[lug] Postfix SSL config
George S.
georges at mhsoftware.com
Thu Apr 4 08:42:43 MDT 2013
Also note that a lot of ISPs just flat block port 25 outbound, and even
if it was working, it can stop overnight.
I was running Nagios against external hosts to check port 25, when
Comcast changed the rules a couple of weeks ago, and started blocking
outbound port 25. As an anti-virus/malware measure, some ISPs are just
blocking port 25 except to their server.
On 3/29/13 12:05 PM, Mike wrote:
> Also, to note, port 465 is sort of the "old" way of doing smtps,
> verify with the host (indra or whoever it is) that everything is
> correct with that, but more modern mail systems actually use port 25
> and just pretty much use a starttls function to begin tls/ssl
> communication.
>
> Thanks
>
> Mike
>
>
> On Fri, Mar 29, 2013 at 12:00 PM, <lug-request at lug.boulder.co.us> wrote:
>
> . . .
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 28 Mar 2013 16:21:58 -0600
> From: sullivan at indra.com
> Subject: [lug] Postfix SSL config
> To: lug at lug.boulder.co.us
> Message-ID: <9e5e8e4c09e9feb63995abfae352931b.squirrel at indra.com>
> Content-Type: text/plain;charset=iso-8859-1
>
> Hi,
>
> I'm trying to set up a simple email relay host, with my home
> linux box sending to smtp.indra.com.
> I'm running Postfix 2.9.6-1~12.1 on Xubuntu 3.5.0.26,
> and I need to use SSL to talk to indra.
>
> I think SSL works on port 465 because I can use openssl to connect:
>
> openssl s_client -crlf -connect smtp.indra.com:465
> AUTH LOGIN
> 334 VXNlcm5hbWU6 # base64 prompt for "Userid:"
> (send my base64 userid)
> 334 UGFzc3dvcmQ6 # base64 prompt for "Password:"
> (send my base64 password)
> 235 2.0.0 OK Authenticated
>
>
> I tried to do this in postfix, by using
> main.cf:
> relayhost = smtp.indra.com:465
> smtp_sasl_auth_enable = yes
> smtp_sasl_mechanism_filter = login
> smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
> sasl/passwd:
> [smtp.indra.com]:465 myUserName:myPasswd
> postmap sasl/passwd
> service postfix restart
>
> I get:
> Mar 28 14:22:02 helix postfix/smtp[10392]: CLIENT wrappermode (port smtps/465) is unimplemented
> Mar 28 14:22:02 helix postfix/smtp[10392]: instead, send to (port submission/587) with STARTTLS
>
> When I change the port from 465 to 587 in the above 2 files
> and restart postfix, I get:
>
> Mar 28 14:25:47 helix postfix/smtp[10568]: C539F1822CD: to=<someone at indra.com>, relay=smtp.indra.com[209.169.0.20]:587, delay=7.1, delays=0.09/0/6.8/0.15, dsn=4.7.1, status=SOFTBOUNCE (host smtp.indra.com[209.169.0.20] said: 550 5.7.1 <someone at indra.com>... Access denied (in reply to RCPT TO command))
>
>
> Any thoughts?
>
> Many thanks,
>
> Steve
>
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 28 Mar 2013 18:04:12 -0600
> From: Christopher Robinson <chrobione at gmail.com>
> Subject: Re: [lug] Postfix SSL config
> To: "Boulder (Colorado) Linux Users Group -- General Mailing List"
> <lug at lug.boulder.co.us>
> Message-ID: <CAD9p2Vk0DfKaWUOJQ4nFXUwjyHSMf8P=LQVDZxXwXuVesrmqNw at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hey Steve,
>
> I am not an email admin at all, but I did see this out in the world of
> googling. I think the issue is not that you changed the port or that
> SSL, but it's not actually starting TLS correctly and that is why you're
> having the (Soft Bounce). I might be totally off base on this but I
> would take a look at this site.
> http://qmail.jms1.net/starttls.shtml
> I think it will give you some helpful information.
> HTH,
> --chrobione
>
> On Thu, Mar 28, 2013 at 4:21 PM, <sullivan at indra.com> wrote:
> > Hi,
> >
> > I'm trying to set up a simple email relay host, with my home
> > linux box sending to smtp.indra.com.
> > I'm running Postfix 2.9.6-1~12.1 on Xubuntu 3.5.0.26,
> > and I need to use SSL to talk to indra.
> >
> > I think SSL works on port 465 because I can use openssl to connect:
> >
> > openssl s_client -crlf -connect smtp.indra.com:465
> > AUTH LOGIN
> > 334 VXNlcm5hbWU6 # base64 prompt for "Userid:"
> > (send my base64 userid)
> > 334 UGFzc3dvcmQ6 # base64 prompt for "Password:"
> > (send my base64 password)
> > 235 2.0.0 OK Authenticated
> >
> >
> > I tried to do this in postfix, by using
> > main.cf:
> > relayhost = smtp.indra.com:465
> > smtp_sasl_auth_enable = yes
> > smtp_sasl_mechanism_filter = login
> > smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
> > sasl/passwd:
> > [smtp.indra.com]:465 myUserName:myPasswd
> > postmap sasl/passwd
> > service postfix restart
> >
> > I get:
> > Mar 28 14:22:02 helix postfix/smtp[10392]: CLIENT wrappermode (port smtps/465) is unimplemented
> > Mar 28 14:22:02 helix postfix/smtp[10392]: instead, send to (port submission/587) with STARTTLS
> >
> > When I change the port from 465 to 587 in the above 2 files
> > and restart postfix, I get:
> >
> > Mar 28 14:25:47 helix postfix/smtp[10568]: C539F1822CD: to=<someone at indra.com>, relay=smtp.indra.com[209.169.0.20]:587, delay=7.1, delays=0.09/0/6.8/0.15, dsn=4.7.1, status=SOFTBOUNCE (host smtp.indra.com[209.169.0.20] said: 550 5.7.1 <someone at indra.com>... Access denied (in reply to RCPT TO command))
> >
> >
> > Any thoughts?
> >
> > Many thanks,
> >
> > Steve
> >
> > _______________________________________________
> > Web Page: http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> > Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 28 Mar 2013 20:42:35 -0600
> From: Lee Woodworth <blug-mail at duboulder.com>
> Subject: Re: [lug] Postfix SSL config
> To: "Boulder (Colorado) Linux Users Group -- General Mailing List"
> <lug at lug.boulder.co.us>
> Message-ID: <5154FF9B.1050304 at duboulder.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> The postfix mailing list at www.postfix.org is where I see many knowledgeable
> people post. Make sure to follow the instructions in the welcome message on
> what to include in your post. You may find useful information about the failed
> delivery by doing (as a privileged user):
>
> postqueue -p
>
> Include this information as well.
>
> On 03/28/2013 04:21 PM, sullivan at indra.com wrote:
> > Hi,
> >
> > I'm trying to set up a simple email relay host, with my home
> > linux box sending to smtp.indra.com.
> > I'm running Postfix 2.9.6-1~12.1 on Xubuntu 3.5.0.26,
> > and I need to use SSL to talk to indra.
> >
> ....
>
> > Mar 28 14:25:47 helix postfix/smtp[10568]: C539F1822CD: to=<someone at indra.com>, relay=smtp.indra.com[209.169.0.20]:587, delay=7.1, delays=0.09/0/6.8/0.15, dsn=4.7.1, status=SOFTBOUNCE (host smtp.indra.com[209.169.0.20] said: 550 5.7.1 <someone at indra.com>... Access denied (in reply to RCPT TO command))
>
> The message indicates a rejection by Indra's server. Ask the experts at
> postfix.org for help on determining if your postfix successfully authenticated
> (your prior test was for a different port, doesn't tell you about port 587).
>
>
>
>
> ------------------------------
>
> _______________________________________________
> LUG mailing list
> LUG at lug.boulder.co.us
> http://lists.lug.boulder.co.us/mailman/listinfo/lug
>
>
> End of LUG Digest, Vol 113, Issue 14
> ************************************
>
>
>
>
> --
> Mike Harris
>
>
--
George Sexton
MH Software, Inc.
303 438-9585
http://www.mhsoftware.com/
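
Added example (not part of the thread and not any poster's code): a small Python check that applies the two hints from the Postfix log quoted above, plus the Postfix documentation's advice that the smtp_sasl_password_maps key use the same form as relayhost, to the quoted main.cf and sasl/passwd. The function and finding names are hypothetical, and the thread does not establish which of these findings, if any, caused the 550.

```python
# Constructed sample: the main.cf and sasl/passwd quoted in the thread,
# after the move from port 465 to 587.
MAIN_CF = """\
relayhost = smtp.indra.com:587
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = login
smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
"""
SASL_PASSWD = "[smtp.indra.com]:587 myUserName:myPasswd\n"


def parse_main_cf(text):
    """Parse 'name = value' lines; a line starting with whitespace continues the previous one."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:
            params[last] += " " + line.strip()
        elif "=" in line:
            last, value = (part.strip() for part in line.split("=", 1))
            params[last] = value
    return params


def lint_relay(main_cf, sasl_passwd):
    """Return finding codes (hypothetical names) for a smarthost relay setup."""
    p = parse_main_cf(main_cf)
    relay = p.get("relayhost", "")
    # Bare hostname: drop the brackets and the port (IPv6 literals not handled).
    host = relay.split("]")[0].lstrip("[").split(":")[0]
    keys = {l.split()[0] for l in sasl_passwd.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}
    findings = []
    # The thread's log: this Postfix client cannot speak TLS-on-connect to 465.
    if relay.endswith((":465", ":smtps")):
        findings.append("wrappermode-465")
    # Without a TLS level (or legacy smtp_use_tls) the client never sends STARTTLS.
    level = p.get("smtp_tls_security_level", "").lower()
    if level in ("", "none") and p.get("smtp_use_tls", "no").lower() != "yes":
        findings.append("starttls-not-enabled")
    elif level == "may":
        findings.append("starttls-optional")  # falls back to cleartext if not offered
    # The password map is searched by next hop (same form as relayhost) or hostname.
    if p.get("smtp_sasl_auth_enable", "no").lower() == "yes" and not keys & {relay, host}:
        findings.append("sasl-key-mismatch")
    return findings


if __name__ == "__main__":
    print(lint_relay(MAIN_CF, SASL_PASSWD))
```

On a live system, `postconf -n` shows the effective non-default settings to feed into a check like this.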