Re: SASL - No worthy mechs found

From: Jona Joachim (jajhcl-club.lu)
Date: Fri Jun 08 2007 - 12:07:38 CDT


On Fri, 08 Jun 2007 11:00:33 -0500
Noel Jones <njonesmegan.vbhcs.org> wrote:

> At 06:55 AM 6/8/2007, Jona Joachim wrote:
> >On Fri, 8 Jun 2007 12:57:23 +0200
> >Patrick Ben Koetter <pstate-of-mind.de> wrote:
> >
> > > * Jona Joachim <jajhcl-club.lu>:
> > > > > Your local server must start a TLS session before it can
> > > > > 'see' any AUTH mechanisms. As long as it doesn't do that it
> > > > > will never see any worthy mechanism.
> > > >
> > > > And how can I tell it to start a TLS session before looking for
> > > > AUTH mechanisms?
> > >
> > > Start reading here to get a basic overview:
> > >
> > > TLS Readme
> > > <http://www.postfix.org/TLS_README.html>
> > >
> > > Pay particular attention to this section:
> > >
> > > Mandatory TLS encryption
> > > <http://www.postfix.org/TLS_README.html#client_tls_encrypt>
> >
> >I read that page before mailing to the list. I do have
> >smtp_tls_security_level = encrypt defined on my local postfix.
> >
> >I put the main.cf files for both postfix instances online:
> >http://www.hcl-club.lu/~jaj/public/local.main.cf
> >http://www.hcl-club.lu/~jaj/public/remote.main.cf
> >
> >Here's what the logs say when I try to send a mail using sendmail:
> >
> >Jun 8 13:43:53 nirvana postfix/pickup[1929]: 863F67E31: uid=1005
> >from=<jaj>
> >Jun 8 13:43:53 nirvana postfix/cleanup[1932]: 863F67E31:
> >message-id=<20070608114353.863F67E31nirvana.my.domain>
> >Jun 8 13:43:53 nirvana postfix/qmgr[1928]: 863F67E31:
> >from=<jajnirvana.my.domain>, size=301, nrcpt=1 (queue active)
> >Jun 8 13:43:54 nirvana postfix/smtp[1934]: warning: SASL
> >authentication failure: No worthy mechs found
> >Jun 8 13:43:54 nirvana postfix/smtp[1934]: 863F67E31:
> >to=<jajhcl-club.lu>, relay=0b10111.de[62.75.155.129]:25, delay=2,
> >delays=1.5/0.03/0.54/0, dsn=4.7.0, status=deferred (SASL
> >authentication failed; cannot authenticate to server
> >0b10111.de[62.75.155.129]: no mechanism available)
> >
> >local mail_version is 2.4.3
> >remote mail_version is 2.3.8
>
> "smtp_tls_security_level = may" should be sufficient to establish a
> TLS session with any server that offers TLS.
> Is the client postfix built with TLS? Does "postconf | grep tls"
> show any tls parameters?

Yes, I built postfix from source with TLS support.
"postconf | grep tls" shows a lot of TLS options.

> Is there some firewall or proxy in between that is eating the
> STARTTLS or EHLO?
> When you telnet to the server and tell it EHLO from that same client
> does it offer STARTTLS?

I have been using this mail server for some time now with various mail clients like
Claws Mail and Thunderbird. It works like a charm. It does offer
STARTTLS and SMTP AUTH also works fine.
It's only the smtp client of my
local postfix that doesn't want to connect to it. I assume this is
because my remote server doesn't show its AUTH mechs in reply to EHLO.
I need to either force my local postfix to not check for AUTH mechs or
force my remote server to show AUTH mechanisms before the client has
established a TLS connection.
At least I think that this is the problem.

> You can test TLS with openssl's s_client command, which will issue
> the STARTTLS command and establish encryption, and then start a
> telnet-like interactive session. If this doesn't work, likely
> something is interfering with STARTTLS or EHLO. If so, maybe you can
> use the submission port (587) to send your mail.
> # openssl s_client -connect server:port -starttls smtp

Yes, that works. If I connect through openssl s_client it also shows
250-AUTH PLAIN LOGIN

--
"I am chaos. I am the substance from which your artists and scientists
build rhythms. I am the spirit with which your children and clowns
laugh in happy anarchy. I am chaos. I am alive, and tell you that you
are free." Eris, Goddess Of Chaos, Discord & Confusion
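The check Noel describes with openssl s_client, as an added example that is not part of the thread: this Python script sends EHLO in plaintext, then issues STARTTLS and sends EHLO again, and reports which AUTH mechanisms the server advertises in each state, so you can see directly whether "No worthy mechs found" is the client looking for AUTH before TLS is up. The hostname is a placeholder; parse_auth_mechs and classify are helpers written for this example.

```python
import smtplib
import ssl

def parse_auth_mechs(ehlo_lines):
    """Extract AUTH mechanisms from EHLO reply lines such as '250-AUTH PLAIN LOGIN'.
    Also accepts the older 'AUTH=PLAIN LOGIN' form some servers emit."""
    mechs = []
    for line in ehlo_lines:
        body = line[4:].strip() if line[:3] == "250" else line.strip()
        if body.upper().startswith("AUTH"):
            rest = body[4:].lstrip("= ")
            mechs.extend(m.upper() for m in rest.split())
    return mechs

def classify(plain_mechs, tls_mechs):
    """Summarise what an SMTP client will see depending on when it starts TLS."""
    if tls_mechs and not plain_mechs:
        return "auth_only_after_tls"    # client must STARTTLS before it can authenticate
    if plain_mechs and not tls_mechs:
        return "auth_only_without_tls"  # unusual; credentials would go over plaintext
    if not plain_mechs and not tls_mechs:
        return "no_auth"
    return "auth_always"

def probe(host, port=25, timeout=10):
    """Live check: EHLO in plaintext, then STARTTLS, then EHLO again (needs network)."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        before = s.esmtp_features.get("auth", "").split()
        ctx = ssl.create_default_context()  # verifies the server certificate
        s.starttls(context=ctx)
        s.ehlo()  # smtplib clears the feature list on STARTTLS, so re-read it
        after = s.esmtp_features.get("auth", "").split()
    return before, after, classify(before, after)

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.net"  # placeholder host
    b, a, verdict = probe(host)
    print(f"plaintext EHLO AUTH: {b or '-'}\nafter STARTTLS AUTH: {a or '-'}\n{verdict}")
```

A verdict of auth_only_after_tls is the server withholding PLAIN/LOGIN until the session is encrypted, which is the behaviour the thread describes and the reason the client must negotiate TLS before it evaluates the offered mechanisms.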