Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Jona Joachim (jajhcl-club.lu)
Date: Fri Jun 08 2007 - 12:07:38 CDT
On Fri, 08 Jun 2007 11:00:33 -0500
Noel Jones <njonesmegan.vbhcs.org> wrote:
> At 06:55 AM 6/8/2007, Jona Joachim wrote:
> >On Fri, 8 Jun 2007 12:57:23 +0200
> >Patrick Ben Koetter <pstate-of-mind.de> wrote:
> > > * Jona Joachim <jajhcl-club.lu>:
> > > > > Your local server must start a TLS session before it can
> > > > > 'see' any AUTH mechanisms. As long as it doesn't do that it
> > > > > will never see any worthy mechanism.
> > > >
> > > > And how can I tell it to start a TLS session before looking for
> > > > AUTH mechanisms?
> > >
> > > Start reading here to get a basic overview:
> > >
> > > TLS Readme
> > > <http://www.postfix.org/TLS_README.html>
> > >
> > > Pay particular attention to this section:
> > >
> > > Mandatory TLS encryption
> > > <http://www.postfix.org/TLS_README.html#client_tls_encrypt>
> >I read that page before mailing to the list. I do have
> >smtp_tls_security_level = encrypt defined on my local postfix.
> >I put the main.cf files for both postfix instances online:
> >Here's what the logs say when I try to send a mail using sendmail:
> >Jun 8 13:43:53 nirvana postfix/pickup: 863F67E31: uid=1005
> >Jun 8 13:43:53 nirvana postfix/cleanup: 863F67E31:
> >Jun 8 13:43:53 nirvana postfix/qmgr: 863F67E31:
> >from=<jajnirvana.my.domain>, size=301, nrcpt=1 (queue active)
> >Jun 8 13:43:54 nirvana postfix/smtp: warning: SASL
> >authentication failure: No worthy mechs found
> >Jun 8 13:43:54 nirvana postfix/smtp: 863F67E31:
> >to=<jajhcl-club.lu>, relay=0b10111.de[188.8.131.52]:25, delay=2,
> >delays=1.5/0.03/0.54/0, dsn=4.7.0, status=deferred (SASL
> >authentication failed; cannot authenticate to server
> >0b10111.de[184.108.40.206]: no mechanism available)
> >local mail_version is 2.4.3
> >remote mail_version is 2.3.8
> "smtp_tls_security_level = may" should be sufficient to establish a
> TLS session with any server that offers TLS.
> Is the client postfix built with TLS? Does "postconf | grep tls"
> show any tls parameters?
Yes, I built postfix from source with TLS support.
"postconf | grep tls" shows a lot of TLS options.
> Is there some firewall or proxy in between that is eating the
> STARTTLS or EHLO?
> When you telnet to the server and tell it EHLO from that same client
> does it offer STARTTLS?
I use this mail server for some time now with various mail clients like
Claws Mail and Thunderbird. It works like a charm. It does offer
STARTTLS and SMTP AUTH also works fine.
It's only the smtp client of my
local postfix that doesn't want to connect to it. I assume this is
because my remote server doesn't show it's AUTH mechs in reply to EHLO.
I need to either force my local postfix to not check for AUTH mechs or
force my remote server to show AUTH mechanisms before the client has
established a TLS connection.
At least I think that this is the problem.
> You can test TLS with openssl's s_client command, which will issue
> the STARTTLS command and establish encryption, and then start a
> telnet-like interactive session. If this doesn't work, likely
> something is interfering with STARTTLS or EHLO. If so, maybe you can
> use the submission port (587) to send your mail.
> # openssl s_client -connect server:port -starttls smtp
Yes, that works. If I connect through openssl s_client it also shows
250-AUTH PLAIN LOGIN
"I am chaos. I am the substance from which your artists and scientists
build rhythms. I am the spirit with which your children and clowns
laugh in happy anarchy. I am chaos. I am alive, and tell you that you
are free." Eris, Goddess Of Chaos, Discord & Confusion