Surefoot3
asked on
530 5.7.0 Must issue a STARTTLS command first


I have Red Hat 9 and I've followed the "Gmail on Home Linux Box using Postfix and Fetchmail" instructions with what I thought was great success (I didn't see any errors through the process). I've got the fetchmail piece working just fine, but I just can't seem to find what I've done wrong with the postfix config. I've searched Google for the error below and got some hits but no answers that fixed my problem. You can see the error log below.

Postfix Error: 530 5.7.0 Must issue a STARTTLS command first

My Network Arch
lnxsrv01.domain01.sw(RH9, Postfix) --> Cisco Firewall--> INTERNET-->smtp.google.com

Can you point me in a direction to figure out what is causing this.

Thanks for your help
Dave

 /var/log/maillog
Apr  7 14:57:54 lnxsrv01 postfix/qmgr[4584]: A5BF21C050: from=<root@domain01.sw>, size=428, nrcpt=1 (queue active)
Apr  7 14:57:54 lnxsrv01 postfix/smtp[4587]: initializing the client-side TLS engine
Apr  7 14:57:54 lnxsrv01 postfix/smtp[4587]: A5BF21C050: to=<user100@companyx.com>, relay=smtp.gmail.com[64.233.167.109], delay=10, status=bounced (host smtp.gmail.com[64.233.167.109] said: 530 5.7.0 Must issue a STARTTLS command first v50sm12660pyv (in reply to MAIL FROM command))
Apr  7 14:57:54 lnxsrv01 postfix/cleanup[4585]: D987D1C052: message-id=<20060407185754.D987D1C052@lnxsrv01.domain01.sw>
Apr  7 14:57:54 lnxsrv01 postfix/qmgr[4584]: D987D1C052: from=<>, size=2346, nrcpt=1 (queue active)
Apr  7 14:57:54 lnxsrv01 postfix/qmgr[4584]: A5BF21C050: removed
Apr  7 14:57:55 lnxsrv01 postfix/smtp[4587]: D987D1C052: to=<root@domain01.sw>, relay=smtp.gmail.com[64.233.167.111], delay=1, status=bounced (host smtp.gmail.com[64.233.167.111] said: 530 5.7.0 Must issue a STARTTLS command first d13sm44592pyd (in reply to MAIL FROM command))
Apr  7 14:57:55 lnxsrv01 postfix/qmgr[4584]: D987D1C052: removed

Not to confuse the issue, but I was doing some troubleshooting by taking postfix out of the equation by using the openssl s_client command, and I get the following error message from smtp.gmail.com: 502 5.5.1 Unrecognized command after the STARTTLS has been issued, which results in SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:601. Does this help?


lnxsrv01:/root# openssl s_client -starttls smtp -debug -CApath /usr/share/ssl/certs/ -connect smtp.gmail.com:25
CONNECTED(00000003)
read from 08194320 [08174D80] (8192 bytes => 39 (0x27))
0000 - 32 32 30 20 2a 2a 2a 2a-2a 2a 2a 2a 2a 2a 2a 2a   220 ************
0010 - 2a 2a 2a 2a 2a 2a 2a 2a-2a 2a 2a 2a 2a 2a 2a 2a   ****************
0020 - 2a 2a 2a 2a 2a 0d 0a                                            *****..
write to 08194320 [BFFFEAA0] (21 bytes => 21 (0x15))
0000 - 45 48 4c 4f 20 73 6f 6d-65 2e 68 6f 73 74 2e 6e   EHLO some.host.n
0010 - 61 6d 65 0d 0a                                                   ame..
read from 08194320 [08174D80] (8192 bytes => 106 (0x6A))
0000 - 32 35 30 2d 6d 78 2e 67-6d 61 69 6c 2e 63 6f 6d   250-mx.gmail.com
0010 - 20 61 74 20 79 6f 75 72-20 73 65 72 76 69 63 65    at your service
0020 - 0d 0a 32 35 30 2d 53 49-5a 45 20 32 30 39 37 31   ..250-SIZE 20971
0030 - 35 32 30 0d 0a 32 35 30-2d 38 42 49 54 4d 49 4d   520..250-8BITMIM
0040 - 45 0d 0a 32 35 30 2d 58-58 58 58 58 58 58 41 0d   E..250-XXXXXXXA.
0050 - 0a 32 35 30 20 45 4e 48-41 4e 43 45 44 53 54 41   .250 ENHANCEDSTA
0060 - 54 55 53 43 4f 44 45 53-0d 0a                               TUSCODES..
write to 08194320 [BFFFEAA0] (10 bytes => 10 (0xA))
0000 - 53 54 41 52 54 54 4c 53-0d 0a                               STARTTLS..
read from 08194320 [08172D78] (8192 bytes => 47 (0x2F))
0000 - 35 30 32 20 35 2e 35 2e-31 20 55 6e 72 65 63 6f    502 5.5.1 Unreco
0010 - 67 6e 69 7a 65 64 20 63-6f 6d 6d 61 6e 64 20 32    gnized command 2
0020 - 34 73 6d 33 32 38 30 30-39 31 6e 7a 6e 0d 0a       4sm3280091nzn..
write to 08194320 [081AF8D0] (148 bytes => 148 (0x94))
0000 - 80 92 01 03 01 00 69 00-00 00 20 00 00 39 00 00   ......i... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03   ..3..2../.......
0030 - 00 80 00 00 66 00 00 05-00 00 04 01 00 80 08 00   ....f...........
0040 - 80 00 00 63 00 00 62 00-00 61 00 00 15 00 00 12   ...c..b..a......
0050 - 00 00 09 06 00 40 00 00-65 00 00 64 00 00 60 00   .....@..e..d..`.
0060 - 00 14 00 00 11 00 00 08-00 00 06 04 00 80 00 00   ................
0070 - 03 02 00 80 b0 c3 5e 1d-87 5a ea 1c 64 d5 ef 94   ......^..Z..d...
0080 - 17 c0 9b b0 84 cc a5 68-75 2f 18 7e 76 1d ea 3f   .......hu/.~v..?
0090 - 2d dc 1c c4                                       -...
read from 08194320 [081B4E30] (7 bytes => 7 (0x7))
0000 - 35 30 32 20 35 2e 35                              502 5.5
11686:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:601:
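The openssl -debug dump above already contains the diagnosis, it is just awkward to read in hex. As an added example (not part of the original post, and not the asker's code), here is a small Python script that rebuilds the bytes from the hex column, replays the SMTP dialogue, and checks the two things that matter: whether the EHLO reply advertised STARTTLS at all, and what code the server returned to the STARTTLS command. In the posted dump the command gets a 502; the 148-byte write that follows it (beginning 80 92 01 03 01, an SSLv2-compatible ClientHello) is openssl of that vintage starting the TLS handshake regardless, and the server answers that with more SMTP text ("502 5.5"), which is exactly what SSL23_GET_SERVER_HELLO reports as "unknown protocol". The sample input is the posted dump trimmed to the SMTP part; the capability masked as XXXXXXXA in the post is left as posted.

```python
import re
from collections import namedtuple

# Constructed sample: the SMTP part of the openssl s_client -starttls smtp -debug
# session quoted in the question above, hex-dump lines verbatim.
SAMPLE_DUMP = """\
read from 08194320 [08174D80] (8192 bytes => 39 (0x27))
0000 - 32 32 30 20 2a 2a 2a 2a-2a 2a 2a 2a 2a 2a 2a 2a   220 ************
0010 - 2a 2a 2a 2a 2a 2a 2a 2a-2a 2a 2a 2a 2a 2a 2a 2a   ****************
0020 - 2a 2a 2a 2a 2a 0d 0a                                            *****..
write to 08194320 [BFFFEAA0] (21 bytes => 21 (0x15))
0000 - 45 48 4c 4f 20 73 6f 6d-65 2e 68 6f 73 74 2e 6e   EHLO some.host.n
0010 - 61 6d 65 0d 0a                                                   ame..
read from 08194320 [08174D80] (8192 bytes => 106 (0x6A))
0000 - 32 35 30 2d 6d 78 2e 67-6d 61 69 6c 2e 63 6f 6d   250-mx.gmail.com
0010 - 20 61 74 20 79 6f 75 72-20 73 65 72 76 69 63 65    at your service
0020 - 0d 0a 32 35 30 2d 53 49-5a 45 20 32 30 39 37 31   ..250-SIZE 20971
0030 - 35 32 30 0d 0a 32 35 30-2d 38 42 49 54 4d 49 4d   520..250-8BITMIM
0040 - 45 0d 0a 32 35 30 2d 58-58 58 58 58 58 58 41 0d   E..250-XXXXXXXA.
0050 - 0a 32 35 30 20 45 4e 48-41 4e 43 45 44 53 54 41   .250 ENHANCEDSTA
0060 - 54 55 53 43 4f 44 45 53-0d 0a                               TUSCODES..
write to 08194320 [BFFFEAA0] (10 bytes => 10 (0xA))
0000 - 53 54 41 52 54 54 4c 53-0d 0a                               STARTTLS..
read from 08194320 [08172D78] (8192 bytes => 47 (0x2F))
0000 - 35 30 32 20 35 2e 35 2e-31 20 55 6e 72 65 63 6f    502 5.5.1 Unreco
0010 - 67 6e 69 7a 65 64 20 63-6f 6d 6d 61 6e 64 20 32    gnized command 2
0020 - 34 73 6d 33 32 38 30 30-39 31 6e 7a 6e 0d 0a       4sm3280091nzn..
"""

Chunk = namedtuple("Chunk", "direction data")   # "server" for read, "client" for write
HEX_LINE = re.compile(r"^[0-9a-fA-F]{4} - (.*)$")


def parse_openssl_debug(dump):
    """Rebuild the raw bytes of each read/write from openssl -debug output.
    Only the hex column is used; the ASCII column on the right is ignored."""
    chunks = []
    for line in dump.splitlines():
        if line.startswith("read from"):
            chunks.append(Chunk("server", bytearray()))
        elif line.startswith("write to"):
            chunks.append(Chunk("client", bytearray()))
        elif chunks and (m := HEX_LINE.match(line)):
            # hex bytes are separated by one space or a '-'; two or more spaces start the ASCII column
            hexpart = re.split(r"\s{2,}", m.group(1).strip(), maxsplit=1)[0]
            tokens = [t for t in re.split(r"[ -]", hexpart) if re.fullmatch(r"[0-9a-fA-F]{2}", t)]
            chunks[-1].data.extend(bytes.fromhex("".join(tokens)))
    return chunks


def conversation(chunks):
    """Flatten the chunks into (direction, line) turns, splitting on CRLF."""
    turns = []
    for c in chunks:
        for raw in bytes(c.data).split(b"\r\n"):
            if raw:
                turns.append((c.direction, raw.decode("ascii", "replace")))
    return turns


def diagnose_starttls(dump):
    """Was STARTTLS advertised in the EHLO reply, and how did the server answer STARTTLS?"""
    caps, reply, state = set(), None, None
    for who, line in conversation(parse_openssl_debug(dump)):
        if who == "client":
            cmd = line.split(" ", 1)[0].upper()
            state = {"EHLO": "ehlo-greeting", "STARTTLS": "starttls"}.get(cmd)
        elif state == "ehlo-greeting":
            # the first 250 line ("250-host at your service") is text, not a capability
            state = "ehlo" if line.startswith("250-") else None
        elif state == "ehlo" and line.startswith("250"):
            caps.add(line[4:].split(" ", 1)[0].upper())
            if line[3:4] == " ":          # "250 " (space) is the last line of the reply
                state = None
        elif state == "starttls":
            reply = line[:3]
            state = None
    return {"starttls_advertised": "STARTTLS" in caps,
            "capabilities": sorted(caps), "starttls_reply": reply}


def explain(result):
    """Turn the diagnosis into the conclusion a practitioner would draw."""
    if result["starttls_advertised"] and (result["starttls_reply"] or "").startswith("220"):
        return "STARTTLS advertised and accepted; TLS can be negotiated on this port"
    if not result["starttls_advertised"]:
        return ("STARTTLS not advertised in EHLO and the command was refused (%s): no TLS is "
                "possible on this port, so a client that requires TLS cannot deliver here; "
                "try the relay's submission port (the fix in this thread was [smtp.gmail.com]:587)"
                % result["starttls_reply"])
    return "STARTTLS advertised but refused (%s)" % result["starttls_reply"]


if __name__ == "__main__":
    res = diagnose_starttls(SAMPLE_DUMP)
    print(res)
    print(explain(res))
```

Point it at a dump captured against port 587 as well: if STARTTLS appears in the capability list and the command gets a 220, the port is usable for the TLS-then-AUTH delivery Postfix is configured for.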
ASKER CERTIFIED SOLUTION
Cyclops3590

SOLUTION
In which case, it should be a simple change of the relay you are using. Instead of "smtp.google.com" it should just be "smtp.google.com:587".
I don't think the gmail smtp server listens on port 25 for mail, anyway, but a custom port. It also uses SMTPAUTH, if I'm not mistaken. At least for regular, non-paying customers.
/RID
Surefoot3, are you finding any of this to be any help at all?
Surefoot3
ASKER
Thank you all for the help. I actually solved this myself (I continued working the problem) by buying "The Book of Postfix" and finding out how to turn on deeper-level logging.

I'm going to award 450 points to Cyclops3590 because he/she would have led me down the right path to figuring out the multiple issues that I had in my configuration, and 50 points to Nopius for picking up the port 587 issue I had.

The answer was multi-layered, and I began to find it out by locating where to turn on the additional logging for the smtp process. In my scenario, postfix was acting as the client connecting to Google's smtpd server, so I found the master.cf file and modified the smtp line to include an smtp -v on it. Then /var/log/maillog started to include a bunch of good error messages to help me track it down.

A. Turn on logging.
master.cf
smtp      unix  -       -       n       -       -       smtp -v

B. main.cf changes. (See my comments below on what I changed to get it to work.)

relayhost = [smtp.gmail.com]:587    --> Can't use the default port with gmail, it must be 587
disable_dns_lookups = yes
queue_directory = /var/spool/postfix
program_directory = /usr/libexec/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_spool_directory = /var/spool/mail
mailbox_command = /usr/bin/procmail
mail_owner = postfix
default_privs = nobody
debug_peer_level = 1
local_destination_concurrency_limit = 2
default_destination_concurrency_limit = 20
mynetworks = 10.1.1.0/24, 127.0.0.0/8
myhostname = lnxsrv01.domain01.sw
mydomain = domain01.sw
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, $mydomain
smtp_tls_loglevel = 1
smtp_enforce_tls = no               ---> I had this set to YES and had to change to NO.
                                    ---- smtp.gmail.com is actually a CNAME value and this postfix setting forces a
                                    ---- comparison of the DNS A record gmail-smtp.l.google.com that the smtp.gmail.com
                                    ---- CNAME points to with the common name (CN) value in the public certificate I
                                    ---- downloaded from gmail.com. The CN value in the certificate is smtp.gmail.com,
                                    ---- so the TLS session was not authenticating Gmail's public certificate.
                                    ----  dig smtp.gmail.com
                                    ----       smtp.gmail.com.     300     IN      CNAME   gmail-smtp.l.google.com.
                                    ----       gmail-smtp.l.google.com. 300    IN      A       64.233.163.111
                                    ----       gmail-smtp.l.google.com. 300    IN      A       64.233.163.109

smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_certfile = /etc/postfix/lnxsrv01-cert.pem
smtp_tls_keyfile = /etc/postfix/lnxsrv01-key.pem
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd  ---> The next changes took place in here. Because the
                                                         ---  relayhost value changed above, postfix actually
                                                         ---  looks for the exact same value in your passwd file.
                                                         ---  My sasl_passwd file contains the following:
                                                         ---
                                                         ---  [smtp.gmail.com]:587    xxxxxx@gmail.com:yyyyyy
smtp_sasl_security_options = noanonymous
inet_interfaces = all
default_transport = smtp
sender_canonical_maps = hash:/etc/postfix/sender_canonical
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
transport_maps = hash:/etc/postfix/transport
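The fix above ties two files together: the relayhost value in main.cf and the lookup key in sasl_passwd must agree, and the config must actually have an explicit port. As an added example (not the asker's code and not part of Postfix), here is a small Python checker that parses both files, flags parameter names outside a short allowlist (the config as first posted spelled disable_dns_lookups wrong, and a misspelled parameter is simply not applied), checks that relayhost carries a port and that sasl_passwd has an entry keyed on exactly that value, and warns when plaintext SASL mechanisms are allowed with TLS off. The exact-key rule follows what the asker observed; the allowlist only covers the parameters in the posted config, and the two sample configs are constructed from the posted one (a plausible "before" and the working "after") with placeholder credentials.

```python
import re

# Constructed samples modelled on the main.cf posted above. BEFORE has the three
# problems the thread worked through; AFTER is the working configuration.
MAIN_CF_BEFORE = """\
relayhost = smtp.gmail.com
disable_dns_lookkups = yes
smtp_use_tls = yes
smtp_enforce_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
"""
SASL_PASSWD_BEFORE = "smtp.gmail.com:587    xxxxxx@gmail.com:yyyyyy\n"

MAIN_CF_AFTER = """\
relayhost = [smtp.gmail.com]:587
disable_dns_lookups = yes
smtp_use_tls = yes
smtp_enforce_tls = no
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
"""
SASL_PASSWD_AFTER = "[smtp.gmail.com]:587    xxxxxx@gmail.com:yyyyyy\n"

# Parameters used in the config under discussion. A real check would take the
# full list from `postconf` instead of a hand-kept allowlist.
KNOWN_PARAMS = {
    "relayhost", "disable_dns_lookups", "smtp_use_tls", "smtp_enforce_tls",
    "smtp_tls_loglevel", "smtp_tls_CAfile", "smtp_tls_certfile", "smtp_tls_keyfile",
    "smtp_tls_session_cache_database", "smtp_sasl_auth_enable",
    "smtp_sasl_password_maps", "smtp_sasl_security_options",
}


def parse_main_cf(text):
    """Parse main.cf: 'name = value', '#' comments, indented continuation lines."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:          # continuation of the previous value
            params[last] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params


def parse_sasl_passwd(text):
    """Parse sasl_passwd: '<lookup key>  user:password' per line, whitespace-separated."""
    creds = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        key, userpass = re.split(r"\s+", raw.strip(), maxsplit=1)
        user, _, password = userpass.partition(":")
        creds[key] = (user, password)
    return creds


def check_relay_config(main_cf, sasl_passwd):
    """Return a list of findings; an empty list means the relay setup is consistent."""
    p = parse_main_cf(main_cf)
    creds = parse_sasl_passwd(sasl_passwd)
    findings = []
    for name in p:
        if name not in KNOWN_PARAMS:
            findings.append(f"unknown parameter '{name}': probably a typo, so the setting is not applied")
    relay = p.get("relayhost", "")
    if relay and not re.search(r":\d+$", relay):
        findings.append(f"relayhost '{relay}' has no explicit port; the fix in this thread was [smtp.gmail.com]:587")
    if p.get("smtp_sasl_auth_enable") == "yes":
        if "smtp_sasl_password_maps" not in p:
            findings.append("smtp_sasl_auth_enable = yes but smtp_sasl_password_maps is not set")
        elif relay not in creds:
            findings.append(f"sasl_passwd has no entry keyed exactly '{relay}' (keys present: {sorted(creds)})")
        opts = p.get("smtp_sasl_security_options", "")
        if "noplaintext" not in opts and p.get("smtp_use_tls") != "yes":
            findings.append("plaintext SASL mechanisms allowed with TLS off: credentials could cross the wire in clear")
    return findings


if __name__ == "__main__":
    for label, cf, pw in (("before", MAIN_CF_BEFORE, SASL_PASSWD_BEFORE),
                          ("after", MAIN_CF_AFTER, SASL_PASSWD_AFTER)):
        print(label, check_relay_config(cf, pw) or "OK")
```

Run it against the real files by reading /etc/postfix/main.cf and /etc/postfix/sasl_passwd into the two strings; remember that sasl_passwd holds a live password, so keep it mode 0600 and rerun postmap after every edit, since Postfix reads the hashed .db, not the text file.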
For future ref, I'm a he.

You'll love that book.  I own 5 postfix books and that one is no contest the best one I've come across for explaining everything in postfix.
I had the same problem, but using IMAP in Outlook 2003. The Google-specific help page is http://mail.google.com/support/bin/answer.py?answer=77661&topic=12920.

Kind regards