On 4/12/2011 9:24 AM, Fabien COMBERNOUS wrote:
Thank you for URL pointers.

On 12/04/2011 13:53, Noel Jones wrote:

[...]
Yes, TLS and authentication are set up separately in postfix
and can be (and frequently are) used together.

http://www.postfix.org/SASL_README.html#client_sasl_enable

Authentication with a remote smtp without SSL/TLS (port 25) is
running well.
http://www.postfix.org/TLS_README.html#client_tls
About TLS, I want to use smtp.gmail.com and a gmail account.
I started by getting certificates of the remote smtp service
with the command:
#> openssl s_client -connect smtp.gmail.com:465 -showcerts
CONNECTED(00000003)
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google
Inc/CN=smtp.gmail.com
i:/C=US/O=Google Inc/CN=Google Internet Authority
-----BEGIN CERTIFICATE-----
MIIDWzCCAsSgAwIBAgIKaM9uMQADAAAirTANBgkqhkiG9w0BAQUFADBGMQswCQYD
[...]
Ouo+mV5BJSkDXH/qbG6wiBdEIypseBEbG+XJMxTSaYVgUjY313rBbAvQ0Uf7ZGQ=
-----END CERTIFICATE-----
[...]

Then I put the certificate in the file
/etc/postfix/certs/googlesmtp.pem, beginning with -----BEGIN
CERTIFICATE----- and ending with -----END CERTIFICATE-----

Then I added the following key in main.cf:
/etc/postfix/main.cf:smtp_tls_cert_file =
/etc/postfix/certs/googlesmtp.pem

Then I reloaded the postfix config.

It's fine to load google's certs, but that isn't required.



But, with or without the key smtp_tls_cert_file, I get the
following logs if my postfix wants to send a mail to via relay :
Apr 12 15:12:57 dns postfix/smtp[94247]: DA42493725:
to=<fcombern...@kezia.com>,
relay=smtp.gmail.com[209.85.227.109]:465, delay=1174,
delays=873/0.06/301/0, dsn=4.4.2, status=deferred
(conversation with smtp.gmail.com[209.85.227.109] timed out
while receiving the initial server greeting)

Port 465 is the deprecated "SSL wrapper mode" smtps. The postfix smtp client doesn't support wrapper mode. Use the submission port 587 instead, or if you must use 465 see http://www.postfix.org/TLS_README.html#client_smtps


  -- Noel Jones
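
A relay setup along the lines of the advice above, using the submission port with STARTTLS plus SASL authentication. This is an added example, not configuration from the thread; the file paths and the sasl_passwd entry are assumptions.

```ini
# /etc/postfix/main.cf (added example; paths below are assumptions)

# Relay through the submission port. On 587 the server sends its greeting
# in the clear and TLS is negotiated afterwards with STARTTLS, which is
# what the Postfix SMTP client expects. On 465 (wrapper mode) the server
# waits for a TLS handshake first, so the client times out waiting for
# the greeting, as in the log above.
# The brackets disable the MX lookup for the relay host name.
relayhost = [smtp.gmail.com]:587

# Require TLS for the session so the SASL credentials are never sent
# over an unencrypted connection.
smtp_tls_security_level = encrypt

# Optional CA bundle for validating the server certificate chain
# (assumed path, system dependent). With level "encrypt" the chain is
# not enforced; "verify" or "secure" would enforce it.
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# smtp_tls_cert_file holds the client's own certificate. It is not
# needed for this relay and is left unset.

# SASL authentication, configured separately from TLS.
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous

# /etc/postfix/sasl_passwd (assumed file, placeholder credentials),
# one line, keyed by exactly the same string as relayhost:
#   [smtp.gmail.com]:587    ACCOUNT@gmail.com:PASSWORD
```

After editing, run `postmap /etc/postfix/sasl_passwd` to build the lookup table, restrict both files to root, and reload postfix.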
