Re: TLS Problems (was: Compiling 101 for Dummies)

From: /dev/rob0 (rob0gmx.co.uk)
Date: Tue Jul 25 2006 - 20:19:25 CDT


On Tuesday 25 July 2006 19:49, Rick Zeman wrote:
> > small step for you guys, but it's huge for me. Tomorrow, I get to
> > do the certs, but I've already done all that with Postfix so I'm in
> > the clear.
>
> I can't believe I believe I said that.

Relax, you're almost there.

> I LITERALLY did a cut and paste job from Wietze's
> http://www.postfix.org/TLS_README.html#quick-start and neither smtp
> or smtpd are working now, though Postfix does have port 25 open, but
> I can't even ehlo after telnetting, either to localhost or from
> remotely.
>
> # netstat -pantu | grep :25
> tcp 0 0 192.168.1.1:25 0.0.0.0:*
> LISTEN 1

You're only listening on 192.168.1.1 ?

> The logs (at least at the default log level) report no errors when
> Postfix starts up:

Does your OS have more than one place for mail.* logs? Look in
/etc/syslog.conf .

> However, mail won't go in or out. Looking at the mailq:
> A9F1319E 290 Tue Jul 25 20:12:42 rzemanpointyears.net
> (Cannot start TLS: handshake
> failure) fooexample.com
>
> Looking at the logs:
>
> Jul 25 20:37:15 tux postfix/qmgr[17529]: 833951AF:
> to=<rzemanpointyears.net>, relay=none, delay=0, status=deferred
> (delivery temporarily suspended: Cannot start TLS: handshake failure)
> Jul 25 20:38:12 tux postfix/smtpd[17563]: SSL_accept error from
> localhost[127.0.0.1]: -1
> Jul 25 20:38:12 tux postfix/smtpd[17563]: lost connection after
> STARTTLS from localhost[127.0.0.1]

Trying to use TLS with the content_filter? Why?

> Any suggestions? Tnx.
>
>
> # postconf -n
> alias_database = hash:/etc/postfix/aliases
> alias_maps = hash:/etc/postfix/aliases,
>   hash:/var/lib/mailman/data/aliases
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> content_filter = smtp:127.0.0.1:10025

Perhaps this doesn't support TLS. TLS to localhost is wasteful, not
needed anyway.

> daemon_directory = /usr/lib/postfix
> debug_peer_level = 2
> delay_warning_time = 4
> disable_vrfy_command = yes
> html_directory = /usr/share/doc/postfix-2.1.1/html

You might want to change that to a version-neutral name. This *is*
Postfix 2.3, no?

> inet_interfaces = $myhostname, localhost

Any reason why you don't want the default setting for this?

> mail_owner = postfix
> mail_spool_directory = /var/spool/mail
> mailbox_command = /usr/bin/procmail -Y -a $DOMAIN

Unless you're using procmail in some way, you should remove that. At
home I use procmail, but I'm the only user who does, so I invoke it
from my ~/.forward file.

> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> maximal_queue_lifetime = 3d

3 days?

> message_size_limit = 20480000
> mydestination = pointyears.net,tux.pointyears.net
> mynetworks_style = subnet
> myorigin = $mydomain
> newaliases_path = /usr/bin/newaliases.postfix
> owner_request_special = no
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.1.1/README_FILES
> recipient_delimiter = -
> sample_directory = /usr/share/doc/postfix-2.1.1/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtp_tls_CAfile = /etc/postfix/cacert.pem
> smtp_tls_session_cache_database =
> btree:/var/spool/postfix/smtp_tls_session_cache
> smtp_use_tls = yes
> smtpd_banner = tux.pointyears.net ESMTP: $mail_name $mail_version
> smtpd_client_restrictions = permit_mynetworks
> reject_rbl_client sbl-xbl.spamhaus.org reject_rbl_client
> list.dsbl.org
> permit
> smtpd_hard_error_limit = 12
> smtpd_helo_required = yes
> smtpd_helo_restrictions = reject_invalid_hostname, permit
> smtpd_recipient_restrictions = permit_mynetworks
> reject_unauth_destinationcheck_recipient_access
                          ^^ missing a space? This would explain it.
> hash:/etc/postfix/deniedusers reject_unverified_recipient
> check_policy_service unix:private/tumgreyspf permit

The missing space would be logged as a fatal error.

> smtpd_tls_CAfile = /etc/postfix/cacert.pem
> smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
> smtpd_tls_key_file = /etc/postfix/FOO-key.pem

Haha, indeed you *did* do a copy-and-paste job. :)

> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_database =
> btree:/var/spool/postfix/smtpd_tls_session_cache
> smtpd_use_tls = yes
> soft_bounce = no

You might want that as "yes" until things are working. :)

> tls_random_source = dev:/dev/urandom
> unknown_local_recipient_reject_code = 550
> unverified_recipient_reject_code = 550
--
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header
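Added example (not code from the thread or from Postfix): a small checker that parses `postconf -n` output and flags the things rob0 points out above, namely two restriction keywords run together without a space, the FOO-cert.pem placeholder left in from TLS_README, TLS being attempted toward a content_filter on 127.0.0.1, and soft_bounce = no while still debugging. The sample input is constructed from the quoted configuration, and KNOWN is only a subset of Postfix's restriction keywords.

```python
import re
# Constructed sample: the postconf -n output quoted above, trimmed to the
# parameters the reply comments on (not the full configuration).
SAMPLE_POSTCONF = """\
content_filter = smtp:127.0.0.1:10025
smtp_use_tls = yes
smtpd_recipient_restrictions = permit_mynetworks
  reject_unauth_destinationcheck_recipient_access
  hash:/etc/postfix/deniedusers reject_unverified_recipient
  check_policy_service unix:private/tumgreyspf permit
smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
soft_bounce = no
"""
# Restriction keywords the checker knows (a subset of Postfix's full list).
KNOWN = {"permit", "permit_mynetworks", "reject_unauth_destination",
         "check_recipient_access", "reject_unverified_recipient",
         "check_policy_service", "reject_rbl_client", "reject_invalid_hostname"}
def parse_postconf(text):
    """Parse 'name = value' lines; an indented line continues the previous value."""
    cfg, last = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\w+)\s*=\s*(.*)$", line)
        if m:
            last = m.group(1)
            cfg[last] = m.group(2).strip()
        elif last and line.strip():
            cfg[last] += " " + line.strip()
    return cfg
def fused_restrictions(value):
    """Tokens that are two known keywords run together, i.e. a missing space."""
    fused = []
    for tok in re.split(r"[,\s]+", value):
        if tok in KNOWN or ":" in tok or "." in tok:
            continue  # known keyword, or a table/service/RBL argument
        if any(tok.startswith(k) and tok[len(k):] in KNOWN for k in KNOWN):
            fused.append(tok)
    return fused
def lint(cfg):
    out = []
    for name, val in cfg.items():
        if name.endswith("_restrictions"):
            out += [f"{name}: '{t}' is two keywords missing a space" for t in fused_restrictions(val)]
        if name.startswith("smtpd_tls_") and "FOO-" in val:
            out.append(f"{name}: placeholder path {val} from TLS_README left in place")
    if cfg.get("smtp_use_tls") == "yes" and "127.0.0.1" in cfg.get("content_filter", ""):
        out.append("smtp_use_tls=yes: TLS is also attempted toward the local content_filter")
    if cfg.get("soft_bounce") == "no":
        out.append("soft_bounce=no: set to yes while debugging so rejects become deferrals")
    return out
```

Run it as `python3 check.py` with `print("\n".join(lint(parse_postconf(SAMPLE_POSTCONF))))`, or feed it the live output of `postconf -n` instead of the sample.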