In the process of converting from courier to postfix.  Test configuration
receives email fine except from google (gmail), which drops us without really
complaining:

Nov 12 20:00:41 mail0 postfix/smtpd[24249]: initializing the server-side TLS
engine
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: connect from
mail-yk0-f172.google.com[209.85.160.172]
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: smtp_stream_setup: maxtime=300
enable_deadline=0
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: match_hostname:
mail-yk0-f172.google.com ~? 10.1.0.0/16
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: match_hostaddr: 209.85.160.172 ~?
10.1.0.0/16
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: match_hostname:
mail-yk0-f172.google.com ~? 71.39.104.224/29
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: match_hostaddr: 209.85.160.172 ~?
71.39.104.224/29
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: match_list_match:
mail-yk0-f172.google.com: no match
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: match_list_match: 209.85.160.172:
no match
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: auto_clnt_open: connected to
private/anvil
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: event_enable_read: fd 18
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: send attr request = connect
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: send attr ident =
submission:209.85.160.172
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: vstream_fflush_some: fd 18 flush
49
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: vstream_buf_get_ready: fd 18 got
25
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: private/anvil: wanted attribute:
status
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: input attribute name: status
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: input attribute value: 0
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: private/anvil: wanted attribute:
count
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: input attribute name: count
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: input attribute value: 1
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: private/anvil: wanted attribute:
rate
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: input attribute name: rate
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: input attribute value: 1
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: private/anvil: wanted attribute:
(list terminator)
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: input attribute name: (end)
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: >
mail-yk0-f172.google.com[209.85.160.172]: 220 mail0.actualsoftware.com ESMTP
Postfix
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: watchdog_pat: 0xb791b330
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: vstream_fflush_some: fd 17 flush
44
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: vstream_buf_get_ready: fd 17 got
31
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: <
mail-yk0-f172.google.com[209.85.160.172]: EHLO mail-yk0-f172.google.com
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: match_list_match:
mail-yk0-f172.google.com: no match
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: match_list_match: 209.85.160.172:
no match
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: >
mail-yk0-f172.google.com[209.85.160.172]: 250-mail0.actualsoftware.com
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: >
mail-yk0-f172.google.com[209.85.160.172]: 250-PIPELINING
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: >
mail-yk0-f172.google.com[209.85.160.172]: 250-SIZE 10240000
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: >
mail-yk0-f172.google.com[209.85.160.172]: 250-VRFY
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: >
mail-yk0-f172.google.com[209.85.160.172]: 250-ETRN
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: >
mail-yk0-f172.google.com[209.85.160.172]: 250-STARTTLS
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: >
mail-yk0-f172.google.com[209.85.160.172]: 250-ENHANCEDSTATUSCODES
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: >
mail-yk0-f172.google.com[209.85.160.172]: 250-8BITMIME
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: >
mail-yk0-f172.google.com[209.85.160.172]: 250 DSN
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: watchdog_pat: 0xb791b330
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: vstream_fflush_some: fd 17 flush
147
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: vstream_buf_get_ready: fd 17 got
10
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: <
mail-yk0-f172.google.com[209.85.160.172]: STARTTLS
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: >
mail-yk0-f172.google.com[209.85.160.172]: 220 2.0.0 Ready to start TLS
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: vstream_fflush_some: fd 17 flush
30
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: setting up TLS connection from
mail-yk0-f172.google.com[209.85.160.172]
Nov 12 20:00:41 mail0 postfix/smtpd[24249]:
mail-yk0-f172.google.com[209.85.160.172]: TLS cipher list
"aNULL:-aNULL:ALL:+RC4:@STRENGTH:!EXPORT"
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: event_request_timer: reset
0xb7715930 0xb782c6c0 5
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: send attr request = seed
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: send attr size = 32
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: vstream_fflush_some: fd 12 flush
22
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: vstream_buf_get_ready: fd 12 got
60
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: private/tlsmgr: wanted attribute:
status
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: input attribute name: status
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: input attribute value: 0
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: private/tlsmgr: wanted attribute:
seed
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: input attribute name: seed
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: input attribute value:
1Gsq7CFaM7issNDcol8pl5o5a7s82W+ifBo9xXt4WOU=
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: private/tlsmgr: wanted attribute:
(list terminator)
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: input attribute name: (end)
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: SSL_accept:before/accept
initialization
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: SSL_accept:SSLv3 read client hello
A
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: SSL_accept:SSLv3 write server
hello A
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: SSL_accept:SSLv3 write certificate
A
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: SSL_accept:SSLv3 write key
exchange A
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: SSL_accept:SSLv3 write server done
A
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: SSL_accept:SSLv3 flush data
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: SSL_accept:SSLv3 read client key
exchange A
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: SSL_accept:SSLv3 read finished A
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: SSL_accept:SSLv3 write change
cipher spec A
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: SSL_accept:SSLv3 write finished A
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: SSL_accept:SSLv3 flush data
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: Anonymous TLS connection
established from mail-yk0-f172.google.com[209.85.160.172]: TLSv1.2 with cipher
ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: watchdog_pat: 0xb791b330
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: vstream_buf_get_ready: fd 17 got
31
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: <
mail-yk0-f172.google.com[209.85.160.172]: EHLO mail-yk0-f172.google.com
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: match_list_match:
mail-yk0-f172.google.com: no match
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: match_list_match: 209.85.160.172:
no match
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: >
mail-yk0-f172.google.com[209.85.160.172]: 250-mail0.actualsoftware.com
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: >
mail-yk0-f172.google.com[209.85.160.172]: 250-PIPELINING
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: >
mail-yk0-f172.google.com[209.85.160.172]: 250-SIZE 10240000
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: >
mail-yk0-f172.google.com[209.85.160.172]: 250-VRFY
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: >
mail-yk0-f172.google.com[209.85.160.172]: 250-ETRN
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: >
mail-yk0-f172.google.com[209.85.160.172]: 250-ENHANCEDSTATUSCODES
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: >
mail-yk0-f172.google.com[209.85.160.172]: 250-8BITMIME
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: >
mail-yk0-f172.google.com[209.85.160.172]: 250 DSN
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: watchdog_pat: 0xb791b330
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: vstream_fflush_some: fd 17 flush
133
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: smtp_get: EOF
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: match_hostname:
mail-yk0-f172.google.com ~? 10.1.0.0/16
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: match_hostaddr: 209.85.160.172 ~?
10.1.0.0/16
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: match_hostname:
mail-yk0-f172.google.com ~? 71.39.104.224/29
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: match_hostaddr: 209.85.160.172 ~?
71.39.104.224/29
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: match_list_match:
mail-yk0-f172.google.com: no match
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: match_list_match: 209.85.160.172:
no match
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: send attr request = disconnect
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: send attr ident =
submission:209.85.160.172
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: vstream_fflush_some: fd 18 flush
52
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: vstream_buf_get_ready: fd 18 got
10
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: private/anvil: wanted attribute:
status
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: input attribute name: status
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: input attribute value: 0
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: private/anvil: wanted attribute:
(list terminator)
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: input attribute name: (end)
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: lost connection after EHLO from
mail-yk0-f172.google.com[209.85.160.172]
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: disconnect from
mail-yk0-f172.google.com[209.85.160.172]



I remember we had some issues with gmail when we installed courier that I
thought were related to ssl, but comparing the results of
openssl s_client -connect localhost:25 -starttls smtp >& courier
vs.
openssl s_client -connect localhost:25 -starttls smtp >& postfix

seems "the same":

[root@mail0 ssl]# diff courier postfix 
0a1,2
> depth=3 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2
Certification Authority
> verify return:1
15c17,19
<    i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies,
Inc./CN=Starfield Root Certificate Authority - G2
---
>    i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification
Authority
>  3 s:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification
Authority
>    i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification
Authority
53c57
< Server Temp Key: DH, 768 bits
---
> Server Temp Key: ECDH, prime256v1, 256 bits
55c59
< SSL handshake has read 4647 bytes and written 442 bytes
---
> SSL handshake has read 5638 bytes and written 410 bytes
57c61
< New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
64,65c68,69
<     Cipher    : DHE-RSA-AES256-GCM-SHA384
<     Session-ID:
9BD5BADD20D42D512283E6BE012F11A39752CF991CAA3CAF3D99DA699DEA7644
---
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>     Session-ID:
06A946739F1649A5842968C36852EF2EDF5AF6BE3AC14A028C2297C95718EB1F
67c71
<     Master-Key:
156B8364A8419BBE70D703242BC7C7C65A2A4875A34B2944189249E020860945D495316DDBFA55
9AC9B44BB4F9B69889
---
>     Master-Key:
1B6BFE6A103DA38A07219F86B5B0F7F22F13A8ADAEB19DF41B1204ADC685BB71084B094FA09D30
401D767436B96EFD4D
72,85c76
<     TLS session ticket lifetime hint: 7200 (seconds)
<     TLS session ticket:
<     0000 - 99 1e 06 70 f3 b7 25 ac-7f a3 1e 08 fb 9a f0 d4
...p..%.........
<     0010 - 7e 96 fa 6d 39 86 a3 92-ba 3a 53 88 58 ca 9d c6
~..m9....:S.X...
<     0020 - 06 05 77 07 00 ae db c8-b5 b0 32 dd cb 84 0e 7d
..w.......2....}
<     0030 - 01 3e 15 93 6d 87 41 e9-5e 65 59 65 3b 64 38 1a
.>..m.A.^eYe;d8.
<     0040 - 5b e9 c1 4a a3 7a 58 13-80 08 2f 06 5e a1 18 bc
[..J.zX.../.^...
<     0050 - 63 ca 40 c8 bb 72 33 16-e0 75 4e b9 b7 f5 3a 3f
c...@..r3..un...:?
<     0060 - 34 a7 5d 1f 4d ff 76 ef-56 56 d8 d8 94 3a 21 54
4.].M.v.VV...:!T
<     0070 - 60 ac 12 a2 c0 3f 96 19-6d 05 4c 67 6e 86 75 0b
`....?..m.Lgn.u.
<     0080 - 98 11 c3 22 5a a3 68 f8-71 92 86 81 0e f0 2d b8
..."Z.h.q.....-.
<     0090 - 46 38 c8 e2 20 db f4 6e-25 f8 fc 55 fc 67 5c 73   F8..
..n%..U.g\s
< 
<     Start Time: 1447379044
---
>     Start Time: 1447379073
[root@mail0 ssl]




Here's the output for postfix:



depth=3 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2
Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies,
Inc.", CN = Starfield Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies,
Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure
Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.actualsoftware.com
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.actualsoftware.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies,
Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure
Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies,
Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure
Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield
Root Certificate Authority - G2
 2 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield
Root Certificate Authority - G2
   i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification
Authority
 3 s:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification
Authority
   i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification
Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
.
.
.
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=*.actualsoftware.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies,
Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure
Certificate Authority - G2
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 5638 bytes and written 410 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
06A946739F1649A5842968C36852EF2EDF5AF6BE3AC14A028C2297C95718EB1F
    Session-ID-ctx: 
    Master-Key:
1B6BFE6A103DA38A07219F86B5B0F7F22F13A8ADAEB19DF41B1204ADC685BB71084B094FA09D30
401D767436B96EFD4D
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1447379073
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 DSN
DONE

Interesting bits from main.cf:

smtpd_tls_exclude_ciphers = EXPORT
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_dnsbl_sites = zem.spamhaus.org*2 bl.spamcop.net*1
b.barracudacentral.org*1
#
smtpd_tls_loglevel=2
smtpd_tls_CAfile=/etc/ssl/certs/ca-bundle.crt
smtp_tls_CAfile=/etc/ssl/certs/ca-bundle.crt
smtpd_tls_cert_file=/etc/postfix/ssl/actualsoftware.pem
smtpd_tls_key_file=/etc/postfix/ssl/actualsoftware.key
smtpd_tls_security_level=may
debug_peer_level=4
debug_peer_list=google.com

This seems like a fairly common deployment issue but I haven't found a
solution and I admit to being an SSL noob.


Thanks in advance.
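As an added example (not from the original post and not Postfix's own code), here is a small Python script that reconstructs SMTP sessions from postfix/smtpd log lines in the format quoted above and picks out the pattern in question: TLS negotiated, then the connection lost before any MAIL command. The sample log is constructed from the quoted lines (the syslog-wrapped lines joined back together) plus one unrelated session for contrast; the session-record layout and the `dropped_after_tls` rule are my own choices, not anything the post or Postfix defines.

```python
import re

# Constructed sample log, modelled on the postfix/smtpd debug lines quoted in the
# post (wrapped lines joined) plus one unrelated session. Not the poster's real log.
SAMPLE_LOG = """\
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: connect from mail-yk0-f172.google.com[209.85.160.172]
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: < mail-yk0-f172.google.com[209.85.160.172]: EHLO mail-yk0-f172.google.com
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: < mail-yk0-f172.google.com[209.85.160.172]: STARTTLS
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: Anonymous TLS connection established from mail-yk0-f172.google.com[209.85.160.172]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: < mail-yk0-f172.google.com[209.85.160.172]: EHLO mail-yk0-f172.google.com
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: smtp_get: EOF
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: lost connection after EHLO from mail-yk0-f172.google.com[209.85.160.172]
Nov 12 20:00:41 mail0 postfix/smtpd[24249]: disconnect from mail-yk0-f172.google.com[209.85.160.172]
Nov 12 20:01:03 mail0 postfix/smtpd[24250]: connect from example-relay.test[192.0.2.10]
Nov 12 20:01:03 mail0 postfix/smtpd[24250]: < example-relay.test[192.0.2.10]: EHLO example-relay.test
Nov 12 20:01:03 mail0 postfix/smtpd[24250]: < example-relay.test[192.0.2.10]: MAIL FROM:<a@example.test>
Nov 12 20:01:04 mail0 postfix/smtpd[24250]: < example-relay.test[192.0.2.10]: QUIT
Nov 12 20:01:04 mail0 postfix/smtpd[24250]: disconnect from example-relay.test[192.0.2.10]
"""

# One smtpd process handles one session at a time, so the pid identifies the session
# between its "connect from" and "disconnect from" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"^connect from (?P<peer>\S+\[[^\]]*\])$")
RECV_RE = re.compile(r"^< \S+: (?P<cmd>\S+)")          # "< peer: COMMAND ..." = received
TLS_RE = re.compile(
    r"^(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"from \S+: (?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)
LOST_RE = re.compile(r"^lost connection after (?P<after>\S+) from")
DISCONNECT_RE = re.compile(r"^disconnect from")


def parse_sessions(log_text):
    """Rebuild one record per SMTP session from smtpd log lines, keyed by smtpd pid."""
    sessions = []
    open_by_pid = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an smtpd line (other daemons, syslog noise)
        pid, msg = m.group("pid"), m.group("msg")
        c = CONNECT_RE.match(msg)
        if c:
            s = {"pid": pid, "peer": c.group("peer"), "started": m.group("ts"),
                 "commands": [], "tls": None, "lost_after": None, "ended": None}
            sessions.append(s)
            open_by_pid[pid] = s
            continue
        s = open_by_pid.get(pid)
        if s is None:
            continue  # belongs to a session whose connect line is not in this excerpt
        r = RECV_RE.match(msg)
        if r:
            s["commands"].append(r.group("cmd").upper())
            continue
        t = TLS_RE.match(msg)
        if t:
            s["tls"] = {"trust": t.group("trust"), "protocol": t.group("proto"),
                        "cipher": t.group("cipher"), "bits": int(t.group("bits"))}
            continue
        lost = LOST_RE.match(msg)
        if lost:
            s["lost_after"] = lost.group("after")
            continue
        if DISCONNECT_RE.match(msg):
            s["ended"] = m.group("ts")
            del open_by_pid[pid]
    return sessions


def dropped_after_tls(sessions):
    """Sessions that negotiated TLS and were then lost before any MAIL command:
    the pattern in the post, where the peer hangs up right after the post-STARTTLS EHLO."""
    return [s for s in sessions
            if s["tls"] and s["lost_after"] and "MAIL" not in s["commands"]]


if __name__ == "__main__":
    for s in dropped_after_tls(parse_sessions(SAMPLE_LOG)):
        print(f'{s["peer"]}: {s["tls"]["protocol"]} {s["tls"]["cipher"]} '
              f'then lost after {s["lost_after"]} (commands: {" ".join(s["commands"])})')
```

Feeding it the real mail log (`parse_sessions(open("/var/log/maillog").read())`) shows at a glance whether only one sender hangs up after the TLS handshake or whether every STARTTLS peer does, which separates a sender-specific policy from a local TLS problem before any cipher or certificate setting is touched.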

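Also as an added example, not part of the post: a summarizer for `openssl s_client -starttls smtp` output that pulls out the fields the `diff` above turned up (ephemeral key, cipher, protocol, verify return code) and compares two captures, so the courier/postfix comparison can be repeated without eyeballing session IDs and ticket dumps. The two inputs are constructed excerpts following that output format, reduced to the lines the check needs; the `weak_temp_key` threshold of 2048 bits for finite-field DH is my own assumption, not something the post states.

```python
import re

# Constructed excerpts in the format `openssl s_client -starttls smtp` prints,
# modelled on the courier/postfix diff in the post; not the poster's real captures.
COURIER_OUT = """\
CONNECTED(00000003)
---
Server Temp Key: DH, 768 bits
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
"""
POSTFIX_OUT = """\
CONNECTED(00000003)
---
Server Temp Key: ECDH, prime256v1, 256 bits
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
"""

# The fields worth comparing between two deployments; session IDs, master keys
# and ticket dumps differ on every connection and only add noise to a diff.
FIELD_RES = {
    "temp_key": re.compile(r"^Server Temp Key: (.+)$", re.M),
    "protocol": re.compile(r"^\s+Protocol\s*: (\S+)", re.M),
    "cipher": re.compile(r"^\s+Cipher\s*: (\S+)", re.M),
    "verify": re.compile(r"^\s+Verify return code: (\d+)", re.M),
}


def weak_temp_key(temp_key):
    """True if the ephemeral key is finite-field DH below 2048 bits.
    The 2048-bit floor is an assumption made for this check."""
    if not temp_key:
        return False
    m = re.match(r"DH, (\d+) bits", temp_key)
    return bool(m) and int(m.group(1)) < 2048


def summarize(output):
    """Reduce one s_client capture to the handful of fields that matter."""
    summary = {}
    for name, rx in FIELD_RES.items():
        m = rx.search(output)
        summary[name] = m.group(1) if m else None
    summary["weak_kex"] = weak_temp_key(summary["temp_key"])
    return summary


def compare(a, b):
    """Fields whose values differ between two summaries, as {field: (a, b)}."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


if __name__ == "__main__":
    courier, postfix = summarize(COURIER_OUT), summarize(POSTFIX_OUT)
    for field, (old, new) in compare(courier, postfix).items():
        print(f"{field}: courier={old!r} postfix={new!r}")
```

Against real captures this is `compare(summarize(open("courier").read()), summarize(open("postfix").read()))`. Of the differences the poster's diff shows, the one worth noting in its own right is the courier side's 768-bit DH temp key, which the check flags as weak; the postfix side's ECDH on prime256v1 is the stronger choice, and both captures end with verify return code 0, so the chain itself validates on both.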
