On 1/9/2012 2:24 PM, Ben Curtis wrote:
> First off, thanks for the help everyone!
>
>> Test postfix TLS with openssl to make sure postfix is working correctly.
>>
>> For port 25 (or 587) with STARTTLS
>> # openssl s_client -connect example.com:25 -starttls smtp
>>
>
> I'm using 587, and this seemed to function just fine from a remote host:
>
> --------------------------------------------------------------
> [root@server ~]# openssl s_client -connect mail.MYDOMAIN.com:587 -starttls smtp
> CONNECTED(00000003)
...
> 250 DSN
> quit
> 221 2.0.0 Bye
> closed

OK, postfix TLS is working correctly.

> Below is the output of postconf, and under that is a log level 7 TLS
> negotiation.

tls log levels above 1 are generally useless unless you are an expert in openssl (which I'm not sufficiently). Likewise with verbose logging in postfix; the vast majority of postfix config problems can be debugged with normal logging.

>
> "postconf -n"
>

no glaring errors in postconf.

> --------------------------------------------------------------
>
>
> maillog with log level 7 (I just noticed the "QUIT" message below, but
> not sure how to interpret it)

everything reasonably normal up to here.

> Jan 9 20:12:18 ************ postfix/smtpd[11743]: Read 6 chars: QUIT??

Remote site (Exchange) didn't like something and issued QUIT. No reason for the QUIT is given nor expected in the postfix logs.

> Jan 9 20:12:18 ************ postfix/smtpd[11743]: disconnect from
> **********[*******]

remote site disconnected.

FWIW, it appears the TLS negotiation between postfix and exchange worked since Exchange was able to send the QUIT over the encrypted link, but Exchange didn't like something about the connection and so disconnected. Since Exchange logs the message about an untrusted certificate, there's no reason at this point to not believe that message is accurate.

Sorry, can't help any more. You might google around how to import a certificate in Exchange, or how to mark a particular client as trusted.

-- 
Noel Jones
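Added example, not part of the original message or of Postfix: a small triage script that finds the pattern diagnosed above (TLS handshake completes, then the client leaves without starting a mail transaction) using normal logging only. It assumes `smtpd_tls_loglevel = 1`, so the "TLS connection established" line is logged, and the per-session command counts that newer Postfix releases append to the disconnect line; the log lines, hostnames and addresses are constructed.

```python
import re
from collections import namedtuple

# Constructed sample maillog lines (not taken from the thread).
SAMPLE_LOG = """\
Jan  9 20:12:17 mx postfix/smtpd[11743]: connect from exch.example.net[192.0.2.10]
Jan  9 20:12:18 mx postfix/smtpd[11743]: Anonymous TLS connection established from exch.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan  9 20:12:18 mx postfix/smtpd[11743]: disconnect from exch.example.net[192.0.2.10] ehlo=1 starttls=1 quit=1 commands=3
Jan  9 20:15:02 mx postfix/smtpd[11790]: connect from relay.example.org[198.51.100.7]
Jan  9 20:15:03 mx postfix/smtpd[11790]: Anonymous TLS connection established from relay.example.org[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan  9 20:15:04 mx postfix/smtpd[11790]: disconnect from relay.example.org[198.51.100.7] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Jan  9 20:20:41 mx postfix/smtpd[11802]: connect from scan.example.com[203.0.113.5]
Jan  9 20:20:41 mx postfix/smtpd[11802]: disconnect from scan.example.com[203.0.113.5] ehlo=1 quit=1 commands=2
"""

LINE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)")
DISCONNECT = re.compile(r"disconnect from (?P<peer>\S+)(?P<counts>(?: \w+=[\d/]+)*)")
Abandoned = namedtuple("Abandoned", "pid peer counts")


def abandoned_tls_sessions(log_text):
    """Return sessions where TLS was negotiated but no MAIL command followed."""
    tls_pids, hits = set(), []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        # Matches the Anonymous/Trusted/Untrusted variants of the summary line.
        if "TLS connection established from" in msg:
            tls_pids.add(pid)
            continue
        d = DISCONNECT.match(msg)
        if d:
            counts = dict(kv.split("=") for kv in d["counts"].split())
            if pid in tls_pids and "mail" not in counts:
                hits.append(Abandoned(pid, d["peer"], counts))
            # smtpd processes are reused, so reset state at session end.
            tls_pids.discard(pid)
    return hits


if __name__ == "__main__":
    for hit in abandoned_tls_sessions(SAMPLE_LOG):
        print(f"smtpd[{hit.pid}] {hit.peer}: TLS ok, no MAIL ({hit.counts})")
```

A hit only says the peer gave up after the handshake; the reason, such as the untrusted-certificate message in this thread, is recorded on the remote side.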