Hi everyone,
I can connect to smtpd with SASL over TLS on port 25,
but port 587 only responds with CONNECTED, then hangs
for a while and quits without any certificate activity.
Is my submission section in master.cf incorrect?


[root@testy worker]# openssl s_client -starttls smtp -connect
testy.tissisat.co.uk:25
CONNECTED(00000003)
depth=1 C = UK, ST = UK, L = Nottingham, O = tissisat, OU = hq, CN =
tissisat CA, name = Tissisat, emailAddress = n...@tissisat.co.uk
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0
s:/C=UK/ST=UK/L=Nottingham/O=tissisat/OU=hq/CN=testy.tissisat.co.uk/name=Tissisat/emailAddress=n...@tissisat.co.uk
   i:/C=UK/ST=UK/L=Nottingham/O=tissisat/OU=hq/CN=tissisat
CA/name=Tissisat/emailAddress=n...@tissisat.co.uk
 1 s:/C=UK/ST=UK/L=Nottingham/O=tissisat/OU=hq/CN=tissisat
CA/name=Tissisat/emailAddress=n...@tissisat.co.uk
   i:/C=UK/ST=UK/L=Nottingham/O=tissisat/OU=hq/CN=tissisat
CA/name=Tissisat/emailAddress=n...@tissisat.co.uk
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/C=UK/ST=UK/L=Nottingham/O=tissisat/OU=hq/CN=testy.tissisat.co.uk/name=Tissisat/emailAddress=n...@tissisat.co.uk
issuer=/C=UK/ST=UK/L=Nottingham/O=tissisat/OU=hq/CN=tissisat
CA/name=Tissisat/emailAddress=n...@tissisat.co.uk
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3485 bytes and written 488 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
6E4020BD2EEC00C0B2BBE5949B4BCEF4CE85ED5DAAAB2090E070F1D81867C6BD
    Session-ID-ctx:
    Master-Key:
F9C12FC0E28408293436FBEC1407D6A629522C7E2ABFD094400AB44E62EAEC0BDE33A116811560F035FA8AE30E603821
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - d6 4f 5f 0d 92 62 6c 18-85 b7 11 50 1e 28 54 f8  
.O_..bl....P.(T.
    0010 - 1a 4f 50 a5 ce 72 65 fe-f7 51 4c f1 aa 6b bd 6a  
.OP..re..QL..k.j
    0020 - 90 73 50 bb 2d 88 7b 6e-a0 48 ec 01 7d 7d e9 20  
.sP.-.{n.H..}}.
    0030 - aa 29 d2 9b bc 86 a2 e3-e1 80 23 ac 52 0f 7f df  
.)........#.R...
    0040 - fe d9 d5 2c 52 dc 15 8b-2a 9f f8 a8 54 79 ba 25  
...,R...*...Ty.%
    0050 - 8e 15 a1 05 02 6f af 1b-d1 83 48 dd 01 11 25 ef  
.....o....H...%.
    0060 - ec 95 20 52 36 ed 82 ca-f9 28 5e 6b 15 1e 26 c4   ..
R6....(^k..&.
    0070 - b5 b4 ce 3a f5 43 8d 00-70 36 c9 33 e7 08 63 0b  
...:.C..p6.3..c.
    0080 - 1a d3 e2 51 95 11 cd 9d-e5 91 dc 06 27 20 4f dd  
...Q........' O.
    0090 - 9f 94 42 cf 19 46 24 6d-63 a6 52 9a c2 ae 0d 78  
..B..F$mc.R....x
    00a0 - 04 e1 a7 4b 54 29 f5 1b-b0 e7 48 f8 7e 1e 70 74  
...KT)....H.~.pt

    Compression: 1 (zlib compression)
    Start Time: 1444691377
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
250 SMTPUTF8
ehlo testy
250-testy.tissisat.co.uk
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
quit
221 2.0.0 Bye
closed

[root@testy worker]# openssl s_client -starttls smtp -connect
testy.tissisat.co.uk:587
CONNECTED(00000003)

(timeout period)


didn't found starttls in server response, try anyway...
write:errno=32
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 25 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
---
[root@testy worker]#

journalctl -f -u postfix -l

Oct 13 00:49:55 testy systemd[1]: Reloading Postfix Mail Transport Agent.
Oct 13 00:49:56 testy postfix/postfix-script[23465]: refreshing the
Postfix mail system
Oct 13 00:49:56 testy postfix/master[396]: reload -- version 3.0.2,
configuration /etc/postfix
Oct 13 00:49:56 testy systemd[1]: Reloaded Postfix Mail Transport Agent.

(port 25)

Oct 13 00:50:15 testy postfix/smtpd[23473]: connect from
testy.tissisat.co.uk[10.2.1.10]
Oct 13 00:50:15 testy postfix/smtpd[23473]: Anonymous TLS connection
established from testy.tissisat.co.uk[10.2.1.10]: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 13 00:50:42 testy postfix/smtpd[23473]: disconnect from
testy.tissisat.co.uk[10.2.1.10] ehlo=2 starttls=1 quit=1 unknown=0/1
commands=4/5

(port 587)

Oct 13 00:51:07 testy postfix/smtps/smtpd[23482]: connect from
testy.tissisat.co.uk[10.2.1.10]
Oct 13 00:51:24 testy postfix/smtps/smtpd[23482]: SSL_accept error from
testy.tissisat.co.uk[10.2.1.10]: lost connection
Oct 13 00:51:24 testy postfix/smtps/smtpd[23482]: lost connection after
CONNECT from testy.tissisat.co.uk[10.2.1.10]
Oct 13 00:51:24 testy postfix/smtps/smtpd[23482]: disconnect from
testy.tissisat.co.uk[10.2.1.10] commands=0/0


postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
proxy:pgsql:/etc/postfix/pgsql-aliases.cf
broken_sasl_auth_clients = yes
command_directory = /usr/bin
compatibility_level = 2
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix/bin
data_directory = /var/lib/postfix
debug_peer_level = 3
debug_peer_list = [smtp.googlemail.com]:587
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps = proxy:pgsql:/etc/postfix/pgsql-boxes.cf $alias_maps
mail_owner = postfix
mailbox_size_limit = 0
mailbox_transport = lmtp:unix:private/dovecot-lmtp
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
meta_directory = /etc/postfix
mydestination =
myhostname = testy.tissisat.co.uk
mynetworks = 10.2.1.0/24, 127.0.0.0/8
mynetworks_style = subnet
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases
qmqpd_authorized_clients = 10.2.1.0/24
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relayhost = [smtp.googlemail.com]:587
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
sendmail_path = /usr/bin/sendmail
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_header_checks = regexp:/etc/postfix/smtp_header_checks
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous noplaintext
smtp_sasl_tls_security_options = noanonymous
smtp_sender_dependent_authentication = yes
smtp_tls_CAfile = /etc/postfix/ca.crt
smtp_tls_cert_file = /etc/ssl/certs/postfix.crt
smtp_tls_key_file = /etc/ssl/private/postfix.key
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_recipient_restrictions =
permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/ca.crt
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/certs/postfix.crt
smtpd_tls_dh1024_param_file = /etc/ssl/dh2048.pem
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK,
aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_key_file = /etc/ssl/private/postfix.key
smtpd_tls_loglevel = 1
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:pgsql:/etc/postfix/pgsql-aliases.cf
virtual_gid_maps = static:500
virtual_mailbox_base = /home/mailboxes
virtual_mailbox_domains = proxy:pgsql:/etc/postfix/pgsql-vdomains.cf
virtual_mailbox_maps = proxy:pgsql:/etc/postfix/pgsql-boxes.cf
virtual_minimum_uid = 100
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:500


nano /etc/postfix/master.cf
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=testy.tissisat.co.uk
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_login_maps=proxy:pgsql:/etc/postfix/pgsql-boxes.cf
  -o
smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,permit_mynetwo$
  -o smtpd_sasl_tls_security_options=noanonymous
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o milter_macro_daemon_name=ORIGINATING
 
 
shadrock
