Discussion:
Problems setting up client side tls.
j***@gmail.com
2014-11-01 11:02:56 UTC
Hello all.

I have a server (Ubuntu 14.04LTS) running postfix 2.11. Server side TLS is working fine with a StartSSL certificate.

I am trying to set up another postfix (2.9.6) on a Debian 7 to act as a client with no success.

With smtp[d]_tls_loglevel set to 4 on both sides, what I get into the log is:

client:
--clip--
Nov 1 12:50:49 ostovoima postfix/smtp[14763]: initializing the client-side TLS engine
Nov 1 12:55:49 ostovoima postfix/smtp[14763]: E972128A2: to=<XXXXXX>, orig_to=<root>, relay=192.26.111.22[192.26.111.22]:587, delay=154890, delays=154590/0.12/300/0, dsn=4.4.2, status=deferred (conversation with 192.26.111.22[192.26.111.22] timed out while receiving the initial server greeting)
--clap--

server:
--clip--
Nov 1 12:50:49 taustavoima postfix/smtpd[7530]: initializing the server-side TLS engine
Nov 1 12:50:49 taustavoima postfix/smtpd[7530]: connect from ip-hml-567385-18.dhcp.inet.fi[86.115.133.18]
Nov 1 12:50:49 taustavoima postfix/smtpd[7530]: setting up TLS connection from ip-hml-567385-18.dhcp.inet.fi[86.115.133.18]
Nov 1 12:50:49 taustavoima postfix/smtpd[7530]: ip-hml-567385-18.dhcp.inet.fi[86.115.133.18]: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
Nov 1 12:50:49 taustavoima postfix/smtpd[7530]: SSL_accept:before/accept initialization
Nov 1 12:50:49 taustavoima postfix/smtpd[7530]: read from 7F4DE3685B90 [7F4DE368B970] (11 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Nov 1 12:55:49 taustavoima postfix/smtpd[7530]: SSL_accept error from ip-hml-567385-18.dhcp.inet.fi[86.115.133.18]: Connection timed out
Nov 1 12:55:49 taustavoima postfix/smtpd[7530]: lost connection after CONNECT from ip-hml-567385-18.dhcp.inet.fi[86.115.133.18]
Nov 1 12:55:49 taustavoima postfix/smtpd[7530]: disconnect from ip-hml-567385-18.dhcp.inet.fi[86.115.133.18]
--clap--

I can connect with openssl:
--clip--
***@ostovoima:~$ openssl s_client -CApath /etc/ssl/certs -connect 192.26.111.22:587
...
Start Time: 1414839452
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
220 taustavoima.kivela.net ESMTP Postfix
EHLO ostovoima.kivela.net
250-taustavoima.kivela.net
250-PIPELINING
250-SIZE 60240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
QUIT
DONE
***@ostovoima:~$
--clap--

Client configuration:
--clip--
***@ostovoima:/etc/postfix# postconf -nf
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = yes
biff = no
config_directory = /etc/postfix
html_directory = /usr/share/doc/postfix/html
inet_interfaces = loopback-only
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
mydestination = ostovoima.kivela.net, localhost.kivela.net, localhost
myhostname = ostovoima.kivela.net
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relayhost = [192.26.111.22]:submission
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 4
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
***@ostovoima:/etc/postfix#
--clap--

Server configuration:
--clip--
***@taustavoima:/etc/postfix# postconf -nf
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
biff = no
bounce_queue_lifetime = 1d
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
cyrus_sasl_config_path = /etc/postfix/sasl
daemon_directory = /usr/lib/postfix
debugger_command = PATH=/usr/bin strace -o /tmp/$process_name -p $process_id &
    sleep 5
disable_dns_lookups = no
home_mailbox = Maildir/
html_directory = /usr/share/doc/packages/postfix/html
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command = /usr/bin/procmail
mailbox_size_limit = 602400000
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maximal_queue_lifetime = 14d
message_size_limit = 60240000
mydestination = $myhostname, localhost.$mydomain, $mydomain, jaska.iki.fi,
    varilo.fi, caladan.fi, mixijobi.fi, kantti.org, hgsjk.fi
mydomain = kivela.net
myhostname = taustavoima.kivela.net
mynetworks = 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
owner_request_special = no
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix/README_FILES
recipient_delimiter = +
relay_domains = /etc/postfix/relay_domains
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = permit_mynetworks
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
    reject_unauth_destination
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks,
    reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_sender_restrictions = permit_mynetworks, reject_unknown_sender_domain,
    reject_non_fqdn_sender
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /usr/lib/courier/imapd.pem
smtpd_tls_key_file = /usr/lib/courier/imapd.pem
smtpd_tls_loglevel = 4
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual,
    hash:/var/lib/mailman/data/virtual-mailman
***@taustavoima:/etc/postfix#
--clap--


What is going on here?
Jaska Kivelä
2014-11-01 11:44:36 UTC
Changed
smtp_use_tls = yes
to
smtp_tls_security_level = encrypt
on the client side.

Does not help.
Burkhard Ott
2014-11-01 16:14:03 UTC
Post by j***@gmail.com
Hello all.
I have a server (Ubuntu 14.04LTS) running postfix 2.11. Server side TLS
is working fine with a StartSSL certificate.
I am trying to set up another postfix (2.9.6) on a Debian 7 to act as a
client with no success.
Why are you using submission, port 465 for ssl only exists, besides the
fact that you also can enforce it on port 25.

Looks to me like your connections time out, your client postfix is not
using ssl while the server is expecting it. Otherwise you'd see the
algorithm used on the server side (check with tcpdump on the server if
you see the ssl handshake).

cheers
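The stalemate Burkhard describes can be reproduced without two real Postfix instances. The following is an added example, not code from this thread or from Postfix: a toy loopback listener stands in for smtpd, either greeting immediately (what a STARTTLS submission service does) or staying silent while it waits for a TLS ClientHello (what smtpd does with smtpd_tls_wrappermode=yes). The probe behaves like a STARTTLS client and waits for the 220 greeting before sending anything. With the real daemons this mutual wait lasts until the 300 s timeout seen in the logs; here the probe timeout is short. The greeting text and port are constructed for the example.

```python
"""Reproduce the STARTTLS-client vs. wrappermode-server deadlock.

Added example (not from the thread or from Postfix). The toy server below
only models who speaks first on the TCP connection; it does not do TLS.
"""
import socket
import threading

# Constructed greeting; a real smtpd sends "220 <hostname> ESMTP Postfix".
GREETING = b"220 toy.example ESMTP (constructed test server)\r\n"


def start_toy_smtpd(mode):
    """Listen on an ephemeral loopback port and return (port, listening_socket).

    mode == "starttls": send the greeting at once, as a submission service should.
    mode == "wrapper":  send nothing and wait for the client to speak first,
                        as smtpd does when smtpd_tls_wrappermode=yes.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listening socket was closed; stop the thread
            with conn:
                if mode == "starttls":
                    conn.sendall(GREETING)
                # In both modes the server now waits for client data. In
                # "wrapper" mode this is the SSL_accept read that the thread's
                # server log shows returning -1 until the connection times out.
                conn.settimeout(2)
                try:
                    conn.recv(1024)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def probe_greeting(host, port, timeout=0.5):
    """Connect and wait for a 220 greeting the way a STARTTLS client does.

    Returns "greeting"   if the server speaks first (STARTTLS-style service),
            "silent"     if nothing arrives before the timeout (the symptom in
                         the thread: client waits for a banner, server waits
                         for a TLS handshake),
            "unexpected" for anything else (e.g. an immediate close).
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(512)
        except socket.timeout:
            return "silent"
    if data.startswith(b"220"):
        return "greeting"
    return "unexpected"


if __name__ == "__main__":
    for mode in ("starttls", "wrapper"):
        port, srv = start_toy_smtpd(mode)
        print(f"server mode={mode:8s} -> client sees: {probe_greeting('127.0.0.1', port)}")
        srv.close()
```

Against a real host the same probe (with a longer timeout) tells you in a few seconds whether a port greets first or waits, which is the question the tcpdump advice above answers at the packet level.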
Jaska Kivelä
2014-11-01 19:07:32 UTC
Post by Burkhard Ott
Why are you using submission, port 465 for ssl only exists, besides the
fact that you also can enforce it on port 25.
Using
relayhost = [192.26.111.22]:465
leads to:
--clip--
Nov 1 20:29:52 ostovoima postfix/smtp[30644]: CLIENT wrappermode (port smtps/465) is unimplemented
Nov 1 20:29:52 ostovoima postfix/smtp[30644]: instead, send to (port submission/587) with STARTTLS
--clap--

I cannot use port 25, as that is blocked in all consumer networks in Finland.
(I can only connect to my operator's relays, nothing else).
Post by Burkhard Ott
Looks to me like your connections time out, your client postfix is not
using ssl while the server is expecting it. Otherwise you'd see the
algorithm used on the server side (check with tcpdump on the server if
you see the ssl handshake).
tcpdump reveals that there is absolutely no data moving between the server and client. I get a three-way handshake with Len=0 packets, then five minutes pause
and a FIN sequence with Len=0 packets.
Burkhard Ott
2014-11-01 19:27:12 UTC
Post by j***@gmail.com
Post by Burkhard Ott
Why are you using submission, port 465 for ssl only exists, besides the
fact that you also can enforce it on port 25.
--clip--
Nov 1 20:29:52 ostovoima postfix/smtp[30644]: CLIENT wrappermode (port smtps/465) is unimplemented
Nov 1 20:29:52 ostovoima postfix/smtp[30644]: instead, send to (port submission/587) with STARTTLS
--clap--
I cannot use port 25, as that is blocked in all consumer networks in Finland.
(I can only connect to my operator's relays, nothing else).
Post by Burkhard Ott
Looks to me like your connections time out, your client postfix is not
using ssl while the server is expecting it. Otherwise you'd see the
algorithm used on the server side (check with tcpdump on the server if
you see the ssl handshake).
tcpdump reveals that there is absolutely no data moving between the
server and client. I get a three-way handshake with Len=0 packets, then
five minutes pause and a FIN sequence with Len=0 packets.
Are you sure you have setup ssl on the submission port, check your
master.cf.
After the tcp handshake it's waiting on ssl, you should use 465 for ssl
connections.

What did you setup in master.cf for smtps?

cheers
Jaska Kivelä
2014-11-01 19:30:10 UTC
Post by Burkhard Ott
What did you setup in master.cf for smtps?
submission inet n - - - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_wrappermode=yes
  -o smtpd_enforce_tls=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps inet n - - - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
Jaska Kivelä
2014-11-01 19:44:04 UTC
Post by Jaska Kivelä
Post by Burkhard Ott
What did you setup in master.cf for smtps?
submission inet n - - - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_wrappermode=yes
  -o smtpd_enforce_tls=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps inet n - - - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
OK, there's the problem. Have to disable wrappermode for submission.
Thanks for pointing me into the right direction.
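The root cause found above is easy to catch before deployment. The following is an added example, not code from this thread or from Postfix: a small master.cf checker that parses service entries (continuation lines begin with whitespace, as in master(5)), collects the `-o key=value` overrides, and flags `smtpd_tls_wrappermode=yes` on the `submission` service, where STARTTLS clients expect a greeting first, while accepting it on `smtps`. The sample master.cf is constructed from the entries posted in the thread; the mention of `smtpd_tls_security_level=encrypt` is the current name for what the obsolete `smtpd_enforce_tls=yes` override does.

```python
"""Lint master.cf for wrappermode on the STARTTLS submission port.

Added example, not from the thread or from Postfix.
"""
import shlex

# Constructed sample, following the poster's master.cf before the fix.
SAMPLE_MASTER_CF = """\
# service type private unpriv chroot wakeup maxproc command + args
smtp       inet  n       -       -       -       -       smtpd
submission inet  n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_wrappermode=yes
  -o smtpd_enforce_tls=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps      inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""


def parse_master_cf(text):
    """Return {service: {"type": ..., "command": ..., "overrides": {...}}}.

    Blank and '#' lines are skipped; a line starting with whitespace continues
    the previous service entry.  Only the -o key=value overrides are extracted
    from the command arguments; other arguments are ignored.
    """
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())

    services = {}
    for entry in entries:
        fields = shlex.split(entry)
        if len(fields) < 8:
            continue  # not a complete service line
        name, stype, args = fields[0], fields[1], fields[7:]
        overrides = {}
        i = 1  # args[0] is the daemon name (e.g. smtpd)
        while i < len(args):
            if args[i] == "-o" and i + 1 < len(args) and "=" in args[i + 1]:
                key, value = args[i + 1].split("=", 1)
                overrides[key] = value
                i += 2
            else:
                i += 1
        services[name] = {"type": stype, "command": args[0], "overrides": overrides}
    return services


def check_wrappermode(services):
    """Return a list of human-readable findings (empty means no problem)."""
    findings = []
    for name, svc in services.items():
        wrapper = svc["overrides"].get("smtpd_tls_wrappermode", "no")
        if name == "submission" and wrapper == "yes":
            findings.append(
                "submission: smtpd_tls_wrappermode=yes makes smtpd wait for a TLS "
                "handshake, but STARTTLS clients wait for the 220 greeting first; "
                "drop the override (mandatory TLS is smtpd_tls_security_level=encrypt)"
            )
        if name == "smtps" and wrapper != "yes":
            findings.append("smtps: implicit-TLS port without smtpd_tls_wrappermode=yes")
    return findings


def remove_submission_wrappermode(text):
    """Return master.cf text with the wrappermode override removed from submission."""
    out, in_submission = [], False
    for raw in text.splitlines():
        if raw and not raw[0].isspace() and not raw.lstrip().startswith("#"):
            in_submission = raw.split()[0] == "submission"
        if in_submission and raw.split() == ["-o", "smtpd_tls_wrappermode=yes"]:
            continue
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in check_wrappermode(parse_master_cf(SAMPLE_MASTER_CF)):
        print("FINDING:", finding)
    fixed = remove_submission_wrappermode(SAMPLE_MASTER_CF)
    print("after fix:", check_wrappermode(parse_master_cf(fixed)) or "clean")
```

Run it against /etc/postfix/master.cf by reading the file into `parse_master_cf`; the same parser can be extended to other per-service override checks.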
Burkhard Ott
2014-11-01 20:17:10 UTC
Post by Jaska Kivelä
Post by Jaska Kivelä
Post by Burkhard Ott
What did you setup in master.cf for smtps?
submission inet n - - - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_wrappermode=yes
  -o smtpd_enforce_tls=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps inet n - - - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
OK, there's the problem. Have to disable wrappermode for submission.
Thanks for pointing me into the right direction.
That was what I was looking for. I suppose it's working now.

cheers
Jaska Kivelä
2014-11-01 20:20:16 UTC
Post by Burkhard Ott
That was what I was looking for. I suppose it's working now.
Yes, it is working now.
Thanks.