Solved

Can't solve Postfix SMTP/TLS problems

Posted on 2009-07-04
Last Modified: 2013-11-10
Okay, I'm really at the end of my rope here. I have a mail server that I set up, which was supposed to be a copy of a working machine. This machine runs Dovecot as a mail server and Postfix as an SMTP server. I use MySQL for the account information (and postfixadmin to administer).

The email server (IMAP) works, and I can receive email from the outside just fine. If anyone emails my address, I get the email. What is NOT working is using the server as my outbound SMTP server.

I am using a non-standard port, 2525, to send out, with authentication (obviously, so it's not an open relay), and I have an SSL certificate, the same one as my web server.

When I attempt to send, it just times out. There is no specific error message; it just seems to go nowhere, and eventually my mail client (Mac Mail.app in this case) comes back with a "can't send".

I can telnet to the server (telnet www.eightounce.com 2525) and it will respond, but then it closes the connection when I do a test with ehlo. Files and logs are below. I'm baffled. I do see TLS errors in the log file, but I don't know how to start fixing them.
main.cf
 
 
# postfix config file eightounce.com
 
# uncomment for debugging if needed
soft_bounce=no
 
# postfix main
mail_owner = postfix
setgid_group = postdrop
delay_warning_time = 4
 
# postfix paths
html_directory = no
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
queue_directory = /var/spool/postfix
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.2.2/samples
readme_directory = /usr/share/doc/postfix-2.2.2/README_FILES
 
# network settings
inet_interfaces = all
mydomain = eightounce.com
myhostname = server1.$mydomain
mynetworks = 192.168.0.0/16,
	216.19.0.0/16,
        127.0.0.0/8
mydestination = $myhostname, localhost.$mydomain
#relay_domains = $mydestination
 
#######Changes for MAILMAN
#relay_domains = $mydestination,eightounce.com
#transport_maps = hash:/etc/postfix/transport 
 
message_size_limit = 40960000
 
 
#mailman_destination_recipient_limit = 1
 
# mail delivery
recipient_delimiter = + 
 
# mappings
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/aliases,hash:/etc/postfix/aliases
 
local_recipient_maps = $alias_maps 
 
# virtual setup
virtual_alias_domains = hash:/etc/postfix/virtual_domains
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
 
 
 
virtual_gid_maps = static:89
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_mailbox_domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 89
virtual_transport = virtual
virtual_uid_maps = static:89
 
# debugging
#debug_peer_level = 1
#debug_peer_list = 127.0.0.1
#debugger_command =
#         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
#         xxgdb $daemon_directory/$process_name $process_id & sleep 5
 
#rules restrictions
smtpd_client_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unknown_client_hostname
smtpd_helo_required = yes
smtpd_helo_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_non_fqdn_hostname
 
smtpd_sender_restrictions =
        reject_non_fqdn_sender,
        reject_unknown_sender_domain
 
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain
 
# authentication
smtpd_use_tls = yes
 
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
#smtpd_sasl_type = dovecot
#smtpd_sasl_path = private/auth
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
smtpd_sasl_authenticated_header = yes
smtp_sasl_mechanism_filter = login, plain
 
# tls config
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer =yes
smtp_use_tls = yes
smtpd_use_tls = yes
 
 
smtpd_tls_cert_file = /etc/ssl/eightounce.crt
smtpd_tls_key_file = /etc/ssl/eightounce.key
smtpd_tls_CAfile = /etc/ssl/bundle.crt
 
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_received_header = no
tls_random_source = dev:/dev/urandom
 
unknown_local_recipient_reject_code = 550
disable_vrfy_command = yes
smtpd_data_restrictions = reject_unauth_pipelining
 
 
master.cf
 
smtp      inet  n       -       n       -       -       smtpd 
smtps     inet  n       -       n       -       -       smtpd -v
	 -o smtpd_sasl_auth_enable=yes
	 -o smtpd_enforce_tls=yes
	 -o smtpd_tls_wrappermode=yes
submission inet n       -       n       -       -       smtpd -v
	 -o smtpd_sasl_auth_enable=yes
	 -o smtpd_enforce_tls=yes
2525     inet   n       -       n       -       -       smtpd -v
	 -o smtpd_sasl_auth_enable=yes
	 -o smtpd_enforce_tls=yes
	 -o smtpd_tls_wrappermode=yes
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
  -o content_filter= 
  -o receive_override_options=no_header_body_checks
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
        -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
 
 
maillog (-n200)
 
Jul  4 20:28:27 www postfix/smtpd[20245]: warning: TLS library problem: 20245:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:562:
Jul  4 20:28:27 www postfix/smtpd[20245]: match_hostname: S010600226b4ce77a.vc.shawcable.net ~? 192.168.0.0/16
Jul  4 20:28:27 www postfix/smtpd[20245]: match_hostaddr: 96.49.199.117 ~? 192.168.0.0/16
Jul  4 20:28:27 www postfix/smtpd[20245]: match_hostname: S010600226b4ce77a.vc.shawcable.net ~? 216.19.0.0/16
Jul  4 20:28:27 www postfix/smtpd[20245]: match_hostaddr: 96.49.199.117 ~? 216.19.0.0/16
Jul  4 20:28:27 www postfix/smtpd[20245]: match_hostname: S010600226b4ce77a.vc.shawcable.net ~? 127.0.0.0/8
Jul  4 20:28:27 www postfix/smtpd[20245]: match_hostaddr: 96.49.199.117 ~? 127.0.0.0/8
Jul  4 20:28:27 www postfix/smtpd[20245]: match_list_match: S010600226b4ce77a.vc.shawcable.net: no match
Jul  4 20:28:27 www postfix/smtpd[20245]: match_list_match: 96.49.199.117: no match
Jul  4 20:28:27 www postfix/smtpd[20245]: send attr request = disconnect
Jul  4 20:28:27 www postfix/smtpd[20245]: send attr ident = 2525:96.49.199.117
Jul  4 20:28:27 www postfix/smtpd[20245]: private/anvil: wanted attribute: status
Jul  4 20:28:27 www postfix/smtpd[20245]: input attribute name: status
Jul  4 20:28:27 www postfix/smtpd[20245]: input attribute value: 0
Jul  4 20:28:27 www postfix/smtpd[20245]: private/anvil: wanted attribute: (list terminator)
Jul  4 20:28:27 www postfix/smtpd[20245]: input attribute name: (end)
Jul  4 20:28:27 www postfix/smtpd[20245]: lost connection after CONNECT from S010600226b4ce77a.vc.shawcable.net[96.49.199.117]
Jul  4 20:28:27 www postfix/smtpd[20245]: disconnect from S010600226b4ce77a.vc.shawcable.net[96.49.199.117]
Jul  4 20:28:27 www postfix/smtpd[20245]: master_notify: status 1
Jul  4 20:28:27 www postfix/smtpd[20245]: connection closed
Jul  4 20:28:28 www postfix/smtpd[20245]: auto_clnt_close: disconnect private/tlsmgr stream
Jul  4 20:28:43 www postfix/smtpd[20245]: connection established
Jul  4 20:28:43 www postfix/smtpd[20245]: master_notify: status 0
Jul  4 20:28:43 www postfix/smtpd[20245]: name_mask: resource
Jul  4 20:28:43 www postfix/smtpd[20245]: name_mask: software
Jul  4 20:28:43 www postfix/smtpd[20245]: xsasl_cyrus_server_create: SASL service=smtp, realm=server1.eightounce.com
Jul  4 20:28:43 www postfix/smtpd[20245]: name_mask: noanonymous
Jul  4 20:28:43 www postfix/smtpd[20245]: connect from localhost[127.0.0.1]
Jul  4 20:28:43 www postfix/smtpd[20245]: match_list_match: localhost: no match
Jul  4 20:28:43 www postfix/smtpd[20245]: match_list_match: 127.0.0.1: no match
Jul  4 20:28:43 www postfix/smtpd[20245]: match_list_match: localhost: no match
Jul  4 20:28:43 www postfix/smtpd[20245]: match_list_match: 127.0.0.1: no match
Jul  4 20:28:43 www postfix/smtpd[20245]: setting up TLS connection from localhost[127.0.0.1]
Jul  4 20:28:43 www postfix/smtpd[20245]: localhost[127.0.0.1]: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
Jul  4 20:28:43 www postfix/smtpd[20245]: auto_clnt_open: connected to private/tlsmgr
Jul  4 20:28:43 www postfix/smtpd[20245]: send attr request = seed
Jul  4 20:28:43 www postfix/smtpd[20245]: send attr size = 32
Jul  4 20:28:43 www postfix/smtpd[20245]: private/tlsmgr: wanted attribute: status
Jul  4 20:28:43 www postfix/smtpd[20245]: input attribute name: status
Jul  4 20:28:43 www postfix/smtpd[20245]: input attribute value: 0
Jul  4 20:28:43 www postfix/smtpd[20245]: private/tlsmgr: wanted attribute: seed
Jul  4 20:28:43 www postfix/smtpd[20245]: input attribute name: seed
Jul  4 20:28:43 www postfix/smtpd[20245]: input attribute value: daRlRjHOPU7GEqT4AAE2vPZgUd6lVsb/OFN8FYfwCUQ=
Jul  4 20:28:43 www postfix/smtpd[20245]: private/tlsmgr: wanted attribute: (list terminator)
Jul  4 20:28:43 www postfix/smtpd[20245]: input attribute name: (end)
Jul  4 20:28:43 www postfix/smtpd[20245]: SSL_accept:before/accept initialization
Jul  4 20:28:43 www postfix/smtpd[20245]: read from 004B4CE0 [004C21F8] (11 bytes => -1 (0xFFFFFFFF))
Jul  4 20:28:44 www postfix/smtpd[20245]: read from 004B4CE0 [004C21F8] (11 bytes => 11 (0xB))
Jul  4 20:28:44 www postfix/smtpd[20245]: 0000 65 68 6c 6f 20 6c 6f 63|61 6c 68                 ehlo loc alh
Jul  4 20:28:44 www postfix/smtpd[20245]: SSL_accept:error in SSLv2/v3 read client hello A
Jul  4 20:28:44 www postfix/smtpd[20245]: SSL_accept error from localhost[127.0.0.1]: -1
Jul  4 20:28:44 www postfix/smtpd[20245]: warning: TLS library problem: 20245:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:562:
Jul  4 20:28:44 www postfix/smtpd[20245]: match_hostname: localhost ~? 192.168.0.0/16
Jul  4 20:28:44 www postfix/smtpd[20245]: match_hostaddr: 127.0.0.1 ~? 192.168.0.0/16
Jul  4 20:28:44 www postfix/smtpd[20245]: match_hostname: localhost ~? 216.19.0.0/16
Jul  4 20:28:44 www postfix/smtpd[20245]: match_hostaddr: 127.0.0.1 ~? 216.19.0.0/16
Jul  4 20:28:44 www postfix/smtpd[20245]: match_hostname: localhost ~? 127.0.0.0/8
Jul  4 20:28:44 www postfix/smtpd[20245]: match_hostaddr: 127.0.0.1 ~? 127.0.0.0/8
Jul  4 20:28:44 www postfix/smtpd[20245]: lost connection after CONNECT from localhost[127.0.0.1]
Jul  4 20:28:44 www postfix/smtpd[20245]: disconnect from localhost[127.0.0.1]
Jul  4 20:28:44 www postfix/smtpd[20245]: master_notify: status 1
Jul  4 20:28:44 www postfix/smtpd[20245]: connection closed
Jul  4 20:28:48 www postfix/smtpd[20245]: auto_clnt_close: disconnect private/tlsmgr stream
Jul  4 20:29:13 www postfix/smtpd[20285]: warning: database /etc/aliases.db is older than source file /etc/aliases
Jul  4 20:29:13 www postfix/smtpd[20285]: initializing the server-side TLS engine
Jul  4 20:29:13 www postfix/smtpd[20285]: connect from k2smtpout01-01.prod.mesa1.secureserver.net[64.202.189.88]
Jul  4 20:29:13 www postfix/smtpd[20285]: DF7E7412001: client=k2smtpout01-01.prod.mesa1.secureserver.net[64.202.189.88]
Jul  4 20:29:13 www postfix/cleanup[20289]: DF7E7412001: message-id=<2703D51A-BE39-4C17-9AEF-FEFDB236BB2E@eightounce.com>
Jul  4 20:29:14 www postfix/qmgr[6302]: DF7E7412001: from=<kris.white@eightounce.com>, size=1147, nrcpt=1 (queue active)
Jul  4 20:29:14 www postfix/smtpd[20285]: disconnect from k2smtpout01-01.prod.mesa1.secureserver.net[64.202.189.88]
Jul  4 20:29:14 www postfix/virtual[20291]: DF7E7412001: to=<kris.white@eightounce.com>, relay=virtual, delay=0.34, delays=0.26/0.01/0/0.07, dsn=2.0.0, status=sent (delivered to maildir)
Jul  4 20:29:14 www postfix/qmgr[6302]: DF7E7412001: removed
Jul  4 20:29:20 www postfix/smtpd[20285]: connect from k2smtpout04-01.prod.mesa1.secureserver.net[64.202.189.166]
Jul  4 20:29:20 www postfix/smtpd[20285]: 857D8412001: client=k2smtpout04-01.prod.mesa1.secureserver.net[64.202.189.166]
Jul  4 20:29:20 www postfix/cleanup[20289]: 857D8412001: message-id=<E9E5686B-A900-4D04-9EED-72C96F5B1184@eightounce.com>
Jul  4 20:29:20 www postfix/qmgr[6302]: 857D8412001: from=<kris.white@eightounce.com>, size=1147, nrcpt=1 (queue active)
Jul  4 20:29:20 www postfix/smtpd[20285]: disconnect from k2smtpout04-01.prod.mesa1.secureserver.net[64.202.189.166]
Jul  4 20:29:20 www postfix/virtual[20291]: 857D8412001: to=<kris.white@eightounce.com>, relay=virtual, delay=0.24, delays=0.19/0/0/0.05, dsn=2.0.0, status=sent (delivered to maildir)
Jul  4 20:29:20 www postfix/qmgr[6302]: 857D8412001: removed
Jul  4 20:30:24 www postfix/smtpd[20245]: idle timeout -- exiting
Jul  4 20:32:40 www postfix/anvil[20246]: statistics: max connection rate 1/60s for (smtp:64.202.189.88) at Jul  4 20:29:13
Jul  4 20:32:40 www postfix/anvil[20246]: statistics: max connection count 1 for (smtp:64.202.189.88) at Jul  4 20:29:13
Jul  4 20:32:40 www postfix/anvil[20246]: statistics: max cache size 2 at Jul  4 20:29:20

Question by:ktwdallas
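An added diagnostic example, not code from the question or from Postfix: it reads the smtpd listeners from the posted master.cf, then walks the posted log excerpt per smtpd process and classifies each SSL23_GET_CLIENT_HELLO "unknown protocol" warning by the first bytes OpenSSL received (the hex dump that smtpd_tls_loglevel = 3 writes). A real TLS ClientHello starts with a 0x16 record byte (0x80 for an SSLv2-style hello); in the posted log the bytes read during SSL_accept decode to `ehlo localh`, i.e. a plaintext SMTP command. Services with smtpd_tls_wrappermode=yes (here smtps and 2525) hand the socket to OpenSSL immediately on connect, so a telnet session that types ehlo, or a client configured for STARTTLS instead of SSL-on-connect, produces exactly this error and the "lost connection after CONNECT" that follows. Such a port is tested with openssl s_client rather than telnet. The master.cf and log lines below are copied from the post; the classification rule and the service/finding data structures are this example's own.

```python
import re
from dataclasses import dataclass, field

# smtpd listeners from the posted master.cf, embedded so the example runs offline.
MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
smtps     inet  n       -       n       -       -       smtpd -v
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_enforce_tls=yes
  -o smtpd_tls_wrappermode=yes
submission inet n       -       n       -       -       smtpd -v
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_enforce_tls=yes
2525     inet   n       -       n       -       -       smtpd -v
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_enforce_tls=yes
  -o smtpd_tls_wrappermode=yes
pickup    fifo  n       -       n       60      1       pickup
"""

# Excerpt of the posted maillog; the first warning has no session start in the excerpt.
MAILLOG = """\
Jul  4 20:28:27 www postfix/smtpd[20245]: warning: TLS library problem: 20245:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:562:
Jul  4 20:28:27 www postfix/smtpd[20245]: lost connection after CONNECT from S010600226b4ce77a.vc.shawcable.net[96.49.199.117]
Jul  4 20:28:43 www postfix/smtpd[20245]: connect from localhost[127.0.0.1]
Jul  4 20:28:43 www postfix/smtpd[20245]: setting up TLS connection from localhost[127.0.0.1]
Jul  4 20:28:43 www postfix/smtpd[20245]: SSL_accept:before/accept initialization
Jul  4 20:28:44 www postfix/smtpd[20245]: 0000 65 68 6c 6f 20 6c 6f 63|61 6c 68                 ehlo loc alh
Jul  4 20:28:44 www postfix/smtpd[20245]: SSL_accept:error in SSLv2/v3 read client hello A
Jul  4 20:28:44 www postfix/smtpd[20245]: warning: TLS library problem: 20245:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:562:
Jul  4 20:28:44 www postfix/smtpd[20245]: lost connection after CONNECT from localhost[127.0.0.1]
"""

LOG_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from (?P<client>\S+\[[^\]]+\])")
HEXDUMP_RE = re.compile(r"^0000 (?P<hex>(?:[0-9a-f]{2}[ |])+)")  # first 16 bytes of the session
SMTP_VERBS = {b"EHLO", b"HELO", b"AUTH", b"MAIL", b"STAR", b"QUIT"}


@dataclass
class Service:
    name: str                       # master.cf service name or port number
    options: dict = field(default_factory=dict)

    @property
    def tls_mode(self):
        if self.options.get("smtpd_tls_wrappermode") == "yes":
            return "wrapper"        # TLS handshake is the first thing on the wire
        if self.options.get("smtpd_enforce_tls") == "yes":
            return "starttls-required"
        return "starttls-optional"


def parse_master_cf(text):
    """Return the inet smtpd services with their -o overrides, keyed by name."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":        # continuation line carrying "-o key=value"
            m = re.match(r"\s*-o\s+([A-Za-z_]+)=(\S*)", line)
            if m and current is not None:
                current.options[m.group(1)] = m.group(2)
            continue
        fields = line.split()       # name type private unpriv chroot wakeup maxproc command
        if fields[1] == "inet" and fields[7] == "smtpd":
            current = services[fields[0]] = Service(fields[0])
        else:
            current = None
    return services


def classify(client, first_bytes, wrapper_services):
    finding = {"client": client, "first_bytes": first_bytes}
    if first_bytes is None:
        finding.update(cause="unknown", detail="no hex dump before the error; keep smtpd_tls_loglevel at 3 and capture the session start")
    elif first_bytes[0] in (0x16, 0x80):    # TLS record header / SSLv2 ClientHello
        finding.update(cause="tls-library", detail="a real ClientHello was rejected; compare OpenSSL versions and the library smtpd links against")
    elif first_bytes[:4].upper() in SMTP_VERBS:
        finding.update(cause="plaintext-on-wrapper-port", detail=f"client spoke SMTP in the clear to a TLS-on-connect service ({', '.join(wrapper_services)}); configure SSL-on-connect, or test with openssl s_client instead of telnet")
    else:
        finding.update(cause="garbage", detail="first bytes are neither TLS nor SMTP")
    return finding


def triage_tls_failures(log_text, services):
    """Explain every 'unknown protocol' warning using what the same smtpd process logged before it."""
    wrapper = sorted(n for n, s in services.items() if s.tls_mode == "wrapper")
    state, findings = {}, []        # pid -> current client and its first bytes
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        st = state.setdefault(pid, {"client": None, "first_bytes": None})
        c = CONNECT_RE.match(msg)
        if c:                       # new session on this process: reset what we know
            st["client"], st["first_bytes"] = c.group("client"), None
        h = HEXDUMP_RE.match(msg)
        if h and st["first_bytes"] is None:
            st["first_bytes"] = bytes.fromhex(re.sub(r"[ |]", "", h.group("hex")))
        if "SSL23_GET_CLIENT_HELLO:unknown protocol" in msg:
            findings.append(classify(st["client"], st["first_bytes"], wrapper))
    return findings


if __name__ == "__main__":
    svcs = parse_master_cf(MASTER_CF)
    for name, s in svcs.items():
        print(f"{name:<11} {s.tls_mode}")
    for f in triage_tls_failures(MAILLOG, svcs):
        print(f"{f['client']}: {f['cause']}: {f['detail']}")
```

The first warning in the excerpt is classified as "unknown" because the excerpt begins after that session's connect and hex dump; the second, from the telnet test, is classified as a plaintext client on a wrapper-mode port. The same walk over a full log tells you whether a failing mail client is speaking STARTTLS to a wrapper port (a client-settings problem) or sending a genuine ClientHello that the library rejects (a library problem, which is what the accepted answer addresses).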
5 Comments
 
LVL 2

Expert Comment

by:martino87r
ID: 24783500
Now, first question:

Does your machine have a reverse DNS record? To check, open a terminal and write:

nslookup [youripaddress]

If no reverse record is found in the DNS, then you have to modify the config file to accept connections from hosts that don't have an FQDN.

Let me know.
 
LVL 2

Expert Comment

by:martino87r
ID: 24783541
After that, check whether you have the openssl package on your server and whether the versions match on both machines.
There was a known problem with the Hello extension for OpenSSL during initialization of TLS channels; the suggestion is to get the latest version of OpenSSL and compile it from sources.
 

Author Comment

by:ktwdallas
ID: 24787307
Reverse lookup is working; it shows the ISP instead of my domain, but it is working (below). OpenSSL is actually newer (0.9.8g) on the machine that's not working than on the original I copied from (0.9.8b), which is working.


Server:            216.19.176.6
Address:      216.19.176.6#53

Non-authoritative answer:
53.176.19.216.in-addr.arpa      name = 216-19-176-53.stc.novuscom.net.

Authoritative answers can be found from:
176.19.216.in-addr.arpa      nameserver = ns1.novuscom.net.
176.19.216.in-addr.arpa      nameserver = ns2.novuscom.net.
ns1.novuscom.net      internet address = 216.19.176.13
ns2.novuscom.net      internet address = 216.19.176.16
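The reverse-DNS question above and the nslookup output in the reply both concern reject_unknown_client_hostname, the last entry in the posted smtpd_client_restrictions. As an added example (not the poster's code and not Postfix's), here is that restriction list evaluated in order against a constructed, in-memory resolver so it runs offline. Postfix rejects under that restriction when the client IP has no PTR, when the PTR name has no address record, or when none of that name's addresses is the client IP (forward-confirmed reverse DNS); a PTR naming the ISP rather than your own domain passes as long as it confirms forward, which is what the reply's nslookup output shows. The two real-looking names in the tables are the ones that appear in the thread; the other entries and all address records are constructed to exercise each failure mode. The mynetworks list is the one from the posted main.cf.

```python
import ipaddress

# mynetworks from the posted main.cf
MYNETWORKS = ["192.168.0.0/16", "216.19.0.0/16", "127.0.0.0/8"]

# Constructed resolver data (not real DNS answers). The first two PTR names
# appear in the thread; the rest are made up to show each rejection reason.
PTR = {
    "216.19.176.53": "216-19-176-53.stc.novuscom.net",   # ISP-style name, still forward-confirmed
    "96.49.199.117": "S010600226b4ce77a.vc.shawcable.net",
    "203.0.113.9": "mail.example.invalid",               # PTR name that resolves somewhere else
    "203.0.113.20": "dangling.example.invalid",          # PTR name with no address record
    # 198.51.100.7 intentionally has no PTR at all
}
A = {
    "216-19-176-53.stc.novuscom.net": {"216.19.176.53"},
    "S010600226b4ce77a.vc.shawcable.net": {"96.49.199.117"},
    "mail.example.invalid": {"203.0.113.10"},
}


def unknown_client_hostname(ip, ptr=PTR, a=A):
    """Return None when the client passes forward-confirmed reverse DNS,
    otherwise the reason reject_unknown_client_hostname would reject it."""
    name = ptr.get(ip)
    if name is None:
        return "address has no PTR record"
    addrs = a.get(name, set())
    if not addrs:
        return f"PTR name {name} has no address record"
    if ip not in addrs:
        return f"{name} resolves to {sorted(addrs)}, not back to {ip}"
    return None


def in_mynetworks(ip, networks=MYNETWORKS):
    """permit_mynetworks: client address inside one of the listed CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def evaluate_client_restrictions(ip, sasl_authenticated=False):
    """Walk the posted smtpd_client_restrictions in order; the first permit or
    reject decides, and an exhausted list permits."""
    if sasl_authenticated:
        return ("permit", "permit_sasl_authenticated")
    if in_mynetworks(ip):
        return ("permit", "permit_mynetworks")
    reason = unknown_client_hostname(ip)
    if reason:
        # unknown_client_reject_code defaults to 450, a temporary failure, so a
        # sender behind a DNS glitch retries instead of bouncing
        return ("reject", f"450 reject_unknown_client_hostname: {reason}")
    return ("permit", "end of list (no reject matched)")


if __name__ == "__main__":
    for ip in ["216.19.176.53", "96.49.199.117", "203.0.113.9", "203.0.113.20", "198.51.100.7"]:
        print(ip, evaluate_client_restrictions(ip))
    print("96.49.199.117 authenticated", evaluate_client_restrictions("96.49.199.117", True))
```

Order matters: an authenticated submission client, or any address inside mynetworks (which is why 216.19.176.53 is permitted before DNS is consulted), never reaches the DNS check. In the posted log the 96.49.199.117 session was lost after CONNECT, before any of these restrictions ran, which is consistent with the TLS error rather than a DNS rejection.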
 
LVL 2

Accepted Solution

by:
martino87r earned 500 total points
ID: 24794825
This clearly seems to be a problem with the OpenSSL library; try to get it and recompile it entirely from sources.

Update to version 9.8K or try the beta 1.0.0.

This is why I think so:

(Jul  4 20:28:27 www postfix/smtpd[20245]: warning: TLS library problem: 20245:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:562:)


 

Author Closing Comment

by:ktwdallas
ID: 31599865
It looks like a "yum install openssl" did an update, and that worked. Thank you much.