Re: port 465 problems

From: Bill Cole (postfixlists-070913billmail.scconsult.com)
Date: Thu Nov 01 2007 - 02:04:14 CDT


At 10:50 PM -0700 10/31/07, travel kid wrote:
>hello folks,
>
>i found some users having troubles since their isp's
>were blocking outbound 25. so i am attempting to get
>smtp+ssl on port 465 working.

Pure SSL+SMTP on port 465 had credibility as a standard for less than
a year about a decade ago. You should try to avoid it. Unless you
have a bunch of users with old Microsoft clients, you do not need to
participate in the misuse of port 465.

>i would appreciate some
>help on the command not found error below. would
>appreciate it.
>
>thank you
>
>
>/etc/postfix/master.cf
>smtps inet n - - - - smtpd

You appear to be missing the operative part that actually makes it do SSL:

smtps inet n - n - - smtpd
   -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes

You should really encourage your users to use port 587 instead, and
set up a proper submission service:

submission inet n - n - - smtpd
   -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes

That mandates the use of the STARTTLS command on the submission port,
which provides a little more clarity when logging all traffic.

[big snip of irrelevant log lines...]

>Nov 1 01:25:00 li10-54 postfix/smtpd[2086]: >
>dhcp-ip.isp.net[w.x.y.z]: 220 mail.foobar.com ESMTP

That's your smtpd sending the initial banner.

>Nov 1 01:25:00 li10-54 postfix/smtpd[2086]: <
>dhcp-ip.isp.net[w.x.y.z]: ?=??

That's the client sending garbage ('?=??') that it probably thought
was a reasonable start at SSL negotiation. However, you are not
talking SSL.

>Nov 1 01:25:00 li10-54 postfix/smtpd[2086]:
>match_string: ?=?? ~? CONNECT
>Nov 1 01:25:00 li10-54 postfix/smtpd[2086]:
>match_string: ?=?? ~? GET
>Nov 1 01:25:00 li10-54 postfix/smtpd[2086]:
>match_string: ?=?? ~? POST
>Nov 1 01:25:00 li10-54 postfix/smtpd[2086]:
>match_list_match: ?=??: no match

That's Postfix checking the garbage against common broken spamware
behavior of sending HTTP commands on an SMTP session. The garbage does
not match.

>Nov 1 01:25:00 li10-54 postfix/smtpd[2086]: >
>dhcp-ip.isp.net[w.x.y.z]: 502 5.5.2 Error: command not
>recognized

Even though the garbage does not match the known list of poison
strings, it still isn't a valid SMTP command.

--
Bill Cole
billscconsult.com
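A small master.cf linter for the two entries discussed in this thread, added here as an example (it is not from the original mail or from Postfix itself): it parses the service lines plus their `-o` continuation lines and reports an `smtps` entry without `smtpd_tls_wrappermode=yes`, which is what produces the `502 5.5.2 Error: command not recognized` lines quoted above, and a `submission` entry that does not mandate TLS and SASL. The sample master.cf is constructed, and the check also accepts `smtpd_tls_security_level=encrypt`, the later spelling of `smtpd_enforce_tls=yes`, which goes beyond what the reply itself shows.

```python
# Constructed master.cf excerpt: the poster's broken 'smtps' line (no wrapper
# mode) beside a 'submission' entry written the way the reply suggests.
BROKEN_MASTER_CF = """\
# service    type  private unpriv chroot wakeup maxproc command + args
smtp         inet  n       -       n       -       -       smtpd
smtps        inet  n       -       n       -       -       smtpd
submission   inet  n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
"""

def parse_master_cf(text):
    """Map service name -> {'type', 'command', 'options'}; options are the '-o name=value'
    overrides that master.cf carries on whitespace-led continuation lines."""
    entries, args = {}, {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":          # continuation of the previous service entry
            if not entries:
                raise ValueError("continuation line before any service entry")
            args[name].extend(line.split())
            continue
        fields = line.split()
        if len(fields) < 8:
            raise ValueError("malformed service line: %r" % line)
        name = fields[0]
        entries[name] = {"type": fields[1], "command": fields[7]}
        args[name] = fields[8:]
    for name, a in args.items():
        entries[name]["options"] = {v.split("=", 1)[0]: v.split("=", 1)[1]
                                    for f, v in zip(a, a[1:]) if f == "-o" and "=" in v}
    return entries

def check_services(entries):
    """Return findings (strings); an empty list means both entries look right."""
    findings = []
    smtps = entries.get("smtps")
    if smtps and smtps["options"].get("smtpd_tls_wrappermode") != "yes":
        findings.append("smtps: missing -o smtpd_tls_wrappermode=yes, so TLS-on-connect "
                        "clients get '502 5.5.2 Error: command not recognized'")
    sub = entries.get("submission")
    if sub:
        o = sub["options"]
        # Accept the old smtpd_enforce_tls=yes or its newer equivalent (assumption: either form).
        if o.get("smtpd_enforce_tls") != "yes" and o.get("smtpd_tls_security_level") != "encrypt":
            findings.append("submission: STARTTLS is not mandated")
        if o.get("smtpd_sasl_auth_enable") != "yes":
            findings.append("submission: SASL authentication is not enabled")
    return findings
```

Run `check_services(parse_master_cf(open("/etc/postfix/master.cf").read()))` against a real file; an empty list means the smtps and submission entries carry the options the reply recommends.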