On 02/07/2012 09:50 PM, Kumar Krishna wrote:
> On Tue, 07 Feb 2012 18:04:03 -0800
> Nataraj <incoming-centos at rjl.com> wrote:
>
>> On 02/07/2012 04:50 PM, Kumar Krishna wrote:
>>> Hi List,
>>>
>>> I have a postfix server based on CentOS 5 in which I have been
>>> trying to add TLS encryption support for SMTP.
>>>
>>> From the localhost when I do an EHLO, the following is the output
>>>
>>> [root at xxxxxxx ~]# nc localhost 25
>>> 220 xxxxxxx.xxxx.xxx.xx ESMTP Postfix
>>> EHLO localhost
>>> 250-xxxxxxx.xxxx.xxx.xx
>>> 250-PIPELINING
>>> 250-SIZE 41943040
>>> 250-VRFY
>>> 250-ETRN
>>> 250-STARTTLS
>>> 250-AUTH PLAIN LOGIN
>>> 250-AUTH=PLAIN LOGIN
>>> 250-ENHANCEDSTATUSCODES
>>> 250-8BITMIME
>>> 250 DSN
>>>
>>> However from a remote location when I do the EHLO, the response
>>> does not contain STARTTLS, ENHANCEDSTATUSCODES and DSN
>>>
>>> krishna at L03:~$ nc xxxxxxx.xxxx.xxx.xx 25
>>> 220 xxxxxxx.xxxx.xxx.xx ESMTP Postfix
>>> EHLO localhost
>>> 250-xxxxxxx.xxxx.xxx.xx
>>> 250-PIPELINING
>>> 250-SIZE 41943040
>>> 250-VRFY
>>> 250-ETRN
>>> 250-AUTH PLAIN LOGIN
>>> 250 8BITMIME
>>>
>>>
>>> I have done some googling and found this might be because of the
>>> Cisco Router's "ESMTP Fix". However, can someone here tell me if
>>> there are any settings in master.cf or main.cf that might result in
>>> similar behaviour?
>>>
>>> Regards,
>>> KRiSHNA
>>> _______________________________________________
>>> CentOS mailing list
>>> CentOS at centos.org
>>> http://lists.centos.org/mailman/listinfo/centos
>>
>> From http://www.postfix.org/TLS_README.html
>>
>> By default, TLS is disabled in the Postfix SMTP server, so no
>> difference to plain Postfix is visible. Explicitly switch it on with
>> "smtpd_tls_security_level = may".
>>
>> /etc/postfix/main.cf:
>> smtpd_tls_security_level = may
>>
>> With this, the Postfix SMTP server announces STARTTLS support to
>> remote SMTP clients, but does not require that clients use TLS
>> encryption.
>>
>> My tls configuration looks something like this:
>>
>> # INCOMING TLS (smtpd server)
>> smtpd_tls_security_level = may
>> smtpd_note_starttls_offer = yes
>> smtpd_tls_key_file = /etc/postfix/certs/tls.key
>> smtpd_tls_cert_file = /etc/postfix/certs/tls.crt
>> smtpd_tls_CAfile = /etc/postfix/certs/CAcert.crt
>> smtpd_tls_CApath = /etc/postfix/certs
>> smtpd_tls_loglevel = 1
>>
>> smtpd_tls_session_cache_timeout = 3600s
>> tls_random_source = dev:/dev/urandom
>>
>> # OUTGOING TLS (SMTP transport)
>> smtp_tls_loglevel = 1
>> smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
>> smtp_tls_security_level = may
>> smtp_tls_note_starttls_offer = yes
>>
>> Nataraj
>
> Thanks for the reply Nataraj, but still no joy. I tried adding
> 'smtp_tls_security_level = may' & 'smtpd_tls_security_level = may' to my
> existing configuration, but it didn't help.
> Any ideas what else I might need to change in the configuration?
>
> Here is how my configuration looks:
>
> #ENCRYPTION
> #==========#
> # Incoming
> smtpd_tls_auth_only = no
> smtpd_note_starttls_offer = yes
> smtpd_use_tls = yes
> smtpd_tls_security_level = may
> smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
> smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
> smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_tls_received_header = yes
> tls_random_source = dev:/dev/urandom
>
> # Outgoing
> smtp_use_tls = yes
> smtp_tls_loglevel = 1
> smtp_tls_note_starttls_offer = yes
> smtp_tls_security_level = may
>
> Regards,
> KRiSHNA

Did you reload the configuration with 'postfix reload' or 'service postfix restart' after updating your config file? Have you set up certificates?

I suggest you read http://www.postfix.org/TLS_README.html

If you think you've set everything up correctly, run the command 'postconf -n | grep tls' and post the output.

You might also check the archives of the postfix mailing list. I'm sure there are extensive postings for issues like this.

Nataraj
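As an added example (not code from this thread, from Postfix, or from either poster): a small Python check that parses the two EHLO replies quoted above and reports which extensions the server advertises locally but a remote client never sees, which separates a main.cf problem (postconf shows the setting missing) from something on the path rewriting the reply. The embedded replies are the thread's own transcripts; fetch_ehlo is a hypothetical helper for running the same comparison against a live server from two vantage points.

```python
import socket

# Constructed samples: the two EHLO replies quoted in the thread (local vs remote).
LOCAL_EHLO = "\r\n".join(["250-xxxxxxx.xxxx.xxx.xx", "250-PIPELINING", "250-SIZE 41943040",
    "250-VRFY", "250-ETRN", "250-STARTTLS", "250-AUTH PLAIN LOGIN", "250-AUTH=PLAIN LOGIN",
    "250-ENHANCEDSTATUSCODES", "250-8BITMIME", "250 DSN"]) + "\r\n"
REMOTE_EHLO = "\r\n".join(["250-xxxxxxx.xxxx.xxx.xx", "250-PIPELINING", "250-SIZE 41943040",
    "250-VRFY", "250-ETRN", "250-AUTH PLAIN LOGIN", "250 8BITMIME"]) + "\r\n"

def parse_ehlo(reply: str) -> set:
    """Extension keywords from a multi-line EHLO reply (RFC 5321): '250-' is a
    continuation line, '250 ' the final line, and the first line carries the
    hostname, not an extension. The legacy 'AUTH=...' spelling folds into AUTH."""
    lines = [l.rstrip("\r") for l in reply.splitlines() if l.strip()]
    caps = set()
    for i, line in enumerate(lines):
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        if i > 0:
            caps.add(line[4:].replace("=", " ").split()[0].upper())
        if line[3] == " ":
            break  # final line reached; anything after it is not part of the reply
    return caps

def stripped_extensions(local_reply: str, remote_reply: str) -> set:
    """Extensions offered locally that the remote client does not see. STARTTLS here,
    with smtpd_tls_security_level=may in postconf -n, points at the network path."""
    return parse_ehlo(local_reply) - parse_ehlo(remote_reply)

def fetch_ehlo(host: str, port: int = 25, helo: str = "check.invalid", timeout: float = 10.0) -> str:
    """Collect a raw EHLO reply from a live server (hypothetical helper; needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        rfile.readline()  # single-line 220 greeting assumed, as in the thread
        sock.sendall(f"EHLO {helo}\r\n".encode("ascii"))
        out = []
        while True:
            line = rfile.readline().decode("latin-1")
            out.append(line)
            if not line or line[3:4] == " ":
                break
        sock.sendall(b"QUIT\r\n")
    return "".join(out)

if __name__ == "__main__":
    # Offline run over the samples; for a real server compare fetch_ehlo("localhost")
    # on the box with fetch_ehlo("<your-mx>") taken from an outside host.
    print("advertised locally but missing remotely:",
          sorted(stripped_extensions(LOCAL_EHLO, REMOTE_EHLO)))
```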