On Tue, 07 Feb 2012 18:04:03 -0800 Nataraj <incoming-centos at rjl.com> wrote: > On 02/07/2012 04:50 PM, Kumar Krishna wrote: > > Hi List, > > > > I have a postfix server based on CentOS 5 in which I have been > > trying to add TLS encryption support for SMTP. > > > > >From the localhost when I do an EHLO, following is the output > > > > [root at xxxxxxx ~]# nc localhost 25 > > 220 xxxxxxx.xxxx.xxx.xx ESMTP Postfix > > EHLO localhost > > 250-xxxxxxx.xxxx.xxx.xx > > 250-PIPELINING > > 250-SIZE 41943040 > > 250-VRFY > > 250-ETRN > > 250-STARTTLS > > 250-AUTH PLAIN LOGIN > > 250-AUTH=PLAIN LOGIN > > 250-ENHANCEDSTATUSCODES > > 250-8BITMIME > > 250 DSN > > > > However from a remote location when I do the EHLO, the response > > does not contains STARTTLS, ENHANCEDSTATUSCODES and DSN > > > > krishna at L03:~$ nc xxxxxxx.xxxx.xxx.xx 25 > > 220 xxxxxxx.xxxx.xxx.xx ESMTP Postfix > > EHLO localhost > > 250-xxxxxxx.xxxx.xxx.xx > > 250-PIPELINING > > 250-SIZE 41943040 > > 250-VRFY > > 250-ETRN > > 250-AUTH PLAIN LOGIN > > 250 8BITMIME > > > > > > I have done some googling and found this might be because of the > > Cisco Router's "ESMTP Fix". However Can someone here tell me if > > there are any settings in master.cf or main.cf that might result in > > similar behaviour? > > > > Regards, > > KRiSHNA > > _______________________________________________ > > CentOS mailing list > > CentOS at centos.org > > http://lists.centos.org/mailman/listinfo/centos > > >From http://www.postfix.org/TLS_README.html > > By default, TLS is disabled in the Postfix SMTP server, so no > difference to plain Postfix is visible. Explicitly switch it on with > "smtpd_tls_security_level = may". /etc/postfix/main.cf: > smtpd_tls_security_level = may > > With this, the Postfix SMTP server announces STARTTLS support to > remote SMTP clients, but does not require that clients use TLS > encryption. > > > > My tls configuration looks something like this: > > # INCOMING TLS (smtpd server) > smtpd_tls_security_level = may > smtpd_note_starttls_offer = yes > smtpd_tls_key_file = /etc/postfix/certs/tls.key > smtpd_tls_cert_file = /etc/postfix/certs/tls.crt > smtpd_tls_CAfile = /etc/postfix/certs/CAcert.crt > smtpd_tls_CApath = /etc/postfix/certs > smtpd_tls_loglevel = 1 > > smtpd_tls_session_cache_timeout = 3600s > tls_random_source = dev:/dev/urandom > > # OUTGOING TLS (SMTP transport) > smtp_tls_loglevel = 1 > smtp_tls_session_cache_database = > btree:/var/run/smtp_tls_session_cache smtp_tls_security_level = may > smtp_tls_note_starttls_offer = yes > > > Nataraj > Yes, I did restarted postfix. I ran tcpdump on the mail server while connecting to it from a remote location and then analysed the dump file. It seems that the server is working fine and offering STARTTLS, but the Cisco Router en route is messing things up. Regards, KRiSHNA