
tls_random_source = dev:/dev/urandom
myhostname = mail.example.com

Correct? As far as I can see the connection is not established normally due to the SSL_accept error(s). The CN in the certificate is mail.example.com, the MX of the domain is mail.example.com and also the Postfix myhostname is mail.example.com, as you can see in the code, so my questions above shouldn't actually be important. Can somebody please tell me what to do against the following problem?

Code:
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: initializing the server-side TLS engine
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: connect from pXXXXXXXX.dip0.t-ipconnect.de[XXX.XXX.XXX.XXX]
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: setting up TLS connection from pXXXXXXXX.dip0.t-ipconnect.de[XXX.XXX.XXX.XXX]
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: SSL_accept:before/accept initialization
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: SSL_accept:error in SSLv2/v3 read client hello A
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: SSL_accept:error in SSLv3 read client hello B
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: SSL_accept:error in SSLv3 read client hello B
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: looking up session 6E17FDAA046957C35305A1F540DB1300A6AE5DDED9F9B77EF86B3AB3CFC2DDFF in smtpd cache
Jul 22 19:19:30 hXXXXXXX postfix/tlsmgr[3930]: lookup smtpd session id=6E17FDAA046957C35305A1F540DB1300A6AE5DDED9F9B77EF86B3AB3CFC2DDFF
Jul 22 19:19:30 hXXXXXXX postfix/tlsmgr[3930]: read smtpd TLS cache entry 6E17FDAA046957C35305A1F540DB1300A6AE5DDED9F9B77EF86B3AB3CFC2DDFF: time=1185124125 [data 127 bytes]
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: reloaded session 6E17FDAA046957C35305A1F540DB1300A6AE5DDED9F9B77EF86B3AB3CFC2DDFF from smtpd cache
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: SSL_accept:SSLv3 read client hello B
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: SSL_accept:SSLv3 write server hello A
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: SSL_accept:SSLv3 write change cipher spec A
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: SSL_accept:SSLv3 write finished A
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: SSL_accept:SSLv3 flush data
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: SSL_accept:error in SSLv3 read finished A
Jul 22 19:19:30 hXXXXXXX last message repeated 3 times
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: SSL_accept:SSLv3 read finished A
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: Reusing old session
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: TLS connection established from pXXXXXXX.dip0.t-ipconnect.de[XXX.XXX.XXX.XXX]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Jul 22 19:19:31 hXXXXXXX postfix/smtpd[4340]: 1C3E71B418C: client=pXXXXXXXX.dip0.t-ipconnect.de[XXX.XXX.XXX.XXX], sasl_method=LOGIN, sasl_username=XXXXXXXX
Jul 22 19:19:31 hXXXXXXX postfix/cleanup[4344]: 1C3E71B418C: message-id=<[email protected]>

Are my other questions so confusing or just too stupidly simple? I really tried my best to find a working solution by myself, but I didn't succeed so far. So I really appreciate your help.
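The wrapper-mode port 465 added to master.cf in the earlier post and the questions about CN, MX and hostname come down to two things a mail client does: how it starts TLS (implicit TLS from the first byte on 465, which Outlook labels "SSL", versus a plaintext EHLO followed by STARTTLS on 25/587) and how it matches the names in the server certificate against the host it connected to. The following Python script is an added example for this thread; it is not code from the original posts or from ISPConfig or Postfix. It probes a server in either mode with the standard library, and implements the name match over the dict shape that Python's `getpeercert()` returns. The host names, certificate contents and the `cafile` argument are constructed for illustration; the live probe needs `cafile` pointing at a root the system store does not trust, such as the CACert.org root or your own self-signed certificate.

```python
"""Probe an SMTP server's TLS endpoint and check its certificate name.

Added example, not code from the original thread or from ISPConfig/Postfix.
Port 465 = implicit TLS (master.cf "smtps ... -o smtpd_tls_wrappermode=yes");
other ports = STARTTLS. Host names and certificates below are constructed.
"""
import smtplib
import ssl
import sys


def _dns_names(cert):
    """Names a client may match against. If the certificate carries
    subjectAltName dNSName entries, only those count; the subject CN is a
    legacy fallback used only when there is no SAN at all (RFC 6125)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def _name_matches(pattern, host):
    """Case-insensitive match of one certificate name against a host name.
    A leading "*." covers exactly one label: *.example.org matches
    mail.example.org but neither example.org nor a.b.example.org."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[2:]
    labels = host.split(".")
    # refuse over-broad wildcards such as *.com and an empty leftmost label
    return len(suffix.split(".")) >= 2 and labels[0] != "" and ".".join(labels[1:]) == suffix


def cert_matches_host(cert, host):
    """True if the certificate (dict as returned by SSLSocket.getpeercert())
    is valid for `host`. Clients do this after the chain verified; a CA
    signature alone says nothing about the name, and the reverse DNS of the
    server's IP plays no part in it."""
    return any(_name_matches(name, host) for name in _dns_names(cert))


def fetch_smtp_cert(host, port, cafile=None, timeout=10):
    """Connect the way a mail client does and return the server certificate.

    465: TLS handshake first, SMTP banner only inside TLS. A client that
    sends a plaintext EHLO here waits for a banner that never comes.
    Any other port: banner, EHLO, then STARTTLS if the server offers it.
    Chain verification stays on (cafile adds a root the system store lacks)
    because getpeercert() returns an empty dict for an unverified peer.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False          # the name check is cert_matches_host()
    ctx.verify_mode = ssl.CERT_REQUIRED
    if port == 465:
        with smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx) as smtp:
            return smtp.sock.getpeercert()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("%s:%d does not advertise STARTTLS" % (host, port))
        smtp.starttls(context=ctx)
        smtp.ehlo()                     # clients must re-EHLO after STARTTLS
        return smtp.sock.getpeercert()


# Constructed certificate dicts in the shape getpeercert() returns.
CERT_CN_ONLY = {        # self-signed cert named after the provider host name
    "subject": ((("commonName", "hXXXXXXX.serverkompetenz.net"),),),
}
CERT_MULTI_DOMAIN = {   # one cert for several hosted domains via subjectAltName
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"),
                       ("DNS", "mail.example.net"),
                       ("DNS", "*.example.org")),
}

if __name__ == "__main__":
    if len(sys.argv) >= 3:              # live probe: host port [cafile]
        host, port = sys.argv[1], int(sys.argv[2])
        cert = fetch_smtp_cert(host, port, sys.argv[3] if len(sys.argv) > 3 else None)
        print("names in certificate:", _dns_names(cert))
        print("valid for %s: %s" % (host, cert_matches_host(cert, host)))
    else:                               # offline demonstration on the constructed certs
        for cert, host in ((CERT_CN_ONLY, "mail.example.com"),
                           (CERT_MULTI_DOMAIN, "mail.example.net"),
                           (CERT_MULTI_DOMAIN, "smtp.example.org")):
            print(host, "->", cert_matches_host(cert, host))
```

Run it as `python3 probe.py mail.example.com 465 /path/to/cacert-root.crt` for the wrapper-mode port and with 25 or 587 for STARTTLS. The constructed `CERT_MULTI_DOMAIN` shows the answer to the one-hostname-per-server question: a single certificate whose subjectAltName lists mail.example.com, mail.example.net and so on is valid for each of those names, so each hosted domain can have its own MX name as long as that name appears in the certificate. Note also that once a SAN list exists the CN is ignored, so a certificate whose CN says mail.example.com but whose SAN only lists smtp.example.com is not valid for mail.example.com.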
I can't believe that nobody around here knows something about certificates within Postfix and Courier or about CSRs with CACert.org. I could really use some help here...