[lug] Postfix SSL config

George S. georges at mhsoftware.com
Thu Apr 4 08:42:43 MDT 2013


Also note that a lot of ISPs just flat block port 25 outbound, and even 
if it was working, it can stop overnight.

I was running Nagios against external hosts to check port 25, when 
Comcast changed the rules a couple of weeks ago, and started blocking 
outbound port 25. As an anti-virus/malware measure, some ISPs are just 
blocking port 25 except to their server.

On 3/29/13 12:05 PM, Mike wrote:
> Also, to note, port 465 is sort of the "old" way of doing smtps, 
> verify with the host (indra or whoever it is) that everything is 
> correct with that, but more modern mail systems actually use port 25 
> and just pretty much use a starttls function to begin tls/ssl 
> communication.
>
> Thanks
>
> Mike
>
>
> On Fri, Mar 29, 2013 at 12:00 PM, <lug-request at lug.boulder.co.us> wrote:
>
>     . . .
>
>
>     ----------------------------------------------------------------------
>
>     Message: 1
>     Date: Thu, 28 Mar 2013 16:21:58 -0600
>     From: sullivan at indra.com
>     Subject: [lug] Postfix SSL config
>     To: lug at lug.boulder.co.us
>     Message-ID: <9e5e8e4c09e9feb63995abfae352931b.squirrel at indra.com>
>     Content-Type: text/plain;charset=iso-8859-1
>
>     Hi,
>
>     I'm trying to set up a simple email relay host, with my home
>     linux box sending to smtp.indra.com.
>     I'm running Postfix 2.9.6-1~12.1 on Xubuntu 3.5.0.26,
>     and I need to use SSL to talk to indra.
>
>     I think SSL works on port 465 because I can use openssl to connect:
>
>     openssl s_client -crlf -connect smtp.indra.com:465
>     AUTH LOGIN
>     334 VXNlcm5hbWU6     # base64 prompt for "Userid:"
>     (send my base64 userid)
>     334 UGFzc3dvcmQ6     # base64 prompt for "Password:"
>     (send my base64 password)
>     235 2.0.0 OK Authenticated
>
>
>     I tried to do this in postfix, by using
>     main.cf:
>         relayhost = smtp.indra.com:465
>         smtp_sasl_auth_enable = yes
>         smtp_sasl_mechanism_filter = login
>         smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
>       sasl/passwd:
>         [smtp.indra.com]:465 myUserName:myPasswd
>       postmap sasl/passwd
>       service postfix restart
>
>     I get:
>       Mar 28 14:22:02 helix postfix/smtp[10392]: CLIENT wrappermode (port smtps/465) is unimplemented
>       Mar 28 14:22:02 helix postfix/smtp[10392]: instead, send to (port submission/587) with STARTTLS
>
>     When I change to the port from 465 to 587 in the above 2 files
>     and restart postfix, I get:
>
>     Mar 28 14:25:47 helix postfix/smtp[10568]: C539F1822CD:
>     to=<someone at indra.com>, relay=smtp.indra.com[209.169.0.20]:587,
>     delay=7.1, delays=0.09/0/6.8/0.15, dsn=4.7.1, status=SOFTBOUNCE (host
>     smtp.indra.com[209.169.0.20] said: 550 5.7.1 <someone at indra.com>...
>     Access denied (in reply to RCPT TO command))
>
>
>     Any thoughts?
>
>     Many thanks,
>
>     Steve
>
>
>
>     ------------------------------
>
>     Message: 2
>     Date: Thu, 28 Mar 2013 18:04:12 -0600
>     From: Christopher Robinson <chrobione at gmail.com>
>     Subject: Re: [lug] Postfix SSL config
>     To: "Boulder (Colorado) Linux Users Group -- General Mailing List"
>             <lug at lug.boulder.co.us>
>     Message-ID:
>     <CAD9p2Vk0DfKaWUOJQ4nFXUwjyHSMf8P=LQVDZxXwXuVesrmqNw at mail.gmail.com>
>     Content-Type: text/plain; charset=ISO-8859-1
>
>     Hey Steve,
>
>     I am not an email admin at all, but I did see this out in the world of
>     googling. I think the issue is not that you changed the port or that
>     SSL, but it's not actually starting TLS correctly and that is why you're
>     having the (Soft Bounce). I might be totally off base on this but I
>     would take a look at this site.
>     http://qmail.jms1.net/starttls.shtml
>     I think it will give you some helpful information.
>     HTH,
>     --chrobione
>
>
>
>     ------------------------------
>
>     Message: 3
>     Date: Thu, 28 Mar 2013 20:42:35 -0600
>     From: Lee Woodworth <blug-mail at duboulder.com>
>     Subject: Re: [lug] Postfix SSL config
>     To: "Boulder (Colorado) Linux Users Group -- General Mailing List"
>             <lug at lug.boulder.co.us>
>     Message-ID: <5154FF9B.1050304 at duboulder.com>
>     Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>     The postfix mailing list at www.postfix.org is where I see many
>     knowledgeable people post. Make sure to follow the instructions in the
>     welcome message on what to include in your post. You may find useful
>     information about the failed delivery by doing (as a privileged user):
>
>          postqueue -p
>
>     Include this information as well.
>
>     On 03/28/2013 04:21 PM, sullivan at indra.com wrote:
>     > Hi,
>     >
>     > I'm trying to set up a simple email relay host, with my home
>     > linux box sending to smtp.indra.com.
>     > I'm running Postfix 2.9.6-1~12.1 on Xubuntu 3.5.0.26,
>     > and I need to use SSL to talk to indra.
>     >
>     ....
>
>     > Mar 28 14:25:47 helix postfix/smtp[10568]: C539F1822CD:
>     > to=<someone at indra.com>, relay=smtp.indra.com[209.169.0.20]:587,
>     > delay=7.1, delays=0.09/0/6.8/0.15, dsn=4.7.1, status=SOFTBOUNCE (host
>     > smtp.indra.com[209.169.0.20] said: 550 5.7.1 <someone at indra.com>...
>     > Access denied (in reply to RCPT TO command))
>
>     The message indicates a rejection by Indra's server. Ask the experts at
>     postfix.org for help on determining if your postfix successfully
>     authenticated (your prior test was for a different port, doesn't tell
>     you about port 587).
>
>
>
>
>     ------------------------------
>
>     _______________________________________________
>     LUG mailing list
>     LUG at lug.boulder.co.us
>     http://lists.lug.boulder.co.us/mailman/listinfo/lug
>
>
>     End of LUG Digest, Vol 113, Issue 14
>     ************************************
>
>
>
>
> -- 
> Mike Harris
>
>
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety

-- 
George Sexton
MH Software, Inc.
303 438-9585
http://www.mhsoftware.com/
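
A check for relay settings like the ones quoted in this thread, as an added example that is not from any of the posters: it flags main.cf and sasl/passwd combinations under which the Postfix SMTP client would skip AUTH or not require TLS. `parse_main_cf`, `lint_relay` and the finding names are hypothetical, the sample input is constructed from the quoted config with the port changed to 587, and the rules are a simplified reading of documented Postfix defaults (legacy `smtp_use_tls`/`smtp_enforce_tls` are ignored), not a diagnosis of the poster's server.

```python
import re

# Constructed sample: the relay settings quoted in the thread, moved to port 587.
MAIN_CF = """\
relayhost = smtp.indra.com:587
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = login
smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
"""
SASL_PASSWD = "[smtp.indra.com]:587 myUserName:myPasswd\n"

def parse_main_cf(text):
    """Return {parameter: value}, skipping comments and joining continuation lines."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and key:  # leading whitespace continues the previous value
            params[key] += " " + line.strip()
        else:
            key = line.partition("=")[0].strip()
            params[key] = line.partition("=")[2].strip()
    return params

def words(value):
    return {w.lower() for w in re.split(r"[,\s]+", value) if w}

def lint_relay(main_cf, sasl_passwd):
    """Hypothetical helper: list reasons the SMTP client may not authenticate securely."""
    p = parse_main_cf(main_cf)
    relay = p.get("relayhost", "")
    host = re.sub(r":\d+$", "", relay).strip("[]")
    keys = {l.split()[0] for l in sasl_passwd.splitlines() if l.strip()}
    findings = []
    # Map keys are matched literally: next hop as written, or the bare host name.
    if not keys & {relay, host}:
        findings.append("password-key-mismatch")
    # Port 465 is implicit TLS; the client needs smtp_tls_wrappermode (Postfix 3.0+).
    if relay.endswith(":465") and p.get("smtp_tls_wrappermode", "no") != "yes":
        findings.append("port-465-without-wrappermode")
    # Without a mandatory TLS level the session can proceed in cleartext.
    if p.get("smtp_tls_security_level", "") in ("", "none", "may"):
        findings.append("tls-not-enforced")
    # The default security options exclude plaintext mechanisms (LOGIN, PLAIN).
    opts = words(p.get("smtp_sasl_security_options", "noplaintext, noanonymous"))
    mechs = words(p.get("smtp_sasl_mechanism_filter", ""))
    if "noplaintext" in opts and mechs and mechs <= {"login", "plain"}:
        findings.append("plaintext-mechanisms-excluded")
    return findings
```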
