Re: TLS support for Postfix server on port TCP/25

2017-03-13 Thread Jeronimo L. Cabral
Dear Viktor, I set up the certificate repository for mailx and everything
works OK:

$ mailx -v -r "f...@mycompany.com" -s "TLS test" -S smtp="172.16.1.1:587" -S
smtp-use-starttls -S ssl-verify=ignore -S nss-config-dir=/etc/pki/nssdb/
anyu...@gmail.com

Really I appreciate the important help from this mailing list, mainly yours.

Thousands of thanks, and now it's time to make a document!!!

Regards,

J.

On Mon, Mar 13, 2017 at 11:58 PM, Jeronimo L. Cabral <jelocab...@gmail.com>
wrote:

> Ahh OK, and now when I try to send a message with mailx, in the mail.log
> from Postfix I have this:
>
> Mar 13 23:52:03 RELAY1 postfix/submission/smtpd[4570]: connect from
> unknown[10.1.1.1]
> Mar 13 23:52:03 RELAY1 postfix/submission/smtpd[4570]: match_hostaddr:
> 10.1.1.1 ~? 127.0.0.0/8
> Mar 13 23:52:03 RELAY1 postfix/submission/smtpd[4570]: match_hostaddr:
> 10.1.1.1 ~? 10.0.0.0/8
> Mar 13 23:52:03 RELAY1 postfix/submission/smtpd[4570]: >
> unknown[10.1.1.1]: 220 relay.mycompany.com ESMTP Postfix (Debian/GNU)
> Mar 13 23:52:03 RELAY1 postfix/submission/smtpd[4570]: <
> unknown[10.1.1.1]: EHLO CLIENT01
> Mar 13 23:52:03 RELAY1 postfix/submission/smtpd[4570]: match_list_match:
> 10.1.1.1: no match
> Mar 13 23:52:03 RELAY1 postfix/submission/smtpd[4570]: >
> unknown[10.1.1.1]: 250-relay.mycompany.com
> Mar 13 23:52:03 RELAY1 postfix/submission/smtpd[4570]: >
> unknown[10.1.1.1]: 250-PIPELINING
> Mar 13 23:52:03 RELAY1 postfix/submission/smtpd[4570]: >
> unknown[10.1.1.1]: 250-SIZE 1524
> Mar 13 23:52:03 RELAY1 postfix/submission/smtpd[4570]: >
> unknown[10.1.1.1]: 250-ETRN
> Mar 13 23:52:03 RELAY1 postfix/submission/smtpd[4570]: >
> unknown[10.1.1.1]: 250-STARTTLS
> Mar 13 23:52:03 RELAY1 postfix/submission/smtpd[4570]: >
> unknown[10.1.1.1]: 250-ENHANCEDSTATUSCODES
> Mar 13 23:52:03 RELAY1 postfix/submission/smtpd[4570]: >
> unknown[10.1.1.1]: 250-8BITMIME
> Mar 13 23:52:03 RELAY1 postfix/submission/smtpd[4570]: >
> unknown[10.1.1.1]: 250 DSN
> Mar 13 23:52:03 RELAY1 postfix/submission/smtpd[4570]: <
> unknown[10.1.1.1]: STARTTLS
> Mar 13 23:52:03 RELAY1 postfix/submission/smtpd[4570]: >
> unknown[10.1.1.1]: 220 2.0.0 Ready to start TLS
> Mar 13 23:52:04 RELAY1 postfix/submission/smtpd[4570]: SSL_accept error
> from unknown[10.1.1.1]: lost connection
> Mar 13 23:52:04 RELAY1 postfix/submission/smtpd[4570]: match_hostaddr:
> 10.1.1.1 ~? 127.0.0.0/8
> Mar 13 23:52:04 RELAY1 postfix/submission/smtpd[4570]: match_hostaddr:
> 10.1.1.1 ~? 10.0.0.0/8
> Mar 13 23:52:04 RELAY1 postfix/submission/smtpd[4570]: lost connection
> after STARTTLS from unknown[10.1.1.1]
> Mar 13 23:52:04 RELAY1 postfix/submission/smtpd[4570]: disconnect from
> unknown[10.1.1.1]
>
> and from mailx output:
>
> aaa
> .
> EOT
> Resolving host 172.16.1.1 . . . done.
> Connecting to 172.16.1.1:587 . . . connected.
> 220 relay.mycompany.com ESMTP Postfix (Debian/GNU)
> >>> EHLO CLIENT01
> 250-relay.mycompany.com
> 250-PIPELINING
> 250-SIZE 1524
> 250-ETRN
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> >>> STARTTLS
> 220 2.0.0 Ready to start TLS
> Error initializing NSS: Unknown error -8015.
> "/root/dead.letter" 11/313
> . . . message not sent.
>
> On Mon, Mar 13, 2017 at 11:46 PM, Viktor Dukhovni <
> postfix-us...@dukhovni.org> wrote:
>
>>
>> > On Mar 13, 2017, at 10:39 PM, Jeronimo L. Cabral <jelocab...@gmail.com>
>> wrote:
>> >
>> > After setting verbose logging:
>> >
>> > debug_peer_list = 10.1.1.1  (client IP)
>>
>>
>> > and trying to send a message with mailx, the log is empty because the
>> STARTTLS capabilities on port TCP/587 are not present:
>>
>> That's because there's a typo in:
>>
>>    smtpd_relay_restrictions = permit_mynetworks,
>> permit_sasl_authenticated, reject_unauth_destinations
>>
>> That last element should be singular: "reject_unauth_destination" not
>> plural "...destinations"
>>
>> This would be easily found in your logs:
>>
>> http://www.postfix.org/DEBUG_README.html#logging
>>
>> --
>> Viktor.
>>
>>
>


Re: TLS support for Postfix server on port TCP/25

2017-03-13 Thread Jeronimo L. Cabral
Ahh OK, and now when I try to send a message with mailx, in the mail.log
from Postfix I have this:

Mar 13 23:52:03 RELAY1 postfix/submission/smtpd[4570]: connect from
unknown[10.1.1.1]
Mar 13 23:52:03 RELAY1 postfix/submission/smtpd[4570]: match_hostaddr:
10.1.1.1 ~? 127.0.0.0/8
Mar 13 23:52:03 RELAY1 postfix/submission/smtpd[4570]: match_hostaddr:
10.1.1.1 ~? 10.0.0.0/8
Mar 13 23:52:03 RELAY1 postfix/submission/smtpd[4570]: > unknown[10.1.1.1]:
220 relay.mycompany.com ESMTP Postfix (Debian/GNU)
Mar 13 23:52:03 RELAY1 postfix/submission/smtpd[4570]: < unknown[10.1.1.1]:
EHLO CLIENT01
Mar 13 23:52:03 RELAY1 postfix/submission/smtpd[4570]: match_list_match:
10.1.1.1: no match
Mar 13 23:52:03 RELAY1 postfix/submission/smtpd[4570]: > unknown[10.1.1.1]:
250-relay.mycompany.com
Mar 13 23:52:03 RELAY1 postfix/submission/smtpd[4570]: > unknown[10.1.1.1]:
250-PIPELINING
Mar 13 23:52:03 RELAY1 postfix/submission/smtpd[4570]: > unknown[10.1.1.1]:
250-SIZE 1524
Mar 13 23:52:03 RELAY1 postfix/submission/smtpd[4570]: > unknown[10.1.1.1]:
250-ETRN
Mar 13 23:52:03 RELAY1 postfix/submission/smtpd[4570]: > unknown[10.1.1.1]:
250-STARTTLS
Mar 13 23:52:03 RELAY1 postfix/submission/smtpd[4570]: > unknown[10.1.1.1]:
250-ENHANCEDSTATUSCODES
Mar 13 23:52:03 RELAY1 postfix/submission/smtpd[4570]: > unknown[10.1.1.1]:
250-8BITMIME
Mar 13 23:52:03 RELAY1 postfix/submission/smtpd[4570]: > unknown[10.1.1.1]:
250 DSN
Mar 13 23:52:03 RELAY1 postfix/submission/smtpd[4570]: < unknown[10.1.1.1]:
STARTTLS
Mar 13 23:52:03 RELAY1 postfix/submission/smtpd[4570]: > unknown[10.1.1.1]:
220 2.0.0 Ready to start TLS
Mar 13 23:52:04 RELAY1 postfix/submission/smtpd[4570]: SSL_accept error
from unknown[10.1.1.1]: lost connection
Mar 13 23:52:04 RELAY1 postfix/submission/smtpd[4570]: match_hostaddr:
10.1.1.1 ~? 127.0.0.0/8
Mar 13 23:52:04 RELAY1 postfix/submission/smtpd[4570]: match_hostaddr:
10.1.1.1 ~? 10.0.0.0/8
Mar 13 23:52:04 RELAY1 postfix/submission/smtpd[4570]: lost connection
after STARTTLS from unknown[10.1.1.1]
Mar 13 23:52:04 RELAY1 postfix/submission/smtpd[4570]: disconnect from
unknown[10.1.1.1]

and from mailx output:

aaa
.
EOT
Resolving host 172.16.1.1 . . . done.
Connecting to 172.16.1.1:587 . . . connected.
220 relay.mycompany.com ESMTP Postfix (Debian/GNU)
>>> EHLO CLIENT01
250-relay.mycompany.com
250-PIPELINING
250-SIZE 1524
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
>>> STARTTLS
220 2.0.0 Ready to start TLS
Error initializing NSS: Unknown error -8015.
"/root/dead.letter" 11/313
. . . message not sent.

On Mon, Mar 13, 2017 at 11:46 PM, Viktor Dukhovni <
postfix-us...@dukhovni.org> wrote:

>
> > On Mar 13, 2017, at 10:39 PM, Jeronimo L. Cabral <jelocab...@gmail.com>
> wrote:
> >
> > After setting verbose logging:
> >
> > debug_peer_list = 10.1.1.1  (client IP)
>
>
> > and trying to send a message with mailx, the log is empty because the
> STARTTLS capabilities on port TCP/587 are not present:
>
> That's because there's a typo in:
>
>    smtpd_relay_restrictions = permit_mynetworks,
> permit_sasl_authenticated, reject_unauth_destinations
>
> That last element should be singular: "reject_unauth_destination" not
> plural "...destinations"
>
> This would be easily found in your logs:
>
> http://www.postfix.org/DEBUG_README.html#logging
>
> --
> Viktor.
>
>
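The typo Viktor points out (`reject_unauth_destinations` for `reject_unauth_destination`) is the kind of mistake a quick lint of `postconf -n` output catches before the server is restarted. The Python below is an added example, not code from this thread or from Postfix; its sample `postconf -n` text is constructed after the main.cf posted here, and the known-restriction sets are a subset of the documented smtpd restrictions.

```python
"""Lint ``postconf -n`` output for the mistakes discussed in this thread.

Added example, not part of the thread or of Postfix. It reports:
  * restriction-list entries that are not a known smtpd restriction
    (the ``reject_unauth_destinations`` typo),
  * an explicitly set smtpd_relay_restrictions that never stops relaying,
  * client certificates configured for the MTA's own SMTP client.
KNOWN_* are a subset of the documented smtpd restrictions; extend as needed.
"""
import re

# Restrictions that take no argument.
KNOWN_BARE = {
    "permit", "reject", "defer", "defer_if_permit", "defer_if_reject",
    "permit_mynetworks", "permit_sasl_authenticated", "permit_inet_interfaces",
    "reject_unauth_destination", "defer_unauth_destination",
    "reject_unauth_pipelining", "reject_invalid_helo_hostname",
    "reject_non_fqdn_helo_hostname", "reject_non_fqdn_sender",
    "reject_non_fqdn_recipient", "reject_unknown_sender_domain",
    "reject_unknown_recipient_domain", "reject_unknown_client_hostname",
    "reject_unlisted_recipient", "reject_unlisted_sender", "warn_if_reject",
}
# Restrictions whose next token is their argument (table, server or domain).
KNOWN_WITH_ARG = {
    "check_client_access", "check_helo_access", "check_sender_access",
    "check_recipient_access", "check_policy_service", "reject_rbl_client",
    "reject_rhsbl_client", "reject_rhsbl_sender", "reject_rhsbl_helo",
}
RELAY_STOPPERS = {"reject_unauth_destination", "defer_unauth_destination"}
RESTRICTION_LISTS = (
    "smtpd_client_restrictions", "smtpd_helo_restrictions",
    "smtpd_sender_restrictions", "smtpd_relay_restrictions",
    "smtpd_recipient_restrictions",
)

# Constructed sample modelled on the main.cf posted in the thread.
SAMPLE_POSTCONF = """\
smtp_tls_cert_file = /etc/postfix/SSL/publica.crt
smtp_tls_key_file = /etc/postfix/SSL/privada.pem
smtp_tls_security_level = may
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
    reject_unauth_destination, reject_rbl_client sbl.spamhaus.org
    check_policy_service unix:private/policy
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destinations
smtpd_tls_security_level = may
"""


def parse_postconf(text):
    """``name = value`` lines; indented lines continue the previous value."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def split_restrictions(value):
    """Postfix accepts commas and/or whitespace between list items."""
    return [tok for tok in re.split(r"[,\s]+", value) if tok]


def lint(params):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    findings = []
    for name in RESTRICTION_LISTS:
        tokens = split_restrictions(params.get(name, ""))
        want_arg = False
        for tok in tokens:
            if want_arg:                 # this token is the previous restriction's argument
                want_arg = False
            elif tok in KNOWN_WITH_ARG:
                want_arg = True
            elif tok not in KNOWN_BARE:
                findings.append(f"{name}: unknown restriction '{tok}'")
        if want_arg:
            findings.append(f"{name}: '{tokens[-1]}' is missing its argument")
    # Postfix 2.10+ enforces relay policy in smtpd_relay_restrictions; when the
    # admin sets it explicitly it has to contain a relay stopper.
    relay = split_restrictions(params.get("smtpd_relay_restrictions", ""))
    if "smtpd_relay_restrictions" in params and not RELAY_STOPPERS & set(relay):
        findings.append("smtpd_relay_restrictions: no reject_unauth_destination "
                        "or defer_unauth_destination, relay control is missing")
    for name in ("smtp_tls_cert_file", "smtp_tls_key_file"):
        if params.get(name):
            findings.append(f"{name}: client certificates are not recommended for MTAs")
    return findings


def lint_text(text):
    return lint(parse_postconf(text))


if __name__ == "__main__":
    for finding in lint_text(SAMPLE_POSTCONF):
        print(finding)
```

Feed it the real output with `postconf -n | python3 lint_postconf.py` style piping once you have wrapped `lint_text(sys.stdin.read())`; the sample run flags the typo, the resulting missing relay stopper, and the two client-certificate parameters.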


Re: TLS support for Postfix server on port TCP/25

2017-03-13 Thread Jeronimo L. Cabral
Ok Viktor, thanks again.

After setting verbose logging:

debug_peer_list <http://www.postfix.org/postconf.5.html#debug_peer_list> = 10.1.1.1 (client IP)

and trying to send a message with mailx, the log is empty because the
STARTTLS capabilities on port TCP/587 are not present:

tail -f /var/log/mail.log | grep 10.1.1.1

NOTHING !!!

Before the changes you suggested to me, the STARTTLS was present in a
telnet session.

I attach the output of postconf -n and postconf -Mf.


On Mon, Mar 13, 2017 at 11:16 PM, Viktor Dukhovni <
postfix-us...@dukhovni.org> wrote:

>
> > On Mar 13, 2017, at 10:07 PM, Jeronimo L. Cabral <jelocab...@gmail.com>
> wrote:
> >
> > Dear Viktor, I apologize for my new interruption, but after following
> your instructions, the Postfix server doesn't show the STARTTLS support via
> telnet:
>
>    http://www.postfix.org/DEBUG_README.html#mail
>    http://www.postfix.org/DEBUG_README.html#logging
>
> --
> Viktor.
>
>
smtp       inet  n       -       -       -       -       smtpd
submission inet  n       -       -       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_recipient_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_data_restrictions=
    -o smtpd_end_of_data_restrictions=
    -o milter_macro_daemon_name=ORIGINATING
pickup     fifo  n       -       -       60      1       pickup
cleanup    unix  n       -       -       -       0       cleanup
qmgr       fifo  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       -       1000?   1       tlsmgr
rewrite    unix  -       -       -       -       -       trivial-rewrite
bounce     unix  -       -       -       -       0       bounce
defer      unix  -       -       -       -       0       bounce
trace      unix  -       -       -       -       0       bounce
verify     unix  -       -       -       -       1       verify
flush      unix  n       -       -       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       -       -       -       smtp
relay      unix  -       -       -       -       -       smtp
showq      unix  n       -       -       -       -       showq
error      unix  -       -       -       -       -       error
retry      unix  -       -       -       -       -       error
discard    unix  -       -       -       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       -       -       -       lmtp
anvil      unix  -       -       -       -       1       anvil
scache     unix  -       -       -       -       1       scache
policy     unix  -       n       n       -       -       spawn user=nobody
    argv=/usr/bin/perl /usr/sbin/postfix-policyd-spf-perl
spamassassin unix -      n       n       -       -       pipe user=nobody
    argv=/usr/bin/spamc --socket=/tmp/spamd.sock -e /usr/sbin/sendmail -oi -f
    ${sender} ${recipient}
maildrop   unix  -       n       n       -       -       pipe flags=DRhu
    user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp       unix  -       n       n       -       -       pipe flags=Fqhu
    user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail     unix  -       n       n       -       -       pipe flags=F user=ftn
    argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp      unix  -       n       n       -       -       pipe flags=Fq.
    user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n       n       -       2       pipe flags=R
    user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop}
    ${user} ${extension}
mailman    unix  -       n       n       -       -       pipe flags=FR
    user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop}
    ${user}
smtp-amavis unix -       -       y       -       30      smtp
    -o smtp_data_done_timeout=1200s
    -o smtp_tls_security_level=none
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet n   -       y       -       -       smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
anvil_rate_time_unit = 60s
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
disable_vrfy_command = yes
inet_interfaces = all
mailbox_size_limit = 0
message_size_limit = 1524
mydestination = relay.p

Re: TLS support for Postfix server on port TCP/25

2017-03-13 Thread Jeronimo L. Cabral
Dear Viktor, I apologize for my new interruption, but after following your
instructions, the Postfix server doesn't show the STARTTLS support via
telnet:

$ telnet 10.1.1.1 587
Trying 10.1.1.1...
Connected to 10.1.1.1.
Escape character is '^]'.
ehlo relay.mycompany.com

NOTHING TO SHOW!!!

Now I have:

main.cf:

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

append_dot_mydomain = no

readme_directory = no

# TLS parameters (server side)
smtpd_tls_cert_file = /etc/postfix/SSL/MailRelay-server-publica.crt
smtpd_tls_key_file = /etc/postfix/SSL/MailRelay-server-privada.pem
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1

# TLS parameters (client side)
smtp_tls_security_level = may
smtp_tls_cert_file =
smtp_tls_key_file =
smtp_tls_loglevel = 1

myhostname = relay.mycompany.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = relay.mycompany.com, localhost.mycompany.com, localhost
relayhost =
mynetworks = 127.0.0.0/8 10.0.0.0/8 192.168.69.0/24 172.16.0.0/12
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_non_fqdn_sender,
reject_unknown_recipient_domain,
reject_unknown_sender_domain,
reject_unauth_destination,
reject_rbl_client zombie.dnsbl.sorbs.net,
reject_rbl_client opm.blitzed.org,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client pbl.spamhaus.org,
reject_rbl_client cbl.abuseat.org
check_policy_service unix:private/policy

smtpd_relay_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destinations

disable_vrfy_command = yes

smtpd_hard_error_limit = 4

message_size_limit = 1524

transport_maps = hash:/etc/postfix/transport

anvil_rate_time_unit=60s
smtpd_client_message_rate_limit = 50

master.cf:

#==
# service type  private unpriv  chroot  wakeup  maxproc command + args
#   (yes)   (yes)   (yes)   (never) (100)
# ==
smtp  inet  n   -   -   -   -   smtpd
#smtp  inet  n   -   -   -   1   postscreen
#smtpd pass  -   -   -   -   -   smtpd
#dnsblog   unix  -   -   -   -   0   dnsblog
#tlsproxy  unix  -   -   -   -   0   tlsproxy
submission inet n   -   -   -   -   smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_recipient_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_data_restrictions=
  -o smtpd_end_of_data_restrictions=
  -o milter_macro_daemon_name=ORIGINATING

#smtps inet  n   -   -   -   -   smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628   inet  n   -   -   -   -   qmqpd
pickupfifo  n   -   -   60  1   pickup
cleanup   unix  n   -   -   -   0   cleanup
qmgr  fifo  n   -   n   300 1   qmgr
#qmgr fifo  n   -   n   300 1   oqmgr
tlsmgrunix  -   -   -   1000?   1   tlsmgr
rewrite   unix  -   -   -   -   -   trivial-rewrite
bounceunix  -   -   -   -   0   bounce
defer unix  -   -   -   -   0   bounce
trace unix  -   -   -   -   0   bounce
verifyunix  -   -   -   -   1   verify
flush unix  n   -   -   1000?   0   flush
proxymap  unix  -   -   n   -   -   proxymap
proxywrite unix -   -   n   -   1   proxymap
smtp  unix  -   -   -   -   -   smtp
relay unix  -   -   -   -   -   smtp
#   -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix  n   -   -   -   -   showq
error unix  -   -   -   -   -   error
retry unix  -   -   -   -   -   error
discard   unix  -   -   -   -   -   discard
local unix  -   n   n   -   -   local
virtual   unix  -   n   n   -   -   virtual
lmtp  unix  -   -   -   -   -   lmtp
anvil unix  -   -   -   -   1   anvil
scacheunix  -   -   -   -   1   scache

# Agregado para que funcione la 

Re: TLS support for Postfix server on port TCP/25

2017-03-13 Thread Jeronimo L. Cabral
    argv=/usr/bin/perl /usr/sbin/postfix-policyd-spf-perl
spamassassin unix -   n   n   -   -   pipe
  user=nobody argv=/usr/bin/spamc --socket=/tmp/spamd.sock -e
  /usr/sbin/sendmail -oi -f ${sender} ${recipient}

# 
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# 
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -   n   n   -   -   pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
# 
#
# See the Postfix UUCP_README file for configuration details.
#
uucp  unix  -   n   n   -   -   pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
($recipient)
#
# Other external delivery methods.
#
ifmailunix  -   n   n   -   -   pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix  -   n   n   -   -   pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender
$recipient
scalemail-backend unix  -   n   n   -   2   pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
${nexthop} ${user} ${extension}
mailman   unix  -   n   n   -   -   pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

#Added by hand
smtp-amavis unix -   -   y   -   30  smtp
  -o smtp_data_done_timeout=1200s
  -o smtp_tls_security_level=none

## -o smtp_never_send_ehlo=yes
  -o disable_dns_lookups=yes
127.0.0.1:10025 inet   n   -   y   -   -   smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8

Execution of mailx and output in the client:

# mailx -v -r "f...@mycompany.com" -s "TLS test" -S smtp="10.1.1.1:587" -S
smtp-use-starttls -S ssl-verify=ignore any_u...@gmail.com

TYPE A MESSAGE
.
EOT
Resolving host 10.1.1.1 . . . done.
Connecting to 10.1.1.1:587 . . . connected.
220 relay.mycompany.com ESMTP Postfix (Debian/GNU)
>>> EHLO HOST341
250-relay.mycompany.com
250-PIPELINING
250-SIZE 1524
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
>>> STARTTLS
220 2.0.0 Ready to start TLS
Missing "nss-config-dir" variable.
"/root/dead.letter" 11/314
. . . message not sent.

Can you help me again please???

Really thanks, I'm desperate.

On Mon, Mar 13, 2017 at 9:43 PM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

>
> > On Mar 13, 2017, at 7:37 PM, Jeronimo L. Cabral <jelocab...@gmail.com>
> wrote:
> >
> > Dear Viktor, sorry, but I'll try to be more explicit because
> > I have to get submission working and I can't:
> >
> > main.cf:
> >
> > smtp_tls_cert_file = /etc/postfix/SSL/publica.crt
> > smtp_tls_key_file = /etc/postfix/SSL/privada.pem
>
> Though not related to your current problem, client certificates
> are not recommended for MTAs, leave these two parameters empty.
>
> > smtp_tls_loglevel = 2
>
> And the log level at 1.
>
> > master.cf:
> >
> > submission inet n   -   -   -   -   smtpd
> >   -o syslog_name=postfix/submission
> > #  -o smtpd_tls_security_level=encrypt
> > #  -o smtpd_sasl_auth_enable=yes
> > #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> > #  -o milter_macro_daemon_name=ORIGINATING
>
> Do uncomment the remaining options, but change "smtpd_client_restrictions"
> to "permit_mynetworks, reject", making sure that "172.1.1.1" et al. are
> listed in mynetworks.
>
> > And when I send a message with mailx from client 172.1.1.1:
> >
> > $ mailx -v -r "f...@mycompany.com" -s "TLS test" -S smtp="10.1.1.1:587"
> -S smtp-use-starttls -S ssl-verify=ignore any_u...@gmail.com
>
> I still don't see where you're specifying the message to be sent.
>
> > I get this log in Postfix:
> >
> > Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: connect
> from unknown[172.1.1.1]
> > Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: settin

Re: TLS support for Postfix server on port TCP/25

2017-03-13 Thread Jeronimo L. Cabral
Dear Viktor, sorry, but I'll try to be more explicit because I have to get
submission working and I can't:

main.cf:

# TLS parameters (server side)
smtpd_tls_cert_file=/etc/ssl/certs/relay.pem
smtpd_tls_key_file=/etc/ssl/private/key.pem
smtpd_tls_security_level = may
smtpd_tls_loglevel = 2

# TLS parameters (client side)
smtp_tls_security_level = may
smtp_tls_cert_file = /etc/postfix/SSL/publica.crt
smtp_tls_key_file = /etc/postfix/SSL/privada.pem
smtp_tls_loglevel = 2
smtp_tls_note_starttls_offer = yes
smtp_starttls_timeout = 300s
smtp_tls_CApath = /etc/ssl/certs

master.cf:

submission inet n   -   -   -   -   smtpd
  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

And when I send a message with mailx from client 172.1.1.1:

$ mailx -v -r "f...@mycompany.com" -s "TLS test" -S smtp="10.1.1.1:587" -S
smtp-use-starttls -S ssl-verify=ignore any_u...@gmail.com

I get this log in Postfix:


Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: connect from
unknown[172.1.1.1]
Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: setting up TLS
connection from unknown[172.1.1.1]
Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]:
unknown[10.12.13.220]: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: SSL_accept
error from unknown[172.1.1.1]: lost connection
Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: lost connection
after STARTTLS from unknown[172.1.1.1]
Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: disconnect from
unknown[172.1.1.1]

Thanks a lot,

Jelo

On Mon, Mar 13, 2017 at 7:53 PM, Jeronimo L. Cabral <jelocab...@gmail.com>
wrote:

> Dear Viktor, I've followed your instructions and set up the submission port
> in master.cf as you said:
>
> Mail client ---STARTTLS---> Postfix listening on port TCP/587 ---> Internet
> SMTP servers
>
> But when I execute from a client 172.1.1.1 to the Postfix server 10.1.1.1:
>
> $ mailx -v -r "f...@mycompany.com" -s "TLS test" -S smtp="10.1.1.1:587" -S
> smtp-use-starttls -S ssl-verify=ignore any_u...@gmail.com
>
> the command never ends in the shell and the Postfix log just says:
>
> Mar 13 19:41:56 MITLPSMT01 postfix/smtpd[20302]: initializing the
> server-side TLS engine
> Mar 13 19:41:56 MITLPSMT01 postfix/smtpd[20302]: connect from
> unknown[172.1.1.1]
> Mar 13 19:41:56 MITLPSMT01 postfix/smtpd[20302]: setting up TLS connection
> from unknown[172.1.1.1]
> Mar 13 19:41:56 MITLPSMT01 postfix/smtpd[20302]: unknown[172.1.1.1]: TLS
> cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
> Mar 13 19:41:56 MITLPSMT01 postfix/smtpd[20302]: SSL_accept:before/accept
> initialization
>
> The mail doesn't go out from Postfix.
>
> What can be the reason I can't send a mail using STARTTLS through the
> Postfix server ???
>
> On Mon, Mar 13, 2017 at 5:18 PM, Viktor Dukhovni <
> postfix-us...@dukhovni.org> wrote:
>
>> On Mon, Mar 13, 2017 at 04:49:23PM -0300, Jeronimo L. Cabral wrote:
>>
>> > At the moment, the mail relay is reached just from inside our company
>> and
>> > several applications use it to send mail through Internet.
>>
>> If the submission port is only reachable from internal trusted
>> networks, then authentication is optional.  You'll need to make
>> sure that Postfix will not be listening for port 587 on any public
>> IP addresses.
>>
>> > Using mailx is in this manner:
>>
>> My first encounter with "heirloom-mailx", with SMTP and TLS bolted
>> into mailx; my, is the world getting fancy...
>>
>> > $ mailx -v -r "f...@mycompany.com" -s "TLS test" -S smtp="10.10.12.5:587"
>> -S
>> > smtp-use-starttls -S ssl-verify=ignore u...@gmail.com
>>
>> This is fine, provided that 10.10.12.5 is not reachable from outside via
>> NAT, and no other IP address reaches the same port 587 service.
>>
>> --
>> Viktor.
>>
>
>


Re: TLS support for Postfix server on port TCP/25

2017-03-13 Thread Jeronimo L. Cabral
Dear Viktor, I've followed your instructions and set up the submission port
in master.cf as you said:

Mail client ---STARTTLS---> Postfix listening on port TCP/587 ---> Internet
SMTP servers

But when I execute from a client 172.1.1.1 to the Postfix server 10.1.1.1:

$ mailx -v -r "f...@mycompany.com" -s "TLS test" -S smtp="10.1.1.1:587" -S
smtp-use-starttls -S ssl-verify=ignore any_u...@gmail.com

the command never ends in the shell and the Postfix log just says:

Mar 13 19:41:56 MITLPSMT01 postfix/smtpd[20302]: initializing the
server-side TLS engine
Mar 13 19:41:56 MITLPSMT01 postfix/smtpd[20302]: connect from
unknown[172.1.1.1]
Mar 13 19:41:56 MITLPSMT01 postfix/smtpd[20302]: setting up TLS connection
from unknown[172.1.1.1]
Mar 13 19:41:56 MITLPSMT01 postfix/smtpd[20302]: unknown[172.1.1.1]: TLS
cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
Mar 13 19:41:56 MITLPSMT01 postfix/smtpd[20302]: SSL_accept:before/accept
initialization

The mail doesn't go out from Postfix.

What can be the reason I can't send a mail using STARTTLS through the
Postfix server ???

On Mon, Mar 13, 2017 at 5:18 PM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

> On Mon, Mar 13, 2017 at 04:49:23PM -0300, Jeronimo L. Cabral wrote:
>
> > At the moment, the mail relay is reached just from inside our company and
> > several applications use it to send mail through Internet.
>
> If the submission port is only reachable from internal trusted
> networks, then authentication is optional.  You'll need to make
> sure that Postfix will not be listening for port 587 on any public
> IP addresses.
>
> > Using mailx is in this manner:
>
> My first encounter with "heirloom-mailx", with SMTP and TLS bolted
> into mailx; my, is the world getting fancy...
>
> > $ mailx -v -r "f...@mycompany.com" -s "TLS test" -S smtp="10.10.12.5:587"
> -S
> > smtp-use-starttls -S ssl-verify=ignore u...@gmail.com
>
> This is fine, provided that 10.10.12.5 is not reachable from outside via
> NAT, and no other IP address reaches the same port 587 service.
>
> --
> Viktor.
>


Re: TLS support for Postfix server on port TCP/25

2017-03-13 Thread Jeronimo L. Cabral
At the moment, the mail relay is reached just from inside our company and
several applications use it to send mail through the Internet. In this
scenario, one of these applications takes the user "f...@mycompany.com" and
sends mail to the Postfix relay. So the apps will be configured in this way
(after your advice):

Postfix server: x.x.x.x
Port: TCP/587
Security: STARTTLS
User: f...@mycompany.com
Pass: 

Using mailx is in this manner:

$ mailx -v -r "f...@mycompany.com" -s "TLS test" -S smtp="10.10.12.5:587" -S
smtp-use-starttls -S ssl-verify=ignore u...@gmail.com

One last question please: what type of authentication is this? Normal
password? Does this imply an extra line in main.cf?

Hundreds of thanks :)

Jelo



On Mon, Mar 13, 2017 at 4:38 PM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

> On Mon, Mar 13, 2017 at 04:33:15PM -0300, Jeronimo L. Cabral wrote:
>
> > Sorry, I repeat Postfix doesn't need to authenticate any user sending
> > through it (not login/password)
>
> Why is that?  How are you planning to prevent abuse by spammers
> exploiting open relays?
>
> --
> Viktor.
>


Re: TLS support for Postfix server on port TCP/25

2017-03-13 Thread Jeronimo L. Cabral
Sorry, I repeat: Postfix doesn't need to authenticate any user sending
through it (no login/password).

Does this imply an extra configuration line?

Thanks again.

On Mon, Mar 13, 2017 at 4:19 PM, Jeronimo L. Cabral <jelocab...@gmail.com>
wrote:

> Thanks to both of you !!!
>
> I need STARTTLS server side connection, because the client side connection
> is working OK.
>
> I have Postfix 2.11, so you say if I use STARTTLS with port TCP/25 the
> authentication is in plain text...but if I set up STARTTLS on port TCP/587
> the authentication is encrypted too with TLS... I believed that using STARTTLS
> on port TCP/25 I had encrypted both login and data.
>
> In case I set up STARTTLS in port TCP/587, both login and data go through
> it ??? Or just login through port TCP/587 and the data go through port
> TCP/25 ???
>
> Thanks again, regards !!!
>
> On Mon, Mar 13, 2017 at 4:04 PM, Viktor Dukhovni <
> postfix-us...@dukhovni.org> wrote:
>
>> On Mon, Mar 13, 2017 at 01:47:49PM -0500, Noel Jones wrote:
>>
>> > > smtpd_use_tls=yes
>> >
>> > postfix requires spaces around the " = " in the above parameters in
>> > main.cf
>>
>> That's not accurate, while " = " is the "normal form" of main.cf
>> settings as output by "postconf -n", the spaces are optional.
>>
>> > > smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_
>> scache
>> > > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
>> >
>> > The TLS session cache is no longer necessary or desirable. Remove
>> > these two parameters to allow openssl to automatically use session
>> > tickets, which are better than the cache.
>>
>> As of Postfix 2.11.
>>
>> > > smtpd_tls_session_cache_timeout = 3600s
>> >
>> > Since you're not using cache, you can remove this entry too.
>>
>> This parameter also controls the lifetime of session tickets, but
>> since 3600s is the default value, there's no need to set it
>> explicitly.
>>
>> --
>> Viktor.
>>
>
>


Re: TLS support for Postfix server on port TCP/25

2017-03-13 Thread Jeronimo L. Cabral
Thanks to both of you !!!

I need STARTTLS server side connection, because the client side connection
is working OK.

I have Postfix 2.11, so you say if I use STARTTLS with port TCP/25 the
authentication is in plain text...but if I set up STARTTLS on port TCP/587
the authentication is encrypted too with TLS... I believed that using STARTTLS
on port TCP/25 I had encrypted both login and data.

In case I set up STARTTLS in port TCP/587, both login and data go through
it ??? Or just login through port TCP/587 and the data go through port
TCP/25 ???

Thanks again, regards !!!

On Mon, Mar 13, 2017 at 4:04 PM, Viktor Dukhovni wrote:

> On Mon, Mar 13, 2017 at 01:47:49PM -0500, Noel Jones wrote:
>
> > > smtpd_use_tls=yes
> >
> > postfix requires spaces around the " = " in the above parameters in
> > main.cf
>
> That's not accurate, while " = " is the "normal form" of main.cf
> settings as output by "postconf -n", the spaces are optional.
>
> > > smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_
> scache
> > > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> >
> > The TLS session cache is no longer necessary or desirable. Remove
> > these two parameters to allow openssl to automatically use session
> > tickets, which are better than the cache.
>
> As of Postfix 2.11.
>
> > > smtpd_tls_session_cache_timeout = 3600s
> >
> > Since you're not using cache, you can remove this entry too.
>
> This parameter also controls the lifetime of session tickets, but
> since 3600s is the default value, there's no need to set it
> explicitly.
>
> --
> Viktor.
>


TLS support for Postfix server on port TCP/25

2017-03-13 Thread Jeronimo L. Cabral
Dear, I want mail clients to send messages to the Internet through our own
Postfix mail relay acting as smtpd server (not as client), let's say:

Mail client ---STARTTLS---> Postfix listening on port TCP/25 ---> Internet
SMTP servers

Also, I don't need authentication to send mails from the Postfix mail relay.

In /etc/postfix/main.cf I setup:

# TLS parameters for smtpd
smtpd_tls_cert_file=/etc/postfix/SSL/MailRelay-server-public.crt
smtpd_tls_key_file=/etc/postfix/SSL/MailRelay-server-private.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_loglevel = 2
tls_random_source = dev:/dev/urandom
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_CApath = /etc/ssl/certs

Is this configuration OK in order to let Postfix accept STARTTLS
connections from clients???

Thanks a lot,

Jelo


Relay and mynetworks

2009-11-20 Thread Jeronimo
Hi,

I always thought that only hosts in mynetworks could relay through my server,
but...
I created the following rule

smtpd_recipient_restrictions =
check_sender_access hash:/etc/postfix/dominios_permitidos,
reject

and put this on the dominios_permitidos map
meudominio.com.br OK

But when I do this, all hosts that use meudominio.com.br in the MAIL FROM
command are allowed to use my server to relay to the outside world, even if
the host is not listed in mynetworks.

My main.cf file is following

myhostname = r01.meudominio.com.br
myorigin = $myhostname
mydestination =
local_recipient_maps =
local_transport = error:Nao aceitamos entrega local
mynetworks = 127.0.0.0/8

relay_domains = $mydestination

inet_interfaces = all

smtpd_recipient_restrictions =
check_sender_access hash:/etc/postfix/dominios_permitidos,
reject


If I remove these last three lines the relay becomes closed.
Does anyone know how to restrict relay and only accept MAIL FROM my domain?

Thanks for your attention!!

Jerônimo


Re: Relay and mynetworks

2009-11-20 Thread Jeronimo
I put the restriction in smtpd_recipient_restrictions to log all attempts to
send email.
There is no difference in putting this restriction in smtpd_sender_restrictions;
it only changes the moment at which the server rejects the message, I guess...

I changed the restriction because I want only messages from my domain to
pass through the relay.

Thanks


2009/11/20 Victor Duchovni victor.ducho...@morganstanley.com

> On Fri, Nov 20, 2009 at 05:04:44PM -0200, Jeronimo wrote:
>
> > Hi,
> >
> > I always thought that only hosts in mynetworks could relay through my server,
> > but...
> > I created the following rule
> >
> > smtpd_recipient_restrictions =
> > check_sender_access hash:/etc/postfix/dominios_permitidos,
> > reject
>
> This is a disastrously bad idea and turns you into an open relay.
>
> > and put this on the dominios_permitidos map
> > meudominio.com.br OK
>
> DO NOT do this. Restore smtpd_recipient_restrictions to its correct
> default value, and then start a new thread where you describe what
> problem motivated you to do this.
>
> > If I remove these last three lines the relay becomes closed.
> > Does anyone know how to restrict relay and only accept MAIL FROM my domain?
>
> Set mynetworks correctly. Do NOTHING else. Postfix works correctly by
> default. What caused you to change the recipient restrictions?
>
> --
> Viktor.
>
> Disclaimer: off-list followups get on-list replies or get ignored.
> Please do not ignore the Reply-To header.
>
> To unsubscribe from the postfix-users list, visit
> http://www.postfix.org/lists.html or click the link below:
> mailto:majord...@postfix.org?body=unsubscribe%20postfix-users
>
> If my response solves your problem, the best way to thank me is to not
> send an "it worked, thanks" follow-up. If you must respond, please put
> "It worked, thanks" in the Subject so I can delete these quickly.
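Viktor's warning that `check_sender_access ... OK, reject` turns the server into an open relay follows from how smtpd evaluates a restriction list: first match wins, and MAIL FROM is whatever the connecting client claims. The Python below is an added example (not Postfix code, not from the thread) that replays that evaluation for a RCPT TO command; the client addresses, access map and domain lists are constructed from the posted main.cf, and only the restrictions used in this thread are modelled.

```python
"""Replay Postfix's first-match evaluation of smtpd_recipient_restrictions.

Added example, not Postfix code and not from the thread. smtpd walks the list
left to right and stops at the first restriction that answers PERMIT or
REJECT; a restriction with no opinion (DUNNO) passes to the next one, and
reaching the end of the list permits. Only the restrictions used in the
thread are modelled. Clients, access map and domain lists are constructed.
"""
import ipaddress

# Constructed from the posted main.cf: mynetworks = 127.0.0.0/8, an empty
# mydestination, relay_domains = $mydestination, and an access map holding
# "meudominio.com.br OK".
CONFIG = {
    "mynetworks": ["127.0.0.0/8"],
    "mydestination": set(),
    "relay_domains": set(),
    "maps": {"hash:/etc/postfix/dominios_permitidos": {"meudominio.com.br": "OK"}},
}
POSTED_LIST = ["check_sender_access hash:/etc/postfix/dominios_permitidos", "reject"]
DEFAULT_LIST = ["permit_mynetworks", "reject_unauth_destination"]

# Constructed sessions. 203.0.113.7 is an outside host (TEST-NET-3) that
# simply types a forged MAIL FROM; nothing in SMTP authenticates that field.
SESSIONS = {
    "outsider, forged sender": dict(client="203.0.113.7",
                                    sender="spammer@meudominio.com.br",
                                    recipient="victim@example.net"),
    "outsider, other sender": dict(client="203.0.113.7",
                                   sender="x@example.org",
                                   recipient="victim@example.net"),
    "local client": dict(client="127.0.0.1",
                         sender="app@meudominio.com.br",
                         recipient="victim@example.net"),
}


def in_mynetworks(client, mynetworks):
    ip = ipaddress.ip_address(client)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in mynetworks)


def sender_access(sender, table):
    """Lookup order modelled on access(5): full address, domain and its parent
    domains, then user@. Returns the table action or None (DUNNO)."""
    local, _, domain = sender.rpartition("@")
    labels = domain.split(".")
    keys = [sender] + [".".join(labels[i:]) for i in range(len(labels))] + [local + "@"]
    return next((table[k] for k in keys if k in table), None)


def evaluate(restrictions, session, config=CONFIG):
    """Return (decision, deciding restriction) for one RCPT TO command."""
    rcpt_domain = session["recipient"].rpartition("@")[2]
    for restriction in restrictions:
        name, _, arg = restriction.partition(" ")
        if name == "permit_mynetworks":
            if in_mynetworks(session["client"], config["mynetworks"]):
                return "PERMIT", restriction
        elif name == "check_sender_access":
            action = sender_access(session["sender"], config["maps"][arg])
            if action == "OK":
                return "PERMIT", restriction
            if action == "REJECT":
                return "REJECT", restriction
        elif name == "reject_unauth_destination":
            # Relaying is authorized only to domains this server is responsible for.
            if rcpt_domain not in config["mydestination"] | config["relay_domains"]:
                return "REJECT", restriction
        elif name == "reject":
            return "REJECT", restriction
        elif name == "permit":
            return "PERMIT", restriction
        else:
            raise ValueError(f"restriction not modelled: {name}")
    return "PERMIT", "end of list"


def compare():
    """Decision per session under the posted list and under the default list."""
    return {
        label: {"posted": evaluate(POSTED_LIST, s)[0],
                "default": evaluate(DEFAULT_LIST, s)[0]}
        for label, s in SESSIONS.items()
    }


if __name__ == "__main__":
    for label, result in compare().items():
        print(f"{label:24s} posted={result['posted']:6s} default={result['default']}")
```

The outsider forging a meudominio.com.br sender is permitted by the posted list (relayed to example.net) and rejected by the default list; the local client is permitted by both.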