#1  CopalFreak, 31st August 2011, 18:07
Diagnosing Postfix/Dovecot+SSL with Telnet

I want to use SSL with plain auth.
Am I supposed to be seeing something OTHER than "250-STARTTLS"?
(Should it say "250- AUTH PLAIN" also?)


Code:
>>telnet mail.mydomain.com 587
Trying xx.xx.xx.xx...
Connected to mail.mydomain.com.
Escape character is '^]'.
220 mail.mydomain.com ESMTP mail.mydomain.com (Linux/GNU)

>>ehlo MyEmail@mydomain.com
250-mail.mydomain.com
250-PIPELINING
250-SIZE 104857600
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

>>AUTH LOGIN
438 4.7.0 Encryption required for requested authentication mechanism

>>AUTH LOGIN PLAIN
438 4.7.0 Encryption required for requested authentication mechanism

#2  Mark_NL, 1st September 2011, 11:09

587, submission, runs on tls not ssl
use 465 (ssmtp/smtps) for ssl

show us your config files.
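
Added example (not part of any post in this thread): a server that only accepts AUTH over TLS leaves AUTH out of a plaintext EHLO, so the check has to repeat EHLO after STARTTLS, which plain telnet cannot do. The Python sketch below does that with the standard `smtplib`; the function names are this example's own, `probe` needs network access to your own server, and `POST_TLS` is a constructed reply.

```python
import smtplib
import ssl

def parse_ehlo(reply):
    """Map each EHLO keyword (lower-cased) to its parameter string."""
    features = {}
    for line in reply.splitlines()[1:]:       # line 1 is the server's hostname
        keyword, _, params = line[4:].strip().partition(" ")
        if keyword:
            features[keyword.lower()] = params
    return features

def diagnose(before, after=None):
    """before: features from the plaintext EHLO; after: features from EHLO inside TLS."""
    if "auth" in before:
        return "WARNING: AUTH " + before["auth"].strip() + " offered before STARTTLS"
    if "starttls" not in before:
        return "No STARTTLS and no AUTH on this port"
    if after is None:
        return "AUTH hidden until STARTTLS: repeat EHLO inside TLS"
    if "auth" in after:
        return "OK: AUTH " + after["auth"].strip() + " offered only after STARTTLS"
    return "TLS works but AUTH is still missing: check the SASL settings"

def probe(host, port=587, timeout=10):
    """Live version of the telnet test: EHLO, STARTTLS, EHLO again."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        before, after = dict(smtp.esmtp_features), None
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ssl.create_default_context())  # verifies the certificate
            smtp.ehlo()
            after = dict(smtp.esmtp_features)
    return diagnose(before, after)

# EHLO reply copied from post #1; POST_TLS is constructed for illustration.
PRE_TLS = """250-mail.mydomain.com
250-PIPELINING
250-SIZE 104857600
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""
POST_TLS = PRE_TLS.replace("250-STARTTLS", "250-AUTH PLAIN LOGIN")

if __name__ == "__main__":
    print(diagnose(parse_ehlo(PRE_TLS)))
    print(diagnose(parse_ehlo(PRE_TLS), parse_ehlo(POST_TLS)))
```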

#3  CopalFreak, 1st September 2011, 19:24

Thanks for responding Mark!
587 for TLS, 465 for SSL...important stuff to know! Thanks!

~/postfix/master.cf
Code:
# ==========================================================================
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
   -o content_filter=scan:127.0.0.1:10025
# ============================================================================================
# SHOULD I LEAVE THESE SETTINGS AS-IS IF I WANT TO ALLOW 
# TLS OVER 587 FOR THE MOMENT?
submission inet n       -       n       -       -       smtpd
#   -o smtpd_tls_security_level=encrypt 
   -o smtpd_tls_security_level=may 
   -o smtpd_sasl_auth_enable=yes 
   -o smtpd_sasl_type=dovecot 
   -o smtpd_sasl_path=/var/spool/postfix/private/auth 
   -o smtpd_sasl_security_options=noanonymous 
   -o smtpd_sasl_local_domain=$myhostname
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
#  -o smtpd_sender_login_maps=proxy:mysql:/etc/postfix/mysql_virtual_login_maps.cf
#  -o smtpd_sender_restrictions=permit
#  -o smtpd_sender_restrictions=reject_sender_login_mismatch
#  -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_sender_strictions=
#  -o smtpd_recipient_restrictions=reject_unknown_recipient_domain,reject_non_fqdn_recipient,permit_sasl_authenticated,reject
#  -o smtpd_recipient_restrictions=reject_unauth_destination
#  -o smtpd_recipient_restrictions=permit
#
#
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

# ============================================================================================
# I AM GUESSING I SHOULD UN-COMMENT SOME OF THE STUFF BELOW 
# AND COPY SOME OF THE STUFF FROM ABOVE TO ENABLE SSL 
# ENCRYPTION FOR 465 ?
smtps inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
# ============================================================================================
### AV scan filter (used by content_filter)
scan      unix  -       -       n       -       16      smtp
        -o smtp_send_xforward_command=yes
        -o smtp_enforce_tls=no
# ============================================================================================
#628       inet  n       -       n       -       -      qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
	-o smtp_fallback_relay=
	# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
# ============================================================================================
spamassassin unix -      n      n       -       -       pipe
  user=spamd argv=/usr/bin/spamc -f -e
  /usr/sbin/sendmail -oi -f ${sender} ${recipient}
# ============================================================================================
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet  n -       n       -       16      smtpd

        -o content_filter=spamassassin
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks_style=host
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8
# ============================================================================================
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=dovecot:dovecot argv=/usr/libexec/dovecot/deliver -d ${recipient}
# ============================================================================================
# ============================================================================================

~/postfix/main.cf
Code:
myhostname = mail.MyDomain.com
mail_name = mail.MyDomain.com
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
#debug_peer_list = XX.XX.XX.XX
append_dot_mydomain = no
#delay_warning_time = 4h
myhostname = mail.MyDomain.com
myorigin = MyDomain.com
mydomain = MyDomain.com
mailbox_command = /usr/bin/procmail
mynetworks = /etc/postfix/mynetworks
mailbox_size_limit = 0
message_size_limit = 104857600

#debugging
debug_peer_level = 4
soft_bounce = yes


disable_vrfy_command = yes

transport_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
alias_database = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
local_recipient_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf 


#Virtual mailbox settings
virtual_mailbox_base = /var/vmail
virtual_minimum_uid = 202
virtual_uid_maps = static:202
virtual_gid_maps = static:202
virtual_transport = dovecot

dovecot_destination_recipient_limit = 1
#does this allow for CC and BCC?

sender_bcc_maps = hash:/etc/postfix/sender_bcc
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc

virtual_alias_domains = proxy:mysql:/etc/postfix/mysql_virtual_alias_domains.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domain_maps.cf
virtual_login_maps = proxy:mysql:/etc/postfix/mysql_virtual_login_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf

mydestination = $myhostname, $mynetworks, localhost, localhost.localdomain, proxy_read_maps
proxy_read_maps = $myhostname $mynetworks $alias_maps $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_domains $virtual_login_maps $virtual_mailbox_maps $local_recipient_maps

relay_domains = $mynetworks 


#SASL Authentication
smtp_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_exceptions_networks = $mynetworks
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = $virtual_login_maps
smtpd_sasl_path = /var/spool/postfix/private/auth

smtpd_helo_required = yes

smtpd_client_restrictions =

smtpd_helo_restrictions = reject_invalid_hostname 


smtpd_sender_restrictions = reject_invalid_hostname reject_unknown_sender_domain reject_unauthenticated_sender_login_mismatch permit_sasl_authenticated permit_mynetworks permit

smtpd_recipient_restrictions =
	reject_invalid_hostname,
#reject_sender_login_mismatch,
	reject_unknown_recipient_domain,
    reject_unauth_pipelining,
	permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
	check_client_access hash:/etc/postfix/rbl_client_exceptions,
	reject_rbl_client zen.spamhaus.org,
	reject_rbl_client ix.dnsbl.manitu.net,
	reject_rbl_client multi.uribl.com,
	reject_rbl_client dsn.rfc-ignorant.org,
 	reject_rbl_client abuse.rfc-ignorant.org,
	reject_rbl_client dul.dnsbl.sorbs.net,
	reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
	reject_rbl_client dnsbl.sorbs.net,
	reject_rbl_client dyna.spamrats.com,
	reject_rbl_client cbl.abuseat.org,
	reject_rbl_client rabl.nuclearelephant.com,

smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20


# check_relay_domains reject_unlisted_recipient permit_sasl_authenticated reject_unauth_destination permit 

# stops bulk mail senders
# smtpd_data_restictions = reject_unauth_pipelining 
strict_rfc821_envelopes = no
disable_vrfy_command = yes
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
unknown_address_reject_code = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554


#TLS Certs
smtpd_tls_cert_file = /etc/postfix/certs/MyDomain.com.pem
smtpd_tls_key_file = /etc/postfix/certs/MyDomain.com.pem
smtpd_tls_CAfile = /etc/postfix/certs/gd_bundle.pem


smtpd_tls_ask_ccert = no
smtpd_tls_req_ccert = no
# smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_session_cache
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_received_header = no
smtpd_tls_loglevel = 1
# tls_random_source = dev:/dev/urandom

smtpd_sasl_auth_enable = yes
smtpd_use_tls = yes

header_checks = regexp:/etc/postfix/header_checks
body_checks = regexp:/etc/postfix/body_checks
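
Added example (not part of any post in this thread): a small Python check that merges the `-o` overrides of each `smtpd` listener in master.cf with main.cf and reports where TLS is not tied to the port's purpose. It assumes the service names `submission` and `smtps` used in the posted file, reads only single-line main.cf values, and the embedded samples are excerpts of the configuration in post #3.

```python
import re
OVERRIDE = re.compile(r"-o\s+(\w+)=(\S*)")

def parse_main_cf(text):
    """name -> value; first physical line only, enough for the settings checked here."""
    rows = [l.split("=", 1) for l in text.splitlines()
            if "=" in l and not l[0].isspace() and not l.startswith("#")]
    return {k.strip(): v.strip() for k, v in rows}

def parse_master_cf(text):
    """(service, type, command, {override: value}) per logical master.cf entry."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue                                  # blank or commented out
        if line[0].isspace() and entries:             # continuation line
            entries[-1][3].update(OVERRIDE.findall(line))
        elif len(fields) >= 8:
            entries.append((fields[0], fields[1], fields[7], dict(OVERRIDE.findall(line))))
    return entries

def audit(main_text, master_text):
    """(service, finding) for each smtpd listener whose TLS/AUTH coupling is weak."""
    main, findings = parse_main_cf(main_text), []
    for service, kind, command, over in parse_master_cf(master_text):
        if (kind, command) != ("inet", "smtpd"):
            continue
        eff = {**main, **over}                        # -o overrides beat main.cf
        wrapper = eff.get("smtpd_tls_wrappermode") == "yes"
        forced = wrapper or eff.get("smtpd_tls_security_level") == "encrypt"
        if service == "smtps" and not wrapper:
            findings.append((service, "smtpd_tls_wrappermode not set: port speaks plain SMTP"))
        if service == "submission" and not forced:
            findings.append((service, "TLS not enforced: set smtpd_tls_security_level=encrypt"))
        if (eff.get("smtpd_sasl_auth_enable") == "yes" and not forced
                and eff.get("smtpd_tls_auth_only") != "yes"):
            findings.append((service, "AUTH accepted without TLS"))
    return findings

# Excerpts of the main.cf and master.cf from post #3 (commented-out lines kept).
MAIN_CF = "smtpd_tls_security_level = may\nsmtpd_tls_auth_only = yes\nsmtpd_sasl_auth_enable = yes\n"
MASTER_CF = """smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
#   -o smtpd_tls_security_level=encrypt
   -o smtpd_tls_security_level=may
smtps inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
"""
```

On these excerpts `audit(MAIN_CF, MASTER_CF)` reports `submission` (TLS not enforced) and `smtps` (wrapper mode not enabled), and nothing for port 25 because `smtpd_tls_auth_only = yes` keeps AUTH off plaintext sessions.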

#4  CopalFreak, 7th September 2011, 19:13

Should I try something besides Postfix?