First off, thanks for the help everyone!

>Test postfix TLS with openssl to make sure postfix is working correctly.
>
>For port 25 (or 587) with STARTTLS
># openssl s_client -connect example.com:25 -starttls smtp
>

I'm using 587, and this seemed to function just fine from a remote host:

--------------------------------------------------------------
[root@server ~]# openssl s_client -connect mail.MYDOMAIN.com:587 -starttls smtp
CONNECTED(00000003)
depth=0 C = US, ST = North Carolina, L = Apex, O = MYDOMAIN, CN =
mail.MYDOMAIN.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = North Carolina, L = Apex, O = MYDOMAIN, CN =
mail.MYDOMAIN.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=North Carolina/L=Apex/O=MYDOMAIN/CN=mail.MYDOMAIN.com
   i:/C=US/ST=North Carolina/L=Apex/O=MYDOMAIN/CN=mail.MYDOMAIN.com
---
Server certificate
-----BEGIN CERTIFICATE-----
*************
-----END CERTIFICATE-----
subject=/C=US/ST=North Carolina/L=Apex/O=MYDOMAIN/CN=mail.MYDOMAIN.com
issuer=/C=US/ST=North Carolina/L=Apex/O=MYDOMAIN/CN=mail.MYDOMAIN.com
---
No client certificate CA names sent
---
SSL handshake has read 1871 bytes and written 346 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: ************
    Session-ID-ctx:
    Master-Key: ***********
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:
**************

    Compression: 1 (zlib compression)
    Start Time: 1326139550
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
250 DSN
ehlo MYDOMAIN
250-mail.MYDOMAIN.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH PLAIN DIGEST-MD5 LOGIN CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
closed
--------------------------------------------------------------

>Or if you've enabled master.cf port 465 TLS wrappermode (sometimes
>mistakenly referred to as SSL in mail client software):
># openssl s_client -connect example.com:465
>

I'm not using 465, so this doesn't seem to be it.


>If postfix checks out OK, the problem is with the Exchange
>configuration.
>
>Maybe Exchange needs to import the private root CA you used to
>generate your certificates?  Maybe Exchange is trying to use
>wrappermode on a port configured for STARTTLS (or vice versa)?
>

I completely agree this is probably something specific to Exchange
2010, but I'm not even sure how I would figure this out from the
Exchange side. Exchange doesn't exactly have a lot of "settings" like
Postfix does. I can either turn TLS on or off, but there doesn't
appear to be any other related configuration. What I've tried to find
out in Exchange forums has been useless, unfortunately.

>If you need more help with postfix, show "postconf -n" output and
>relevant log entries.
>

Below is the output of postconf, and under that is a log level 7 TLS
negotiation.

"postconf -n"
--------------------------------------------------------------
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
append_at_myorigin = no
broken_sasl_auth_clients = no
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
delay_warning_time = 48h
disable_vrfy_command = yes
html_directory = no
inet_interfaces = all
inet_protocols = all
local_recipient_maps =
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
masquerade_domains = ****** ****** ******
masquerade_exceptions = root
maximal_backoff_time = 8000s
maximal_queue_lifetime = 16d
minimal_backoff_time = 1000s
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = mail.**********.com
mynetworks_style = host
myorigin = *********.com
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relay_domains = proxy:mysql:$config_directory/mysql_relay_domains_maps.cf
relay_recipient_maps =
proxy:mysql:$config_directory/mysql_relay_recipient_maps.cf
relayhost =
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_helo_timeout = 60s
smtp_tls_CAfile = /etc/postfix/certs/ca.crt
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org,
reject_rbl_client blackholes.easynet.nl, reject_rbl_client
dnsbl.njabl.org
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject
reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_recipient_limit = 89
smtpd_recipient_restrictions = reject_unauth_pipelining,
permit_mynetworks, permit_sasl_authenticated,
reject_non_fqdn_recipient, reject_unknown_recipient_domain,
reject_unauth_destination, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_sasl_authenticated,
permit_mynetworks, warn_if_reject reject_non_fqdn_sender,
reject_unknown_sender_domain, reject_unauth_pipelining, permit
smtpd_soft_error_limit = 3
smtpd_tls_cert_file = /etc/postfix/certs/signed-cert.crt
smtpd_tls_key_file = /etc/postfix/certs/cert.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:$config_directory/mysql_transport_maps.cf
unknown_local_recipient_reject_code = 450
virtual_alias_maps = proxy:mysql:$config_directory/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/spool/mail/virtual
virtual_mailbox_domains =
proxy:mysql:$config_directory/mysql_virtual_domains_maps.cf
virtual_mailbox_maps =
proxy:mysql:$config_directory/mysql_virtual_mailbox_maps.cf
virtual_uid_maps = static:5000
--------------------------------------------------------------


maillog with log level 7 (I just noticed the "QUIT" message below, but
I'm not sure how to interpret it)
--------------------------------------------------------------
Jan  9 20:12:18 ************ postfix/smtpd[11743]: initializing the
server-side TLS engine
Jan  9 20:12:18 ************ postfix/smtpd[11743]: connect from
**********[*******]
Jan  9 20:12:18 ************ postfix/smtpd[11743]: setting up TLS
connection from **********[*******]
Jan  9 20:12:18 ************ postfix/smtpd[11743]:
**********[*******]: TLS cipher list "ALL:+RC4:@STRENGTH"
Jan  9 20:12:18 ************ postfix/smtpd[11743]:
SSL_accept:before/accept initialization
Jan  9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968
[016438C8] (11 bytes => -1 (0xFFFFFFFF))
Jan  9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968
[016438C8] (11 bytes => 11 (0xB))
Jan  9 20:12:18 ************ postfix/smtpd[11743]: 0000 16 03 01 00 7a
01 00 00|76 03 01                 ....z... v..
Jan  9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968
[016438D6] (116 bytes => -1 (0xFFFFFFFF))
Jan  9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968
[016438D6] (116 bytes => 116 (0x74))
** snip **
Jan  9 20:12:18 ************ postfix/smtpd[11743]: SSL_accept:SSLv3
read client hello B
Jan  9 20:12:18 ************ postfix/smtpd[11743]: SSL_accept:SSLv3
write server hello A
Jan  9 20:12:18 ************ postfix/smtpd[11743]: SSL_accept:SSLv3
write certificate A
Jan  9 20:12:18 ************ postfix/smtpd[11743]: SSL_accept:SSLv3
write server done A
Jan  9 20:12:18 ************ postfix/smtpd[11743]: write to 01633968
[01651280] (934 bytes => 934 (0x3A6))
** snip **                                       ...
Jan  9 20:12:18 ************ postfix/smtpd[11743]: 03a3 - <SPACES/NULLS>
Jan  9 20:12:18 ************ postfix/smtpd[11743]: SSL_accept:SSLv3 flush data
Jan  9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968
[016438CB] (5 bytes => -1 (0xFFFFFFFF))
Jan  9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968
[016438CB] (5 bytes => 5 (0x5))
Jan  9 20:12:18 ************ postfix/smtpd[11743]: 0000 16 03 01 01 06
                                  .....
Jan  9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968
[016438D0] (262 bytes => -1 (0xFFFFFFFF))
Jan  9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968
[016438D0] (262 bytes => 262 (0x106))
** snip **
Jan  9 20:12:18 ************ postfix/smtpd[11743]: SSL_accept:SSLv3
read client key exchange A
Jan  9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968
[016438CB] (5 bytes => -1 (0xFFFFFFFF))
Jan  9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968
[016438CB] (5 bytes => 5 (0x5))
Jan  9 20:12:18 ************ postfix/smtpd[11743]: 0000 14 03 01 00 01
                                  .....
Jan  9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968
[016438D0] (1 bytes => -1 (0xFFFFFFFF))
Jan  9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968
[016438D0] (1 bytes => 1 (0x1))
Jan  9 20:12:18 ************ postfix/smtpd[11743]: 0000 01
                                  .
Jan  9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968
[016438CB] (5 bytes => -1 (0xFFFFFFFF))
Jan  9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968
[016438CB] (5 bytes => 5 (0x5))
Jan  9 20:12:18 ************ postfix/smtpd[11743]: 0000 16 03 01 00 30
                                  ....0
Jan  9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968
[016438D0] (48 bytes => -1 (0xFFFFFFFF))
Jan  9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968
[016438D0] (48 bytes => 48 (0x30))
** snip **
Jan  9 20:12:18 ************ postfix/smtpd[11743]: SSL_accept:SSLv3
read finished A
Jan  9 20:12:18 ************ postfix/smtpd[11743]: SSL_accept:SSLv3
write change cipher spec A
Jan  9 20:12:18 ************ postfix/smtpd[11743]: SSL_accept:SSLv3
write finished A
Jan  9 20:12:18 ************ postfix/smtpd[11743]: write to 01633968
[01651280] (59 bytes => 59 (0x3B))
** snip **
Jan  9 20:12:18 ************ postfix/smtpd[11743]: SSL_accept:SSLv3 flush data
Jan  9 20:12:18 ************ postfix/smtpd[11743]: Anonymous TLS
connection established from *************[******]: TLSv1 with cipher
AES128-SHA (128/128 bits)
Jan  9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968
[016438CB] (5 bytes => -1 (0xFFFFFFFF))
Jan  9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968
[016438CB] (5 bytes => 5 (0x5))
** snip **                                       ...
Jan  9 20:12:18 ************ postfix/smtpd[11743]: 0003 - <SPACES/NULLS>
Jan  9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968
[016438D0] (32 bytes => -1 (0xFFFFFFFF))
Jan  9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968
[016438D0] (32 bytes => 32 (0x20))
** snip **
Jan  9 20:12:18 ************ postfix/smtpd[11743]: Read 6 chars: QUIT??
Jan  9 20:12:18 ************ postfix/smtpd[11743]: Write 15 chars: 221
2.0.0 Bye??
Jan  9 20:12:18 ************ postfix/smtpd[11743]: write to 01633968
[0164BE1B] (53 bytes => 53 (0x35))
** snip **                         ..._.
Jan  9 20:12:18 ************ postfix/smtpd[11743]: write to 01633968
[0164BE1B] (37 bytes => 37 (0x25))
** snip **
Jan  9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968
[016438CB] (5 bytes => -1 (0xFFFFFFFF))
Jan  9 20:12:18 ************ postfix/smtpd[11743]: disconnect from
**********[*******]
--------------------------------------------------------------


Thanks,
Ben
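The maillog above shows the server-side handshake finishing ("Anonymous TLS connection established ... TLSv1 with cipher AES128-SHA") and the very next thing the client sends being QUIT. A small log analyser makes that pattern easy to spot across many sessions. The following is an added example, not code from this thread or from Postfix: it groups smtpd lines by process id, records whether the TLS handshake completed, at which Postfix trust level and with which protocol and cipher, and what the first SMTP verb after the handshake was. The sample log is constructed to mirror the format of the excerpt above (the `Read N chars:` lines come from the high log level used there); hostnames, addresses and the extra sessions are placeholders, and the message texts for a failed handshake are assumed to follow Postfix's usual wording.

```python
"""Summarise Postfix smtpd TLS sessions from maillog lines (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the maillog excerpt in the thread.
# Hosts and addresses are placeholders; the third session is assumed wording
# for a handshake that never completes.
SAMPLE_LOG = """\
Jan  9 20:12:18 mx postfix/smtpd[11743]: connect from client.example[192.0.2.10]
Jan  9 20:12:18 mx postfix/smtpd[11743]: setting up TLS connection from client.example[192.0.2.10]
Jan  9 20:12:18 mx postfix/smtpd[11743]: Anonymous TLS connection established from client.example[192.0.2.10]: TLSv1 with cipher AES128-SHA (128/128 bits)
Jan  9 20:12:18 mx postfix/smtpd[11743]: Read 6 chars: QUIT??
Jan  9 20:12:18 mx postfix/smtpd[11743]: Write 15 chars: 221 2.0.0 Bye??
Jan  9 20:12:18 mx postfix/smtpd[11743]: disconnect from client.example[192.0.2.10]
Jan  9 20:13:05 mx postfix/smtpd[11790]: connect from other.example[198.51.100.7]
Jan  9 20:13:05 mx postfix/smtpd[11790]: setting up TLS connection from other.example[198.51.100.7]
Jan  9 20:13:05 mx postfix/smtpd[11790]: Trusted TLS connection established from other.example[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan  9 20:13:05 mx postfix/smtpd[11790]: Read 25 chars: MAIL FROM:<a@b.example>??
Jan  9 20:13:06 mx postfix/smtpd[11790]: disconnect from other.example[198.51.100.7]
Jan  9 20:14:40 mx postfix/smtpd[11820]: connect from third.example[203.0.113.5]
Jan  9 20:14:40 mx postfix/smtpd[11820]: setting up TLS connection from third.example[203.0.113.5]
Jan  9 20:14:40 mx postfix/smtpd[11820]: SSL_accept error from third.example[203.0.113.5]: 0
Jan  9 20:14:40 mx postfix/smtpd[11820]: disconnect from third.example[203.0.113.5]
"""

# syslog prefix + "postfix/smtpd[PID]: message"
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Postfix prefixes the established-connection line with its trust level for
# the client certificate: Anonymous (none sent), Untrusted, Trusted, Verified.
TLS_OK_RE = re.compile(
    r"^(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"from (?P<peer>\S+): (?P<proto>\S+) with cipher (?P<cipher>\S+) "
    r"\((?P<bits>\d+)/\d+ bits\)"
)
# "Read N chars: VERB ..." lines appear at high log levels and show the
# plaintext SMTP command after TLS has been negotiated.
READ_RE = re.compile(r"^Read \d+ chars: (?P<verb>[A-Za-z]+)")

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


@dataclass
class Session:
    pid: str
    peer: str = ""
    tls_attempted: bool = False
    tls_trust: str = ""   # empty until the handshake completes
    protocol: str = ""
    cipher: str = ""
    bits: int = 0
    commands: list = field(default_factory=list)  # verbs read after the handshake


def parse_sessions(log_text):
    """Group smtpd log lines by process id into Session records."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions.setdefault(m.group("pid"), Session(m.group("pid")))
        msg = m.group("msg")
        if msg.startswith("connect from "):
            s.peer = msg[len("connect from "):]
        elif msg.startswith("setting up TLS connection"):
            s.tls_attempted = True
        elif (t := TLS_OK_RE.match(msg)):
            s.tls_trust, s.protocol = t.group("trust"), t.group("proto")
            s.cipher, s.bits = t.group("cipher"), int(t.group("bits"))
        elif (r := READ_RE.match(msg)):
            s.commands.append(r.group("verb").upper())
    return sessions


def diagnose(s):
    """Classify where in the session things went wrong, if anywhere."""
    if s.tls_attempted and not s.tls_trust:
        return "handshake-failed"          # server-side TLS is the place to look
    if s.tls_trust and s.commands[:1] == ["QUIT"]:
        return "client-quit-after-tls"     # handshake fine; client gave up afterwards
    if s.tls_trust:
        return "ok"
    return "no-tls"


def warnings(s):
    """Hygiene findings worth noting even when the session succeeded."""
    found = []
    if s.protocol in WEAK_PROTOCOLS:
        found.append("weak-protocol")
    if s.tls_trust == "Anonymous":
        found.append("no-client-cert")
    return found


if __name__ == "__main__":
    for pid, s in parse_sessions(SAMPLE_LOG).items():
        print(f"{pid} {s.peer}: {diagnose(s)} {s.protocol} {s.cipher} {warnings(s)}")
```

A session that reports `client-quit-after-tls` is the one worth chasing on the client: Postfix accepted the handshake, so the remaining suspects are the client's own checks after the handshake (for example, whether it trusts the certificate it was shown) rather than the Postfix TLS parameters. `handshake-failed` sessions, by contrast, point back at the Postfix side.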
