Hi everyone. I can connect to smtpd and authenticate with SASL over TLS on port 25, but port 587 only responds with CONNECTED, hangs for a while and then drops the connection with no certificate exchange at all. Note from the journal below that the port-587 connection is handled by a process logged as postfix/smtps/smtpd, which sits in SSL_accept until the client gives up ("lost connection after CONNECT"), while on the client side `openssl s_client -starttls smtp` times out waiting for the SMTP banner; port 25, by contrast, negotiates STARTTLS normally. Is my submission section in master.cf incorrect?
[root@testy worker]# openssl s_client -starttls smtp -connect testy.tissisat.co.uk:25 CONNECTED(00000003) depth=1 C = UK, ST = UK, L = Nottingham, O = tissisat, OU = hq, CN = tissisat CA, name = Tissisat, emailAddress = n...@tissisat.co.uk verify error:num=19:self signed certificate in certificate chain --- Certificate chain 0 s:/C=UK/ST=UK/L=Nottingham/O=tissisat/OU=hq/CN=testy.tissisat.co.uk/name=Tissisat/emailAddress=n...@tissisat.co.uk i:/C=UK/ST=UK/L=Nottingham/O=tissisat/OU=hq/CN=tissisat CA/name=Tissisat/emailAddress=n...@tissisat.co.uk 1 s:/C=UK/ST=UK/L=Nottingham/O=tissisat/OU=hq/CN=tissisat CA/name=Tissisat/emailAddress=n...@tissisat.co.uk i:/C=UK/ST=UK/L=Nottingham/O=tissisat/OU=hq/CN=tissisat CA/name=Tissisat/emailAddress=n...@tissisat.co.uk --- Server certificate -----BEGIN CERTIFICATE----- MIIFEzCCA/ugAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBnDELMAkGA1UEBhMCVUsx CzAJBgNVBAgTAlVLMRMwEQYDVQQHEwpOb3R0aW5naGFtMREwDwYDVQQKEwh0aXNz aXNhdDELMAkGA1UECxMCaHExFDASBgNVBAMTC3Rpc3Npc2F0IENBMREwDwYDVQQp EwhUaXNzaXNhdDEiMCAGCSqGSIb3DQEJARYTbml5YUB0aXNzaXNhdC5jby51azAe Fw0xNTEwMTIxMDExMzZaFw0yNTEwMDkxMDExMzZaMIGlMQswCQYDVQQGEwJVSzEL MAkGA1UECBMCVUsxEzARBgNVBAcTCk5vdHRpbmdoYW0xETAPBgNVBAoTCHRpc3Np c2F0MQswCQYDVQQLEwJocTEdMBsGA1UEAxMUdGVzdHkudGlzc2lzYXQuY28udWsx ETAPBgNVBCkTCFRpc3Npc2F0MSIwIAYJKoZIhvcNAQkBFhNuaXlhQHRpc3Npc2F0 LmNvLnVrMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArrO9EhaBlneb +Cw9+uHcjJLdDlULw0xABdA0kMczL0tYu9icnIgPKbHheHTOWJIzik4y6MIokJJT 0BXgZUyW9pyqe7Sh6xsD+hG04SW6rHQ/PgEaqPZymYFzFo7anbMCDVrTuGByaBbY bFlBKvjUigXOCDNl+YMRDyXF/Rl1RoHfxbxhtRF5uHQcsxa1yNBm9OImiQdTfPpy zqUD/9eBQloECetX8zYhHstZIUMrSXX3eNQH7zJdnia/DTyC1gxFTeD8uJCPy3XC taaoBCln5dn+DlmMa4KYH5V/IeQ0t2zpuQAS3nmGpObYs5k54x7YuTLZi2iyY7z/ 6KkksWigswIDAQABo4IBUzCCAU8wCQYDVR0TBAIwADAtBglghkgBhvhCAQ0EIBYe RWFzeS1SU0EgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBSZtwljwGpd LlPc9JF3C1iAc4TdFjCB0QYDVR0jBIHJMIHGgBR7WJOIihMY+aI70RnunW4V8pJq KaGBoqSBnzCBnDELMAkGA1UEBhMCVUsxCzAJBgNVBAgTAlVLMRMwEQYDVQQHEwpO 
b3R0aW5naGFtMREwDwYDVQQKEwh0aXNzaXNhdDELMAkGA1UECxMCaHExFDASBgNV BAMTC3Rpc3Npc2F0IENBMREwDwYDVQQpEwhUaXNzaXNhdDEiMCAGCSqGSIb3DQEJ ARYTbml5YUB0aXNzaXNhdC5jby51a4IJAOYX/JigH7gdMBMGA1UdJQQMMAoGCCsG AQUFBwMCMAsGA1UdDwQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAQEAWDJ4/FAFY6+n DgMkTfM/vrjyhrgOm4vWCS7HePeZPzPXqGK1HZ5ZcZL5w2SHgrN9r03Ai9mIJtP2 vjjpMBAMdeG/ePJOR3K+o0s6efJBgcCO4XwG8g9lYLbcfClmP5zvGC6nic3HbSIB feV5QrErDe2zUKK33U1ErLRC9Jjr3q6oinbzgYFu2tDuC9/mIcnQ1oa8Hyi3UfX7 qEsBuBVzhog2wU3zkhZyi+IKHAUILEj1zDQBhaeZBr8NGbiJbbgIkO3p7OOvy6Sv EwnmVw0yH5+5n1IeaxFTrZBSiJTKrnEu7lhSXeMrPDBHIEcfVmt82lYiyoAyp+1R gVGqnrMleg== -----END CERTIFICATE----- subject=/C=UK/ST=UK/L=Nottingham/O=tissisat/OU=hq/CN=testy.tissisat.co.uk/name=Tissisat/emailAddress=n...@tissisat.co.uk issuer=/C=UK/ST=UK/L=Nottingham/O=tissisat/OU=hq/CN=tissisat CA/name=Tissisat/emailAddress=n...@tissisat.co.uk --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 3485 bytes and written 488 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: zlib compression Expansion: zlib compression No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 6E4020BD2EEC00C0B2BBE5949B4BCEF4CE85ED5DAAAB2090E070F1D81867C6BD Session-ID-ctx: Master-Key: F9C12FC0E28408293436FBEC1407D6A629522C7E2ABFD094400AB44E62EAEC0BDE33A116811560F035FA8AE30E603821 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 7200 (seconds) TLS session ticket: 0000 - d6 4f 5f 0d 92 62 6c 18-85 b7 11 50 1e 28 54 f8 .O_..bl....P.(T. 0010 - 1a 4f 50 a5 ce 72 65 fe-f7 51 4c f1 aa 6b bd 6a .OP..re..QL..k.j 0020 - 90 73 50 bb 2d 88 7b 6e-a0 48 ec 01 7d 7d e9 20 .sP.-.{n.H..}}. 0030 - aa 29 d2 9b bc 86 a2 e3-e1 80 23 ac 52 0f 7f df .)........#.R... 
0040 - fe d9 d5 2c 52 dc 15 8b-2a 9f f8 a8 54 79 ba 25 ...,R...*...Ty.% 0050 - 8e 15 a1 05 02 6f af 1b-d1 83 48 dd 01 11 25 ef .....o....H...%. 0060 - ec 95 20 52 36 ed 82 ca-f9 28 5e 6b 15 1e 26 c4 .. R6....(^k..&. 0070 - b5 b4 ce 3a f5 43 8d 00-70 36 c9 33 e7 08 63 0b ...:.C..p6.3..c. 0080 - 1a d3 e2 51 95 11 cd 9d-e5 91 dc 06 27 20 4f dd ...Q........' O. 0090 - 9f 94 42 cf 19 46 24 6d-63 a6 52 9a c2 ae 0d 78 ..B..F$mc.R....x 00a0 - 04 e1 a7 4b 54 29 f5 1b-b0 e7 48 f8 7e 1e 70 74 ...KT)....H.~.pt Compression: 1 (zlib compression) Start Time: 1444691377 Timeout : 300 (sec) Verify return code: 19 (self signed certificate in certificate chain) --- 250 SMTPUTF8 ehlo testy 250-testy.tissisat.co.uk 250-PIPELINING 250-SIZE 10240000 250-VRFY 250-ETRN 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 SMTPUTF8 quit 221 2.0.0 Bye closed [root@testy worker]# openssl s_client -starttls smtp -connect testy.tissisat.co.uk:587 CONNECTED(00000003) (timeout period) didn't found starttls in server response, try anyway... write:errno=32 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 25 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated --- [root@testy worker]# journalctl -f -u postfix -l Oct 13 00:49:55 testy systemd[1]: Reloading Postfix Mail Transport Agent. Oct 13 00:49:56 testy postfix/postfix-script[23465]: refreshing the Postfix mail system Oct 13 00:49:56 testy postfix/master[396]: reload -- version 3.0.2, configuration /etc/postfix Oct 13 00:49:56 testy systemd[1]: Reloaded Postfix Mail Transport Agent. 
(port 25) Oct 13 00:50:15 testy postfix/smtpd[23473]: connect from testy.tissisat.co.uk[10.2.1.10] Oct 13 00:50:15 testy postfix/smtpd[23473]: Anonymous TLS connection established from testy.tissisat.co.uk[10.2.1.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) Oct 13 00:50:42 testy postfix/smtpd[23473]: disconnect from testy.tissisat.co.uk[10.2.1.10] ehlo=2 starttls=1 quit=1 unknown=0/1 commands=4/5 (port 587) Oct 13 00:51:07 testy postfix/smtps/smtpd[23482]: connect from testy.tissisat.co.uk[10.2.1.10] Oct 13 00:51:24 testy postfix/smtps/smtpd[23482]: SSL_accept error from testy.tissisat.co.uk[10.2.1.10]: lost connection Oct 13 00:51:24 testy postfix/smtps/smtpd[23482]: lost connection after CONNECT from testy.tissisat.co.uk[10.2.1.10] Oct 13 00:51:24 testy postfix/smtps/smtpd[23482]: disconnect from testy.tissisat.co.uk[10.2.1.10] commands=0/0 postconf -n alias_database = hash:/etc/postfix/aliases alias_maps = hash:/etc/postfix/aliases proxy:pgsql:/etc/postfix/pgsql-aliases.cf broken_sasl_auth_clients = yes command_directory = /usr/bin compatibility_level = 2 config_directory = /etc/postfix daemon_directory = /usr/lib/postfix/bin data_directory = /var/lib/postfix debug_peer_level = 3 debug_peer_list = [smtp.googlemail.com]:587 debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5 html_directory = no inet_interfaces = all inet_protocols = ipv4 local_recipient_maps = proxy:pgsql:/etc/postfix/pgsql-boxes.cf $alias_maps mail_owner = postfix mailbox_size_limit = 0 mailbox_transport = lmtp:unix:private/dovecot-lmtp mailq_path = /usr/bin/mailq manpage_directory = /usr/share/man meta_directory = /etc/postfix mydestination = myhostname = testy.tissisat.co.uk mynetworks = 10.2.1.0/24, 127.0.0.0/8 mynetworks_style = subnet myorigin = $myhostname newaliases_path = /usr/bin/newaliases qmqpd_authorized_clients = 10.2.1.0/24 queue_directory = /var/spool/postfix readme_directory = 
/usr/share/doc/postfix recipient_delimiter = + relayhost = [smtp.googlemail.com]:587 sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay sendmail_path = /usr/bin/sendmail setgid_group = postdrop shlib_directory = /usr/lib/postfix smtp_header_checks = regexp:/etc/postfix/smtp_header_checks smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtp_sasl_security_options = noanonymous noplaintext smtp_sasl_tls_security_options = noanonymous smtp_sender_dependent_authentication = yes smtp_tls_CAfile = /etc/postfix/ca.crt smtp_tls_cert_file = /etc/ssl/certs/postfix.crt smtp_tls_key_file = /etc/ssl/private/postfix.key smtp_tls_note_starttls_offer = yes smtp_tls_security_level = may smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtpd_data_restrictions = reject_unauth_pipelining smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = yes smtpd_sasl_local_domain = $myhostname smtpd_sasl_path = private/auth smtpd_sasl_security_options = noanonymous smtpd_sasl_tls_security_options = noanonymous smtpd_sasl_type = dovecot smtpd_tls_CAfile = /etc/postfix/ca.crt smtpd_tls_auth_only = no smtpd_tls_cert_file = /etc/ssl/certs/postfix.crt smtpd_tls_dh1024_param_file = /etc/ssl/dh2048.pem smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA smtpd_tls_key_file = /etc/ssl/private/postfix.key smtpd_tls_loglevel = 1 smtpd_tls_protocols = !SSLv2, !SSLv3 smtpd_tls_received_header = yes smtpd_tls_security_level = may smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_tls_session_cache_timeout = 3600s tls_random_source = dev:/dev/urandom unknown_local_recipient_reject_code = 550 virtual_alias_maps = 
proxy:pgsql:/etc/postfix/pgsql-aliases.cf virtual_gid_maps = static:500 virtual_mailbox_base = /home/mailboxes virtual_mailbox_domains = proxy:pgsql:/etc/postfix/pgsql-vdomains.cf virtual_mailbox_maps = proxy:pgsql:/etc/postfix/pgsql-boxes.cf virtual_minimum_uid = 100 virtual_transport = lmtp:unix:private/dovecot-lmtp virtual_uid_maps = static:500 nano /etc/postfix/master.cf # # Postfix master process configuration file. For details on the format # of the file, see the master(5) manual page (command: "man 5 master"). # # Do not forget to execute "postfix reload" after editing this file. # # ========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # ========================================================================== smtp inet n - n - - smtpd #smtp inet n - - - 1 postscreen #smtpd pass - - - - - smtpd #dnsblog unix - - - - 0 dnsblog #tlsproxy unix - - - - 0 tlsproxy # # Postfix master process configuration file. For details on the format # of the file, see the master(5) manual page (command: "man 5 master"). # # Do not forget to execute "postfix reload" after editing this file. 
# # ========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # ========================================================================== smtp inet n - n - - smtpd submission inet n - n - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_reject_unlisted_recipient=no -o smtpd_sasl_security_options=noanonymous -o smtpd_sasl_local_domain=testy.tissisat.co.uk -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_login_maps=proxy:pgsql:/etc/postfix/pgsql-boxes.cf -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,permit_mynetwo$ -o smtpd_sasl_tls_security_options=noanonymous -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth -o milter_macro_daemon_name=ORIGINATING shadrock