First off, thanks for the help everyone!

>Test postfix TLS with openssl to make sure postfix is working correctly.
>
>For port 25 (or 587) with STARTTLS
># openssl s_client -connect example.com:25 -starttls smtp
>

I'm using 587, and this seemed to function just fine from a remote host:

--------------------------------------------------------------
[root@server ~]# openssl s_client -connect mail.MYDOMAIN.com:587 -starttls smtp
CONNECTED(00000003)
depth=0 C = US, ST = North Carolina, L = Apex, O = MYDOMAIN, CN = mail.MYDOMAIN.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = North Carolina, L = Apex, O = MYDOMAIN, CN = mail.MYDOMAIN.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=North Carolina/L=Apex/O=MYDOMAIN/CN=mail.MYDOMAIN.com
   i:/C=US/ST=North Carolina/L=Apex/O=MYDOMAIN/CN=mail.MYDOMAIN.com
---
Server certificate
-----BEGIN CERTIFICATE-----
*************
-----END CERTIFICATE-----
subject=/C=US/ST=North Carolina/L=Apex/O=MYDOMAIN/CN=mail.MYDOMAIN.com
issuer=/C=US/ST=North Carolina/L=Apex/O=MYDOMAIN/CN=mail.MYDOMAIN.com
---
No client certificate CA names sent
---
SSL handshake has read 1871 bytes and written 346 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: ************
    Session-ID-ctx:
    Master-Key: ***********
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket: **************
    Compression: 1 (zlib compression)
    Start Time: 1326139550
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
250 DSN
ehlo MYDOMAIN
250-mail.MYDOMAIN.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH PLAIN DIGEST-MD5 LOGIN CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
closed
--------------------------------------------------------------

>Or if you've enabled master.cf port 465 TLS wrappermode (sometimes
>mistakenly referred to as SSL in mail client software):
># openssl s_client -connect example.com:465
>

I'm not using 465, so this doesn't seem to be it.
>If postfix checks out OK, the problem is with the Exchange
>configuration.
>
>Maybe Exchange needs to import the private root CA you used to
>generate your certificates? Maybe Exchange is trying to use
>wrappermode on a port configured for STARTTLS (or vice versa)?
>

I completely agree this is probably something specific to Exchange 2010, but I'm not even sure how I would figure this out from the Exchange side. Exchange doesn't exactly have a lot of "settings" like Postfix does. I can either turn TLS on or off, but there doesn't appear to be any other related configuration. What I've tried to find out in Exchange forums has been useless, unfortunately.

>If you need more help with postfix, show "postconf -n" output and
>relevant log entries.
>

Below is the output of postconf, and under that is a log level 7 TLS negotiation.

"postconf -n"
--------------------------------------------------------------
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
append_at_myorigin = no
broken_sasl_auth_clients = no
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
delay_warning_time = 48h
disable_vrfy_command = yes
html_directory = no
inet_interfaces = all
inet_protocols = all
local_recipient_maps =
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
masquerade_domains = ****** ****** ******
masquerade_exceptions = root
maximal_backoff_time = 8000s
maximal_queue_lifetime = 16d
minimal_backoff_time = 1000s
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = mail.**********.com
mynetworks_style = host
myorigin = *********.com
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relay_domains = proxy:mysql:$config_directory/mysql_relay_domains_maps.cf
relay_recipient_maps = proxy:mysql:$config_directory/mysql_relay_recipient_maps.cf
relayhost =
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_helo_timeout = 60s
smtp_tls_CAfile = /etc/postfix/certs/ca.crt
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_recipient_limit = 89
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
smtpd_soft_error_limit = 3
smtpd_tls_cert_file = /etc/postfix/certs/signed-cert.crt
smtpd_tls_key_file = /etc/postfix/certs/cert.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:$config_directory/mysql_transport_maps.cf
unknown_local_recipient_reject_code = 450
virtual_alias_maps = proxy:mysql:$config_directory/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/spool/mail/virtual
virtual_mailbox_domains = proxy:mysql:$config_directory/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:$config_directory/mysql_virtual_mailbox_maps.cf
virtual_uid_maps = static:5000
--------------------------------------------------------------

maillog with log level 7 (I just noticed the "QUIT" message below, but not sure how to interpret it)
--------------------------------------------------------------
Jan 9 20:12:18 ************ postfix/smtpd[11743]: initializing the server-side TLS engine
Jan 9 20:12:18 ************ postfix/smtpd[11743]: connect from **********[*******]
Jan 9 20:12:18 ************ postfix/smtpd[11743]: setting up TLS connection from **********[*******]
Jan 9 20:12:18 ************ postfix/smtpd[11743]: **********[*******]: TLS cipher list "ALL:+RC4:@STRENGTH"
Jan 9 20:12:18 ************ postfix/smtpd[11743]: SSL_accept:before/accept initialization
Jan 9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968 [016438C8] (11 bytes => -1 (0xFFFFFFFF))
Jan 9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968 [016438C8] (11 bytes => 11 (0xB))
Jan 9 20:12:18 ************ postfix/smtpd[11743]: 0000 16 03 01 00 7a 01 00 00|76 03 01 ....z... v..
Jan 9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968 [016438D6] (116 bytes => -1 (0xFFFFFFFF))
Jan 9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968 [016438D6] (116 bytes => 116 (0x74))
** snip **
Jan 9 20:12:18 ************ postfix/smtpd[11743]: SSL_accept:SSLv3 read client hello B
Jan 9 20:12:18 ************ postfix/smtpd[11743]: SSL_accept:SSLv3 write server hello A
Jan 9 20:12:18 ************ postfix/smtpd[11743]: SSL_accept:SSLv3 write certificate A
Jan 9 20:12:18 ************ postfix/smtpd[11743]: SSL_accept:SSLv3 write server done A
Jan 9 20:12:18 ************ postfix/smtpd[11743]: write to 01633968 [01651280] (934 bytes => 934 (0x3A6))
** snip **
...
Jan 9 20:12:18 ************ postfix/smtpd[11743]: 03a3 - <SPACES/NULLS>
Jan 9 20:12:18 ************ postfix/smtpd[11743]: SSL_accept:SSLv3 flush data
Jan 9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968 [016438CB] (5 bytes => -1 (0xFFFFFFFF))
Jan 9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968 [016438CB] (5 bytes => 5 (0x5))
Jan 9 20:12:18 ************ postfix/smtpd[11743]: 0000 16 03 01 01 06 .....
Jan 9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968 [016438D0] (262 bytes => -1 (0xFFFFFFFF))
Jan 9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968 [016438D0] (262 bytes => 262 (0x106))
** snip **
Jan 9 20:12:18 ************ postfix/smtpd[11743]: SSL_accept:SSLv3 read client key exchange A
Jan 9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968 [016438CB] (5 bytes => -1 (0xFFFFFFFF))
Jan 9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968 [016438CB] (5 bytes => 5 (0x5))
Jan 9 20:12:18 ************ postfix/smtpd[11743]: 0000 14 03 01 00 01 .....
Jan 9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968 [016438D0] (1 bytes => -1 (0xFFFFFFFF))
Jan 9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968 [016438D0] (1 bytes => 1 (0x1))
Jan 9 20:12:18 ************ postfix/smtpd[11743]: 0000 01 .
Jan 9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968 [016438CB] (5 bytes => -1 (0xFFFFFFFF))
Jan 9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968 [016438CB] (5 bytes => 5 (0x5))
Jan 9 20:12:18 ************ postfix/smtpd[11743]: 0000 16 03 01 00 30 ....0
Jan 9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968 [016438D0] (48 bytes => -1 (0xFFFFFFFF))
Jan 9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968 [016438D0] (48 bytes => 48 (0x30))
** snip **
Jan 9 20:12:18 ************ postfix/smtpd[11743]: SSL_accept:SSLv3 read finished A
Jan 9 20:12:18 ************ postfix/smtpd[11743]: SSL_accept:SSLv3 write change cipher spec A
Jan 9 20:12:18 ************ postfix/smtpd[11743]: SSL_accept:SSLv3 write finished A
Jan 9 20:12:18 ************ postfix/smtpd[11743]: write to 01633968 [01651280] (59 bytes => 59 (0x3B))
** snip **
Jan 9 20:12:18 ************ postfix/smtpd[11743]: SSL_accept:SSLv3 flush data
Jan 9 20:12:18 ************ postfix/smtpd[11743]: Anonymous TLS connection established from *************[******]: TLSv1 with cipher AES128-SHA (128/128 bits)
Jan 9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968 [016438CB] (5 bytes => -1 (0xFFFFFFFF))
Jan 9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968 [016438CB] (5 bytes => 5 (0x5))
** snip **
...
Jan 9 20:12:18 ************ postfix/smtpd[11743]: 0003 - <SPACES/NULLS>
Jan 9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968 [016438D0] (32 bytes => -1 (0xFFFFFFFF))
Jan 9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968 [016438D0] (32 bytes => 32 (0x20))
** snip **
Jan 9 20:12:18 ************ postfix/smtpd[11743]: Read 6 chars: QUIT??
Jan 9 20:12:18 ************ postfix/smtpd[11743]: Write 15 chars: 221 2.0.0 Bye??
Jan 9 20:12:18 ************ postfix/smtpd[11743]: write to 01633968 [0164BE1B] (53 bytes => 53 (0x35))
** snip **
..._.
Jan 9 20:12:18 ************ postfix/smtpd[11743]: write to 01633968 [0164BE1B] (37 bytes => 37 (0x25))
** snip **
Jan 9 20:12:18 ************ postfix/smtpd[11743]: read from 01633968 [016438CB] (5 bytes => -1 (0xFFFFFFFF))
Jan 9 20:12:18 ************ postfix/smtpd[11743]: disconnect from **********[*******]
--------------------------------------------------------------

Thanks,
Ben
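Added example for this thread (not code from the posts above or from Postfix): a small Python correlator that groups smtpd log entries by process id and flags the pattern visible in Ben's level-7 log, a TLS handshake that completes and is followed straight away by QUIT instead of the EHLO RFC 3207 expects, plus any legacy protocol or weak cipher negotiated. The sample log lines, hostnames and IPs are constructed to mirror the excerpt; the "Read N chars" lines only exist at the verbose log level Ben used.

```python
import re

# Constructed sample modelled on the loglevel-7 excerpt in this thread; hosts and IPs are placeholders.
SAMPLE_LOG = """\
Jan 9 20:12:18 mx postfix/smtpd[11743]: Anonymous TLS connection established from exch.example.test[198.51.100.7]: TLSv1 with cipher AES128-SHA (128/128 bits)
Jan 9 20:12:18 mx postfix/smtpd[11743]: Read 6 chars: QUIT??
Jan 9 20:13:02 mx postfix/smtpd[11790]: Trusted TLS connection established from relay.example.test[203.0.113.9]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 9 20:13:02 mx postfix/smtpd[11790]: Read 25 chars: EHLO relay.example.test??
Jan 9 20:13:02 mx postfix/smtpd[11790]: Read 28 chars: MAIL FROM:<a@example.test>??
Jan 9 20:13:03 mx postfix/smtpd[11790]: Read 6 chars: QUIT??
""".splitlines()

PID_RE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
TLS_RE = re.compile(r"^(\w+) TLS connection established from (\S+): (\S+) with cipher (\S+) \((\d+)/(\d+) bits\)")
CMD_RE = re.compile(r"^Read \d+ chars: ([A-Za-z]+)")  # loglevel-7 echo of a client command
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP")

def parse_sessions(lines):
    """Group smtpd lines by process id; keep the TLS line and the commands read after it."""
    sessions = {}
    for line in lines:
        m = PID_RE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        s = sessions.setdefault(pid, {"tls": None, "post_tls_cmds": []})
        t, c = TLS_RE.match(msg), CMD_RE.match(msg)
        if t:
            s["tls"] = {"trust": t.group(1), "peer": t.group(2), "proto": t.group(3), "cipher": t.group(4)}
        elif s["tls"] and c:
            s["post_tls_cmds"].append(c.group(1).upper())
    return sessions

def findings(session):
    """Defender-side observations for one session that reached TLS."""
    out, tls, cmds = [], session["tls"], session["post_tls_cmds"]
    # RFC 3207: the client should open with EHLO after a successful TLS negotiation.
    # A bare QUIT is the pattern the reply in this thread ties to client-side cert trust.
    if cmds and cmds[0] == "QUIT":
        out.append("client sent QUIT straight after the TLS handshake (no EHLO/MAIL)")
    if tls["proto"] in WEAK_PROTOCOLS:
        out.append("legacy protocol negotiated: " + tls["proto"])
    if any(mark in tls["cipher"] for mark in WEAK_CIPHER_MARKERS):
        out.append("weak cipher negotiated: " + tls["cipher"])
    return out

def report(lines):
    # Only sessions that reached TLS are reported; an empty list means nothing notable.
    return {pid: findings(s) for pid, s in parse_sessions(lines).items() if s["tls"]}
```

Running `report` over the constructed sample flags pid 11743 (QUIT right after the handshake, TLSv1) and leaves pid 11790 clean.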