TLS support

From: Alex Feldman (alexalexfeldman.org)
Date: Wed May 21 2008 - 17:34:28 CDT


OK, let me give this another try. I'm trying to follow the
instructions, which call for lots of output, so this letter is kind of
long. I have put $$ in front of my own comments to make it easy to skip
around the output. Thanks in advance.

I have installed Postfix and SASL in my Fedora 9 distribution, two
different ways. I get the same problem either way:

I believe I have SASL and TLS support compiled into Postfix. I believe this
because of both the output from saslfinger, which I will give at the end
(it is long), and from ldd, which I will paste right here (note that smtpd
is linked against libsasl2 as well as libssl/libcrypto, so both SASL and
TLS support are present in the binary):

[rootXXX ssl]# ldd /usr/libexec/postfix/smtpd
    linux-gate.so.1 => (0x0012e000)
    libldap-2.4.so.2 => /usr/lib/libldap-2.4.so.2 (0x0012f000)
    liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0x00171000)
    libpcre.so.0 => /lib/libpcre.so.0 (0x00180000)
    libmysqlclient.so.15 => /usr/lib/mysql/libmysqlclient.so.15 (0x001aa000)
    libm.so.6 => /lib/libm.so.6 (0x00310000)
    libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00339000)
    libssl.so.7 => /lib/libssl.so.7 (0x00352000)
    libcrypto.so.7 => /lib/libcrypto.so.7 (0x0039d000)
    libdl.so.2 => /lib/libdl.so.2 (0x004eb000)
    libz.so.1 => /lib/libz.so.1 (0x004f0000)
    libdb-4.6.so => /lib/libdb-4.6.so (0x00504000)
    libnsl.so.1 => /lib/libnsl.so.1 (0x0064c000)
    libresolv.so.2 => /lib/libresolv.so.2 (0x00666000)
    libc.so.6 => /lib/libc.so.6 (0x0067b000)
    libcrypt.so.1 => /lib/libcrypt.so.1 (0x007e4000)
    /lib/ld-linux.so.2 (0x00110000)
    libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00816000)
    libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00845000)
    libcom_err.so.2 => /lib/libcom_err.so.2 (0x008e5000)
    libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x008e8000)
    libpthread.so.0 => /lib/libpthread.so.0 (0x0090d000)
    libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00926000)
    libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x0092f000)
    libselinux.so.1 => /lib/libselinux.so.1 (0x00932000)

$$ I have added the lines to main.cf that were recommended in several
howtos (one at a time), including the "Getting started, quick and dirty"
TLS documentation on the Postfix site. (Note that smtpd_use_tls = yes is
the older form of smtpd_tls_security_level = may; on Postfix 2.5 the
security_level setting takes precedence, so having both is redundant
rather than harmful.) Here is the output from postconf -n:

[rootXXX ssl]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.5.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtp_tls_security_level = may
smtp_tls_session_cache_database =
btree:/var/lib/postfix/smtp_tls_session_cache
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_cert_file = /etc/postfix/ssl/alexcert.pem
smtpd_tls_key_file = /etc/postfix/ssl/alexkey.pem
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database =
btree:/var/lib/postfix/smtpd_tls_session_cache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550

$$ It is the fifth-to-last parameter, smtpd_tls_security_level = may, that
seems to break things. Without that line I can have a "normal" telnet
conversation with postfix (note that the EHLO reply offers neither
STARTTLS nor AUTH, so in this state TLS is not actually being advertised
either), viz:

[rootXXX ssl]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 XXX.org ESMTP Postfix
EHLO x.com
250-XXX.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
^]

telnet> q
Connection closed.

$$ However, with that line, I get no response at all - not even the 220
banner on the initial connection, and nothing to my EHLO request either.
A hang before the banner most likely means smtpd is failing or blocking
during TLS initialisation before it ever talks to the client (typically
on reading the key/cert files or on contacting tlsmgr), so the reason
should be in the mail log (/var/log/maillog on Fedora); running
"postfix check" to confirm file ownership and permissions is also
worthwhile:

telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
EHLO co.com
^]

telnet> quit
Connection closed.

$$ I did run saslfinger both on the client side and the server side.
The client side objected to smtp_sasl_password_maps not being in main.cf,
but that line didn't appear in the howtos I looked at. (That parameter is
only needed when Postfix itself authenticates to an upstream relay as an
SMTP client, so it is unrelated to the server-side TLS problem above.) The
server side didn't seem to object to anything, although its output lists
no smtpd_sasl_* parameters and the "mechanisms on localhost" section is
empty, which matches the EHLO reply above not advertising AUTH. One caveat
before SMTP AUTH is enabled: smtpd.conf allows only the plain and login
mechanisms, which send the password unencrypted (merely base64-encoded),
so with smtpd_tls_security_level = may this should be paired with
smtpd_tls_auth_only = yes so that AUTH is offered only after STARTTLS. I
am appending all the saslfinger output.

[rootXXX ssl]# saslfinger -c
saslfinger - postfix Cyrus sasl configuration Wed May 21 15:58:05 MDT 2008
version: 1.0.2
mode: client-side SMTP AUTH

-- basics --
Postfix: 2.5.1
System: Fedora release 9 (Sulphur)

-- smtp is linked to --
    libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00339000)

-- active SMTP AUTH and TLS parameters for smtp --
smtp_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtp_tls_security_level = may
smtp_tls_session_cache_database =
btree:/var/lib/postfix/smtp_tls_session_cache

-- listing of /usr/lib/sasl --
total 128
drwxr-xr-x 2 root root 4096 2008-05-18 16:59 .
drwxr-xr-x 166 root root 118784 2008-05-21 04:21 ..
-rw-r--r-- 1 root root 70 2008-03-12 06:21 smtpd.conf

-- listing of /usr/lib/sasl2 --
total 4140
drwxr-xr-x 2 root root 4096 2008-05-21 11:47 .
drwxr-xr-x 166 root root 118784 2008-05-21 04:21 ..
-rwxr-xr-x 1 root root 14688 2008-02-21 01:18 libanonymous.so
-rwxr-xr-x 1 root root 14688 2008-02-21 01:18 libanonymous.so.2
-rwxr-xr-x 1 root root 14688 2008-02-21 01:18 libanonymous.so.2.0.22
-rwxr-xr-x 1 root root 17276 2008-02-21 01:18 libcrammd5.so
-rwxr-xr-x 1 root root 17276 2008-02-21 01:18 libcrammd5.so.2
-rwxr-xr-x 1 root root 17276 2008-02-21 01:18 libcrammd5.so.2.0.22
-rwxr-xr-x 1 root root 47584 2008-02-21 01:18 libdigestmd5.so
-rwxr-xr-x 1 root root 47584 2008-02-21 01:18 libdigestmd5.so.2
-rwxr-xr-x 1 root root 47584 2008-02-21 01:18 libdigestmd5.so.2.0.22
-rwxr-xr-x 1 root root 27452 2008-02-21 01:18 libgssapiv2.so
-rwxr-xr-x 1 root root 27452 2008-02-21 01:18 libgssapiv2.so.2
-rwxr-xr-x 1 root root 27452 2008-02-21 01:18 libgssapiv2.so.2.0.22
-rwxr-xr-x 1 root root 14972 2008-02-21 01:18 liblogin.so
-rwxr-xr-x 1 root root 14972 2008-02-21 01:18 liblogin.so.2
-rwxr-xr-x 1 root root 14972 2008-02-21 01:18 liblogin.so.2.0.22
-rwxr-xr-x 1 root root 15100 2008-02-21 01:18 libplain.so
-rwxr-xr-x 1 root root 15100 2008-02-21 01:18 libplain.so.2
-rwxr-xr-x 1 root root 15100 2008-02-21 01:18 libplain.so.2.0.22
-rwxr-xr-x 1 root root 1213728 2008-02-21 01:18 libsasldb.so
-rwxr-xr-x 1 root root 1213728 2008-02-21 01:18 libsasldb.so.2
-rwxr-xr-x 1 root root 1213728 2008-02-21 01:18 libsasldb.so.2.0.22
-rw-r--r-- 1 root root 25 2008-03-29 06:27 Sendmail.conf
-rw-r--r-- 1 root root 49 2008-03-12 06:21 smtpd.conf

-- listing of /etc/sasl2 --
total 20
drwxr-xr-x 2 root root 4096 2008-05-18 06:11 .
drwxr-xr-x 128 root root 12288 2008-05-21 07:12 ..
-rw-r--r-- 1 root root 1161 2008-04-08 11:01 libvirt.conf

Cannot find the smtp_sasl_password_maps parameter in main.cf.
Client-side SMTP AUTH cannot work without this parameter!
[rootXXX ssl]# saslfinger -s
saslfinger - postfix Cyrus sasl configuration Wed May 21 15:58:38 MDT 2008
version: 1.0.2
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.5.1
System: Fedora release 9 (Sulphur)

-- smtpd is linked to --
    libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00339000)

-- active SMTP AUTH and TLS parameters for smtpd --
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_cert_file = /etc/postfix/ssl/alexcert.pem
smtpd_tls_key_file = /etc/postfix/ssl/alexkey.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database =
btree:/var/lib/postfix/smtpd_tls_session_cache

-- listing of /usr/lib/sasl --
total 128
drwxr-xr-x 2 root root 4096 2008-05-18 16:59 .
drwxr-xr-x 166 root root 118784 2008-05-21 04:21 ..
-rw-r--r-- 1 root root 70 2008-03-12 06:21 smtpd.conf

-- listing of /usr/lib/sasl2 --
total 4140
drwxr-xr-x 2 root root 4096 2008-05-21 11:47 .
drwxr-xr-x 166 root root 118784 2008-05-21 04:21 ..
-rwxr-xr-x 1 root root 14688 2008-02-21 01:18 libanonymous.so
-rwxr-xr-x 1 root root 14688 2008-02-21 01:18 libanonymous.so.2
-rwxr-xr-x 1 root root 14688 2008-02-21 01:18 libanonymous.so.2.0.22
-rwxr-xr-x 1 root root 17276 2008-02-21 01:18 libcrammd5.so
-rwxr-xr-x 1 root root 17276 2008-02-21 01:18 libcrammd5.so.2
-rwxr-xr-x 1 root root 17276 2008-02-21 01:18 libcrammd5.so.2.0.22
-rwxr-xr-x 1 root root 47584 2008-02-21 01:18 libdigestmd5.so
-rwxr-xr-x 1 root root 47584 2008-02-21 01:18 libdigestmd5.so.2
-rwxr-xr-x 1 root root 47584 2008-02-21 01:18 libdigestmd5.so.2.0.22
-rwxr-xr-x 1 root root 27452 2008-02-21 01:18 libgssapiv2.so
-rwxr-xr-x 1 root root 27452 2008-02-21 01:18 libgssapiv2.so.2
-rwxr-xr-x 1 root root 27452 2008-02-21 01:18 libgssapiv2.so.2.0.22
-rwxr-xr-x 1 root root 14972 2008-02-21 01:18 liblogin.so
-rwxr-xr-x 1 root root 14972 2008-02-21 01:18 liblogin.so.2
-rwxr-xr-x 1 root root 14972 2008-02-21 01:18 liblogin.so.2.0.22
-rwxr-xr-x 1 root root 15100 2008-02-21 01:18 libplain.so
-rwxr-xr-x 1 root root 15100 2008-02-21 01:18 libplain.so.2
-rwxr-xr-x 1 root root 15100 2008-02-21 01:18 libplain.so.2.0.22
-rwxr-xr-x 1 root root 1213728 2008-02-21 01:18 libsasldb.so
-rwxr-xr-x 1 root root 1213728 2008-02-21 01:18 libsasldb.so.2
-rwxr-xr-x 1 root root 1213728 2008-02-21 01:18 libsasldb.so.2.0.22
-rw-r--r-- 1 root root 25 2008-03-29 06:27 Sendmail.conf
-rw-r--r-- 1 root root 49 2008-03-12 06:21 smtpd.conf

-- listing of /etc/sasl2 --
total 20
drwxr-xr-x 2 root root 4096 2008-05-18 06:11 .
drwxr-xr-x 128 root root 12288 2008-05-21 07:12 ..
-rw-r--r-- 1 root root 1161 2008-04-08 11:01 libvirt.conf

-- content of /usr/lib/sasl/smtpd.conf --
pwcheck_method: saslauthd
mech_list: plain login
saslauthd_version: 2

-- content of /usr/lib/sasl2/smtpd.conf --
pwcheck_method: saslauthd
mech_list: plain login

-- active services in /etc/postfix/master.cf --
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
smtp inet n - n - - smtpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
    -o smtp_fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache

-- mechanisms on localhost --

-- end of saslfinger output --