popper2001
23rd July 2007, 14:47
Hi,
I used the following tutorials for installing a Postfix mail server with TLS and spam prevention on Etch:
Falko's Perfect Setup (http://www.howtoforge.com/perfect_setup_debian_etch)
How To Block Spam Before It Enters The Server (Postfix) (http://www.howtoforge.com/block_spam_at_mta_level_postfix)
How To Implement SPF In Postfix (http://www.howtoforge.com/postfix_spf)
How To Fight Spam Using Your Postfix Configuration (http://www.howtoforge.com/virtual_postfix_antispam)
I used CAcert.org as the Authority for my certificates, so this is my current configuration:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
disable_vrfy_command = yes
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
mailbox_command =
mailbox_size_limit = 0
mydestination = /etc/postfix/local-host-names
myhostname = mail.example.com
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
recipient_delimiter = +
relayhost =
smtpd_tls_cert_file = /etc/postfix/ssl/cacert.org/server.crt
smtpd_tls_key_file = /etc/postfix/ssl/cacert.org/server.key
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_cert_file = /etc/postfix/ssl/cacert.org/server.crt
smtp_tls_key_file = /etc/postfix/ssl/cacert.org/server.key
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_use_tls = yes
smtp_tls_loglevel = 2
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_invalid_hostname,
    regexp:/etc/postfix/helo.regexp,
    permit
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client ix.dnsbl.manitu.net,
    check_policy_service unix:private/policy,
    check_policy_service inet:127.0.0.1:60000,
    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
strict_rfc821_envelopes = yes
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
Now I get the following connection error if I use "TLS" or "TLS, if possible" in Thunderbird:
Jul 23 13:18:02 hXXXXXX postfix/smtpd[7885]: connect from dslb-XXX.pools.arcor-ip.net[XXX.XXX.XXX.XXX]
Jul 23 13:18:02 hXXXXXX postfix/smtpd[7885]: setting up TLS connection from dslb-XXX.pools.arcor-ip.net[XXX.XXX.XXX.XXX]
Jul 23 13:18:33 hXXXXXX postfix/smtpd[7885]: SSL_accept error from dslb-XXX.pools.arcor-ip.net[XXX.XXX.XXX.XXX]: -1
Jul 23 13:18:33 hXXXXXX postfix/smtpd[7885]: lost connection after STARTTLS from dslb-XXX.pools.arcor-ip.net[XXX.XXX.XXX.XXX]
If I use SSL over port 465 in Thunderbird, it works without any problems and Postfix seems to establish a TLS connection:
Jul 23 13:32:40 hXXXXXX postfix/smtpd[8281]: connect from dslb-XXX.pools.arcor-ip.net[XXX.XXX.XXX.XXX]
Jul 23 13:32:40 hXXXXXX postfix/smtpd[8281]: setting up TLS connection from dslb-XXX.pools.arcor-ip.net[XXX.XXX.XXX.XXX]
Jul 23 13:32:57 hXXXXXX postfix/smtpd[8281]: TLS connection established from dslb-XXX.pools.arcor-ip.net[XXX.XXX.XXX.XXX]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jul 23 13:33:01 hXXXXXX postfix/smtpd[8281]: CA0611B4152: client=dslb-XXX.pools.arcor-ip.net[XXX.XXX.XXX.XXX], sasl_method=PLAIN, sasl_username=web2
Jul 23 13:33:01 hXXXXXX postfix/cleanup[8286]: CA0611B4152: message-id=<46A491DF.9060605@example.com>
Postfix is also listening on both ports (25 and 465), so this doesn't seem to be the problem:
tcp 0 0 *:smtp *:* LISTEN 32626/master
tcp6 0 0 *:imaps *:* LISTEN 5121/couriertcpd
tcp6 0 0 *:pop3s *:* LISTEN 5102/couriertcpd
tcp6 0 0 *:pop3 *:* LISTEN 955/couriertcpd
tcp6 0 0 *:imap2 *:* LISTEN 933/couriertcpd
tcp6 0 0 *:ssmtp *:* LISTEN 32626/master
tcp6 0 0 *:smtp *:* LISTEN 32626/master
A test of the certificates also works, as far as I can see:
openssl s_client -showcerts -cert /etc/postfix/ssl/cacert.org/server.crt -key /etc/postfix/ssl/cacert.org/server.key -starttls smtp -CAfile /etc/postfix/ssl/ca-certificates.crt -connect mail.example.com:25
CONNECTED(00000003)
depth=1 /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
verify return:1
depth=0 /CN=mail.example.com
verify return:1
---
Certificate chain
0 s:/CN=mail.example.com
i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=mail.example.com
issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
---
No client certificate CA names sent
---
SSL handshake has read 3623 bytes and written 326 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: DD1EEB0D5A7DA044323DC7EFD2DE3A3C011CDC87B27170B299F42CE58977C426
Session-ID-ctx:
Master-Key: 5D9D544852CC74103C2EAD880F1B7E2ABBDCAB3633BE75940F32A6EE13DEE070C08B09E8B2F32C50CD4366010741A0CC
Key-Arg : None
Start Time: 1185190942
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
220 mail.example.com ESMTP Postfix (Debian/GNU)
I'm sure there are some TLS/SSL/Postfix experts around here, so can anybody tell me what to do in order to make TLS work over port 25 without SSL?
Thanks for your help!
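The two log excerpts above show the same client reaching two different outcomes after "setting up TLS connection": an SSL_accept error on the STARTTLS port and an established TLSv1 session on 465. Because one smtpd process handles one connection at a time, correlating those lines per process id turns a whole mail.log into a per-handshake table of outcome, duration, cipher and SASL user, which is how you see whether a failure is one client's problem or every STARTTLS client's. This is an added example, not code from the post or from Postfix; summarize_tls and the record fields are my own names, and SAMPLE_LOG is constructed from the post's own log lines.

```python
import re
from collections import OrderedDict

# Constructed sample: the smtpd lines quoted in the post (host and address anonymized as there).
SAMPLE_LOG = """\
Jul 23 13:18:02 hXXXXXX postfix/smtpd[7885]: connect from dslb-XXX.pools.arcor-ip.net[XXX.XXX.XXX.XXX]
Jul 23 13:18:02 hXXXXXX postfix/smtpd[7885]: setting up TLS connection from dslb-XXX.pools.arcor-ip.net[XXX.XXX.XXX.XXX]
Jul 23 13:18:33 hXXXXXX postfix/smtpd[7885]: SSL_accept error from dslb-XXX.pools.arcor-ip.net[XXX.XXX.XXX.XXX]: -1
Jul 23 13:18:33 hXXXXXX postfix/smtpd[7885]: lost connection after STARTTLS from dslb-XXX.pools.arcor-ip.net[XXX.XXX.XXX.XXX]
Jul 23 13:32:40 hXXXXXX postfix/smtpd[8281]: connect from dslb-XXX.pools.arcor-ip.net[XXX.XXX.XXX.XXX]
Jul 23 13:32:40 hXXXXXX postfix/smtpd[8281]: setting up TLS connection from dslb-XXX.pools.arcor-ip.net[XXX.XXX.XXX.XXX]
Jul 23 13:32:57 hXXXXXX postfix/smtpd[8281]: TLS connection established from dslb-XXX.pools.arcor-ip.net[XXX.XXX.XXX.XXX]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jul 23 13:33:01 hXXXXXX postfix/smtpd[8281]: CA0611B4152: client=dslb-XXX.pools.arcor-ip.net[XXX.XXX.XXX.XXX], sasl_method=PLAIN, sasl_username=web2
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) \S+ postfix/smtpd\[(\d+)\]: (.*)$")
SETUP_RE = re.compile(r"^setting up TLS connection from (\S+)$")
OK_RE = re.compile(r"^TLS connection established from (\S+): (\S+) with cipher (\S+)")
ERR_RE = re.compile(r"^SSL_accept error from (\S+): (-?\d+)$")
SASL_RE = re.compile(r"sasl_username=(\S+)")

def summarize_tls(log_text):
    """Correlate smtpd TLS lines per process id (one smtpd process serves one
    connection at a time) and return one record per handshake attempt."""
    sessions = OrderedDict()  # pid -> record, in order of first 'setting up TLS'
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a postfix/smtpd line (e.g. cleanup, qmgr)
        hh, mm, ss, pid, msg = m.groups()
        t = int(hh) * 3600 + int(mm) * 60 + int(ss)  # seconds since midnight
        s = SETUP_RE.match(msg)
        if s:  # a new handshake starts; a later one on the same pid replaces it
            sessions[pid] = {"pid": pid, "client": s.group(1), "result": "pending", "start": t}
        elif pid in sessions:
            rec = sessions[pid]
            ok, err, user = OK_RE.match(msg), ERR_RE.match(msg), SASL_RE.search(msg)
            if ok:
                rec.update(result="established", protocol=ok.group(2), cipher=ok.group(3), seconds=t - rec["start"])
            elif err:
                rec.update(result="failed", error=err.group(2), seconds=t - rec["start"])
            elif msg.startswith("lost connection after STARTTLS"):
                rec["lost_after_starttls"] = True
            elif user:
                rec["sasl_username"] = user.group(1)
    return list(sessions.values())

if __name__ == "__main__":
    for r in summarize_tls(SAMPLE_LOG):
        print(r["pid"], r["result"], r.get("cipher") or r.get("error", ""), "%ss" % r.get("seconds", "?"))
```

Run against a real mail.log (read the file instead of SAMPLE_LOG) a 30-second "pending" to "failed" gap on many different clients points at the server side of the handshake, while failures from a single client point at that client's TLS settings.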