lost connection after STARTTLS from localhost[127.0.0.1]

lost connection after STARTTLS from localhost[127.0.0.1]

wp.rauchholz
Good day.

I am trying to get a webmail client up and running. It works fine w/o
security settings. But when I try to implement STARTTLS on port 587 I lose
connection to localhost as described in Subject.

My config is the following:
CENTOS 7.6, postfix-2.10.1-7.el7.x86_64, dovecot-2.2.36-3.el7.x86_64
I'd appreciate it very much if somebody could point me to the mistake in my config.

Saludos, Wolfgang


Here is my config
master.cf

smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
dovecot   unix  -       n       n       -       -       pipe
    flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
smtp-amavis unix -      -       n       -       2       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet n    -     n       -       -       smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000

postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
home_mailbox = Maildir/
html_directory = no
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = wo-lar.com
myhostname = home.wo-lar.com
mynetworks = 10.5.2.0/24, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_unknown_helo_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/letsencrypt/live/wo-lar.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/wo-lar.com/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
unknown_local_recipient_reject_code = 550
Re: lost connection after STARTTLS from localhost[127.0.0.1]

Wietse Venema
wp.rauchholz:
> Good day.
>
> I am trying to get a webmail client up and running. It works fine w/o
> security settings. But when I try to implement STARTTLS on port 587 I lose
> connection to localhost as described in Subject.

Does the webmail client provide any clues about why it is hanging up?

        Wietse
Re: lost connection after STARTTLS from localhost[127.0.0.1]

wp.rauchholz
Unfortunately not.
I am using roundcubemail, there is nothing in the log files.

Wolfgang

On Mon, Dec 17, 2018 at 12:48 PM Wietse Venema <[hidden email]> wrote:
> wp.rauchholz:
> > Good day.
> >
> > I am trying to get a webmail client up and running. It works fine w/o
> > security settings. But when I try to implement STARTTLS on port 587 I lose
> > connection to localhost as described in Subject.
>
> Does the webmail client provide any clues about why it is hanging up?
>
>         Wietse


--

Wolfgang Rauchholz

Re: lost connection after STARTTLS from localhost[127.0.0.1]

Benny Pedersen-2
Wolfgang Paul Rauchholz wrote on 2018-12-17 13:06:
> Unfortunately not.
> I am using roundcubemail, there is nothing in the log files.


$config['default_host'] = 'ssl://localhost';
$config['default_port'] = 993;
$config['imap_conn_options'] = array(
  'ssl' => array(
      'verify_peer'  => false,
      'verify_peer_name'  => false,
  ),
);
$config['smtp_server'] = 'ssl://localhost';
$config['smtp_port'] = 465;
$config['smtp_conn_options'] = array(
    'ssl'         => array(
      'verify_peer'  => false,
      'verify_peer_name'  => false,
    ),
);
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';
$config['smtp_helo_host'] = 'localhost.example.org';
$config['smtp_log'] = false;

works for me :=)
Re: lost connection after STARTTLS from localhost[127.0.0.1]

Viktor Dukhovni
On Mon, Dec 17, 2018 at 01:28:56AM -0700, wp.rauchholz wrote:

> I am trying to get a webmail client up and running. It works fine w/o
> security settings. But when I try to implement STARTTLS on port 587 I lose
> connection to localhost as described in Subject.

Note that the "lost connection to localhost" is an issue when sending
email, while TLS on port 587 is inbound email, only tangentially
related to the reported problem.  STARTTLS on ports 25 and 587 is
working just fine for your domain.

> smtp-amavis unix -      -       n       -       2       smtp
>     -o smtp_data_done_timeout=1200
>     -o smtp_send_xforward_command=yes
>     -o disable_dns_lookups=yes

Here you may want to also add:

      -o smtp_tls_security_level=none

> postconf -n
> content_filter = smtp-amavis:[127.0.0.1]:10024

Your amavis content filter is on localhost, and may not handle
STARTTLS correctly.

> smtp_tls_security_level = may

But you try TLS if offered.  You can also disable TLS in the
port 10025 post-filter service:

> 127.0.0.1:10025 inet n    -     n       -       -       smtpd
>     -o content_filter=
>     -o local_recipient_maps=
>     -o relay_recipient_maps=
>     -o smtpd_restriction_classes=
>     -o smtpd_client_restrictions=
>     -o smtpd_helo_restrictions=
>     -o smtpd_sender_restrictions=
>     -o smtpd_recipient_restrictions=permit_mynetworks,reject
>     -o mynetworks=127.0.0.0/8
>     -o strict_rfc821_envelopes=yes
>     -o smtpd_error_sleep_time=0
>     -o smtpd_soft_error_limit=1001
>     -o smtpd_hard_error_limit=1000

by adding:

      -o smtpd_tls_security_level=none

There's no need for TLS on the loopback interface except in the
unlikely case that you're authenticating to an LMTP server with
client certificates, or the loopback SMTP service is actually a TCP
tunnel to a remote destination.

--
        Viktor.
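The two overrides Viktor recommends are easy to forget when a content filter is added later, so here is a small audit script that checks for them. It is an added example, not code from this thread or from the Postfix project. It parses master.cf (8-column service lines, whitespace-indented continuation lines and per-service "-o" overrides), takes the main.cf content_filter value as a second argument, and reports any loopback-bound smtpd service or loopback-destined smtp transport whose TLS security level is not "none". The sample master.cf below is a constructed excerpt of Wolfgang's configuration with the two overrides missing; the function names are my own and the parser assumes Postfix 2.x syntax (no "{ }" quoting of option values).

```python
"""Audit master.cf for TLS still enabled on loopback content-filter hops."""
import ipaddress
import re

# Constructed excerpt of the master.cf posted in the thread, before the fix.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
smtp-amavis unix -      -       n       -       2       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet n    -     n       -       -       smtpd
    -o content_filter=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
"""

# Same excerpt with the two overrides suggested in the thread applied.
FIXED_MASTER_CF = SAMPLE_MASTER_CF.replace(
    "    -o disable_dns_lookups=yes\n",
    "    -o disable_dns_lookups=yes\n    -o smtp_tls_security_level=none\n",
).replace(
    "    -o mynetworks=127.0.0.0/8\n",
    "    -o mynetworks=127.0.0.0/8\n    -o smtpd_tls_security_level=none\n",
)

# Value of content_filter from main.cf, as posted in the thread.
CONTENT_FILTER = "smtp-amavis:[127.0.0.1]:10024"

INHERITED = "<inherited from main.cf>"


def parse_master_cf(text):
    """Return {service_name: {type, command, options}} from master.cf text."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            # Continuation line: belongs to the most recent service entry.
            if not services:
                raise ValueError("continuation line before any service entry")
            services[-1]["args"].extend(raw.split())
            continue
        fields = raw.split()
        if len(fields) < 8:
            raise ValueError("malformed service line: %r" % raw)
        services.append({"name": fields[0], "type": fields[1],
                         "command": fields[7], "args": fields[8:]})
    result = {}
    for svc in services:
        options, args, i = {}, svc["args"], 0
        while i < len(args):
            # "-o name=value" overrides a main.cf parameter for this service only.
            if args[i] == "-o" and i + 1 < len(args):
                key, _, value = args[i + 1].partition("=")
                options[key] = value
                i += 2
            else:
                i += 1
        result[svc["name"]] = {"type": svc["type"], "command": svc["command"],
                               "options": options}
    return result


def is_loopback(host):
    """True for localhost, 127.0.0.0/8 and ::1 (brackets tolerated)."""
    host = host.strip("[]")
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_loopback_tls(master_cf_text, content_filter):
    """List (service, parameter, current value) where TLS is still negotiated
    on a loopback hop.  Empty list means both overrides are in place."""
    services = parse_master_cf(master_cf_text)
    findings = []
    # Client side: the transport named in content_filter, if it points at loopback.
    transport, _, nexthop = content_filter.partition(":")
    m = re.match(r"\[?([^\]:]+)\]?(?::\d+)?$", nexthop)
    svc = services.get(transport)
    if svc and m and svc["command"] == "smtp" and is_loopback(m.group(1)):
        level = svc["options"].get("smtp_tls_security_level", INHERITED)
        if level != "none":
            findings.append((transport, "smtp_tls_security_level", level))
    # Server side: every smtpd service bound to a loopback address.
    for name, svc in services.items():
        if svc["type"] != "inet" or svc["command"] != "smtpd" or ":" not in name:
            continue
        if not is_loopback(name.rsplit(":", 1)[0]):
            continue
        level = svc["options"].get("smtpd_tls_security_level", INHERITED)
        if level != "none":
            findings.append((name, "smtpd_tls_security_level", level))
    return findings


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_MASTER_CF), ("after", FIXED_MASTER_CF)):
        print(label, audit_loopback_tls(text, CONTENT_FILTER))
```

Run against the unfixed excerpt it reports both the smtp-amavis transport and the 127.0.0.1:10025 listener as inheriting "may" from main.cf; against the fixed excerpt it reports nothing. To check a live system, feed it the real file contents and the output of `postconf -h content_filter`.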