Hi List,
I have a postfix server based on CentOS 5 in which I have been trying to add TLS encryption support for SMTP.
From the localhost when I do an EHLO, following is the output
[root@xxxxxxx ~]# nc localhost 25
220 xxxxxxx.xxxx.xxx.xx ESMTP Postfix
EHLO localhost
250-xxxxxxx.xxxx.xxx.xx
250-PIPELINING
250-SIZE 41943040
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
However, from a remote location when I do the EHLO, the response does not contain STARTTLS, ENHANCEDSTATUSCODES and DSN:
krishna@L03:~$ nc xxxxxxx.xxxx.xxx.xx 25
220 xxxxxxx.xxxx.xxx.xx ESMTP Postfix
EHLO localhost
250-xxxxxxx.xxxx.xxx.xx
250-PIPELINING
250-SIZE 41943040
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250 8BITMIME
I have done some googling and found this might be because of the Cisco Router's "ESMTP Fix". However, can someone here tell me if there are any settings in master.cf or main.cf that might result in similar behaviour?
Regards, KRiSHNA
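As an added example (not part of the thread or of Postfix), the script below parses the two EHLO transcripts posted above, embedded here as constructed sample strings, and reports which extensions the server advertises on localhost but the remote client never receives. It also includes a small live probe (host name, port and HELO name are assumed) so the same comparison can be run from both vantage points. Besides STARTTLS, ENHANCEDSTATUSCODES and DSN, the check flags the legacy "AUTH=" line, which the remote capture likewise lacks.

```python
"""Compare EHLO extension lists seen locally and remotely.

Added example, not from the thread. The two sample responses are
constructed from the transcripts posted in the thread.
"""
import socket

# Constructed sample: what the server answered on localhost.
LOCAL_EHLO = """250-xxxxxxx.xxxx.xxx.xx
250-PIPELINING
250-SIZE 41943040
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

# Constructed sample: what the remote client saw through the Cisco device.
REMOTE_EHLO = """250-xxxxxxx.xxxx.xxx.xx
250-PIPELINING
250-SIZE 41943040
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250 8BITMIME
"""


def parse_ehlo(response: str) -> dict:
    """Parse a multi-line 250 reply into {EXTENSION: parameters}.

    The first 250 line carries the server's host name, not an extension,
    so it is skipped. '250-' means more lines follow; '250 ' is the last.
    """
    extensions = {}
    lines = [ln.rstrip("\r") for ln in response.splitlines() if ln.strip()]
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected line in EHLO reply: {line!r}")
        body = line[4:].strip()            # drop '250-' or '250 '
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        if keyword.upper().startswith("AUTH="):
            # Legacy 'AUTH=mech ...' line that Postfix can emit for old clients
            keyword, params = "AUTH=", body[5:]
        extensions[keyword.upper()] = params
    return extensions


def missing_extensions(local: str, remote: str) -> set:
    """Extensions offered locally that the remote client never sees."""
    return set(parse_ehlo(local)) - set(parse_ehlo(remote))


def starttls_stripped(local: str, remote: str) -> bool:
    """True when STARTTLS is advertised locally but absent remotely."""
    return "STARTTLS" in missing_extensions(local, remote)


def _read_reply(f) -> str:
    """Read one (possibly multi-line) SMTP reply; '250-' continues, '250 ' ends."""
    lines = []
    while True:
        line = f.readline().decode("ascii", "replace")
        if not line:
            raise ConnectionError("connection closed mid-reply")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            break
    return "".join(lines)


def probe_ehlo(host: str, port: int = 25, helo_name: str = "probe.example",
               timeout: float = 10.0) -> str:
    """Live probe (assumed host/port): read the banner, send EHLO, return the raw reply.

    Run it from localhost and from a remote host, then feed both replies
    to missing_extensions(). Not exercised by the offline checks.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        _read_reply(f)                                  # 220 banner
        sock.sendall(f"EHLO {helo_name}\r\n".encode())
        reply = _read_reply(f)
        sock.sendall(b"QUIT\r\n")
        return reply


if __name__ == "__main__":
    print("missing remotely:", sorted(missing_extensions(LOCAL_EHLO, REMOTE_EHLO)))
```

The parser stores the legacy "AUTH=" line under its own key so that the standard "AUTH" line and the compatibility line are compared separately; a middlebox that rewrites the EHLO reply shows up as a non-empty difference, and a packet capture on the server (as done later in the thread) tells you which side of the path is responsible.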
On 02/07/2012 04:50 PM, Kumar Krishna wrote:
> [...]
_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
From http://www.postfix.org/TLS_README.html:

By default, TLS is disabled in the Postfix SMTP server, so no difference to plain Postfix is visible. Explicitly switch it on with "smtpd_tls_security_level = may".

/etc/postfix/main.cf:
    smtpd_tls_security_level = may
With this, the Postfix SMTP server announces STARTTLS support to remote SMTP clients, but does not require that clients use TLS encryption.
My TLS configuration looks something like this:
# INCOMING TLS (smtpd server)
smtpd_tls_security_level = may
smtpd_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/certs/tls.key
smtpd_tls_cert_file = /etc/postfix/certs/tls.crt
smtpd_tls_CAfile = /etc/postfix/certs/CAcert.crt
smtpd_tls_CApath = /etc/postfix/certs
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

# OUTGOING TLS (SMTP transport)
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
Nataraj
On Tue, 07 Feb 2012 18:04:03 -0800 Nataraj incoming-centos@rjl.com wrote:
> [...]
Thanks for the reply Nataraj, but still no joy. I tried adding 'smtp_tls_security_level = may' & 'smtpd_tls_security_level = may' to my existing configuration, but it didn't help. Any ideas what else I might need to change in the configuration?
Here is how my configuration looks:
#ENCRYPTION
#==========#
# Incoming
smtpd_tls_auth_only = no
smtpd_note_starttls_offer = yes
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_received_header = yes
tls_random_source = dev:/dev/urandom

# Outgoing
smtp_use_tls = yes
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
Regards, KRiSHNA
On 02/07/2012 09:50 PM, Kumar Krishna wrote:
> [...]
Did you reload the configuration with 'postfix reload' or 'service postfix restart' after updating your config file?
Have you set up certificates? I suggest you read http://www.postfix.org/TLS_README.html

If you think you've set everything up correctly, run the command 'postconf -n | grep tls' and post the output. You might also check the archives of the postfix mailing list. I'm sure there are extensive postings for issues like this.
Nataraj
On 02/07/2012 09:50 PM, Kumar Krishna wrote:
> [...]
It is also possible to configure postfix so that it uses TLS but does not announce the availability of STARTTLS. If somebody did this on your system you would have "smtpd_tls_wrappermode=yes" somewhere in your master.cf file, something like this.
/etc/postfix/master.cf:
    smtps     inet  n       -       n       -       -       smtpd
      -o smtpd_tls_wrappermode=yes
Nataraj
On Tue, 07 Feb 2012 18:04:03 -0800 Nataraj incoming-centos@rjl.com wrote:
> [...]
Yes, I did restart postfix. I ran tcpdump on the mail server while connecting to it from a remote location and then analysed the dump file. It seems that the server is working fine and offering STARTTLS, but the Cisco Router en route is messing things up.
Regards, KRiSHNA
On Wed, Feb 8, 2012 at 12:36 AM, Kumar Krishna krishnak5891@gmail.com wrote:
> Yes, I did restart postfix. I ran tcpdump on the mail server while connecting to it from a remote location and then analysed the dump file. It seems that the server is working fine and offering STARTTLS, but the Cisco Router en route is messing things up.
A normal router shouldn't interfere. Is this a PIX or ASA firewall? I haven't used one for a few years but you used to have to do a
    no fixup protocol smtp 25
to get them to pass things correctly.
On Wed, 8 Feb 2012 17:09:51 -0600 Les Mikesell lesmikesell@gmail.com wrote:
> On Wed, Feb 8, 2012 at 12:36 AM, Kumar Krishna krishnak5891@gmail.com wrote:
>> [...]
> A normal router shouldn't interfere. Is this a PIX or ASA firewall? I haven't used one for a few years but you used to have to do a
>     no fixup protocol smtp 25
> to get them to pass things correctly.
I believe it is a PIX or ASA firewall.
On Sat, Feb 11, 2012 at 3:21 AM, Kumar Krishna krishnak5891@gmail.com wrote:
> [...]
> I believe it is a PIX or ASA firewall.
In that case it is very likely to be the problem.