On Tue, 07 Feb 2012 18:04:03 -0800 Nataraj <incoming-centos at rjl.com> wrote:

> On 02/07/2012 04:50 PM, Kumar Krishna wrote:
> > Hi List,
> >
> > I have a postfix server based on CentOS 5 in which I have been
> > trying to add TLS encryption support for SMTP.
> >
> > From the localhost when I do an EHLO, following is the output
> >
> > [root@xxxxxxx ~]# nc localhost 25
> > 220 xxxxxxx.xxxx.xxx.xx ESMTP Postfix
> > EHLO localhost
> > 250-xxxxxxx.xxxx.xxx.xx
> > 250-PIPELINING
> > 250-SIZE 41943040
> > 250-VRFY
> > 250-ETRN
> > 250-STARTTLS
> > 250-AUTH PLAIN LOGIN
> > 250-AUTH=PLAIN LOGIN
> > 250-ENHANCEDSTATUSCODES
> > 250-8BITMIME
> > 250 DSN
> >
> > However from a remote location when I do the EHLO, the response
> > does not contain STARTTLS, ENHANCEDSTATUSCODES and DSN
> >
> > krishna@L03:~$ nc xxxxxxx.xxxx.xxx.xx 25
> > 220 xxxxxxx.xxxx.xxx.xx ESMTP Postfix
> > EHLO localhost
> > 250-xxxxxxx.xxxx.xxx.xx
> > 250-PIPELINING
> > 250-SIZE 41943040
> > 250-VRFY
> > 250-ETRN
> > 250-AUTH PLAIN LOGIN
> > 250 8BITMIME
> >
> >
> > I have done some googling and found this might be because of the
> > Cisco Router's "ESMTP Fix". However, can someone here tell me if
> > there are any settings in master.cf or main.cf that might result in
> > similar behaviour?
> >
> > Regards,
> > KRiSHNA
> > _______________________________________________
> > CentOS mailing list
> > CentOS at centos.org
> > http://lists.centos.org/mailman/listinfo/centos
>
> From http://www.postfix.org/TLS_README.html
>
> By default, TLS is disabled in the Postfix SMTP server, so no
> difference to plain Postfix is visible. Explicitly switch it on with
> "smtpd_tls_security_level = may".
>
> /etc/postfix/main.cf:
>     smtpd_tls_security_level = may
>
> With this, the Postfix SMTP server announces STARTTLS support to
> remote SMTP clients, but does not require that clients use TLS
> encryption.
>
> My tls configuration looks something like this:
>
> # INCOMING TLS (smtpd server)
> smtpd_tls_security_level = may
> smtpd_note_starttls_offer = yes
> smtpd_tls_key_file = /etc/postfix/certs/tls.key
> smtpd_tls_cert_file = /etc/postfix/certs/tls.crt
> smtpd_tls_CAfile = /etc/postfix/certs/CAcert.crt
> smtpd_tls_CApath = /etc/postfix/certs
> smtpd_tls_loglevel = 1
>
> smtpd_tls_session_cache_timeout = 3600s
> tls_random_source = dev:/dev/urandom
>
> # OUTGOING TLS (SMTP transport)
> smtp_tls_loglevel = 1
> smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
> smtp_tls_security_level = may
> smtp_tls_note_starttls_offer = yes
>
> Nataraj

Thanks for the reply Nataraj, but still no joy. I tried adding
'smtp_tls_security_level = may' & 'smtpd_tls_security_level = may' to my
existing configuration, but it didn't help. Any ideas what else I might
need to change in the configuration?

Here is how my configuration looks:

#ENCRYPTION
#==========#
# Incoming
smtpd_tls_auth_only = no
smtpd_note_starttls_offer = yes
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_received_header = yes
tls_random_source = dev:/dev/urandom

# Outgoing
smtp_use_tls = yes
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may

Regards,
KRiSHNA
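The symptom in this thread, STARTTLS present in the EHLO reply on localhost but absent from the outside, is a classic sign of an inspecting device rewriting the banner, and it is easier to confirm with a repeatable probe than by eyeballing nc output. The following is an added example, not code from the thread or from Postfix; the sample replies are constructed and abridged from Krishna's two transcripts, and the hostnames and function names are assumptions.

```python
import socket

# Constructed samples, abridged from the two EHLO transcripts in the thread.
LOCAL_EHLO = """250-mail.example.invalid
250-PIPELINING
250-STARTTLS
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""
REMOTE_EHLO = """250-mail.example.invalid
250-PIPELINING
250-AUTH PLAIN LOGIN
250 8BITMIME"""


def parse_ehlo(reply):
    # Return the set of ESMTP keywords in a multi-line 250 reply. The first
    # 250 line carries the server hostname and is skipped; "250-" marks a
    # continuation line and "250 " the final line (RFC 5321, 4.1.1.1).
    keywords = set()
    lines = [ln for ln in reply.splitlines() if ln[:3] == "250"]
    for line in lines[1:]:
        text = line[4:].strip()
        if text:
            keywords.add(text.split()[0].upper())
    return keywords


def stripped_extensions(local_reply, remote_reply):
    """Keywords the server announces locally but a remote client never sees."""
    return parse_ehlo(local_reply) - parse_ehlo(remote_reply)


def _read_reply(f):
    # Read one SMTP reply; a "-" after the 3-digit code means more lines follow.
    lines = []
    while True:
        line = f.readline().decode("ascii", "replace")
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line.rstrip("\r\n"))
        if len(line) < 4 or line[3] != "-":
            return "\n".join(lines)


def fetch_ehlo(host, port=25, timeout=10):
    """Plain-TCP EHLO probe; run it on the server and from outside, then compare."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        _read_reply(f)  # 220 banner
        sock.sendall(b"EHLO probe.example.invalid\r\n")
        reply = _read_reply(f)
        sock.sendall(b"QUIT\r\n")
        return reply
```

Running fetch_ehlo against the same host from localhost and from a remote client, and feeding both replies to stripped_extensions, separates a Postfix configuration problem (STARTTLS missing everywhere) from a middlebox rewriting the reply in transit (STARTTLS missing only remotely).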