no response from postfix on submission port (or 465)


no response from postfix on submission port (or 465)

Alef Veld

It's open, but I just don't get any welcome message.

[ec2-user@www postfix]$ telnet localhost 587
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
ehlo www.example.com

maillog:

Aug 21 22:29:01 www postfix/smtpd[26978]: initializing the server-side TLS engine
Aug 21 22:29:01 www postfix/smtpd[26978]: connect from www.test.com[127.0.0.1]
Aug 21 22:29:01 www postfix/smtpd[26978]: setting up TLS connection from www.test.com[127.0.0.1]
Aug 21 22:29:01 www postfix/smtpd[26978]: www.test.com[127.0.0.1]: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
Aug 21 22:29:01 www postfix/smtpd[26978]: SSL_accept:before/accept initialization
Aug 21 22:29:01 www postfix/smtpd[26978]: read from 55795D643090 [55795D650B90] (11 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Aug 21 22:29:08 www postfix/smtpd[26978]: read from 55795D643090 [55795D650B90] (11 bytes => 11 (0xB))
Aug 21 22:29:08 www postfix/smtpd[26978]: 0000 65 68 6c 6f 20 77 77 77|2e 65 78                 ehlo www .ex
Aug 21 22:29:08 www postfix/smtpd[26978]: SSL_accept:error in SSLv2/v3 read client hello A
Aug 21 22:29:08 www postfix/smtpd[26978]: SSL_accept error from www.test.com[127.0.0.1]: -1
Aug 21 22:29:08 www postfix/smtpd[26978]: warning: TLS library problem: 26978:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:650:
Aug 21 22:29:08 www postfix/smtpd[26978]: lost connection after CONNECT from www.test.com[127.0.0.1]
Aug 21 22:29:08 www postfix/smtpd[26978]: disconnect from www.test.com[127.0.0.1]

I fear this has something to do with why I've been having problems with setting up the mail accounts on other systems as well. I get these -1 messages when I try to "auto discover" the mail server on iMac mail.app as well.

Usually switching to non-secure and then back to SSL fixes it. It has something to do with SSL, I'm sure. I'm using self-signed certificates and I can send and receive fine (dovecot and postfix).

Anyway just wondering. I should at least be able to get a welcome message?


Re: no response from postfix on submission port (or 465)

Noel Jones-2
On 8/21/2017 5:44 PM, Alef Veld wrote:

> It's open, but I just don't get any welcome message.
>
> |[ec2-user@www postfix]$ telnet localhost 587 Trying 127.0.0.1...
> Connected to localhost. Escape character is '^]'. ehlo
> www.example.com <http://www.example.com> |
>
> maillog:
>
> |Aug 21 22:29:01 www postfix/smtpd[26978]: initializing the
> server-side TLS engine Aug 21 22:29:01 www postfix/smtpd[26978]:
> connect from www.test.com <http://www.test.com>[127.0.0.1] Aug 21
> 22:29:01 www postfix/smtpd[26978]: setting up TLS connection from

[logs unreadable due to html markup. plain text only please]

>
> I fear this has something to do with why I've been having problems with
> setting up the mail accounts on other systems as well. I get these
> -1 messages when I try to "auto discover" the mail server on iMac
> mail.app as well.
>
> Usually switching to non-secure and then back to SSL fixes it. It
> has something to do with SSL, I'm sure. I'm using self-signed
> certificates and I can send and receive fine (dovecot and postfix).
>
> Anyway just wondering. I should at least be able to get a welcome
> message?
>
>


You should get a 220 greeting message on the submission port 587
unless you've mistakenly enabled smtpd_tls_wrappermode on that port.

To test smtps port 465, you'll need to use the openssl s_client
command to establish an encrypted connection.  Something like:
  openssl s_client -connect localhost:465
If that connection works, you'll get a screen full of key exchange
followed by a 220 greeting.

For more help, please show your "postconf -n" and the submission and
smtps entries you've made in master.cf.



  -- Noel Jones

Re: no response from postfix on submission port (or 465)

Peter Ajamian


On 22/08/17 10:44, Alef Veld wrote:
> It's open, but I just don't get any welcome message.

Do not set smtpd_tls_wrappermode for port 587.

> Usually switching to non secure and then back to SSL fixes it.

You'll be switching to SSL (as opposed to STARTTLS).  The appropriate
setting for port 587 is STARTTLS.


Peter

Re: no response from postfix on submission port (or 465)

Alef Veld
Hi Peter and Noel,
What is wrappermode?

I see I have it enabled both for submission and smtps. Is it enabled by default?
I can still send and receive email, although some clients seem to have problems with it.

These are my master.cf entries:
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
  -o smtpd_sender_restrictions=permit_sasl_authenticated,reject_sender_login_mismatch
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
  -o smtpd_sender_restrictions=permit_sasl_authenticated,reject_sender_login_mismatch
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

Apologies for the HTML logs earlier, I copied and pasted them, didn’t realize.


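Peter's advice applied to the entries in the message above, as an added example that is not part of the thread: a small master.cf check that flags wrapper mode on the submission service and a missing wrapper mode on smtps. The function names and the trimmed sample are assumptions; it also flags a submission entry whose `smtpd_tls_security_level` is not `encrypt`, the value used in Postfix's stock master.cf sample.

```python
import re

# The entries from the message above, trimmed to their TLS/SASL overrides.
MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=may
"""

SUBMISSION = {"submission", "587"}         # STARTTLS: plaintext 220 greeting first
SMTPS = {"smtps", "submissions", "465"}    # implicit TLS: handshake before any SMTP

def parse_master_cf(text):
    """Map each inet service to its -o overrides; main.cf values are not consulted."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():          # service lines start in column one
            name, kind = line.split()[:2]
            current = services.setdefault(name, {}) if kind == "inet" else None
        if current is not None:            # overrides on the entry or its continuations
            current.update(re.findall(r"-o\s+(\w+)=(\S+)", line))
    return services

def audit(text):
    """Return (service, problem) pairs where the TLS mode does not fit the port."""
    findings = []
    for name, opts in parse_master_cf(text).items():
        wrapper = opts.get("smtpd_tls_wrappermode", "no") == "yes"
        level = opts.get("smtpd_tls_security_level", "unset")
        if name in SUBMISSION and wrapper:
            findings.append((name, "wrappermode=yes: no 220 greeting, STARTTLS clients hang"))
        elif name in SUBMISSION and level != "encrypt":
            findings.append((name, f"security_level={level}: TLS is optional for clients"))
        if name in SMTPS and not wrapper:
            findings.append((name, "wrappermode missing: implicit-TLS clients fail"))
    return findings

# Corrected variant: no wrapper mode on submission, STARTTLS required there.
FIXED = MASTER_CF.replace("wrappermode=yes", "wrappermode=no", 1).replace(
    "security_level=may", "security_level=encrypt", 1)

if __name__ == "__main__":
    print(audit(MASTER_CF), audit(FIXED))
```
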


Re: no response from postfix on submission port (or 465)

Alef Veld

Now which clarifies things a lot. I'll probably keep 465 with wrapper mode to support Outlook Express or other clients which want it and put 587 without.

Thanks for the answer, I can now telnet to the port and get a greeting. I didn't understand it was encrypted, but that explains the logs as well.

I have an inkling this will fix the problems with my mac clients as well.

Sent from my iPhone

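The maillog in the first post already shows the cause the thread arrived at: smtpd was waiting for a TLS ClientHello and the client sent a plaintext `ehlo`. As an added example (not from the thread; the function names are assumptions), this sketch pairs each `SSL_accept error` with the bytes dumped just before it and labels them, which separates a client/port mode mismatch from a genuine TLS negotiation failure. The byte dump only appears when `smtpd_tls_loglevel` is raised.

```python
import re

# Excerpt of the maillog from the first post, copied as posted.
MAILLOG = """\
Aug 21 22:29:01 www postfix/smtpd[26978]: setting up TLS connection from www.test.com[127.0.0.1]
Aug 21 22:29:08 www postfix/smtpd[26978]: read from 55795D643090 [55795D650B90] (11 bytes => 11 (0xB))
Aug 21 22:29:08 www postfix/smtpd[26978]: 0000 65 68 6c 6f 20 77 77 77|2e 65 78                 ehlo www .ex
Aug 21 22:29:08 www postfix/smtpd[26978]: SSL_accept error from www.test.com[127.0.0.1]: -1
Aug 21 22:29:08 www postfix/smtpd[26978]: warning: TLS library problem: 26978:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:650:
"""

LINE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)")
DUMP = re.compile(r"[0-9a-f]{4} ((?:[0-9a-f]{2}[ |-])+)")
ERR = re.compile(r"SSL_accept error from (\S+): ")
SMTP_VERBS = {b"EHLO", b"HELO", b"MAIL", b"RCPT", b"AUTH", b"QUIT", b"NOOP", b"RSET"}

def classify(data):
    """Label the first bytes a client sent to a port that expected a TLS handshake."""
    if not data:
        return "no-dump"            # log level too low to show the bytes
    if data[0] == 0x16:
        return "tls-handshake"      # real handshake record: the failure is inside TLS
    if data[:4].upper() in SMTP_VERBS:
        return "plaintext-smtp"     # client expected a 220 greeting and STARTTLS
    return "other"

def failed_handshakes(log):
    """Return (client, label, first_bytes) for every SSL_accept error in the log."""
    bufs, reading, findings = {}, {}, []
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        buf = bufs.setdefault(pid, bytearray())
        if msg.startswith("setting up TLS connection"):
            buf.clear()             # new session handled by this smtpd process
        if msg.startswith(("read from", "write to")):
            reading[pid] = msg.startswith("read from")
        elif reading.get(pid) and (d := DUMP.match(msg)):
            buf += bytes.fromhex(re.sub(r"[ |-]", "", d.group(1)))
        elif (e := ERR.match(msg)):
            findings.append((e.group(1), classify(bytes(buf)), bytes(buf)))
            buf.clear()
    return findings

if __name__ == "__main__":
    for client, label, data in failed_handshakes(MAILLOG):
        print(client, label, data)
```
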


Re: no response from postfix on submission port (or 465)

Postfix User-2
On Tue, 22 Aug 2017 10:14:11 +0000, Alef Veld stated:

>Now which clarifies things a lot. I'll probably keep 465 with wrapper mode to
>support Outlook Express or other clients which want it and put 587 without.

MS Outlook Express was deprecated in Windows 7, way back in Oct 2009. It has
been years since I have seen anyone actually use it. I removed wrapper mode 5
years ago and never looked back.

--
Jerry

Re: no response from postfix on submission port (or 465)

Matus UHLAR - fantomas
>On Tue, 22 Aug 2017 10:14:11 +0000, Alef Veld stated:
>>Now which clarifies things a lot. I'll probably keep 465 with wrapper mode to
>>support Outlook Express or other clients which want it and put 587 without.

On 22.08.17 07:23, Postfix User wrote:
>MS Outlook Express was deprecated in Windows 7, way back in Oct 2009. It has
>been years since I have seen anyone actually use it. I removed wrapper mode 5
>years ago and never looked back.

I've seen comments from users/admins who recommend using SSL-only ports like
465, as opposed to 587 where plaintext is technically possible.

I've also seen problems where port 587 was blocked by antivirus trying to
scan the connection, where 465 went OK.

That's why I better provide both 587 and 465 on servers I maintain...

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
REALITY.SYS corrupted. Press any key to reboot Universe.

RE: no response from postfix on submission port (or 465)

Fazzina, Angelo
If anyone needs for future testing

openssl s_client -starttls smtp -connect mail6.uits.uconn.edu:587
openssl s_client -connect 137.99.26.36:465

Replace IP/hostname with yours.
-ALF



-Angelo Fazzina
Operating Systems Programmer / Analyst
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075

