Problem with using STARTTLS

K F
Hi Guys

I'm having a couple of problems.
I have the certificate configured, but I can't seem to send to the server with STARTTLS.

If I connect on port 25 with EHLO, it doesn't show that it can do starttls?

If I connect on port 587, it shows that it can do STARTTLS, but the recipient is rejected.

Some examples from the logfile, both sending with the same info:

Without TLS:
Nov 21 14:33:31 bounce postfix/lmtp[14706]: B0E8110092B71: to=<[hidden email]>, relay=bounce[private/dovecot-lmtp], delay=0.06, delays=0.05/0/0/0.01, dsn=2.0.0, status=sent (250 2.0.0 <[hidden email]> dXDgL/oqFFpzOQAAtPSY4w Saved)

With TLS
Nov 21 14:32:02 bounce postfix/submission/smtpd[14601]: NOQUEUE: reject: RCPT from alpha00021[x.x.x.x]: 554 5.7.1 <[hidden email]>: Recipient address rejected: Access denied; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<domain.dk>

This will be a public SMTP server, so there is no authentication, but it should allow STARTTLS to run anyways.

I hope somebody can tell me what I did wrong in postfix?

This is from main.cf

myhostname = bounce
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
smtpd_tls_cert_file = /etc/pki/tls/certs/star.domain.combined.pem
smtpd_tls_key_file = /etc/pki/tls/private/star.domain.dk.key
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
mynetworks = 127.0.0.0/8
Re: Problem with using STARTTLS

Matus UHLAR - fantomas
On 21.11.17 13:53, K F wrote:
>I'm having a couple of problems. I have the certificate configured, but I can't seem to be able to send to the server with STARTTLS
>If I connect on port 25 with EHLO, it doesn't show that it can do starttls?
>If I connect on port 587, it shows that it can do starttls, but the recipient is rejected.

>This will be a public SMTP server, so there is no authentication, but it should allow STARTTLS to run anyways.

port 587 is designed for authenticated SMTP, so the default configuration
won't allow sending mail unless you have authenticated.

the default configuration also enables tls on 587, while it's not enabled by
default on port 25.

set smtpd_tls_security_level=may in main.cf and you'll be able to send mail
through port 25.

note that many mailservers don't require TLS and don't verify certificates.
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!

SV: Problem with using STARTTLS

K F
In reply to this post by K F
Hi All

Thank you all for helping me out, and giving me ideas on what to look at.

The argument

smtpd_tls_security_level = may

didn't help according to openssl

openssl s_client -connect bounce:25 -starttls smtp
Loading 'screen' into random state - done
CONNECTED(00000244)
didn't found starttls in server response, try anyway...
write:errno=10053

Can the mysql queries really be affected by using or not using ssl? I don't understand how, if the connecting SMTP is not using authentication?
The Dovecot authenticates fine to the db.
The configuration is completely ripped from "Set up a mail server with PostfixAdmin and MariaDB on CentOS 7", as I couldn't get it working myself :-)


The mysql config files:
mysql_virtual_alias_domain_catchall_maps.cf
user = foouser
password = foopass
hosts = localhost
dbname = postfixadmin
query  = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('@', alias_domain.target_domain) AND alias.active = 1 AND alias_domain.active='1'

mysql_virtual_alias_domain_mailbox_maps.cf
user = foouser
password = foopass
hosts = localhost
dbname = postfixadmin
query = SELECT maildir FROM mailbox,alias_domain WHERE alias_domain.alias_domain = '%d' and mailbox.username = CONCAT('%u', '@', alias_domain.target_domain) AND mailbox.active = 1 AND alias_domain.active='1'

mysql_virtual_alias_domain_maps.cf
user = foouser
password = foopass
hosts = localhost
dbname = postfixadmin
query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('%u', '@', alias_domain.target_domain) AND alias.active = 1 AND alias_domain.active='1'

mysql_virtual_alias_maps.cf
user = foouser
password = foopass
hosts = localhost
dbname = postfixadmin
query = SELECT goto FROM alias WHERE address='%s' AND active = '1'
#expansion_limit = 100

mysql_virtual_domains_maps.cf
user = foouser
password = foopass
hosts = localhost
dbname = postfixadmin
query          = SELECT domain FROM domain WHERE domain='%s' AND active = '1'
#query          = SELECT domain FROM domain WHERE domain='%s'
#optional query to use when relaying for backup MX
#query           = SELECT domain FROM domain WHERE domain='%s' AND backupmx = '0' AND active = '1'
#expansion_limit = 100

mysql_virtual_mailbox_limit_maps.cf
user = foouser
password = foopass
hosts = localhost
dbname = postfixadmin
query = SELECT quota FROM mailbox WHERE username='%s' AND active = '1'

mysql_virtual_mailbox_maps.cf
user = foouser
password = foopass
hosts = localhost
dbname = postfixadmin
query           = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'
#expansion_limit = 100

I'll try and have a look at the MYSQL log, thanks.

Best regards
Kenneth


On Tuesday 21 November 2017 at 15:23, Michael Munger <[hidden email]> wrote:


For the lack of STARTTLS offers:
 
/etc/postfix/main.cf:
    smtpd_tls_security_level = may
 
For the rejections:
 
Most likely, your recipient is getting rejected because postfix cannot properly communicate with MySQL or the queries are wrong.
 
Since you’re trying to do this with a MySQL backend, we need (at minimum) the MySQL  conf files.
 
Sanitize ONLY the passwords to foopass and main username to foouser. Don’t try to change table names or columns to obfuscate your structure.
 
A good place to start is to look at the actual queries being sent to MySQL. You can do that by enabling logging in the CLI, and then looking at the queries that are coming through:
 
To enable logging:
 
       SET global general_log = 1;
       SET global log_output = 'table';
View the log
       select * from mysql.general_log
Disable Query logging on the database
       SET global general_log = 0;
 
 
Michael Munger, dCAP, MCPS, MCNPS, MBSS
High Powered Help, Inc.
Microsoft Certified Professional
Microsoft Certified Small Business Specialist
Digium Certified Asterisk Professional
[hidden email]
 
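Michael's advice to look at the actual queries can be followed without turning on the MySQL general log, because Postfix builds the SQL itself before sending it. The rules are in mysql_table(5): %s is the whole lookup key, %u the local part, %d the domain, %1..%9 the domain labels counted from the right, %% a literal percent sign, and a query that needs a part the key does not have (for example %d for a key without '@', which is how the catchall map above is queried) is not sent at all. Every substituted value is run through MySQL's escaping routine, which is what keeps a recipient such as o'brien@domain.dk from breaking the SQL. The script below is an added example, not code from the thread or from Postfix: it reimplements that expansion in Python over constructed, abbreviated copies of two of the map files above, so you can see which SQL each map would fire for a given recipient. The escape() function is an approximation of mysql_real_escape_string(), and the embedded file contents are copies made for this example; both are assumptions.

```python
"""Expand a Postfix mysql_table(5) query string the way Postfix does before
sending it, so the SQL a lookup key produces can be inspected without MySQL."""
import re

# Constructed, abbreviated copies of two map files posted in the thread.
MAPS = {
    "mysql_virtual_mailbox_maps.cf": """\
user = foouser
password = foopass
hosts = localhost
dbname = postfixadmin
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = '1'
#expansion_limit = 100
""",
    "mysql_virtual_alias_domain_catchall_maps.cf": """\
user = foouser
password = foopass
hosts = localhost
dbname = postfixadmin
query  = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('@', alias_domain.target_domain) AND alias.active = 1 AND alias_domain.active='1'
""",
}


class QuerySuppressed(Exception):
    """The key lacks a part the pattern needs; Postfix then sends no query at all."""


def parse_cf(text):
    """Parse Postfix's 'name = value' file syntax (blank lines and # comments ignored)."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")      # split on the first '=' only
        params[name.strip()] = value.strip()
    return params


def escape(value):
    """Approximation of mysql_real_escape_string(): backslash-escape what MySQL treats specially."""
    special = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
               "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(special.get(ch, ch) for ch in value)


def expand(query, key):
    """Substitute %%, %s, %u, %d and %1..%9 per mysql_table(5).

    Returns None when Postfix would suppress the query (e.g. %d with a key
    that has no '@', or %3 with a two-label domain).
    """
    local, at, domain = key.rpartition("@")      # Postfix splits at the rightmost '@'

    def substitute(match):
        pattern = match.group(1)
        if pattern == "%":
            return "%"
        if pattern == "s":
            return escape(key)
        if pattern == "u":                        # whole key when there is no '@'
            return escape(local if at else key)
        if pattern == "d":
            if not at:
                raise QuerySuppressed
            return escape(domain)
        if pattern.isdigit() and pattern != "0":
            if not at:
                raise QuerySuppressed
            labels = domain.split(".")[::-1]      # %1 is the rightmost label
            index = int(pattern) - 1
            if index >= len(labels):
                raise QuerySuppressed
            return escape(labels[index])
        raise ValueError("unsupported pattern %%%s in query" % pattern)

    try:
        return re.sub(r"%(.)", substitute, query)
    except QuerySuppressed:
        return None


def queries_for(key):
    """Return {map file: SQL or None} for one lookup key across all maps."""
    return {name: expand(parse_cf(text)["query"], key) for name, text in MAPS.items()}


if __name__ == "__main__":
    for recipient in ("kf@domain.dk", "o'brien@domain.dk", "postmaster"):
        for name, sql in queries_for(recipient).items():
            print("%-45s %-20s %s" % (name, recipient, sql if sql else "(query suppressed)"))
```

The two things worth noticing in the output are that the catchall map never queries at all for a key without a domain, and that the single quote in o'brien arrives at MySQL escaped. The real check on a live box is `postmap -q kf@domain.dk proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf`, which runs the expanded query against the database and prints the result or nothing.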



SV: Problem with using STARTTLS

K F
In reply to this post by K F
Hi 'Postmaster'

As I see it, that doesn't offer starttls in the ehlo handshake either?


On Tuesday 21 November 2017 at 19:45, Postmaster <[hidden email]> wrote:


Hi,

ISPs do not validate certificates when STARTTLS is used; however, it can be very helpful for inbound trusted sources. I wrote a quick howto, it may be helpful for you. https://www.postfix.io/how-to-enable-inbound-tlsstarttls-in-postfix-with-signed-certificate-from-caletsencrypt/

Thanks.



Re: Problem with using STARTTLS

Viktor Dukhovni
In reply to this post by K F


> On Nov 22, 2017, at 2:33 AM, K F <[hidden email]> wrote:
>
> Thank you all for helping me out, and giving me ideas on what to look at.

http://www.postfix.org/DEBUG_README.html#logging
http://www.postfix.org/DEBUG_README.html#mail

Run "postfix reload" and post any pre-connection warnings
logged by the first post-reload smtpd(8) process, as well as
full logging from "connect" to "disconnect" for its first client.
Your certificate chain is likely misconfigured and so TLS is
disabled.

--
        Viktor.


SV: Problem with using STARTTLS

K F
Hi Viktor

openssl confirms that the chain is valid, this is what I see when I restart postfix:

Nov 22 09:29:00 bounce postfix/postfix-script[21178]: stopping the Postfix mail system
Nov 22 09:29:00 bounce postfix/master[18258]: terminating on signal 15
Nov 22 09:29:00 bounce postfix/postfix-script[21256]: starting the Postfix mail system
Nov 22 09:29:00 bounce postfix/master[21258]: daemon started -- version 2.10.1, configuration /etc/postfix








Re: SV: Problem with using STARTTLS

Matus UHLAR - fantomas
In reply to this post by K F
On 22.11.17 07:33, K F wrote:
>Thank you all for helping me out, and giving me ideas on what to look at.
>
>The argument
>smtpd_tls_security_level = may

if you have working TLS on port 587, but not on port 25, while the same
postfix listens on those, there's apparently a problem

where did you put it? Into the main.cf ?

>didn't help according to openssl
>openssl s_client -connect bounce:25 -starttls smtp
>Loading 'screen' into random state - done
>CONNECTED(00000244)
>didn't found starttls in server response, try anyway...
>write:errno=10053
>
>Can the mysql queries really be affected by using or not using ssl? I don't
> understand how, if the connecting SMTP is not using authentication?

why do you bother with MySQL when your problem lies elsewhere?
Or did you miss something when you asked for TLS?

1. TLS on port 25 did not work, because you did not enable it.
2. recipient got rejected on 587, because port 587 requires authentication.

Neither of those is related to MySQL.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*

SV: SV: Problem with using STARTTLS

K F
Hi Matus

Well, I was asked about mysql, so I posted it.
I didn't know that port 587 required authentication. I've tried activating authentication on the client, and then it works perfectly.
So now it's just a question of getting port 25 to show starttls :-)
I added it to main.cf

main.cf:
myhostname = bounce
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
smtpd_tls_cert_file = /etc/pki/tls/certs/domain.combined.pem
smtpd_tls_key_file = /etc/pki/tls/private/domain.key
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
mynetworks = 127.0.0.0/8
virtual_transport = lmtp:unix:private/dovecot-lmtp
smtpd_tls_received_header = yes
smtpd_tls_security_level = may






Re: Problem with using STARTTLS

Viktor Dukhovni
In reply to this post by K F


> On Nov 22, 2017, at 3:30 AM, K F <[hidden email]> wrote:
>
> Hi Viktor
>
> openssl confirms that the chain is valid, this is what I see when I restart postfix:
>
> Nov 22 09:29:00 bounce postfix/postfix-script[21178]: stopping the Postfix mail system
> Nov 22 09:29:00 bounce postfix/master[18258]: terminating on signal 15
> Nov 22 09:29:00 bounce postfix/postfix-script[21256]: starting the Postfix mail system
> Nov 22 09:29:00 bounce postfix/master[21258]: daemon started -- version 2.10.1, configuration /etc/postfix

You really should read what you were asked to post with a
bit more attention...

>>> Thank you all for helping me out, and giving me ideas on what to look at.
>>
>> http://www.postfix.org/DEBUG_README.html#logging
>> http://www.postfix.org/DEBUG_README.html#mail

Read the above and post as directed.

>>
>> Run "postfix reload" and post the any pre-connection warnings
>> logged by the first post-reload smtpd(8) process, as well as
>> full logging from "connect" to "disconnect" for its first client.
>> Your certificate chain is likely misconfigured and so TLS is
>> disabled.

Read the above and post as directed.

--
        Viktor.


SV: Problem with using STARTTLS

K F
Let me reiterate that I do appreciate the help from everyone. Secondly, I would suggest you work on your people skills; if it's too bothersome for you to treat others with respect, then don't answer.

The first reply I got to this question was from Michael Munger, it read:
  For the lack of STARTTLS offers:
  /etc/postfix/main.cf:
    smtpd_tls_security_level = may
  For the rejections:
  Most likely, your recipient is getting rejected because postfix cannot properly communicate with MySQL or the queries are wrong.
  Since you’re trying to do this with a MySQL backend, we need (at minimum) the MySQL  conf files.
  Sanitize ONLY the passwords to foopass and main username to foouser. Don’t try to change table names or columns to obfuscate your structure.
  A good place to start is to look at the actual queries being sent to MySQL. You can do that by enabling logging in the CLI, and then looking at the queries that are coming through:

Thus, I provided the MySQL lines, and wrote that I didn't see the relevance, but having asked for help, I felt that I couldn't just deny it.
On closer inspection of the original mail, I can see it was sent directly to me, and not to the list, so you might not have seen it in the thread, but give others the benefit of the doubt.

Lastly, I will set up the debugging as you've suggested to investigate further.







SV: Problem with using STARTTLS

K F
Ok, very interesting. I've gone through all the settings with postfinger, and it looked ok.
So I tried just telnetting in to port 25 locally, and oddly enough it showed STARTTLS :-) ?
So I did an 'openssl s_client -starttls smtp ...' on port 25 locally, and that showed the certificate and chain correctly.
This is all good, but I couldn't figure out why it worked all of a sudden.

Done locally
220 bounce ESMTP Postfix
ehlo google.dk
250-bounce
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Done from my workstation
220 ********************
ehlo google.dk
250-bounce
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-XXXXXXXA
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

AHaaaa, so I guess some cisco sh.. is messing with me, obfuscating the output (note the 220 ******)
I might have to kill the firewall dude after this :-D

Best regards
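The comparison in the post above, one EHLO session from the host itself and one from a workstation on the far side of the firewall, is the check worth scripting, because it is the only thing that separates "Postfix is not offering STARTTLS" from "something in between is rewriting the reply". What follows is an added example, not code from the thread or from Postfix: a small Python probe that reads the greeting and the EHLO reply, lists the advertised extensions, and flags the two tampering signs visible above, a banner replaced by asterisks and an extension keyword replaced by a run of X's. The two transcripts embedded at the bottom are constructed copies of the thread's local and remote sessions; the `probe.invalid` HELO name, the regex thresholds and the verdict wording are assumptions.

```python
"""Collect an SMTP server's greeting and EHLO reply and flag a missing STARTTLS
or the signs of a middlebox rewriting the session (masked banner, X-ed keywords)."""
import re
import socket
import sys

BANNER_MASK = re.compile(r"^220 \*{5,}")          # "220 ********************"
KEYWORD_MASK = re.compile(r"^X{4,}[A-Z0-9]?$")    # "XXXXXXXA" where STARTTLS belongs


def reply_complete(buf):
    """True when buf ends with the final line of an SMTP reply ("250 ..." not "250-...")."""
    if not buf.endswith(b"\r\n"):
        return False
    last = buf.rstrip(b"\r\n").split(b"\r\n")[-1]
    return len(last) >= 4 and last[3:4] == b" "


def read_reply(sock):
    """Read one possibly multi-line reply; return its lines without CRLF."""
    buf = b""
    while not reply_complete(buf):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the connection mid-reply")
        buf += chunk
    return buf.decode("ascii", "replace").rstrip("\r\n").split("\r\n")


def fetch_ehlo(host, port=25, helo_name="probe.invalid"):
    """Connect, collect greeting and EHLO reply, then QUIT. Needs network access."""
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.settimeout(10)
        banner = read_reply(sock)
        sock.sendall(("EHLO %s\r\n" % helo_name).encode("ascii"))
        ehlo = read_reply(sock)
        sock.sendall(b"QUIT\r\n")
    return banner, ehlo


def analyse(banner, ehlo):
    """Classify a greeting/EHLO pair: advertised keywords plus tampering indicators."""
    keywords = []
    for line in ehlo[1:]:                       # ehlo[0] is the server's own name
        parts = line[4:].split() if line.startswith("250") else []
        if parts:
            keywords.append(parts[0].upper())   # keyword only, e.g. SIZE from "SIZE 10240000"
    return {
        "keywords": keywords,
        "starttls": "STARTTLS" in keywords,
        "banner_masked": bool(BANNER_MASK.match(banner[0])),
        "masked_keywords": [k for k in keywords if KEYWORD_MASK.match(k)],
    }


def verdict(result):
    if result["starttls"]:
        return "STARTTLS advertised"
    if result["banner_masked"] or result["masked_keywords"]:
        return "STARTTLS missing and the reply looks rewritten in transit; check firewalls/proxies"
    return "STARTTLS missing from the server itself; check smtpd_tls_security_level and smtpd warnings"


# Constructed copies of the thread's two sessions: from the host and from the workstation.
LOCAL = (["220 bounce ESMTP Postfix"],
         ["250-bounce", "250-PIPELINING", "250-SIZE 10240000", "250-VRFY", "250-ETRN",
          "250-STARTTLS", "250-ENHANCEDSTATUSCODES", "250-8BITMIME", "250 DSN"])
REMOTE = (["220 ********************"],
          ["250-bounce", "250-PIPELINING", "250-SIZE 10240000", "250-VRFY", "250-ETRN",
           "250-XXXXXXXA", "250-ENHANCEDSTATUSCODES", "250-8BITMIME", "250 DSN"])

if __name__ == "__main__":
    if len(sys.argv) > 1:                       # python3 probe.py bounce 25
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
        banner, ehlo = fetch_ehlo(sys.argv[1], port)
        print("\n".join(ehlo))
        print(verdict(analyse(banner, ehlo)))
    else:
        for name, (banner, ehlo) in (("local", LOCAL), ("remote", REMOTE)):
            print("%-7s %s" % (name, verdict(analyse(banner, ehlo))))
```

Run it once on the mail host and once from outside the perimeter; if the verdicts differ, the server is fine and a device in the path is editing the session, which is also why `openssl s_client -starttls smtp` reported no STARTTLS in the server response earlier in the thread. Two points for reading the result: the masked keyword is the same length as the word it replaced, so a run of X's exactly where STARTTLS would sit is the tell; and Postfix treats `smtpd_use_tls = yes`, which the posted main.cf already had, as the older spelling of `smtpd_tls_security_level = may`, so with that setting a missing STARTTLS on port 25 points away from main.cf from the start.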







SV: Problem with using STARTTLS

K F
After a lot of opposition from the firewall dude ("The Cisco can't do that!"), he gave in once I found the configuration setting in the Cisco and the documentation clearly stated it was enabled by default. He disabled the feature in the firewall cluster, and lo and behold, STARTTLS appeared as if by magic :-D

The problem is solved, thank you all for your help!

