On 02/07/2012 09:50 PM, Kumar Krishna wrote:
On Tue, 07 Feb 2012 18:04:03 -0800 Nataraj incoming-centos@rjl.com wrote:
On 02/07/2012 04:50 PM, Kumar Krishna wrote:
Hi List,
I have a postfix server based on CentOS 5 in which I have been trying to add TLS encryption support for SMTP.
From the localhost when I do an EHLO, following is the output
[root@xxxxxxx ~]# nc localhost 25 220 xxxxxxx.xxxx.xxx.xx ESMTP Postfix EHLO localhost 250-xxxxxxx.xxxx.xxx.xx 250-PIPELINING 250-SIZE 41943040 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
However from a remote location when I do the EHLO, the response does not contains STARTTLS, ENHANCEDSTATUSCODES and DSN
krishna@L03:~$ nc xxxxxxx.xxxx.xxx.xx 25 220 xxxxxxx.xxxx.xxx.xx ESMTP Postfix EHLO localhost 250-xxxxxxx.xxxx.xxx.xx 250-PIPELINING 250-SIZE 41943040 250-VRFY 250-ETRN 250-AUTH PLAIN LOGIN 250 8BITMIME
I have done some googling and found this might be because of the Cisco Router's "ESMTP Fix". However Can someone here tell me if there are any settings in master.cf or main.cf that might result in similar behaviour?
Regards, KRiSHNA _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos From http://www.postfix.org/TLS_README.html
By default, TLS is disabled in the Postfix SMTP server, so no difference to plain Postfix is visible. Explicitly switch it on with "smtpd_tls_security_level = may". /etc/postfix/main.cf: smtpd_tls_security_level = may
With this, the Postfix SMTP server announces STARTTLS support to remote SMTP clients, but does not require that clients use TLS encryption.
My tls configuration looks something like this:
# INCOMING TLS (smtpd server) smtpd_tls_security_level = may smtpd_note_starttls_offer = yes smtpd_tls_key_file = /etc/postfix/certs/tls.key smtpd_tls_cert_file = /etc/postfix/certs/tls.crt smtpd_tls_CAfile = /etc/postfix/certs/CAcert.crt smtpd_tls_CApath = /etc/postfix/certs smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s tls_random_source = dev:/dev/urandom
# OUTGOING TLS (SMTP transport) smtp_tls_loglevel = 1 smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache smtp_tls_security_level = may smtp_tls_note_starttls_offer = yes
Nataraj
Thanks for the reply Nataraj, but still no joy. I tried adding 'smtp_tls_security_level = may' & 'smtpd_tls_security_level = may' to my existing configuration, but it didn't helped. Any ideas what else I might need to change in the configuration?
Here is how my configuration looks like
#ENCRYPTION #==========# # Incoming smtpd_tls_auth_only = no smtpd_note_starttls_offer = yes smtpd_use_tls = yes smtpd_tls_security_level = may smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem smtpd_tls_loglevel = 1 smtpd_tls_session_cache_timeout = 3600s smtpd_tls_received_header = yes tls_random_source = dev:/dev/urandom
# Outgoing smtp_use_tls = yes smtp_tls_loglevel = 1 smtp_tls_note_starttls_offer = yes smtp_tls_security_level = may
Regards, KRiSHNA _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
It is also possible to configure postfix so that it uses TLS but does not announce the availability of STARTTLS. If somebody did this on your system you would have "smtpd_tls_wrappermode=yes" somewhere in your master.cf file, something like this.
/etc/postfix/master.cf:
smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes
Nataraj