
authenticated smtp relay and ssl/tls

11 messages

authenticated smtp relay and ssl/tls

Fabien COMBERNOUS-4

Hi there,

Is it possible to ask postfix to relay mail to an authenticated smtp
service? This remote smtp service is using ssl or tls. I know it is
possible to relay mail to an authenticated smtp service but without ssl/tls.

Any piece of information or howto about this is welcome.

Best regards,

--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com <http://www.kezia.com/>
*Tel: +33 (0) 467 992 986*
Kezia Group

RE: authenticated smtp relay and ssl/tls

Gabriel Craciun
http://www.dslreports.com/faq/6456


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Fabien COMBERNOUS
Sent: Tuesday, April 12, 2011 12:12 PM
To: [hidden email]
Subject: authenticated smtp relay and ssl/tls


Hi there,

Is it possible to ask postfix to relay mail to an authenticated smtp service? This remote smtp service is using ssl or tls. I know it is possible to relay mail to an authenticated smtp service but without ssl/tls.

Any piece of information or howto about this is welcome.

Best regards,

--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com <http://www.kezia.com/>
*Tel: +33 (0) 467 992 986*
Kezia Group

Re: authenticated smtp relay and ssl/tls

Noel Jones-2
In reply to this post by Fabien COMBERNOUS-4
On 4/12/2011 4:12 AM, Fabien COMBERNOUS wrote:

>
> Hi there,
>
> Is it possible to ask postfix to relay mail to an
> authenticated smtp service? This remote smtp service is using
> ssl or tls. I know it is possible to relay mail to an
> authenticated smtp service but without ssl/tls.
>
> Any piece of information or howto about this is welcome.
>
> Best regards,
>

Yes, TLS and authentication are set up separately in postfix
and can be (and frequently are) used together.

http://www.postfix.org/SASL_README.html#client_sasl_enable
http://www.postfix.org/TLS_README.html#client_tls

   -- Noel Jones

Re: authenticated smtp relay and ssl/tls

Fabien COMBERNOUS-4
Thank you for URL pointers.

On 12/04/2011 13:53, Noel Jones wrote:

[...]
> Yes, TLS and authentication are set up separately in postfix and can
> be (and frequently are) used together.
>
> http://www.postfix.org/SASL_README.html#client_sasl_enable

Authentication with a remote smtp without SSL/TLS (port 25) is running well.
> http://www.postfix.org/TLS_README.html#client_tls
About TLS, I want to use smtp.gmail.com and a gmail account.
I started by getting the certificates of the remote smtp service with the
command:
#> openssl s_client -connect smtp.gmail.com:465 -showcerts
CONNECTED(00000003)
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
    i:/C=US/O=Google Inc/CN=Google Internet Authority
-----BEGIN CERTIFICATE-----
MIIDWzCCAsSgAwIBAgIKaM9uMQADAAAirTANBgkqhkiG9w0BAQUFADBGMQswCQYD
[...]
Ouo+mV5BJSkDXH/qbG6wiBdEIypseBEbG+XJMxTSaYVgUjY313rBbAvQ0Uf7ZGQ=
-----END CERTIFICATE-----
[...]

Then I put the certificate in the file /etc/postfix/certs/googlesmtp.pem,
beginning with -----BEGIN CERTIFICATE----- and ending with -----END
CERTIFICATE-----

Then I added the following key in main.cf:
/etc/postfix/main.cf:smtp_tls_cert_file = /etc/postfix/certs/googlesmtp.pem

Then I reloaded the postfix config.

But, with or without the key smtp_tls_cert_file, I get the following
logs when my postfix tries to send a mail via the relay:
Apr 12 15:12:57 dns postfix/smtp[94247]: DA42493725:
to=<[hidden email]>, relay=smtp.gmail.com[209.85.227.109]:465,
delay=1174, delays=873/0.06/301/0, dsn=4.4.2, status=deferred
(conversation with smtp.gmail.com[209.85.227.109] timed out while
receiving the initial server greeting)

Regards,
--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com <http://www.kezia.com/>
*Tel: +33 (0) 467 992 986*
Kezia Group

Re: authenticated smtp relay and ssl/tls

Noel Jones-2
On 4/12/2011 9:24 AM, Fabien COMBERNOUS wrote:

> Thank you for URL pointers.
>
> On 12/04/2011 13:53, Noel Jones wrote:
>
> [...]
>> Yes, TLS and authentication are set up separately in postfix
>> and can be (and frequently are) used together.
>>
>> http://www.postfix.org/SASL_README.html#client_sasl_enable
>
> Authentication with a remote smtp without SSL/TLS (port 25) is
> running well.
>> http://www.postfix.org/TLS_README.html#client_tls
> About TLS, I want to use smtp.gmail.com and a gmail account.
> I started by getting the certificates of the remote smtp service
> with the command:
> #> openssl s_client -connect smtp.gmail.com:465 -showcerts
> CONNECTED(00000003)
> depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> ---
> Certificate chain
> 0 s:/C=US/ST=California/L=Mountain View/O=Google
> Inc/CN=smtp.gmail.com
> i:/C=US/O=Google Inc/CN=Google Internet Authority
> -----BEGIN CERTIFICATE-----
> MIIDWzCCAsSgAwIBAgIKaM9uMQADAAAirTANBgkqhkiG9w0BAQUFADBGMQswCQYD
> [...]
> Ouo+mV5BJSkDXH/qbG6wiBdEIypseBEbG+XJMxTSaYVgUjY313rBbAvQ0Uf7ZGQ=
> -----END CERTIFICATE-----
> [...]
>
> Then I put the certificate in the file
> /etc/postfix/certs/googlesmtp.pem, beginning with -----BEGIN
> CERTIFICATE----- and ending with -----END CERTIFICATE-----
>
> Then I added the following key in main.cf:
> /etc/postfix/main.cf:smtp_tls_cert_file =
> /etc/postfix/certs/googlesmtp.pem
>
> Then I reloaded the postfix config.

It's fine to load google's certs, but that isn't required.


>
> But, with or without the key smtp_tls_cert_file, I get the
> following logs when my postfix tries to send a mail via the relay:
> Apr 12 15:12:57 dns postfix/smtp[94247]: DA42493725:
> to=<[hidden email]>,
> relay=smtp.gmail.com[209.85.227.109]:465, delay=1174,
> delays=873/0.06/301/0, dsn=4.4.2, status=deferred
> (conversation with smtp.gmail.com[209.85.227.109] timed out
> while receiving the initial server greeting)

Port 465 is the deprecated "SSL wrapper mode" smtps.  The
postfix smtp client doesn't support wrapper mode.
Use the submission port 587 instead, or if you must use 465
see http://www.postfix.org/TLS_README.html#client_smtps


   -- Noel Jones

Re: authenticated smtp relay and ssl/tls

Fabien COMBERNOUS-4
Thank you for your answer.

On 12/04/2011 17:06, Noel Jones wrote:

[...]
> Port 465 is the deprecated "SSL wrapper mode" smtps.  The postfix smtp
> client doesn't support wrapper mode.
> Use the submission port 587 instead, or if you must use 465 see
> http://www.postfix.org/TLS_README.html#client_smtps

I also tested port 587. But in this case I get the following message:
Apr 12 11:21:58 dns postfix/smtp[83627]: 484E193000:
to=<[hidden email]>, relay=smtp.gmail.com[209.85.227.109]:587,
delay=0.69, delays=0/0.01/0.6/0.08, dsn=5.7.0, status=bounced (host
smtp.gmail.com[209.85.227.109] said: 530 5.7.0 Must issue a STARTTLS
command first. a50sm3091196wer.42 (in reply to MAIL FROM command))

Regards,
--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com <http://www.kezia.com/>
*Tel: +33 (0) 467 992 986*
Kezia Group

Re: authenticated smtp relay and ssl/tls

Noel Jones-2
On 4/12/2011 10:31 AM, Fabien COMBERNOUS wrote:

> Thank you for your answer.
>
> On 12/04/2011 17:06, Noel Jones wrote:
>
> [...]
>> Port 465 is the deprecated "SSL wrapper mode" smtps. The
>> postfix smtp client doesn't support wrapper mode.
>> Use the submission port 587 instead, or if you must use 465
>> see http://www.postfix.org/TLS_README.html#client_smtps
>
> I also tested port 587. But in this case I get the following
> message:
> Apr 12 11:21:58 dns postfix/smtp[83627]: 484E193000:
> to=<[hidden email]>,
> relay=smtp.gmail.com[209.85.227.109]:587, delay=0.69,
> delays=0/0.01/0.6/0.08, dsn=5.7.0, status=bounced (host
> smtp.gmail.com[209.85.227.109] said: 530 5.7.0 Must issue a
> STARTTLS command first. a50sm3091196wer.42 (in reply to MAIL
> FROM command))
>
> Regards,


Your postfix needs to be compiled with TLS support, and TLS
must be enabled in the smtp client.

http://www.postfix.org/TLS_README.html#build_tls
(or install a TLS-enabled postfix package from your OS vendor)

http://www.postfix.org/TLS_README.html#client_tls_levels
# main.cf
smtp_tls_security_level = may

Or use stunnel and port 465 if you can't get postfix TLS working.


   -- Noel Jones

Re: authenticated smtp relay and ssl/tls

Fabien COMBERNOUS-4
On 12/04/2011 17:50, Noel Jones wrote:

> On 4/12/2011 10:31 AM, Fabien COMBERNOUS wrote:
>> Thank you for your answer.
>>
>> On 12/04/2011 17:06, Noel Jones wrote:
>>
>> [...]
>>> Port 465 is the deprecated "SSL wrapper mode" smtps. The
>>> postfix smtp client doesn't support wrapper mode.
>>> Use the submission port 587 instead, or if you must use 465
>>> see http://www.postfix.org/TLS_README.html#client_smtps
>>
>> I also tested port 587. But in this case I get the following
>> message:
>> Apr 12 11:21:58 dns postfix/smtp[83627]: 484E193000:
>> to=<[hidden email]>,
>> relay=smtp.gmail.com[209.85.227.109]:587, delay=0.69,
>> delays=0/0.01/0.6/0.08, dsn=5.7.0, status=bounced (host
>> smtp.gmail.com[209.85.227.109] said: 530 5.7.0 Must issue a
>> STARTTLS command first. a50sm3091196wer.42 (in reply to MAIL
>> FROM command))
>>
>> Regards,
>
>
> Your postfix needs to be compiled with TLS support, and TLS must be
> enabled in the smtp client.
>
> http://www.postfix.org/TLS_README.html#build_tls
> (or install a TLS-enabled postfix package from your OS vendor)
I think it is. It understands the key smtp_tls_security_level.
>
> http://www.postfix.org/TLS_README.html#client_tls_levels
> # main.cf
> smtp_tls_security_level = may

It is what I did:
smtp_tls_security_level = may
smtp_tls_session_cache_database =
btree:/var/spool/postfix/tls/smtp_session_cache

Now I get this message:
postfix/smtp[3372]: certificate verification failed for
smtp.gmail.com[209.85.227.109]:587: untrusted issuer
/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

I'm pretty surprised.

--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com <http://www.kezia.com/>
*Tel: +33 (0) 467 992 986*
Kezia Group

Re: authenticated smtp relay and ssl/tls

Victor Duchovni
In reply to this post by Fabien COMBERNOUS-4
On Tue, Apr 12, 2011 at 04:24:47PM +0200, Fabien COMBERNOUS wrote:

> I started by getting the certificates of the remote smtp service with the
> command:
> [...]
>
> Then I put the certificate in the file /etc/postfix/certs/googlesmtp.pem,
> beginning with -----BEGIN CERTIFICATE----- and ending with -----END
> CERTIFICATE-----
>
> Then I added the following key in main.cf:
> /etc/postfix/main.cf:smtp_tls_cert_file = /etc/postfix/certs/googlesmtp.pem

This is WRONG. The "smtp_tls_cert_file" is for the public certificate
of your SMTP client, you need to have the matching private key! It is not
for the public certificates of remote servers.

If you want to verify the remote certificate, see:

        http://www.postfix.org/TLS_README.html#client_tls_secure
        http://www.postfix.org/TLS_README.html#client_tls_fprint
        http://www.postfix.org/TLS_README.html#client_tls_policy

--
        Viktor.

Re: authenticated smtp relay and ssl/tls

Noel Jones-2
In reply to this post by Fabien COMBERNOUS-4
On 4/12/2011 11:30 AM, Fabien COMBERNOUS wrote:

>> http://www.postfix.org/TLS_README.html#client_tls_levels
>> # main.cf
>> smtp_tls_security_level = may
>
> It is what I did:
> smtp_tls_security_level = may
> smtp_tls_session_cache_database =
> btree:/var/spool/postfix/tls/smtp_session_cache
>
> Now I get this message:
> postfix/smtp[3372]: certificate verification failed for
> smtp.gmail.com[209.85.227.109]:587: untrusted issuer
> /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
>
> I'm pretty surprised.
>

You're missing the Equifax root certificate.  But this is just
a warning, and won't prevent it from working.


   -- Noel Jones
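The three failures in this thread (the greeting timeout on port 465, the "530 Must issue a STARTTLS command first" bounce on 587, and the "untrusted issuer" warning once TLS was enabled) each have a distinct fingerprint in the postfix/smtp log. The triage script below is an added example, not code from the thread or from Postfix: it classifies such log lines and names the main.cf setting that the replies above point to. The recipient address, the third line's timestamp, the "status=sent" line and the CA bundle path are constructed placeholders.

```python
import re

# Sample lines constructed from the failures reported in this thread
# (recipient, the third line's timestamp and the final success line are placeholders)
SAMPLE_LOGS = [
    "Apr 12 15:12:57 dns postfix/smtp[94247]: DA42493725: to=<user@example.org>, "
    "relay=smtp.gmail.com[209.85.227.109]:465, delay=1174, delays=873/0.06/301/0, "
    "dsn=4.4.2, status=deferred (conversation with smtp.gmail.com[209.85.227.109] "
    "timed out while receiving the initial server greeting)",
    "Apr 12 11:21:58 dns postfix/smtp[83627]: 484E193000: to=<user@example.org>, "
    "relay=smtp.gmail.com[209.85.227.109]:587, delay=0.69, delays=0/0.01/0.6/0.08, "
    "dsn=5.7.0, status=bounced (host smtp.gmail.com[209.85.227.109] said: 530 5.7.0 "
    "Must issue a STARTTLS command first. a50sm3091196wer.42 (in reply to MAIL FROM command))",
    "Apr 12 17:30:00 dns postfix/smtp[3372]: certificate verification failed for "
    "smtp.gmail.com[209.85.227.109]:587: untrusted issuer "
    "/C=US/O=Equifax/OU=Equifax Secure Certificate Authority",
    "Apr 12 17:31:00 dns postfix/smtp[3372]: 1A2B3C4D5E: to=<user@example.org>, "
    "relay=smtp.gmail.com[209.85.227.109]:587, delay=1.2, delays=0.1/0/0.8/0.3, "
    "dsn=2.0.0, status=sent (250 2.0.0 OK)",
]

# Matches both "relay=host[ip]:port" (delivery lines) and "failed for host[ip]:port" (TLS lines)
RELAY_RE = re.compile(r"(?:relay=|failed for )(?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+)")

def triage(line):
    """Classify one postfix/smtp log line; returns (symptom, main.cf remedy) or None if healthy."""
    m = RELAY_RE.search(line)
    if m is None:
        return None
    host, port = m.group("host"), m.group("port")
    # Port 465 is SMTPS wrapper mode; the Postfix smtp client of that era only speaks
    # STARTTLS, so it waits for a plaintext greeting that never comes (newer Postfix
    # 3.0+ adds smtp_tls_wrappermode; the thread's answer is port 587 or stunnel).
    if "timed out while receiving the initial server greeting" in line and port == "465":
        return "wrapper-mode-port", f"relayhost = [{host}]:587  # or stunnel in front of 465"
    # The server demands STARTTLS but the client never offered it: TLS is off or not built in.
    if "Must issue a STARTTLS command first" in line:
        return "tls-not-enabled", "smtp_tls_security_level = may  # requires a TLS-enabled build"
    # TLS now works, but the issuer CA is not trusted; only a warning at level "may".
    if "certificate verification failed" in line and "untrusted issuer" in line:
        return "untrusted-issuer", ("smtp_tls_CAfile = /path/to/ca-bundle.pem  # placeholder; "
                                    "use smtp_tls_security_level = secure to enforce verification")
    return None

def triage_all(lines):
    """Return {symptom: remedy} for every distinct problem found in a batch of log lines."""
    found = {}
    for line in lines:
        hit = triage(line)
        if hit is not None:
            found[hit[0]] = hit[1]
    return found

if __name__ == "__main__":
    for symptom, remedy in triage_all(SAMPLE_LOGS).items():
        print(f"{symptom}: {remedy}")
```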

Re: authenticated smtp relay and ssl/tls

Fabien COMBERNOUS-4
In reply to this post by Fabien COMBERNOUS-4
On 12/04/2011 11:12, Fabien COMBERNOUS wrote:

>
> Hi there,
>
> Is it possible to ask postfix to relay mail to an authenticated smtp
> service? This remote smtp service is using ssl or tls. I know it is
> possible to relay mail to an authenticated smtp service but without
> ssl/tls.
>
> Any piece of information or howto about this is welcome.
>
> Best regards,
>
Thank you all for your help.

I got the last information here:
http://www.zulius.com/how-to/set-up-postfix-with-a-remote-smtp-relay-host/

Now the relay works fine.

Regards.

--
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com <http://www.kezia.com/>
*Tel: +33 (0) 467 992 986*
Kezia Group