On Mon, Jan 10, 2011 at 01:04:02PM -0800, Bryan Harrison wrote:
> I've recently migrated services to a new mailserver, which has of course
> promptly started kicking out dire errors that didn't show during testing.
>
> Here's an example transcript, postconf -n is below
>
> Out: 220 gilded-bat.laughingboot.net ESMTP Postfix
> In: EHLO [10.2.45.174]
> Out: 250-gilded-bat.laughingboot.net
> Out: 250-PIPELINING
> Out: 250-SIZE 6291456
> Out: 250-ETRN
> Out: 250-STARTTLS
> Out: 250-ENHANCEDSTATUSCODES
> Out: 250-8BITMIME
> Out: 250 DSN
> In: STARTTLS
> Out: 454 4.7.0 TLS not available due to local problem
Your server is misconfigured, perhaps no certificate and/or matching
private key, ...
> In: ???
> Out: 502 5.5.2 Error: command not recognized
The client is broken, and sends an SSL HELLO even though STARTTLS was
rejected. Server logs are MUCH MORE useful than session transcripts.
> smtpd_pw_server_security_options = cram-md5,login,plain,gssapi
> smtpd_use_pw_server = yes
Apple's Postfix.
> smtpd_tls_exclude_ciphers = SSLv2 aNULL ADH eNULL
Why? eNULL is automatically excluded, and ADH is good to enable,
there's no harm in aNULL, especially if you don't configure keys!
As for SSLv2 if your OpenSSL or Postfix is new enough, that's automatic,
otherwise, best to turn off the protocol, not the ciphersuites, but
if opportunistic protocol controls are in your Postfix version,
that's the only element here that makes some sense.
> smtpd_tls_loglevel = 0
> smtpd_use_tls = no
No certificate or key configured. I don't see a setting for
"smtpd_tls_security_level", perhaps there's more in master.cf, but
that would not be a good place to specify the keys...
--
Viktor.
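The main.cf fragment below is an added illustration and is not part of the thread or of either poster's configuration. It puts the posted settings beside the ones Viktor's reply points to: a server-side TLS security level, a certificate file and a matching private key, and a log level that actually records the handshake. The hostname comes from the transcript; the certificate and key paths are assumptions. Since the transcript shows STARTTLS being advertised even though the posted main.cf says smtpd_use_tls = no, the advertisement is presumably enabled elsewhere (master.cf, as Viktor suggests); the fragment assumes it is moved back into main.cf.

```ini
# Added example, not from the original thread. Paths are assumptions.

# --- as posted: STARTTLS is offered, but no certificate or key is configured,
# --- so smtpd can only answer "454 4.7.0 TLS not available due to local problem"
# smtpd_use_tls = no
# smtpd_tls_loglevel = 0
# smtpd_tls_exclude_ciphers = SSLv2 aNULL ADH eNULL

# --- corrected: opportunistic server-side TLS with real key material
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/certs/gilded-bat.laughingboot.net.pem
smtpd_tls_key_file  = /etc/postfix/certs/gilded-bat.laughingboot.net.key

# Log a one-line summary of each handshake (0 logs nothing useful for this)
smtpd_tls_loglevel = 1

# Disable the protocol rather than its ciphersuites (Postfix with
# smtpd_tls_protocols support); eNULL is already excluded by default
smtpd_tls_protocols = !SSLv2
smtpd_tls_exclude_ciphers =
```

After reloading, `openssl s_client -starttls smtp -connect gilded-bat.laughingboot.net:25` should complete a handshake and print the certificate chain; if it still fails, the mail log (not the session transcript) will now carry Postfix's warning about which file it could not load or why the key does not match the certificate.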