Hello,

On 19/01/2012 08:39, bsd wrote:
> On 19 Jan 2012 at 02:18, Wietse Venema wrote:
>
>> bsd:
>>> I wanted to know what are the symptoms of "SSL_accept error" and
>>> "lost connection after CONNECT" ??
>> The client hangs up when Postfix expects the TLS handshake.
>>
>> There are two ways that Postfix provides TLS service. One is STARTTLS
>> mode (usually TCP port 587), and the other is TLS wrapper mode
>> (usually TCP port 465).
>>
>> Does the client connect to port 587 or to port 465? How do you know
>> that it connects to this port and not to the other one?
> ...
>
> From what I can read on netstat there is nothing listening on port 587.
> Maybe the client tries to initiate a connection on this port… but this will
> surely fail!
>
>
> newmail ~ --> netstat -an -f inet | grep LISTEN
> ...
> tcp4       0      0 8x.9x.2x6.99.465       *.*                    LISTEN
> tcp4       0      0 8x.9x.2x6.99.25        *.*                    LISTEN
> tcp4       0      0 *.993                  *.*                    LISTEN
> tcp4       0      0 *.143                  *.*                    LISTEN
> tcp4       0      0 *.110                  *.*                    LISTEN
> ...
>
> Maybe I should use STARTTLS instead of the wrapper mode?
>
> What are the pros and cons of each solution?
I'm using STARTTLS and dovecot and it works great with Thunderbird; I
haven't tested it with Apple Mail.
In this configuration the client may be set to try, or require, STARTTLS if
available.
So it first connects to the standard SMTP port (25 by default), presents
itself and then sends the STARTTLS command if the server capability list
contains it, like below.

#telnet 127.0.0.1 25
Trying 127.0.0.1 ...
...
220 server.com
EHLO toto.eu
...
250-STARTTLS
...
The client asks to open an SSL/TLS channel on the same port (there is a
technical name for this, I just don't remember what it is) before
sending any other SMTP command.

In wrapper mode the client is configured to connect directly on port 465 (by
default) in SSL mode, "like" HTTPS.
Then it talks with the smtpd process.

STARTTLS was implemented after the SSL port (wrapper mode).

Somebody will correct me if I am wrong.

I think this is a client misconfiguration (Certificate Authority or type
of port, SSL/STARTTLS mode) or incompatibility.
Do you use your own certificate authority, or is your smtpd certificate
signed by some kind of "official" CA?
> Can I provide both with the same auth backend mechanism (I use dovecot)?
>
Dovecot uses a "socket" file which the postfix process uses to check whether
credentials are valid or not.
Just as many mysql clients on localhost can connect to the same server through
the server socket, many postfix processes can ask Dovecot.
So it should work.
Be careful about the socket file owner and permissions.

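As an added example, not part of this thread nor code from Postfix or Dovecot, here is a small Python probe for the two modes discussed above. Right after TCP connect, a plaintext port sends a 220 banner and TLS can only be negotiated later via STARTTLS, whereas a wrapper-mode port stays silent because it is waiting for the client's TLS ClientHello; a client that waits for a banner on such a port hangs and eventually disconnects, which the server side sees as a failed TLS accept. The host names, the port list in the main block and the sample EHLO reply are constructed; `parse_ehlo_reply`, `classify_greeting`, `read_reply` and `probe_port` are this example's own helper names.

```python
"""Probe which TLS mode an SMTP port speaks and parse EHLO capabilities.

Added diagnostic example; hosts, ports and the sample reply are constructed.
"""
import re
import socket
import ssl

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

# Constructed sample of a Postfix-style EHLO reply; not captured from a real host.
SAMPLE_EHLO = (
    "250-mail.example\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo_reply(text: str) -> dict:
    """Turn a multi-line 250 EHLO reply into {KEYWORD: [parameters]}.

    The first 250 line carries the server's domain, not a capability, so it is
    skipped.  Raises ValueError on a non-250 reply or a malformed line.
    """
    caps = {}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        m = REPLY_LINE.match(line)
        if not m:
            raise ValueError(f"malformed reply line: {line!r}")
        code, _sep, body = m.groups()
        if code != "250":
            raise ValueError(f"EHLO rejected: {line}")
        if i == 0:
            continue  # "250-mail.example" greeting line, not a capability
        words = body.split()
        if words:
            caps[words[0].upper()] = words[1:]
    return caps


def supports_starttls(ehlo_text: str) -> bool:
    """True if the EHLO capability list advertises STARTTLS."""
    return "STARTTLS" in parse_ehlo_reply(ehlo_text)


def classify_greeting(first_bytes):
    """Classify a port from what the server sends (or withholds) after connect.

    None (timeout, nothing sent) -> "wrapper": the server waits for a ClientHello.
    A 220 banner -> "plain": plaintext SMTP; TLS only via STARTTLS later.
    Anything else -> "unknown": not behaving like an SMTP service.
    """
    if first_bytes is None:
        return "wrapper"
    if first_bytes.startswith(b"220"):
        return "plain"
    return "unknown"


def read_reply(sock) -> str:
    """Read one SMTP reply; the last line has a space after the 3-digit code."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
        lines = buf.decode("ascii", "replace").splitlines()
        if lines and len(lines[-1]) >= 4 and lines[-1][3] == " " and buf.endswith(b"\r\n"):
            break
    return buf.decode("ascii", "replace")


def probe_port(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect to host:port and report which mode it speaks (live network call)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            banner = sock.recv(512)
        except socket.timeout:
            banner = None  # silence: the server is waiting for a TLS ClientHello
        mode = classify_greeting(banner)
        if mode == "plain":
            sock.sendall(b"EHLO probe.invalid\r\n")
            reply = read_reply(sock)
            sock.sendall(b"QUIT\r\n")
            return "plain, STARTTLS offered" if supports_starttls(reply) else "plain, no STARTTLS"
        if mode == "wrapper":
            ctx = ssl.create_default_context()  # verifies against the local CA store
            try:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    tls_banner = tls.recv(512)
                    tls.sendall(b"QUIT\r\n")
                return "wrapper, certificate trusted" if tls_banner.startswith(b"220") else "wrapper, odd greeting"
            except ssl.SSLCertVerificationError as exc:
                # Same failure a client sees when the server uses a private CA it does not trust.
                return f"wrapper, certificate NOT trusted by this client ({exc.reason})"
        return mode


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # constructed default
    for p in (25, 587, 465):
        try:
            print(f"{target}:{p} -> {probe_port(target, p)}")
        except OSError as exc:
            print(f"{target}:{p} -> not reachable ({exc})")
```

Run it against your own server to confirm that 465 answers as wrapper mode and 25 or 587 as plaintext with STARTTLS offered; a "certificate NOT trusted" verdict on 465 points at the private-CA problem raised in the reply, while a client configured for STARTTLS on 465 will see exactly the silent-then-disconnect behaviour that `classify_greeting` labels "wrapper".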