TLS support for Postfix server on port TCP/25


TLS support for Postfix server on port TCP/25

Jeronimo L. Cabral
Dear, I want mail clients to send messages to Internet through an own mail relay Postfix as smtpd server (not as client), let's say:

Mail client ---STARTTLS ---- Postfix listening on Port TCP/25 --- Internet SMTP servers

Also, I don't need authentication to send mails from the Postfix mail relay.

In /etc/postfix/main.cf I setup:

# TLS parameters for smtpd
smtpd_tls_cert_file=/etc/postfix/SSL/MailRelay-server-public.crt
smtpd_tls_key_file=/etc/postfix/SSL/MailRelay-server-private.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_loglevel = 2
tls_random_source = dev:/dev/urandom
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_CApath = /etc/ssl/certs

Is this configuration Ok in order to let Postfix accept STARTTLS connections from clients ???

Thanks a lot,

Jelo

Re: TLS support for Postfix server on port TCP/25

Noel Jones-2
On 3/13/2017 1:18 PM, Jeronimo L. Cabral wrote:

> Dear, I want mail clients to send messages to Internet through an
> own mail relay Postfix as smtpd server (not as client), let's say:
>
> Mail client ---STARTTLS ---- Postfix listening on Port TCP/25 ---
> Internet SMTP servers
>
> Also, I don't need authentication to send mails from the Postfix
> mail relay.
>
> In /etc/postfix/main.cf I setup:
>
> # TLS parameters for smtpd
>
> smtpd_tls_cert_file=/etc/postfix/SSL/MailRelay-server-public.crt
>
> smtpd_tls_key_file=/etc/postfix/SSL/MailRelay-server-private.pem
>
> smtpd_use_tls=yes

postfix requires spaces around the " = " in the above parameters in
main.cf

Note that "smtpd_use_tls" is a deprecated parameter.  The
correct/current parameter for postfix 2.3 and newer is
smtpd_tls_security_level. You didn't mention which version of
postfix you're using, but hopefully you're not stuck on a 10 year
old version, or using a 10 year old how-to.
http://www.postfix.org/TLS_README.html#client_tls
http://www.postfix.org/postconf.5.html#smtp_tls_security_level


>
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
>
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

The TLS session cache is no longer necessary or desirable. Remove
these two parameters to allow openssl to automatically use session
tickets, which are better than the cache.

>
> smtpd_tls_loglevel = 2

Use a loglevel of 0 or 1.  Loglevels above 1 will bury the important
and useful log entries.

>
> tls_random_source = dev:/dev/urandom
>
> smtpd_tls_session_cache_timeout = 3600s

Since you're not using cache, you can remove this entry too.


>
> smtpd_tls_CApath = /etc/ssl/certs
>
> Is this configuration Ok in order to let Postfix accept STARTTLS
> connections from clients ???
>
> Thanks a lot,
>
> Jelo




  -- Noel Jones

Re: TLS support for Postfix server on port TCP/25

Viktor Dukhovni
In reply to this post by Jeronimo L. Cabral
On Mon, Mar 13, 2017 at 03:18:07PM -0300, Jeronimo L. Cabral wrote:

> Dear, I want mail clients to send messages to Internet through an own mail
> relay Postfix as smtpd server (not as client), let's say:

This is not a well formed question.  There is no such thing as
sending mail as a server vs as a client.  In each SMTP transaction
the sending side is a client, and the receiving side is a server.

The standard way of handling *outbound* email, i.e. email from your
users to remote destinations, is via a *submission* service on port
587.  The submission service authenticates the users (with TLS to
protect the transmission of passwords and confidentiality of the
message) and then relays the mail on towards its destination.

> Mail client ---STARTTLS ---- Postfix listening on Port TCP/25 --- Internet SMTP servers

Change port 25 to 587.

> Also, I don't need authentication to send mails from the Postfix mail relay.

Certainly not *from* the relay to the Internet, but you would
typically authenticate mail coming in *to* the relay.  Why would
that not be necessary in your case?

> In /etc/postfix/main.cf I setup:
>
> smtpd_tls_cert_file=/etc/postfix/SSL/MailRelay-server-public.crt
> smtpd_tls_key_file=/etc/postfix/SSL/MailRelay-server-private.pem

OK.

> smtpd_use_tls=yes

Replace that with "smtpd_tls_security_level = may" for port 25, or
"-o smtpd_tls_security_level=encrypt" in master.cf for the submission
service on port 587 (aka "submission inet ... smtpd ...").

> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

As of Postfix 2.11, TLS session tickets obsolete the server-side cache,
so set this empty with Postfix 2.11 or later.

> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_tls_loglevel = 2

Except when debugging a system to report more detail as requested
on this list, the log level should be 1.  Log level 2 is too verbose
for production use.

--
        Viktor.

Re: TLS support for Postfix server on port TCP/25

Viktor Dukhovni
In reply to this post by Noel Jones-2
On Mon, Mar 13, 2017 at 01:47:49PM -0500, Noel Jones wrote:

> > smtpd_use_tls=yes
>
> postfix requires spaces around the " = " in the above parameters in
> main.cf

That's not accurate, while " = " is the "normal form" of main.cf
settings as output by "postconf -n", the spaces are optional.

> > smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
>
> The TLS session cache is no longer necessary or desirable. Remove
> these two parameters to allow openssl to automatically use session
> tickets, which are better than the cache.

As of Postfix 2.11.

> > smtpd_tls_session_cache_timeout = 3600s
>
> Since you're not using cache, you can remove this entry too.

This parameter also controls the lifetime of session tickets, but
since 3600s is the default value, there's no need to set it
explicitly.

--
        Viktor.

Re: TLS support for Postfix server on port TCP/25

Noel Jones-2
On 3/13/2017 2:04 PM, Viktor Dukhovni wrote:
> On Mon, Mar 13, 2017 at 01:47:49PM -0500, Noel Jones wrote:
>
>>> smtpd_use_tls=yes
>>
>> postfix requires spaces around the " = " in the above parameters in
>> main.cf
>
> That's not accurate, while " = " is the "normal form" of main.cf
> settings as output by "postconf -n", the spaces are optional.

Dang. 10+ years and I'm still learning new stuff.
Thanks!


  -- Noel Jones

Re: TLS support for Postfix server on port TCP/25

Jeronimo L. Cabral
In reply to this post by Viktor Dukhovni
Thanks to both of you !!!

I need STARTTLS server side connection, because the client side connection is working OK.

I have Postfix 2.11, so you say if I use STARTTLS with port TCP/25 the authentication is in plain text...but if I set up STARTTLS on port TCP/587 the authentication is encrypted too with TLS....I believed using STARTTLS on port TCP/25 I have encrypted both login and data.

In case I set up STARTTLS in port TCP/587, both login and data go through it ??? Or just login through port TCP/587 and the data go through port TCP/25 ???

Thanks again, regards !!!



Re: TLS support for Postfix server on port TCP/25

Jeronimo L. Cabral
Sorry, I repeat Postfix doesn't need to authenticate any user sending through it (no login/password)

This implies an extra configuration line?

Thanks again.




Re: TLS support for Postfix server on port TCP/25

Viktor Dukhovni
In reply to this post by Jeronimo L. Cabral
On Mon, Mar 13, 2017 at 04:19:48PM -0300, Jeronimo L. Cabral wrote:

> I need STARTTLS server side connection, because the client side connection
> is working OK.

This may mean something to you, but I for one have no idea what
you have in mind when you say that.

> I have Postfix 2.11, so you say if I use STARTTLS with port TCP/25 the
> authentication is in plain text...but if I set up STARTTLS on port TCP/587
> the authentication is encrypted too with TLS....

No.  However, on port 587 you can *require* TLS, while on port 25
TLS is generally optional.  Of course you can restrict "AUTH" to
TLS only, but it is best to not offer AUTH on port 25.

> I believed using STARTTLS on port TCP/25 I have encrypted both login and data.

If the client chooses to use TLS.

> In case I set up STARTTLS in port TCP/587, both login and data go through
> it ??? Or just login through port TCP/587 and the data go through port
> TCP/25 ???

No, everything will be on 587, SMTP is a single-channel protocol.
Of course the client has to be configured to submit via 587, and
needs to authenticate.

--
        Viktor.
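Viktor's two points above (SMTP is single-channel, and port 587 with "encrypt" refuses mail before STARTTLS while port 25 with "may" does not) can be made concrete with a small model of an smtpd listener. This is an added example, not Postfix code and not from anyone in this thread: the reply texts follow Postfix's usual wording but are assumptions, the hostnames and addresses are constructed, and the model only covers the handful of commands needed to show the difference between the two security levels and the effect of offering AUTH only after TLS.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class SmtpdModel:
    """One smtpd session under a given listener configuration (assumed model)."""
    tls_security_level: str = "may"   # smtpd_tls_security_level: none | may | encrypt
    sasl_auth_enable: bool = False    # smtpd_sasl_auth_enable
    tls_auth_only: bool = True        # smtpd_tls_auth_only: offer AUTH only after STARTTLS
    tls_active: bool = False
    greeted: bool = False
    authenticated: bool = False
    transcript: List[str] = field(default_factory=list)

    def command(self, line: str) -> str:
        """Feed one client command line and return the server reply."""
        self.transcript.append("C: " + line)
        verb = line.partition(" ")[0].upper()
        if verb == "EHLO":
            self.greeted = True
            feats = ["250-relay.example.test", "250-PIPELINING"]
            if self.tls_security_level != "none" and not self.tls_active:
                feats.append("250-STARTTLS")
            if self.sasl_auth_enable and (self.tls_active or not self.tls_auth_only):
                feats.append("250-AUTH PLAIN LOGIN")
            feats.append("250 8BITMIME")
            reply = "\r\n".join(feats)
        elif verb == "STARTTLS":
            if self.tls_security_level == "none":
                reply = "502 5.5.1 Error: command not implemented"
            elif self.tls_active:
                reply = "554 5.5.1 Error: TLS already active"
            else:
                # The TLS handshake now runs on the SAME TCP connection; SMTP
                # state is reset and the client must EHLO again before MAIL.
                self.tls_active = True
                self.greeted = False
                reply = "220 2.0.0 Ready to start TLS"
        elif verb == "AUTH":
            if not self.sasl_auth_enable or (self.tls_auth_only and not self.tls_active):
                reply = "503 5.5.1 Error: authentication not enabled"
            else:
                self.authenticated = True
                reply = "235 2.7.0 Authentication successful"
        elif verb in ("MAIL", "RCPT", "DATA"):
            if self.tls_security_level == "encrypt" and not self.tls_active:
                # What "encrypt" buys on 587: no envelope or data before STARTTLS.
                reply = "530 5.7.0 Must issue a STARTTLS command first"
            elif not self.greeted:
                reply = "503 5.5.1 Error: send HELO/EHLO first"
            elif verb == "DATA":
                reply = "354 End data with <CR><LF>.<CR><LF>"
            else:
                reply = "250 2.1.0 Ok"
        else:
            reply = "502 5.5.2 Error: command not recognized"
        self.transcript.append("S: " + reply)
        return reply


def run_session(model: SmtpdModel, commands: List[str]) -> List[str]:
    """Drive a session and return the three-digit reply code for each command."""
    return [model.command(c)[:3] for c in commands]


# A submission-style exchange: login and message data on the one connection.
SUBMISSION_FLOW = [
    "EHLO client.example.test",
    "STARTTLS",
    "EHLO client.example.test",
    "AUTH PLAIN <base64>",
    "MAIL FROM:<app@example.test>",
    "RCPT TO:<someone@example.net>",
    "DATA",
]


def port25_in_clear() -> List[str]:
    """Port 25 with 'may': a client that skips STARTTLS is still accepted."""
    return run_session(SmtpdModel("may"), ["EHLO c", "MAIL FROM:<a@example.test>"])


def port587_in_clear() -> List[str]:
    """Port 587 with 'encrypt': MAIL before STARTTLS is refused with 530."""
    return run_session(SmtpdModel("encrypt"), ["EHLO c", "MAIL FROM:<a@example.test>"])


def port587_with_tls() -> List[str]:
    """Port 587 with 'encrypt' and SASL: the whole transaction rides one TLS channel."""
    return run_session(SmtpdModel("encrypt", sasl_auth_enable=True), SUBMISSION_FLOW)


if __name__ == "__main__":
    m = SmtpdModel("encrypt", sasl_auth_enable=True)
    run_session(m, SUBMISSION_FLOW)
    print("\n".join(m.transcript))
```

Running the block prints the full 587 transcript; note that AUTH is absent from the first EHLO reply and appears only after STARTTLS, and that MAIL, RCPT and DATA all follow on the same session, which is the answer to the "login on 587, data on 25" question.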

Re: TLS support for Postfix server on port TCP/25

Viktor Dukhovni
In reply to this post by Jeronimo L. Cabral
On Mon, Mar 13, 2017 at 04:33:15PM -0300, Jeronimo L. Cabral wrote:

> Sorry, I repeat Postfix doesn't need to authenticate any user sending
> through it (not login/password)

Why is that?  How are you planning to prevent abuse by spammers
exploiting open relays?

--
        Viktor.

Re: TLS support for Postfix server on port TCP/25

Jeronimo L. Cabral
At the moment, the mail relay is reached just from inside our company and several applications use it to send mail through Internet. In this scenario, one of these applications take the user "[hidden email]" and send mail to the Postfix relay. So the apps will be configured in this way (after your advice):

Postfix server: x.x.x.x
Port: TCP/587
Security: STARTTLS
User: [hidden email]
Pass: <empty>

Using mailx is in this manner:

$ mailx -v -r "[hidden email]" -s "TLS test" -S smtp="10.10.12.5:587" -S smtp-use-starttls -S ssl-verify=ignore [hidden email]

One last question please: what type of authentication is this? Normal password? This implies an extra line in main.cf?

Hundreds of thanks :)

Jelo





Re: TLS support for Postfix server on port TCP/25

Viktor Dukhovni
On Mon, Mar 13, 2017 at 04:49:23PM -0300, Jeronimo L. Cabral wrote:

> At the moment, the mail relay is reached just from inside our company and
> several applications use it to send mail through Internet.

If the submission port is only reachable from internal trusted
networks, then authentication is optional.  You'll need to make
sure that Postfix will not be listening for port 587 on any public
IP addresses.

> Using mailx is in this manner:

My first encounter with "heirloom-mailx", with SMTP and TLS bolted
in mailx, my, is the world getting fancy...

> $ mailx -v -r "[hidden email]" -s "TLS test" -S smtp="10.10.12.5:587" -S
> smtp-use-starttls -S ssl-verify=ignore [hidden email]

This is fine, provided that 10.10.12.5 is not reachable from outside via
NAT, and no other IP address reaches the same port 587 service.

--
        Viktor.

Re: TLS support for Postfix server on port TCP/25

Alejandro Cabrera Obed-2
Sorry but why do you suggest to use port 587 for TLS optional for auth + data, and not port 25 for the same purpose, if the goal is using TLS if possible?

Thanking in advance.


Re: TLS support for Postfix server on port TCP/25

Jeronimo L. Cabral
In reply to this post by Viktor Dukhovni
Dear Viktor, I've followed your instructions and setup the submission port in master.cf as you said:

Mail client ---STARTTLS ---- Postfix listening on Port TCP/587 - Internet SMTP servers

But when I execute from a client 172.1.1.1 to the Postfix server 10.1.1.1:

$ mailx -v -r "[hidden email]" -s "TLS test" -S smtp="10.1.1.1:587" -S smtp-use-starttls -S ssl-verify=ignore [hidden email]

the command never ends in the shell and the Postfix log just says:

Mar 13 19:41:56 MITLPSMT01 postfix/smtpd[20302]: initializing the server-side TLS engine
Mar 13 19:41:56 MITLPSMT01 postfix/smtpd[20302]: connect from unknown[172.1.1.1]
Mar 13 19:41:56 MITLPSMT01 postfix/smtpd[20302]: setting up TLS connection from unknown[172.1.1.1]
Mar 13 19:41:56 MITLPSMT01 postfix/smtpd[20302]: unknown[172.1.1.1]: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
Mar 13 19:41:56 MITLPSMT01 postfix/smtpd[20302]: SSL_accept:before/accept initialization

The mail doesn't go out from Postfix.

What can be the reason I can't send a mail using STARTTLS through the Postfix server ???



Re: TLS support for Postfix server on port TCP/25

Viktor Dukhovni

> On Mar 13, 2017, at 6:53 PM, Jeronimo L. Cabral <[hidden email]> wrote:
>
> $ mailx -v -r "[hidden email]" -s "TLS test" -S smtp="10.1.1.1:587" -S smtp-use-starttls -S ssl-verify=ignore [hidden email]
>
> the command never ends in the shell and the Postfix log just says:
>
> Mar 13 19:41:56 MITLPSMT01 postfix/smtpd[20302]: initializing the server-side TLS engine
> Mar 13 19:41:56 MITLPSMT01 postfix/smtpd[20302]: connect from unknown[172.1.1.1]
> Mar 13 19:41:56 MITLPSMT01 postfix/smtpd[20302]: setting up TLS connection from unknown[172.1.1.1]
> Mar 13 19:41:56 MITLPSMT01 postfix/smtpd[20302]: unknown[172.1.1.1]: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
> Mar 13 19:41:56 MITLPSMT01 postfix/smtpd[20302]: SSL_accept:before/accept initialization
>
> The mail doesn't go out from Postfix.
>
> What can be the reason I can't send a mail using STARTTLS through the Postfix server ???

The mailx command expects to read a file from standard input...

--
        Viktor.


Re: TLS support for Postfix server on port TCP/25

Jeronimo L. Cabral
In reply to this post by Jeronimo L. Cabral
Dear Viktor, sorry but I'll try to be more explicit because I have to put the submission to work and I can't:


# TLS parameters (server side)
smtpd_tls_cert_file=/etc/ssl/certs/relay.pem
smtpd_tls_key_file=/etc/ssl/private/key.pem
smtpd_tls_security_level = may
smtpd_tls_loglevel = 2

# TLS parameters (client side)
smtp_tls_security_level = may
smtp_tls_cert_file = /etc/postfix/SSL/publica.crt
smtp_tls_key_file = /etc/postfix/SSL/privada.pem
smtp_tls_loglevel = 2
smtp_tls_note_starttls_offer = yes
smtp_starttls_timeout = 300s
smtp_tls_CApath = /etc/ssl/certs


submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

And when I send a message with mailx from client 172.1.1.1:

$ mailx -v -r "[hidden email]" -s "TLS test" -S smtp="10.1.1.1:587" -S smtp-use-starttls -S ssl-verify=ignore [hidden email]

I get this log in Postfix:


Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: connect from unknown[172.1.1.1]
Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: setting up TLS connection from unknown[172.1.1.1]
Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: unknown[10.12.13.220]: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: SSL_accept error from unknown[172.1.1.1]: lost connection
Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: lost connection after STARTTLS from unknown[172.1.1.1]
Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: disconnect from unknown[172.1.1.1]

Thanks a lot,

Jelo




Re: TLS support for Postfix server on port TCP/25

Viktor Dukhovni

> On Mar 13, 2017, at 7:37 PM, Jeronimo L. Cabral <[hidden email]> wrote:
>
> Dear Viktor. sorry but I'll try to be more explicit because
> I have to put to work the submission and I can't:
>
> main.cf:
>
> smtp_tls_cert_file = /etc/postfix/SSL/publica.crt
> smtp_tls_key_file = /etc/postfix/SSL/privada.pem

Though not related to your current problem, client certificates
are not recommended for MTAs, leave these two parameters empty.

> smtp_tls_loglevel = 2

And the log level at 1.

> master.cf:
>
> submission inet n       -       -       -       -       smtpd
>   -o syslog_name=postfix/submission
> #  -o smtpd_tls_security_level=encrypt
> #  -o smtpd_sasl_auth_enable=yes
> #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING

Do uncomment the remaining options, but change "smtpd_client_restrictions"
to "permit_mynetworks, reject", making sure that "172.1.1.1" et al. are
listed in mynetworks.

> And when I send a message with mailx from client 172.1.1.1:
>
> $ mailx -v -r "[hidden email]" -s "TLS test" -S smtp="10.1.1.1:587" -S smtp-use-starttls -S ssl-verify=ignore [hidden email]

I still don't see where you're specifying the message to be sent.

> I get this log in Postfix:
>
> Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: connect from unknown[172.1.1.1]
> Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: setting up TLS connection from unknown[172.1.1.1]
> Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: unknown[10.12.13.220]: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
> Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: SSL_accept error from unknown[172.1.1.1]: lost connection
> Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: lost connection after STARTTLS from unknown[172.1.1.1]
> Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: disconnect from unknown[172.1.1.1]

The client disconnected, by the look of things without even sending
a TLS client HELLO.  Postfix can't tell you the reason for that.
Get more verbose diagnostics from "mailx".

You can try:

        # postconf -e "debug_peer_list = 172.1.1.1"
        # postfix reload

but you probably won't see anything new and interesting on the Postfix
side.

--
        Viktor.


Re: TLS support for Postfix server on port TCP/25

Jeronimo L. Cabral
Viktor, I have to tell you that it doesn't work for me.

Main.cf:

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
readme_directory = no

# TLS parameters (as server)
smtpd_tls_cert_file = /etc/postfix/SSL/publica.crt
smtpd_tls_key_file = /etc/postfix/SSL/privada.pem
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_auth_only = no

# TLS parameters (as client)
smtp_tls_security_level = may
smtp_tls_cert_file =
smtp_tls_key_file =
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_starttls_timeout = 300s

myhostname = relay.mycompany.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = relay.mycomany.com, localhost
relayhost = 
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all 

smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_non_fqdn_sender,
    reject_unknown_recipient_domain,
    reject_unknown_sender_domain,
    reject_unauth_destination,
    reject_rbl_client zombie.dnsbl.sorbs.net,
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client pbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org
        check_policy_service unix:private/policy

disable_vrfy_command = yes

smtpd_hard_error_limit = 4

message_size_limit = 15240000

transport_maps = hash:/etc/postfix/transport
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_non_fqdn_sender, reject_unknown_recipient_domain, reject_unknown_sender_domain, reject_unauth_destination, reject_rbl_client zombie.dnsbl.sorbs.net, reject_rbl_client opm.blitzed.org, reject_rbl_client sbl.spamhaus.org, reject_rbl_client pbl.spamhaus.org, reject_rbl_client cbl.abuseat.org check_policy_service unix:private/policy

anvil_rate_time_unit=60s
smtpd_client_message_rate_limit = 50

Master.cf:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache

# Added so that the SPF implementation works
policy    unix  -   n   n   -   -   spawn
    user=nobody   argv=/usr/bin/perl   /usr/sbin/postfix-policyd-spf-perl
spamassassin    unix    -   n   n   -   -   pipe
 user=nobody argv=/usr/bin/spamc --socket=/tmp/spamd.sock  -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

#Added by hand
smtp-amavis    unix    -   -   y   -   30  smtp
  -o smtp_data_done_timeout=1200s
  -o smtp_tls_security_level=none
## -o smtp_never_send_ehlo=yes
  -o disable_dns_lookups=yes
127.0.0.1:10025 inet   n   -   y   -   -   smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8

Execution of mailx and output in the client:

# mailx -v -r "[hidden email]" -s "TLS test" -S smtp="10.1.1.1:587" -S smtp-use-starttls -S ssl-verify=ignore [hidden email]

TYPE A MESSAGE 
.
EOT
Resolving host 10.1.1.1 . . . done.
Connecting to 10.1.1.1:587 . . . connected.
220 relay.mycompany.com ESMTP Postfix (Debian/GNU)
>>> EHLO HOST341
250-PIPELINING
250-SIZE 15240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
>>> STARTTLS
220 2.0.0 Ready to start TLS
Missing "nss-config-dir" variable.
"/root/dead.letter" 11/314
. . . message not sent.

Can you help me again please???

Really thanks, I'm desperate. 

On Mon, Mar 13, 2017 at 9:43 PM, Viktor Dukhovni <[hidden email]> wrote:

> On Mar 13, 2017, at 7:37 PM, Jeronimo L. Cabral <[hidden email]> wrote:
>
> Dear Viktor, sorry, but I'll try to be more explicit because
> I have to get submission working and I can't:
>
> main.cf:
>
> smtp_tls_cert_file = /etc/postfix/SSL/publica.crt
> smtp_tls_key_file = /etc/postfix/SSL/privada.pem

Though not related to your current problem, client certificates
are not recommended for MTAs, leave these two parameters empty.

> smtp_tls_loglevel = 2

And the log level at 1.

> master.cf:
>
> submission inet n       -       -       -       -       smtpd
>   -o syslog_name=postfix/submission
> #  -o smtpd_tls_security_level=encrypt
> #  -o smtpd_sasl_auth_enable=yes
> #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING

Do uncomment the remaining options, but change "smtpd_client_restrictions"
to "permit_mynetworks, reject", making sure that "172.1.1.1" et al. are
listed in mynetworks.

> And when I send a message with mailx from client 172.1.1.1:
>
> $ mailx -v -r "[hidden email]" -s "TLS test" -S smtp="10.1.1.1:587" -S smtp-use-starttls -S ssl-verify=ignore [hidden email]

I still don't see where you're specifying the message to be sent.

> I get this log in Postfix:
>
> Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: connect from unknown[172.1.1.1]
> Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: setting up TLS connection from unknown[172.1.1.1]
> Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: unknown[10.12.13.220]: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
> Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: SSL_accept error from unknown[172.1.1.1]: lost connection
> Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: lost connection after STARTTLS from unknown[172.1.1.1]
> Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: disconnect from unknown[172.1.1.1]

The client disconnected, by the look of things without even sending
a TLS client HELLO.  Postfix can't tell you the reason for that.
Get more verbose diagnostics from "mailx".

You can try:

        # postconf -e "debug_peer_list = 172.1.1.1"
        # postfix reload

but you probably won't see anything new and interesting on the Postfix
side.

--
        Viktor.



Re: TLS support for Postfix server on port TCP/25

Viktor Dukhovni

> On Mar 13, 2017, at 9:07 PM, Jeronimo L. Cabral <[hidden email]> wrote:
>
> Viktor, I have to tell you that it doesn't work for me.
>
> # TLS parameters (as server)
> smtpd_tls_cert_file = /etc/postfix/SSL/publica.crt
> smtpd_tls_key_file = /etc/postfix/SSL/privada.pem
> smtpd_tls_security_level = may
> smtpd_tls_loglevel = 1
> smtpd_tls_auth_only = no

Much better.

> # TLS parameters (as client)
> smtp_tls_security_level = may
> smtp_tls_cert_file =
> smtp_tls_key_file =
> smtp_tls_loglevel = 1
> smtp_starttls_timeout = 300s
> smtp_tls_note_starttls_offer = yes

Good, but you don't need the last setting, it'll never
be used.

> mynetworks = 127.0.0.0/8 10.0.0.0/8 192.168.69.0/24 172.0.0.0/8

Change 172.0.0.0/8 to 172.16.0.0/12; only 172.16.0.0 through 172.31.255.255
is RFC 1918 private address space, the rest of 172/8 is public space.

> smtpd_recipient_restrictions =
>     permit_sasl_authenticated,
>     permit_mynetworks,
>     reject_invalid_helo_hostname,
>     reject_non_fqdn_helo_hostname,
>     reject_non_fqdn_sender,
>     reject_unknown_recipient_domain,
>     reject_unknown_sender_domain,
>     reject_unauth_destination,
>     reject_rbl_client zombie.dnsbl.sorbs.net,
>     reject_rbl_client opm.blitzed.org,
>     reject_rbl_client sbl.spamhaus.org,
>     reject_rbl_client pbl.spamhaus.org,
>     reject_rbl_client cbl.abuseat.org,
>     check_policy_service unix:private/policy

You'll want to override this in the submission entry.
Since you have 2.11, you should have in main.cf:

        smtpd_relay_restrictions =
                permit_mynetworks,
                permit_sasl_authenticated,
                reject_unauth_destination

Which lets you set "-o smtpd_recipient_restrictions="
in master.cf for the submission service.  For good
measure you should also clear all four of:

   smtpd_{helo,sender,data,end_of_data}_restrictions

> smtpd_hard_error_limit = 4

I would not do that.

> smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_non_fqdn_sender, reject_unknown_recipient_domain, reject_unknown_sender_domain, reject_unauth_destination, reject_rbl_client zombie.dnsbl.sorbs.net, reject_rbl_client opm.blitzed.org, reject_rbl_client sbl.spamhaus.org, reject_rbl_client pbl.spamhaus.org, reject_rbl_client cbl.abuseat.org check_policy_service unix:private/policy

This is a really bad idea, use relay restrictions *JUST* to avoid
being an open relay, put anti-spam access control in
smtpd_recipient_restrictions.


>
> submission inet n       -       -       -       -       smtpd
>   -o syslog_name=postfix/submission
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_mynetworks,reject

Plus:

   -o smtpd_recipient_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_data_restrictions=
   -o smtpd_end_of_data_restrictions=

>   -o milter_macro_daemon_name=ORIGINATING

And now to the root of your problem:

> # mailx -v -r "[hidden email]" -s "TLS test" -S smtp="10.1.1.1:587" -S smtp-use-starttls -S ssl-verify=ignore [hidden email]
>
> TYPE A MESSAGE
> .
> EOT
> Resolving host 10.1.1.1 . . . done.
> Connecting to 10.1.1.1:587 . . . connected.
> 220 relay.mycompany.com ESMTP Postfix (Debian/GNU)
> >>> EHLO HOST341
> 250-relay.mycompany.com
> 250-PIPELINING
> 250-SIZE 15240000
> 250-ETRN
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> >>> STARTTLS
> 220 2.0.0 Ready to start TLS
> Missing "nss-config-dir" variable.
> "/root/dead.letter" 11/314
> . . . message not sent.
>
> Can you help me again please???

I must say that you're not paying attention here.  That

        Missing nss-config-dir variable.

message should not have been ignored.  Your mailx program
wants to find a certificate directory even when ignoring
certificate verification failure.

        https://stackoverflow.com/questions/16799407/mailx-and-gmail-nss-config-dir

You must have seen this message all along, and should be feeling
ashamed to not have reported it before...

--
        Viktor.
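The three pitfalls Viktor calls out above (public address space in mynetworks, anti-spam checks inside smtpd_relay_restrictions, and a restriction name smtpd(8) does not know) are all mechanical to check. The script below is an added example written for this page, not code from the thread or from the Postfix project. It assumes a plain "name = value" main.cf fragment, treats any restriction argument as a token containing '.', ':' or '/', and its KNOWN_RESTRICTIONS set is an assumption that covers only the names used in this thread, not the full smtpd(8) list. The sample config is constructed from the values posted in the thread, with one misspelled restriction name included to show the check.

```python
"""Lint a Postfix main.cf fragment for the pitfalls raised in the thread.

Added example for this page, not code from the Postfix project. Reports:
  * mynetworks entries outside loopback / RFC 1918 space (e.g. 172.0.0.0/8),
  * smtpd_relay_restrictions carrying more than the minimal anti-open-relay set
    (anti-spam checks belong in smtpd_recipient_restrictions),
  * restriction names smtpd(8) does not know (e.g. "reject_unauth_destinations").
KNOWN_RESTRICTIONS is an assumption: only the names used in this thread.
"""
import ipaddress
import re

TRUSTED_RANGES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7")]

# The only restrictions that belong in smtpd_relay_restrictions.
RELAY_ONLY = {"permit_mynetworks", "permit_sasl_authenticated",
              "reject_unauth_destination", "defer_unauth_destination", "permit", "reject"}

# Names seen in this thread (assumption: not the full smtpd(8) list).
KNOWN_RESTRICTIONS = RELAY_ONLY | {
    "reject_invalid_helo_hostname", "reject_non_fqdn_helo_hostname", "reject_non_fqdn_sender",
    "reject_unknown_recipient_domain", "reject_unknown_sender_domain", "reject_rbl_client",
    "check_policy_service"}

# Constructed from values posted in the thread; the misspelled relay restriction is deliberate.
SAMPLE_MAIN_CF = """\
mynetworks = 127.0.0.0/8 10.0.0.0/8 192.168.69.0/24 172.0.0.0/8
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unauth_destination,
    reject_rbl_client sbl.spamhaus.org,
    check_policy_service unix:private/policy
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destinations, reject_rbl_client sbl.spamhaus.org
"""


def parse_main_cf(text):
    """Parse "name = value" lines; a line starting with whitespace continues the previous value."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and current is not None:
            params[current] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def split_restrictions(value):
    """Split a restriction list; a token containing '.', ':' or '/' is an argument of the preceding restriction."""
    items = []
    for tok in (t for t in re.split(r"[,\s]+", value) if t):
        if items and any(c in tok for c in ".:/"):
            items[-1] += " " + tok
        else:
            items.append(tok)
    return items


def lint(params):
    """Return a list of findings for the parsed main.cf parameters."""
    findings = []
    for entry in params.get("mynetworks", "").split():
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"mynetworks: {entry!r} is not a CIDR entry, review by hand")
            continue
        if not any(net.version == r.version and net.subnet_of(r) for r in TRUSTED_RANGES):
            findings.append(f"mynetworks: {entry} reaches outside loopback/RFC 1918 space")
    relay = split_restrictions(params.get("smtpd_relay_restrictions", ""))
    extra = [r for r in relay
             if r.split()[0] in KNOWN_RESTRICTIONS and r.split()[0] not in RELAY_ONLY]
    if extra:
        findings.append("smtpd_relay_restrictions: move to smtpd_recipient_restrictions: " + ", ".join(extra))
    for pname in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions"):
        for r in split_restrictions(params.get(pname, "")):
            if r.split()[0] not in KNOWN_RESTRICTIONS:
                findings.append(f"{pname}: unknown restriction {r.split()[0]!r}")
    return findings


def lint_text(text):
    """Parse and lint a main.cf fragment in one call."""
    return lint(parse_main_cf(text))


if __name__ == "__main__":
    for finding in lint_text(SAMPLE_MAIN_CF):
        print(finding)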


Re: TLS support for Postfix server on port TCP/25

Jeronimo L. Cabral
Dear Viktor, I apologize for my new interruption....but after following your instructions, the Postfix server doesn't show the STARTTLS support via telnet:

$ telnet 10.1.1.1 587
Trying 10.1.1.1...
Connected to 10.1.1.1.
Escape character is '^]'.

NOTHING TO SHOW!!!

Now I have:


smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

append_dot_mydomain = no

readme_directory = no

# TLS parameters (server side)
smtpd_tls_cert_file = /etc/postfix/SSL/MailRelay-server-publica.crt
smtpd_tls_key_file = /etc/postfix/SSL/MailRelay-server-privada.pem
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1

# TLS parameters (client side)
smtp_tls_security_level = may
smtp_tls_cert_file =
smtp_tls_key_file =
smtp_tls_loglevel = 1

myhostname = relay.mycompany.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = relay.mycompany.com, localhost.mycompany.com, localhost
relayhost = 
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all 

smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_non_fqdn_sender,
    reject_unknown_recipient_domain,
    reject_unknown_sender_domain,
    reject_unauth_destination,
    reject_rbl_client zombie.dnsbl.sorbs.net,
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client pbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    check_policy_service unix:private/policy

smtpd_relay_restrictions =
                permit_mynetworks,
                permit_sasl_authenticated,
                reject_unauth_destination

disable_vrfy_command = yes

smtpd_hard_error_limit = 4

message_size_limit = 15240000

transport_maps = hash:/etc/postfix/transport

anvil_rate_time_unit=60s
smtpd_client_message_rate_limit = 50


#==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_recipient_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_data_restrictions=
  -o smtpd_end_of_data_restrictions=
  -o milter_macro_daemon_name=ORIGINATING

#smtps     inet  n       -       -       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache

# Added so that the SPF implementation works
policy    unix  -   n   n   -   -   spawn
    user=nobody   argv=/usr/bin/perl   /usr/sbin/postfix-policyd-spf-perl
spamassassin    unix    -   n   n   -   -   pipe
 user=nobody argv=/usr/bin/spamc --socket=/tmp/spamd.sock  -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

#Added by hand
smtp-amavis    unix    -   -   y   -   30  smtp
  -o smtp_data_done_timeout=1200s
  -o smtp_tls_security_level=none
## -o smtp_never_send_ehlo=yes
  -o disable_dns_lookups=yes
127.0.0.1:10025 inet   n   -   y   -   -   smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8

When I execute mailx, it doesn't show anything because Postfix has no STARTTLS capabilities at this moment.

Thanks again and apologies for this new message!!!
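A telnet session that connects but prints nothing, and a mailx that dies on its own NSS setup, both leave it unclear which step of the SMTP session is failing. The probe below is an added example written for this page, not code from the thread or from the Postfix project. It walks the session one step at a time and says exactly where it stopped: no 220 banner within the timeout (the telnet symptom above), no STARTTLS keyword in the EHLO reply, a refused STARTTLS, or a failed TLS handshake. The host 10.1.1.1, port 587 and EHLO name HOST341 are the ones used in the thread; the sample EHLO reply is constructed from the transcript. Certificate verification is switched off on purpose, on the assumption that the relay uses a self-managed certificate; switch it back on once the relay has a certificate the client can verify.

```python
"""Stage-by-stage STARTTLS probe for a Postfix listener.

Added example for this page, not code from the Postfix project or the poster.
Every failure mode ends up in report["error"] with the stage it happened at.
"""
import io
import socket
import ssl

# Constructed from the EHLO transcript in the thread.
SAMPLE_EHLO_REPLY = (
    b"250-relay.mycompany.com\r\n"
    b"250-PIPELINING\r\n"
    b"250-SIZE 15240000\r\n"
    b"250-ETRN\r\n"
    b"250-STARTTLS\r\n"
    b"250-ENHANCEDSTATUSCODES\r\n"
    b"250-8BITMIME\r\n"
    b"250 DSN\r\n"
)


def read_reply(rfile):
    """Read one (possibly multi-line) SMTP reply from a binary file object; return (code, text lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("peer closed the connection before completing its reply")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed SMTP reply line: {line!r}")
        lines.append(line[4:])
        if len(line) == 3 or line[3] != "-":   # "250 DSN" ends the reply, "250-..." continues it
            return int(line[:3]), lines


def parse_reply_bytes(data):
    """Parse a captured reply held in memory (same parser as the live session)."""
    return read_reply(io.BytesIO(data))


def parse_ehlo(lines):
    """Map EHLO keywords to their parameters; the first line is the server's name, not a keyword."""
    caps = {}
    for line in lines[1:]:
        parts = line.split()
        if parts:
            caps[parts[0].upper()] = parts[1:]
    return caps


def probe_starttls(host="10.1.1.1", port=587, helo="HOST341", timeout=10.0):
    """Walk the session up to the TLS handshake and report which stage failed, if any."""
    report = {"banner": None, "starttls_offered": False, "tls": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            rfile = sock.makefile("rb")
            try:
                code, lines = read_reply(rfile)
            except socket.timeout:
                report["error"] = ("connected, but no banner within %.0fs: nothing is answering on "
                                   "this port (check the master.cf entry and the Postfix log)" % timeout)
                return report
            report["banner"] = lines[0]
            if code != 220:
                report["error"] = f"greeting was {code}, not 220"
                return report
            sock.sendall(f"EHLO {helo}\r\n".encode("ascii"))
            code, lines = read_reply(rfile)
            if code != 250:
                report["error"] = f"EHLO rejected: {code} {lines[0]}"
                return report
            report["starttls_offered"] = "STARTTLS" in parse_ehlo(lines)
            if not report["starttls_offered"]:
                report["error"] = ("STARTTLS not advertised: check smtpd_tls_security_level and that "
                                   "the cert/key files load without errors in the log")
                return report
            sock.sendall(b"STARTTLS\r\n")
            code, lines = read_reply(rfile)
            if code != 220:
                report["error"] = f"STARTTLS refused: {code} {lines[0]}"
                return report
            ctx = ssl.create_default_context()
            ctx.check_hostname = False       # self-managed relay certificate (assumption, see lead-in)
            ctx.verify_mode = ssl.CERT_NONE
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                report["tls"] = {"version": tls.version(), "cipher": tls.cipher()[0]}
                tls.sendall(b"QUIT\r\n")
    except (OSError, ssl.SSLError, ValueError) as exc:
        report["error"] = f"{type(exc).__name__}: {exc}"
    return report


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "10.1.1.1"
    for key, value in probe_starttls(target).items():
        print(f"{key}: {value}")
```

Run it from the client host as "python3 probe.py 10.1.1.1": a "banner" of None together with the timeout message is the case where master accepts the TCP connection but smtpd never greets, which is what the telnet session above shows and what the Postfix log has to explain.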

Re: TLS support for Postfix server on port TCP/25

Viktor Dukhovni

> On Mar 13, 2017, at 10:07 PM, Jeronimo L. Cabral <[hidden email]> wrote:
>
> Dear Viktor, I apologize for my new interruption....but after follow your instructions, the Postfix server doesn't show the STARTTLS support via telnet:

   http://www.postfix.org/DEBUG_README.html#mail
   http://www.postfix.org/DEBUG_README.html#logging

--
        Viktor.
