techlist06
2016-07-23 21:31:48 UTC
I'm building a new server to replace an old one in production. I've never
had trouble in the past, but it's been a while and it is not going smoothly
this time. I've spent a week trying and not getting it going. I gave up
getting Cyrus-sasl to work, moved to Dovecot. Got farther but stuck now.
Eyes crossed. :)
This is on Centos 7, Postfix 2.10.1 from stock rpm, Dovecot 2.2.10.
I have my self signed certificates made and entered in main.cf and
/etc/dovecot/conf.d/10-ssl.conf I am no certificate guru, I think I have
them right.
I've checked everything best I can figure out how:
-----
test tunneled TLS connections to port 465
openssl s_client -connect tn2.myserver.com:465
Appears to work
-----
From remote server
test STARTTLS connections on port 25 or 587 with:
openssl s_client -connect tn2.myserver.com:587 -starttls smtp
appears to work, shows a bunch of info and the certificate text. Nothing
that looks like errors except a line that says:
verify error:num=18:self signed certificate
verify return:1
-----
From remote server
Tested my cacert.pem certificate with
openssl x509 -in cacert.pem -inform pem -noout -text
It did not ask for a PW, displayed contents, so I think that' s good (happy
to post output if it helps)
-----
checked if the cert and key match
(openssl x509 -noout -modulus -in /etc/certs/tn2.myserver.com.crt |
openssl md5 ;openssl rsa -noout -modulus -in
/etc/certs/tn2.myserver.com.key | openssl md5) | uniq
I only get one match so I think that' s good.
----
Telnet to the server and STARTTLS seems happy:
220 tn2.myserver.com ESMTP Postfix
ehlo sample.com
250-tn2.myserver.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
STARTTLS
220 2.0.0 Ready to start TLS
---------------
My postfix config is:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
home_mailbox = Maildir/
html_directory = no
inet_interfaces = $myhostname, localhost
inet_protocols = ipv4
local_recipient_maps = hash:/etc/postfix/local_recipient
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = tn2.myserver.com
myhostname = tn2.myserver.com
mynetworks = localhost, $mydomain, xx.xx.xx.xx/32
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
relay_domains = mlec.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_recipient_limit = 2500
smtpd_recipient_restrictions = reject_invalid_hostname,
reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_unknown_sender_domain, reject_unknown_recipient_domain,
permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination,
check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
check_helo_access hash:/etc/postfix/helo_checks, check_sender_access
hash:/etc/postfix/sender_checks, check_client_access
hash:/etc/postfix/client_checks, check_client_access
pcre:/etc/postfix/client_checks.pcre, check_recipient_access
hash:/etc/postfix/access, reject_rbl_client zen.spamhaus.org
reject_rbl_client psbl.surriel.com, reject_rbl_client bl.spamcop.net,
check_policy_service unix:postgrey/socket, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_cert_file = /etc/postfix/certs/tn2.myserver.com.crt
smtpd_tls_key_file = /etc/postfix/certs/tn2.myserver.com.key
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
------------------
MS Outlook is happy using port 587 (SASL only I think) I can deliver a test
message. POP also works and it will retrive same.
But with Outlook set to use port 465 it will not work. Times out.
----------------
The maillog for the timed out test shows below. It gets to that last line
and just hangs.
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: connection established
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: master_notify: status 0
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: name_mask: resource
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: name_mask: software
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: connect from
yy-yy-yy-yy.lightspeed.nsvltn.sbcglobal.net[yy-yy-yy-yy]
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: match_list_match:
yy-yy-yy-yy.lightspeed.nsvltn.sbcglobal.net: no match
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: match_list_match:
yy-yy-yy-yy: no match
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: match_list_match:
yy-yy-yy-yy.lightspeed.nsvltn.sbcglobal.net: no match
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: match_list_match:
yy-yy-yy-yy: no match
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: smtp_stream_setup:
maxtime=300 enable_deadline=0
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: setting up TLS connection
from yy-yy-yy-yy.lightspeed.nsvltn.sbcglobal.net[yy-yy-yy-yy]
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]:
yy-yy-yy-yy.lightspeed.nsvltn.sbcglobal.net[yy-yy-yy-yy]: TLS cipher list
"aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: auto_clnt_open: connected to
private/tlsmgr
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: send attr request = seed
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: send attr size = 32
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: private/tlsmgr: wanted
attribute: status
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: input attribute name: status
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: input attribute value: 0
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: private/tlsmgr: wanted
attribute: seed
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: input attribute name: seed
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: input attribute value:
vyQmNnun9ko49YWyusMMmpdLoWMD3oF6j6MJwcWHXrs=
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: private/tlsmgr: wanted
attribute: (list terminator)
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: input attribute name: (end)
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: SSL_accept:before/accept
initialization
Can someone see what I'm doing wrong? How to fix it? Hoping it's a config
error.
Please let me know if I've missed some piece of information. I'm a novice,
I'll be grateful if you temper your replies so I can take advantage of them.
Thanks very much
had trouble in the past, but it's been a while and it is not going smoothly
this time. I've spent a week trying and not getting it going. I gave up
getting Cyrus-sasl to work, moved to Dovecot. Got farther but stuck now.
Eyes crossed. :)
This is on Centos 7, Postfix 2.10.1 from stock rpm, Dovecot 2.2.10.
I have my self signed certificates made and entered in main.cf and
/etc/dovecot/conf.d/10-ssl.conf I am no certificate guru, I think I have
them right.
I've checked everything best I can figure out how:
-----
test tunneled TLS connections to port 465
openssl s_client -connect tn2.myserver.com:465
Appears to work
-----
From remote server
test STARTTLS connections on port 25 or 587 with:
openssl s_client -connect tn2.myserver.com:587 -starttls smtp
appears to work, shows a bunch of info and the certificate text. Nothing
that looks like errors except a line that says:
verify error:num=18:self signed certificate
verify return:1
-----
From remote server
Tested my cacert.pem certificate with
openssl x509 -in cacert.pem -inform pem -noout -text
It did not ask for a PW, displayed contents, so I think that' s good (happy
to post output if it helps)
-----
checked if the cert and key match
(openssl x509 -noout -modulus -in /etc/certs/tn2.myserver.com.crt |
openssl md5 ;openssl rsa -noout -modulus -in
/etc/certs/tn2.myserver.com.key | openssl md5) | uniq
I only get one match so I think that' s good.
----
Telnet to the server and STARTTLS seems happy:
220 tn2.myserver.com ESMTP Postfix
ehlo sample.com
250-tn2.myserver.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
STARTTLS
220 2.0.0 Ready to start TLS
---------------
My postfix config is:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
home_mailbox = Maildir/
html_directory = no
inet_interfaces = $myhostname, localhost
inet_protocols = ipv4
local_recipient_maps = hash:/etc/postfix/local_recipient
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = tn2.myserver.com
myhostname = tn2.myserver.com
mynetworks = localhost, $mydomain, xx.xx.xx.xx/32
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
relay_domains = mlec.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_recipient_limit = 2500
smtpd_recipient_restrictions = reject_invalid_hostname,
reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_unknown_sender_domain, reject_unknown_recipient_domain,
permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination,
check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
check_helo_access hash:/etc/postfix/helo_checks, check_sender_access
hash:/etc/postfix/sender_checks, check_client_access
hash:/etc/postfix/client_checks, check_client_access
pcre:/etc/postfix/client_checks.pcre, check_recipient_access
hash:/etc/postfix/access, reject_rbl_client zen.spamhaus.org
reject_rbl_client psbl.surriel.com, reject_rbl_client bl.spamcop.net,
check_policy_service unix:postgrey/socket, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_cert_file = /etc/postfix/certs/tn2.myserver.com.crt
smtpd_tls_key_file = /etc/postfix/certs/tn2.myserver.com.key
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
------------------
MS Outlook is happy using port 587 (SASL only I think) I can deliver a test
message. POP also works and it will retrive same.
But with Outlook set to use port 465 it will not work. Times out.
----------------
The maillog for the timed out test shows below. It gets to that last line
and just hangs.
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: connection established
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: master_notify: status 0
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: name_mask: resource
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: name_mask: software
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: connect from
yy-yy-yy-yy.lightspeed.nsvltn.sbcglobal.net[yy-yy-yy-yy]
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: match_list_match:
yy-yy-yy-yy.lightspeed.nsvltn.sbcglobal.net: no match
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: match_list_match:
yy-yy-yy-yy: no match
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: match_list_match:
yy-yy-yy-yy.lightspeed.nsvltn.sbcglobal.net: no match
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: match_list_match:
yy-yy-yy-yy: no match
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: smtp_stream_setup:
maxtime=300 enable_deadline=0
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: setting up TLS connection
from yy-yy-yy-yy.lightspeed.nsvltn.sbcglobal.net[yy-yy-yy-yy]
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]:
yy-yy-yy-yy.lightspeed.nsvltn.sbcglobal.net[yy-yy-yy-yy]: TLS cipher list
"aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: auto_clnt_open: connected to
private/tlsmgr
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: send attr request = seed
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: send attr size = 32
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: private/tlsmgr: wanted
attribute: status
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: input attribute name: status
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: input attribute value: 0
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: private/tlsmgr: wanted
attribute: seed
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: input attribute name: seed
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: input attribute value:
vyQmNnun9ko49YWyusMMmpdLoWMD3oF6j6MJwcWHXrs=
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: private/tlsmgr: wanted
attribute: (list terminator)
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: input attribute name: (end)
Jul 23 16:09:27 tn2 postfix/smtps/smtpd[10110]: SSL_accept:before/accept
initialization
Can someone see what I'm doing wrong? How to fix it? Hoping it's a config
error.
Please let me know if I've missed some piece of information. I'm a novice,
I'll be grateful if you temper your replies so I can take advantage of them.
Thanks very much