Postfix TLS

Having a problem on a clean install of CentOS 5.4 with VMin loaded.

Followed the documentation in the documentation section, but it only seems to activate TLS on mail inbound to the server. It doesn't activate outbound STARTTLS.

Verified that maillog shows no errors or warnings

I did some Google searches and added these lines that were mentioned in the CentOS wiki:

smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_tls_key_file = /etc/pki/tls/private/mail.domain.key
smtp_tls_cert_file = /etc/pki/tls/certs/mail.domain.crt

Still to no resolve.
The server still doesn't offer STARTTLS first before sending.

And you tested it with…

openssl s_client -starttls smtp -connect 127.0.0.1:25

When I issue the s_client connect command all goes properly, no errors. Certs pass properly.

If I am correct this would only test inbound connections. My problem is with outbound.

Outbound SMTP is controlled by the receiving mail server; if the receiving SMTP server doesn't support it, it won't ask for it.

The only way to know is by looking at the headers or mail logs from the server that accepted the email.

If inbound is testing ok then outbound will as well. There isn’t any other answer to this.
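The "look at the mail logs" check mentioned above can be done systematically. The following is an added example, not code from the thread or from Postfix: it pairs each outbound delivery line written by Postfix's smtp(8) client with the TLS handshake line the same process logged just before it, so you can see per recipient whether the session was encrypted, stayed plaintext, or failed because STARTTLS was required by one side and not used. It relies on the log messages Postfix emits with smtp_tls_loglevel >= 1 ("... TLS connection established to ...") and smtp_tls_note_starttls_offer = yes ("Host offered STARTTLS: [...]"). The sample maillog lines, hosts, addresses and queue IDs are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample lines in the shape Postfix's smtp(8) client writes to maillog
# when smtp_tls_loglevel >= 1 and smtp_tls_note_starttls_offer = yes. Hosts,
# addresses and queue IDs are made up for this example.
SAMPLE_MAILLOG = """\
Dec  1 10:00:01 mail postfix/smtp[2101]: Untrusted TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Dec  1 10:00:01 mail postfix/smtp[2101]: 3A2B1C4D5E: to=<alice@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=0.6, delays=0.1/0.01/0.3/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9F8E7D)
Dec  1 10:00:05 mail postfix/smtp[2102]: Host offered STARTTLS: [mx.example.org]
Dec  1 10:00:05 mail postfix/smtp[2102]: 4B3C2D5E6F: to=<bob@example.org>, relay=mx.example.org[192.0.2.20]:25, delay=0.4, delays=0.1/0.01/0.1/0.2, dsn=2.0.0, status=sent (250 OK)
Dec  1 10:00:09 mail postfix/smtp[2103]: 5C4D3E6F7A: to=<carol@example.com>, relay=mx.example.com[192.0.2.30]:25, delay=0.3, delays=0.1/0.01/0.1/0.1, dsn=5.5.1, status=bounced (host mx.example.com[192.0.2.30] said: 530 Must issue STARTTLS (in reply to RCPT TO command))
Dec  1 10:00:12 mail postfix/smtp[2104]: 6D5E4F7A8B: to=<dave@example.edu>, relay=mx.example.edu[192.0.2.40]:25, delay=0.2, delays=0.1/0.01/0.1/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host mx.example.edu[192.0.2.40])
"""

# One smtp(8) process logs the TLS handshake first, then the delivery result(s)
# sent over that connection; the pid ties the two lines together.
PROCESS_RE = re.compile(r"postfix/smtp\[(?P<pid>\d+)\]: (?P<msg>.*)$")
TLS_RE = re.compile(
    r"^(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(?P<relay>\S+):\d+: (?P<proto>\S+) with cipher (?P<cipher>\S+)")
OFFER_RE = re.compile(r"^Host offered STARTTLS: \[(?P<host>[^\]]+)\]")
DELIVERY_RE = re.compile(
    r"^(?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, relay=(?P<relay>\S+):\d+, "
    r".*status=(?P<status>\w+) \((?P<detail>.*)\)$")


@dataclass
class Delivery:
    queue_id: str
    recipient: str
    relay: str
    status: str
    tls: Optional[str]  # "<trust> <protocol> <cipher>", or None when the session was plaintext
    note: str


def classify(tls: Optional[str], detail: str, offered: bool) -> str:
    """Explain in one line what the log says about TLS for this delivery."""
    if tls:
        return "delivered over TLS"
    if "Must issue STARTTLS" in detail:
        return "remote requires STARTTLS but our client never sent it"
    if "TLS is required, but was not offered" in detail:
        return "our policy requires TLS but remote did not offer STARTTLS"
    if offered:
        return "remote offered STARTTLS but session stayed plaintext"
    return "plaintext delivery"


def analyse_maillog(text: str) -> List[Delivery]:
    """Pair each outbound delivery line with the TLS handshake (if any) logged by the same smtp process."""
    tls_by_conn: Dict[Tuple[str, str], str] = {}  # (pid, relay) -> handshake summary
    offered_by_pid: Dict[str, Set[str]] = {}      # pid -> hostnames that advertised STARTTLS
    deliveries: List[Delivery] = []
    for line in text.splitlines():
        m = PROCESS_RE.search(line)
        if not m:
            continue  # not an smtp(8) client line (smtpd, qmgr, cleanup, ...)
        pid, msg = m.group("pid"), m.group("msg")
        t = TLS_RE.match(msg)
        o = OFFER_RE.match(msg)
        d = DELIVERY_RE.match(msg)
        if t:
            tls_by_conn[(pid, t.group("relay"))] = f"{t.group('trust')} {t.group('proto')} {t.group('cipher')}"
        elif o:
            offered_by_pid.setdefault(pid, set()).add(o.group("host"))
        elif d:
            relay = d.group("relay")
            host = relay.split("[", 1)[0]  # "mx.example.org[192.0.2.20]" -> "mx.example.org"
            tls = tls_by_conn.get((pid, relay))
            note = classify(tls, d.group("detail"), host in offered_by_pid.get(pid, set()))
            deliveries.append(Delivery(d.group("qid"), d.group("rcpt"), relay, d.group("status"), tls, note))
    return deliveries


def summarize(deliveries: List[Delivery]) -> Dict[str, int]:
    """Count deliveries by outcome: encrypted, plaintext, or not delivered at all."""
    counts = {"tls": 0, "plaintext": 0, "not_delivered": 0}
    for d in deliveries:
        if d.status != "sent":
            counts["not_delivered"] += 1
        elif d.tls:
            counts["tls"] += 1
        else:
            counts["plaintext"] += 1
    return counts


if __name__ == "__main__":
    results = analyse_maillog(SAMPLE_MAILLOG)
    for r in results:
        print(f"{r.queue_id} {r.recipient:<20} {r.status:<9} {r.tls or 'plaintext':<40} {r.note}")
    print(summarize(results))
```

Point it at a real file with `analyse_maillog(open("/var/log/maillog").read())`. A delivery that shows up as "remote offered STARTTLS but session stayed plaintext" is the case the original poster describes: the remote advertised STARTTLS and the client did not use it, which points at the local smtp_tls_* configuration rather than at the receiving server.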

I have two servers that I have tested with that I will require TLS for, but neither issues the STARTTLS command.
One requires TLS to connect and fails with an error saying STARTTLS not sent and disconnects.
The other receives mail but always goes non-TLS. That server receives TLS mail from other servers daily.

It should… you didn’t break your config ? Any errors in the mail.err ?

Only errors in maillog are the ones I see for the server that required TLS

“TLS required but not offered by server”

The TLS is not being offered. Check your config again.

This is the exact error:
(host asdfasdf.com[*********] said: 530 Must issue STARTTLS (in reply to RCPT TO command))

Here are the main.cf additions

smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_tls_cert_file = /etc/pki/tls/certs/certname.crt
smtpd_tls_key_file = /etc/pki/tls/private/keyname.key
smtpd_tls_security_level = encrypt
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_tls_key_file = /etc/pki/tls/private/keyname.key
smtp_tls_cert_file = /etc/pki/tls/certs/certname.crt

exact clip from maillog

duplicate post

I think you are missing:

smtpd_use_tls = yes
smtpd_tls_received_header = yes

smtpd_use_tls = yes and smtp_use_tls = yes
have been replaced with
smtpd_tls_security_level = encrypt (encrypt = forced tls)
smtp_tls_security_level = may (may = when available)

I added the
smtpd_tls_received_header = yes

Sent a test message and the errors show the same.
It's almost like Postfix is never probing the second server to see what protocols can be used.

Don’t know then… Ask the postfix people.

thanks for your help

Just found this and tested the instructions… they worked for me.

http://wiki.redwall-firewall.com/index.php/Implementing_Upstream_SMTP_Authentication_for_Postfix#Setting_Postfix_to_use_TLS-based_sessions

This is my TLS/SSL section and it works… if yours doesn’t then something is broken or the sending server is not sending the STARTTLS command.

smtpd_tls_cert_file=/etc/ssl/certs/roddenberry-cert.pem
smtpd_tls_key_file=/etc/ssl/private/roddenberry-key.pem
smtp_tls_CAfile = /etc/postfix/tls/Equifax.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_tls_session_cache_timeout = 3600s
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_security_options
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_cipherlist = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
smtp_tls_cipherlist = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
smtpd_tls_mandatory_ciphers = medium
tls_random_source = dev:/dev/urandom
smtp_tls_loglevel = 2

Hi bbranham,

As you’re aware, you’ll have to test against a server which you are certain(*) accepts, or requires, TLS.

Try setting your smtp client configuration smtp_tls_security_level from ‘may’ to ‘encrypt’ for debugging this.

Use smtp_tls_loglevel = 2
Use smtp_tls_note_starttls_offer = yes

Check your other smtp_tls_* parameters aren’t inducing your trouble.

Maybe add the target server to your debug_peer_list and adjust debug_peer_level up as necessary in order to learn from your logfile.

Verify that your cert and key files exist, though the debug logs should disclose this for you.
postconf | egrep "smtpd*_tls_(cert|key).*file"
smtp_tls_cert_file = $smtpd_tls_cert_file
smtp_tls_key_file = $smtpd_tls_key_file
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key

See the TLS_README file

(*)if you need something to verify that your remote smtpd server uses or requires TLS, install and use the ‘swaks’ package|utility.

Be patient and alert :)
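The checks in this reply (the smtp_tls_security_level setting, the other smtp_tls_* parameters, $parameter indirection like the postconf output above, and whether the cert and key files actually exist) can be scripted. The following is an added example, not code from the thread or from Postfix itself: it reads `postconf -n` style "name = value" output passed in as text, expands $name and ${name} references the way main.cf does, and reports what the client-side TLS settings will do. The sample configuration is constructed from the settings quoted in this thread; the `exists` argument is injectable so the audit can run offline, and the audit_smtp_tls helper and its finding texts are this example's own.

```python
import os
import re
import sys
from typing import Callable, Dict, List, Tuple

# Constructed sample in the 'name = value' shape printed by `postconf -n`, modelled on
# the settings quoted in this thread; paths and values are made up for the example.
SAMPLE_POSTCONF = """\
queue_directory = /var/spool/postfix
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_tls_loglevel = 2
smtp_tls_cert_file = $smtpd_tls_cert_file
smtp_tls_key_file = $smtpd_tls_key_file
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_tls_cert_file = /etc/pki/tls/certs/certname.crt
smtpd_tls_key_file = /etc/pki/tls/private/keyname.key
smtpd_tls_security_level = encrypt
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
"""

VAR_RE = re.compile(r"\$\{?(\w+)\}?")  # $name or ${name}
Finding = Tuple[str, str]               # (severity, message)


def parse_postconf(text: str) -> Dict[str, str]:
    """Read 'name = value' lines; blank lines and comments are skipped."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def expand(params: Dict[str, str], value: str, depth: int = 0) -> str:
    """Resolve $name / ${name} references recursively, as Postfix does for main.cf values."""
    if depth > 10:
        raise ValueError("parameter reference loop")
    return VAR_RE.sub(lambda m: expand(params, params.get(m.group(1), ""), depth + 1), value)


def audit_smtp_tls(params: Dict[str, str], exists: Callable[[str], bool] = os.path.isfile) -> List[Finding]:
    """Review the smtp(8) client TLS settings; `exists` is injectable so the check can run offline."""
    findings: List[Finding] = []
    level = expand(params, params.get("smtp_tls_security_level", ""))
    if not level:
        if params.get("smtp_use_tls", "no") == "yes":
            findings.append(("info", "smtp_use_tls = yes is the legacy form of smtp_tls_security_level = may"))
            level = "may"
        else:
            findings.append(("warn", "smtp_tls_security_level unset: outbound TLS disabled, STARTTLS is never sent"))
            level = "none"
    if level == "may":
        findings.append(("info", "smtp_tls_security_level = may: opportunistic; falls back to plaintext when the remote does not offer STARTTLS"))
    elif level in ("encrypt", "verify", "secure"):
        findings.append(("info", f"smtp_tls_security_level = {level}: TLS mandatory; delivery is deferred when the remote does not offer STARTTLS"))
    elif level != "none":
        findings.append(("warn", f"unrecognised smtp_tls_security_level '{level}'"))
    # A client cert/key is optional for STARTTLS, but if configured the files must exist.
    for name in ("smtp_tls_cert_file", "smtp_tls_key_file", "smtp_tls_CAfile"):
        if name in params:
            path = expand(params, params[name])
            if not exists(path):
                findings.append(("error", f"{name} -> {path} does not exist"))
    # Any SSLv2/SSLv3 token not prefixed by '!' is still enabled.
    for name in ("smtp_tls_protocols", "smtp_tls_mandatory_protocols",
                 "smtpd_tls_protocols", "smtpd_tls_mandatory_protocols"):
        if name in params:
            protos = expand(params, params[name])
            if re.search(r"(?<!!)SSLv[23]", protos):
                findings.append(("warn", f"{name} = {protos}: allows SSLv2/SSLv3"))
    try:
        loglevel = int(expand(params, params.get("smtp_tls_loglevel", "0")))
    except ValueError:
        loglevel = 0
    if loglevel < 1:
        findings.append(("info", "smtp_tls_loglevel < 1: handshakes are not logged; use 1 or 2 while debugging"))
    return findings


if __name__ == "__main__":
    # Usage: postconf -n | python3 audit_smtp_tls.py   (falls back to the sample when run interactively)
    text = SAMPLE_POSTCONF if sys.stdin.isatty() else sys.stdin.read()
    for severity, message in audit_smtp_tls(parse_postconf(text)):
        print(f"[{severity}] {message}")
```

Switching smtp_tls_security_level to "encrypt" while debugging, as suggested above, turns the silent plaintext fallback of "may" into a logged deferral, which is why the audit reports the two levels differently.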

You’ll want to make sure that the “submission” is enabled… you can do that by editing /etc/postfix/master.cf, and uncomment the lines relating to “submission”. After enabling it, you’ll need to restart Postfix.

If that doesn’t work, what error are you receiving in Thunderbird when you attempt to connect? Also, what shows up in /var/log/maillog?

Lastly, if you enable SMTPS in the master.cf, are you able to connect on port 465?

-Eric