Solved

Can't solve Postfix SMTP/TLS problems

Posted on 2009-07-04
2,140 Views
Last Modified: 2013-11-10
Okay, I'm really at the end of my rope here. I have a mail server that I have set up which was supposed to be a copy of a working machine. This machine runs Dovecot as a mail server and Postfix as an SMTP server. I use MySQL for the account information (and postfixadmin to administer).

The email server (IMAP) works, and I can receive email from the outside just fine. Anyone emails my address, I get the email. What is NOT working is using the server as my outbound SMTP server.

I am using a non-standard port, 2525, to send out, with authentication (obviously, so it's not an open relay), and I have an SSL certificate, the same one as my web server.

When I attempt to send, it just times out. No specific error message; it just seems to go nowhere, and eventually my mail client (Mac Mail.app in this case) comes back with a "can't send".

I can telnet to the server (telnet www.eightounce.com 2525) and it will respond, but then closes the connection when I do a test with ehlo. Files and logs below. I'm baffled. I do see TLS errors in the log file, but I don't know how to start to fix them.
main.cf

# postfix config file eightounce.com

# uncomment for debugging if needed
soft_bounce=no

# postfix main
mail_owner = postfix
setgid_group = postdrop
delay_warning_time = 4

# postfix paths
html_directory = no
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
queue_directory = /var/spool/postfix
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.2.2/samples
readme_directory = /usr/share/doc/postfix-2.2.2/README_FILES

# network settings
inet_interfaces = all
mydomain = eightounce.com
myhostname = server1.$mydomain
mynetworks = 192.168.0.0/16,
        216.19.0.0/16,
        127.0.0.0/8
mydestination = $myhostname, localhost.$mydomain
#relay_domains = $mydestination

#######Changes for MAILMAN
#relay_domains = $mydestination,eightounce.com
#transport_maps = hash:/etc/postfix/transport

message_size_limit = 40960000

#mailman_destination_recipient_limit = 1

# mail delivery
recipient_delimiter = +

# mappings
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/aliases,hash:/etc/postfix/aliases

local_recipient_maps = $alias_maps

# virtual setup
virtual_alias_domains = hash:/etc/postfix/virtual_domains
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf

virtual_gid_maps = static:89
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_mailbox_domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 89
virtual_transport = virtual
virtual_uid_maps = static:89

# debugging
#debug_peer_level = 1
#debug_peer_list = 127.0.0.1
#debugger_command =
#         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
#         xxgdb $daemon_directory/$process_name $process_id & sleep 5

#rules restrictions
smtpd_client_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unknown_client_hostname
smtpd_helo_required = yes
smtpd_helo_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_non_fqdn_hostname

smtpd_sender_restrictions =
        reject_non_fqdn_sender,
        reject_unknown_sender_domain

smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain

# authentication
smtpd_use_tls = yes

smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
#smtpd_sasl_type = dovecot
#smtpd_sasl_path = private/auth
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
smtpd_sasl_authenticated_header = yes
smtp_sasl_mechanism_filter = login, plain

# tls config
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer =yes
smtp_use_tls = yes
smtpd_use_tls = yes

smtpd_tls_cert_file = /etc/ssl/eightounce.crt
smtpd_tls_key_file = /etc/ssl/eightounce.key
smtpd_tls_CAfile = /etc/ssl/bundle.crt

smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_received_header = no
tls_random_source = dev:/dev/urandom

unknown_local_recipient_reject_code = 550
disable_vrfy_command = yes
smtpd_data_restrictions = reject_unauth_pipelining


master.cf

smtp      inet  n       -       n       -       -       smtpd
smtps     inet  n       -       n       -       -       smtpd -v
         -o smtpd_sasl_auth_enable=yes
         -o smtpd_enforce_tls=yes
         -o smtpd_tls_wrappermode=yes
submission inet n       -       n       -       -       smtpd -v
         -o smtpd_sasl_auth_enable=yes
         -o smtpd_enforce_tls=yes
2525     inet   n       -       n       -       -       smtpd -v
         -o smtpd_sasl_auth_enable=yes
         -o smtpd_enforce_tls=yes
         -o smtpd_tls_wrappermode=yes
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
  -o content_filter=
  -o receive_override_options=no_header_body_checks
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
        -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache


maillog (-n200)

Jul  4 20:28:27 www postfix/smtpd[20245]: warning: TLS library problem: 20245:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:562:
Jul  4 20:28:27 www postfix/smtpd[20245]: match_hostname: S010600226b4ce77a.vc.shawcable.net ~? 192.168.0.0/16
Jul  4 20:28:27 www postfix/smtpd[20245]: match_hostaddr: 96.49.199.117 ~? 192.168.0.0/16
Jul  4 20:28:27 www postfix/smtpd[20245]: match_hostname: S010600226b4ce77a.vc.shawcable.net ~? 216.19.0.0/16
Jul  4 20:28:27 www postfix/smtpd[20245]: match_hostaddr: 96.49.199.117 ~? 216.19.0.0/16
Jul  4 20:28:27 www postfix/smtpd[20245]: match_hostname: S010600226b4ce77a.vc.shawcable.net ~? 127.0.0.0/8
Jul  4 20:28:27 www postfix/smtpd[20245]: match_hostaddr: 96.49.199.117 ~? 127.0.0.0/8
Jul  4 20:28:27 www postfix/smtpd[20245]: match_list_match: S010600226b4ce77a.vc.shawcable.net: no match
Jul  4 20:28:27 www postfix/smtpd[20245]: match_list_match: 96.49.199.117: no match
Jul  4 20:28:27 www postfix/smtpd[20245]: send attr request = disconnect
Jul  4 20:28:27 www postfix/smtpd[20245]: send attr ident = 2525:96.49.199.117
Jul  4 20:28:27 www postfix/smtpd[20245]: private/anvil: wanted attribute: status
Jul  4 20:28:27 www postfix/smtpd[20245]: input attribute name: status
Jul  4 20:28:27 www postfix/smtpd[20245]: input attribute value: 0
Jul  4 20:28:27 www postfix/smtpd[20245]: private/anvil: wanted attribute: (list terminator)
Jul  4 20:28:27 www postfix/smtpd[20245]: input attribute name: (end)
Jul  4 20:28:27 www postfix/smtpd[20245]: lost connection after CONNECT from S010600226b4ce77a.vc.shawcable.net[96.49.199.117]
Jul  4 20:28:27 www postfix/smtpd[20245]: disconnect from S010600226b4ce77a.vc.shawcable.net[96.49.199.117]
Jul  4 20:28:27 www postfix/smtpd[20245]: master_notify: status 1
Jul  4 20:28:27 www postfix/smtpd[20245]: connection closed
Jul  4 20:28:28 www postfix/smtpd[20245]: auto_clnt_close: disconnect private/tlsmgr stream
Jul  4 20:28:43 www postfix/smtpd[20245]: connection established
Jul  4 20:28:43 www postfix/smtpd[20245]: master_notify: status 0
Jul  4 20:28:43 www postfix/smtpd[20245]: name_mask: resource
Jul  4 20:28:43 www postfix/smtpd[20245]: name_mask: software
Jul  4 20:28:43 www postfix/smtpd[20245]: xsasl_cyrus_server_create: SASL service=smtp, realm=server1.eightounce.com
Jul  4 20:28:43 www postfix/smtpd[20245]: name_mask: noanonymous
Jul  4 20:28:43 www postfix/smtpd[20245]: connect from localhost[127.0.0.1]
Jul  4 20:28:43 www postfix/smtpd[20245]: match_list_match: localhost: no match
Jul  4 20:28:43 www postfix/smtpd[20245]: match_list_match: 127.0.0.1: no match
Jul  4 20:28:43 www postfix/smtpd[20245]: match_list_match: localhost: no match
Jul  4 20:28:43 www postfix/smtpd[20245]: match_list_match: 127.0.0.1: no match
Jul  4 20:28:43 www postfix/smtpd[20245]: setting up TLS connection from localhost[127.0.0.1]
Jul  4 20:28:43 www postfix/smtpd[20245]: localhost[127.0.0.1]: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
Jul  4 20:28:43 www postfix/smtpd[20245]: auto_clnt_open: connected to private/tlsmgr
Jul  4 20:28:43 www postfix/smtpd[20245]: send attr request = seed
Jul  4 20:28:43 www postfix/smtpd[20245]: send attr size = 32
Jul  4 20:28:43 www postfix/smtpd[20245]: private/tlsmgr: wanted attribute: status
Jul  4 20:28:43 www postfix/smtpd[20245]: input attribute name: status
Jul  4 20:28:43 www postfix/smtpd[20245]: input attribute value: 0
Jul  4 20:28:43 www postfix/smtpd[20245]: private/tlsmgr: wanted attribute: seed
Jul  4 20:28:43 www postfix/smtpd[20245]: input attribute name: seed
Jul  4 20:28:43 www postfix/smtpd[20245]: input attribute value: daRlRjHOPU7GEqT4AAE2vPZgUd6lVsb/OFN8FYfwCUQ=
Jul  4 20:28:43 www postfix/smtpd[20245]: private/tlsmgr: wanted attribute: (list terminator)
Jul  4 20:28:43 www postfix/smtpd[20245]: input attribute name: (end)
Jul  4 20:28:43 www postfix/smtpd[20245]: SSL_accept:before/accept initialization
Jul  4 20:28:43 www postfix/smtpd[20245]: read from 004B4CE0 [004C21F8] (11 bytes => -1 (0xFFFFFFFF))
Jul  4 20:28:44 www postfix/smtpd[20245]: read from 004B4CE0 [004C21F8] (11 bytes => 11 (0xB))
Jul  4 20:28:44 www postfix/smtpd[20245]: 0000 65 68 6c 6f 20 6c 6f 63|61 6c 68                 ehlo loc alh
Jul  4 20:28:44 www postfix/smtpd[20245]: SSL_accept:error in SSLv2/v3 read client hello A
Jul  4 20:28:44 www postfix/smtpd[20245]: SSL_accept error from localhost[127.0.0.1]: -1
Jul  4 20:28:44 www postfix/smtpd[20245]: warning: TLS library problem: 20245:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:562:
Jul  4 20:28:44 www postfix/smtpd[20245]: match_hostname: localhost ~? 192.168.0.0/16
Jul  4 20:28:44 www postfix/smtpd[20245]: match_hostaddr: 127.0.0.1 ~? 192.168.0.0/16
Jul  4 20:28:44 www postfix/smtpd[20245]: match_hostname: localhost ~? 216.19.0.0/16
Jul  4 20:28:44 www postfix/smtpd[20245]: match_hostaddr: 127.0.0.1 ~? 216.19.0.0/16
Jul  4 20:28:44 www postfix/smtpd[20245]: match_hostname: localhost ~? 127.0.0.0/8
Jul  4 20:28:44 www postfix/smtpd[20245]: match_hostaddr: 127.0.0.1 ~? 127.0.0.0/8
Jul  4 20:28:44 www postfix/smtpd[20245]: lost connection after CONNECT from localhost[127.0.0.1]
Jul  4 20:28:44 www postfix/smtpd[20245]: disconnect from localhost[127.0.0.1]
Jul  4 20:28:44 www postfix/smtpd[20245]: master_notify: status 1
Jul  4 20:28:44 www postfix/smtpd[20245]: connection closed
Jul  4 20:28:48 www postfix/smtpd[20245]: auto_clnt_close: disconnect private/tlsmgr stream
Jul  4 20:29:13 www postfix/smtpd[20285]: warning: database /etc/aliases.db is older than source file /etc/aliases
Jul  4 20:29:13 www postfix/smtpd[20285]: initializing the server-side TLS engine
Jul  4 20:29:13 www postfix/smtpd[20285]: connect from k2smtpout01-01.prod.mesa1.secureserver.net[64.202.189.88]
Jul  4 20:29:13 www postfix/smtpd[20285]: DF7E7412001: client=k2smtpout01-01.prod.mesa1.secureserver.net[64.202.189.88]
Jul  4 20:29:13 www postfix/cleanup[20289]: DF7E7412001: message-id=<2703D51A-BE39-4C17-9AEF-FEFDB236BB2E@eightounce.com>
Jul  4 20:29:14 www postfix/qmgr[6302]: DF7E7412001: from=<kris.white@eightounce.com>, size=1147, nrcpt=1 (queue active)
Jul  4 20:29:14 www postfix/smtpd[20285]: disconnect from k2smtpout01-01.prod.mesa1.secureserver.net[64.202.189.88]
Jul  4 20:29:14 www postfix/virtual[20291]: DF7E7412001: to=<kris.white@eightounce.com>, relay=virtual, delay=0.34, delays=0.26/0.01/0/0.07, dsn=2.0.0, status=sent (delivered to maildir)
Jul  4 20:29:14 www postfix/qmgr[6302]: DF7E7412001: removed
Jul  4 20:29:20 www postfix/smtpd[20285]: connect from k2smtpout04-01.prod.mesa1.secureserver.net[64.202.189.166]
Jul  4 20:29:20 www postfix/smtpd[20285]: 857D8412001: client=k2smtpout04-01.prod.mesa1.secureserver.net[64.202.189.166]
Jul  4 20:29:20 www postfix/cleanup[20289]: 857D8412001: message-id=<E9E5686B-A900-4D04-9EED-72C96F5B1184@eightounce.com>
Jul  4 20:29:20 www postfix/qmgr[6302]: 857D8412001: from=<kris.white@eightounce.com>, size=1147, nrcpt=1 (queue active)
Jul  4 20:29:20 www postfix/smtpd[20285]: disconnect from k2smtpout04-01.prod.mesa1.secureserver.net[64.202.189.166]
Jul  4 20:29:20 www postfix/virtual[20291]: 857D8412001: to=<kris.white@eightounce.com>, relay=virtual, delay=0.24, delays=0.19/0/0/0.05, dsn=2.0.0, status=sent (delivered to maildir)
Jul  4 20:29:20 www postfix/qmgr[6302]: 857D8412001: removed
Jul  4 20:30:24 www postfix/smtpd[20245]: idle timeout -- exiting
Jul  4 20:32:40 www postfix/anvil[20246]: statistics: max connection rate 1/60s for (smtp:64.202.189.88) at Jul  4 20:29:13
Jul  4 20:32:40 www postfix/anvil[20246]: statistics: max connection count 1 for (smtp:64.202.189.88) at Jul  4 20:29:13
Jul  4 20:32:40 www postfix/anvil[20246]: statistics: max cache size 2 at Jul  4 20:29:20

Question by:ktwdallas
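An added diagnostic, not part of the thread: it parses a constructed excerpt of the posted master.cf and maillog, records which inet listeners run with smtpd_tls_wrappermode=yes (implicit TLS on connect, as port 2525 does above) and flags SSL_accept failures whose first client bytes decode to an SMTP verb, which is what the "ehlo loc alh" hex dump in the log shows and what a plain telnet "ehlo" against a wrapper-mode port produces. A wrapper-mode listener is exercised with `openssl s_client -connect host:2525`, not with telnet.

```python
import re
# Constructed excerpt of the thread's master.cf and maillog (not a live capture).
MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd -v
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_enforce_tls=yes
2525     inet   n       -       n       -       -       smtpd -v
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_enforce_tls=yes
  -o smtpd_tls_wrappermode=yes
"""
MAILLOG = """\
Jul  4 20:28:43 www postfix/smtpd[20245]: setting up TLS connection from localhost[127.0.0.1]
Jul  4 20:28:43 www postfix/smtpd[20245]: SSL_accept:before/accept initialization
Jul  4 20:28:44 www postfix/smtpd[20245]: 0000 65 68 6c 6f 20 6c 6f 63|61 6c 68                 ehlo loc alh
Jul  4 20:28:44 www postfix/smtpd[20245]: warning: TLS library problem: 20245:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:562:
"""
SMTP_VERBS = (b"ehlo", b"helo", b"starttls", b"quit", b"noop")
# smtpd_tls_loglevel 3 hex dump line: "<offset> <hex bytes, '|' every 8 bytes>   <ascii>"
HEXDUMP = re.compile(r"\]: [0-9a-f]{4} ((?:[0-9a-f]{2}[ |])+)")

def wrapper_mode_services(master_cf):
    """Map each inet listener to True when it runs in TLS wrapper mode (TLS
    handshake expected immediately on connect), False when it expects
    cleartext SMTP followed by an optional STARTTLS."""
    services, current = {}, None
    for line in master_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # a service definition line, not a -o continuation
            fields = line.split()
            current = fields[0] if len(fields) > 1 and fields[1] == "inet" else None
            if current:
                services[current] = False
        elif current and "smtpd_tls_wrappermode=yes" in line:
            services[current] = True
    return services

def cleartext_after_ssl_accept(maillog):
    """Return what a client sent into a fresh SSL_accept whenever the bytes
    start with an SMTP verb, i.e. cleartext SMTP on a TLS-only socket."""
    hits, pending = [], False
    for line in maillog.splitlines():
        if "SSL_accept:before/accept initialization" in line:
            pending = True
            continue
        m = HEXDUMP.search(line)
        if pending and m:
            raw = bytes.fromhex(re.sub(r"[ |]", "", m.group(1)))
            if raw.lower().startswith(SMTP_VERBS):
                hits.append(raw.decode("ascii", "replace"))
            pending = False
    return hits
```

Run against the full maillog, a non-empty result from the second function paired with a True entry for the listener named in the "send attr ident" line points at the test client, not the TLS library.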
5 Comments

Expert Comment by:martino87r
Now, first question:

Does your machine have a reverse DNS record? To check, open a terminal and write:

nslookup [youripaddress]

If no reverse record is found in the DNS, then you have to modify the config file to accept connections from hosts that don't have an FQDN.

Let me know.

Expert Comment by:martino87r
After that, check whether you have the openssl package on your server and whether it is the same version on both machines.
There was a known problem with the Hello extension for OpenSSL during initialization of TLS channels; the suggestion is to get the latest version of OpenSSL and compile it from sources.

Author Comment by:ktwdallas
Reverse lookup is working; it shows the ISP instead of my domain, but it is working (below). OpenSSL is actually newer (0.9.8g) on the machine that's not working than on the original I copied from (0.9.8b), which is working.


Server:            216.19.176.6
Address:      216.19.176.6#53

Non-authoritative answer:
53.176.19.216.in-addr.arpa      name = 216-19-176-53.stc.novuscom.net.

Authoritative answers can be found from:
176.19.216.in-addr.arpa      nameserver = ns1.novuscom.net.
176.19.216.in-addr.arpa      nameserver = ns2.novuscom.net.
ns1.novuscom.net      internet address = 216.19.176.13
ns2.novuscom.net      internet address = 216.19.176.16

Accepted Solution by:martino87r (earned 500 total points)
This clearly seems to be a problem with the OpenSSL library; try to get it and recompile it entirely from sources.

Update to version 9.8K or try the beta 1.0.0.

This is why I think so:

(Jul  4 20:28:27 www postfix/smtpd[20245]: warning: TLS library problem: 20245:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:562:)

Author Closing Comment by:ktwdallas
Looks like a "yum install openssl" did an update and that worked. Thank you much.