NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Postfix Discussion> 2009-07

Re: TLS / SASL Help

From: Noel Jones (njonesmegan.vbhcs.org)
Date: Mon Jul 20 2009 - 12:25:34 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Carlos Williams wrote:
> I am unable to understand why I can't get TLS / SASL working on my
> Postfix server. I am using Postfix 2.3 (postfix-2.3.3-2.1.el5_2) on
> CentOS 5 x64. I followed the CentOS guide and enabled this in my
> main.cf & dovecot.conf. When I telnet into my server, I see the
> following:
> ...
> Transcript of session follows.
>
> Out: 220 mail.iamghost.com ESMTP
> In: EHLO [10.1.1.204]
> Out: 250-mail.iamghost.com
> Out: 250-PIPELINING
> Out: 250-SIZE 10240000
> Out: 250-VRFY
> Out: 250-ETRN
> Out: 250-STARTTLS
> Out: 250-ENHANCEDSTATUSCODES
> Out: 250-8BITMIME
> Out: 250 DSN
> In: STARTTLS
> Out: 454 4.3.0 TLS not available due to local problem
> In: QUIT
> Out: 221 2.0.0 Bye

Details of a problem are not divulged to outsiders, so the
transcript intentionally gives vague information.

Something broken in your config. Check your logs, postfix
probably tells you where to look further there.

>
> I don't understand. Can someone please help me understand why this is
> not working? I did notice that when I enter the below TLS settings,
> 'smtpd_tls_security_level = may' is a difference color from all the
> other entries which usually means it can't read or determine that
> value. Perhaps my Postfix version is too old to use this config for
> TLS?
>
> I am pasting an output of 'postfconf -n'
>
> [rootmail /]# postconf -n
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> content_filter = amavisfeed:[127.0.0.1]:10024
> daemon_directory = /usr/libexec/postfix
> home_mailbox = Maildir/
> html_directory = no
> inet_interfaces = all
> mail_owner = postfix
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> mydestination = $myhostname, $mydomain, mail.$mydomain
> mydomain = iamghost.com
> myhostname = mail.iamghost.com
> mynetworks = $config_directory/mynetworks
> myorigin = $mydomain
> newaliases_path = /usr/bin/newaliases.postfix
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
> relay_domains =
> sample_directory = /usr/share/doc/postfix-2.3.3/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtpd_banner = $myhostname ESMTP
> smtpd_delay_reject = yes
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks,
> reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname,
> permit

you should add permit_sasl_authenticated just after
permit_mynetworks in the above restrictions.

> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated, reject_unauth_pipelining,
> reject_non_fqdn_recipient, reject_unknown_recipient_domain,
> reject_unauth_destination, reject_unlisted_recipient,
> check_policy_service unix:postgrey/socket, check_sender_access
> hash:/etc/postfix/sender_access, reject_rbl_client
> zen.spamhaus.org, reject_rbl_client bl.spamcop.net, permit
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_path = private/auth
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_type = dovecot
> smtpd_sender_restrictions = permit_mynetworks,
> reject_non_fqdn_sender, reject_unknown_sender_domain,
> reject_unknown_reverse_client_hostname, permit

You should add permit_sasl_authenticated just after
permit_mynetworks in the above restrictions.

> smtpd_tls_CAfile = /etc/ssl/intermediate.crt
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file =
> smtpd_tls_key_file =

Not sure how postfix is supposed to do TLS without a
certificate or key file. This looks like the problem.

> smtpd_tls_loglevel = 1
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
> smtpd_tls_session_cache_timeout = 3600s
> tls_random_source = dev:/dev/urandom
> unknown_local_recipient_reject_code = 550

You can test TLS with

# openssl s_client -connect ip.add.re.ss:port -starttls smtp

after some TLS handshake garbage, you should get a
250 ...
greeting from postfix. If it gets that far, TLS is working
correctly.

-- Noel Jones

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]