Having trouble verifying TLS setup // postfix / ubuntu 10.04

Discussion in 'Server Operation' started by vmos, Jan 19, 2011.

  1. vmos

    vmos Member

    Good morning,
    I'm setting up a new Postfix server; it's going to be our inbound gateway and will also relay mail to certain domains that we need TLS for.

    I didn't notice any issues with the install. When I do "telnet localhost 25" I get this:

    220 mail.server.net ESMTP Postfix (Debian/GNU)
    ehlo localhost
    250-mail.ourserver.net
    250-PIPELINING
    250-SIZE 70480000
    250-ETRN
    250-STARTTLS
    250-AUTH LOGIN PLAIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN


    Looks OK, but when I go to another server and try "telnet mail.ourserver.net 25" I get:


    Connected to mail.ourserver.net.
    Escape character is '^]'.
    220 ******************************************
    ehlo tibus.com
    250-mail.ourserver.net
    250-PIPELINING
    250-SIZE 70480000
    250-ETRN
    250-XXXXXXXA
    250-AUTH LOGIN PLAIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN

    No STARTTLS, but there is this 250-XXXXXXXA, and I'm having trouble finding a clear answer as to what that is.

    There is another thing that may be causing an issue. We have a wildcard SSL certificate that covers our whole domain, *.ourserver.net; it's used on many servers, but in Apache. I just lifted the key and the crt from one of the Apache folders. Would that be an issue? Do I need to regenerate the key specifically for Postfix or something?
     
  2. vmos

    vmos Member

    Think I've got it. The key thing here is the difference in banner between localhost and remote:

    220 mail.server.net ESMTP Postfix (Debian/GNU)

    220 ******************************************

    In my case at least, the ***** mean that the firewall is fiddling with SMTP traffic and sticking in its own banner. Apparently SMTP inspection is enabled by default on Cisco PIX; I disabled it by using this sequence:


    pix(config)#policy-map global_policy
    pix(config-pmap)#class inspection_default
    pix(config-pmap-c)#no inspect esmtp


    Now STARTTLS appears when I try it from my local machine.


    Secondary question: this telnet test seems a bit simplistic to me; is there a more comprehensive method of verifying that the TLS is working properly?
     
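As an added example (not vmos's or the forum's code), here is a Python probe that does what the telnet test does but also recognises the blanked banner and rewritten STARTTLS keyword seen in the thread, and then negotiates STARTTLS with certificate chain and hostname verification, which is where a wrongly installed wildcard certificate would show up. The sample replies are constructed from the output quoted above; check_live assumes the host is reachable on port 25 and that the system CA bundle is present.

```python
import smtplib
import ssl

# Constructed samples mirroring the thread: the EHLO reply seen from localhost
# and the one seen from outside, where the firewall's ESMTP inspection has
# blanked the banner and rewritten the STARTTLS keyword as XXXXXXXA.
LOCAL_BANNER = "220 mail.server.net ESMTP Postfix (Debian/GNU)"
MASKED_BANNER = "220 ******************************************"
LOCAL_EHLO = ["mail.ourserver.net", "PIPELINING", "SIZE 70480000", "ETRN",
              "STARTTLS", "AUTH LOGIN PLAIN", "ENHANCEDSTATUSCODES", "8BITMIME", "DSN"]
MASKED_EHLO = [l if l != "STARTTLS" else "XXXXXXXA" for l in LOCAL_EHLO]


def banner_is_masked(banner):
    """True when the text after the 220 code is nothing but asterisks."""
    parts = banner.split(" ", 1)
    return len(parts) == 2 and parts[1] != "" and set(parts[1]) == {"*"}


def starttls_status(ehlo_lines):
    """Classify an EHLO reply (one extension per line, codes stripped, as smtplib
    returns it): 'advertised', 'masked' (keyword overwritten with X's) or 'absent'."""
    keywords = [line.split()[0].upper() for line in ehlo_lines if line.strip()]
    if "STARTTLS" in keywords:
        return "advertised"
    if any(k.startswith("XXXX") for k in keywords):  # pattern seen in the thread
        return "masked"
    return "absent"


def check_live(host, port=25, timeout=10):
    """Probe a real server (needs network access; not exercised offline):
    classify banner and EHLO, then negotiate STARTTLS with full chain and
    hostname verification and report what the TLS session looks like."""
    server = smtplib.SMTP(timeout=timeout)
    code, banner = server.connect(host, port)
    result = {"banner_masked": banner_is_masked(f"{code} {banner.decode(errors='replace')}")}
    code, ehlo = server.ehlo("probe.example")
    result["starttls"] = starttls_status(ehlo.decode(errors="replace").splitlines())
    if result["starttls"] == "advertised":
        # The default context verifies the chain against the system CA store and
        # checks the server name against the certificate (e.g. *.ourserver.net).
        server.starttls(context=ssl.create_default_context())
        result["tls_version"] = server.sock.version()
        result["cert_subject"] = server.sock.getpeercert().get("subject")
    server.quit()
    return result


if __name__ == "__main__":
    print(check_live("mail.ourserver.net"))
```

If the firewall is still rewriting the session, the probe reports banner_masked True and starttls "masked" before any TLS is attempted, which separates a firewall problem from a certificate problem.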