I'm trying to enable TLS on Postfix here, and I can't get it to work. I'm using
Ralf's "Book" and "Linux Email" as well as the web.
postconf -n:
> root@smbox:/etc/postfix# postconf -n
> alias_database = hash:/etc/postfix/aliases.db
> alias_maps = hash:/etc/postfix/aliases
> append_dot_mydomain = no
> biff = no
> config_directory = /etc/postfix
> disable_vrfy_command = yes
> mailbox_command = procmail -a "$EXTENSION"
> mailbox_size_limit = 0
> mydestination = log, localhost.slsware.lan, localhost
> myhostname = smbox.slsware.dmz
> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
> myorigin = /etc/mailname
> readme_directory = no
> recipient_delimiter = +
> relayhost = smtp.slsware.dmz
> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/saslPasswordMaps
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
> smtpd_discard_ehlo_keywords = silent-discard, dsn
> smtpd_helo_required = yes
> smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination permit_inet_interfaces reject_unknown_reverse_client_hostname permit_sasl_authenticated
> smtpd_sasl_auth_enable = yes
> smtpd_tls_CAfile = /usr/share/ssl-cert/ca-bundle.crt
> smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
> smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtpd_use_tls = yes
> tls_random_source = dev:dev/random
> virtual_alias_maps = hash:/etc/postfix/virtual
And the telnet EHLO says STARTTLS is available.
The Book suggests I do 'openssl s_client -starttls smtp -CApath /usr/share/ssl-cert -connect localhost:25'. It returns:
> CONNECTED(00000003)
> depth=0 CN = smbox.slsware.lan
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 CN = smbox.slsware.lan
> verify return:1
> ---
> Certificate chain
> 0 s:/CN=smbox.slsware.lan
> i:/CN=smbox.slsware.lan
> ---
> Server certificate
> subject=/CN=smbox.slsware.lan
> issuer=/CN=smbox.slsware.lan
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1648 bytes and written 490 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: zlib compression
> Expansion: zlib compression
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : ECDHE-RSA-AES256-GCM-SHA384
> Session-ID:
> 47F27BE8002BCD87C371FE0C49BA14C8A573C42A53F473C015DB53B96E0FD461
> Session-ID-ctx:
> Master-Key:
> 918A8CFD341EBDCD5DDF1219DF71C7DAE4DAEA932DA182BE251ED7BB9D0F71D9B8CB1B079D54BD3336C09F279BC61F6E
> >>> Key-Arg : None <<<
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> TLS session ticket lifetime hint: 3600 (seconds)
> TLS session ticket:
> Compression: 1 (zlib compression)
> Start Time: 1394235915
> Timeout : 300 (sec)
> Verify return code: 18 (self signed certificate)
> ---
> 250 8BITMIME
That seems fairly reasonable until the line "Key-Arg : None" (labeled with
>>> <<< above). After that it's completely different, and it freezes at
"8BITMIME". ^C...
At first it was freezing saying "DSN", so I turned off DSN in main.cf.
There are certs where I told Postfix there are some. A while back, Postfix
complained about a missing file:
> Mar 7 15:37:18 smbox postfix/smtp[28845]: fatal: specify a password table via the `smtp_sasl_password_maps' configuration parameter
That has nothing to do with TLS, but I built one anyway, containing a phony
user/pw. The dox on the web say it doesn't need to be there, and the Debian
installer didn't put it in the dist config, but the log quieted down.
The latest info from the log after running the openssl... command:
> Mar 7 16:21:46 smbox postfix/smtpd[19039]: connect from ip6-localhost[127.0.0.1]
> Mar 7 16:21:48 smbox postfix/smtpd[19039]: lost connection after STARTTLS from ip6-localhost[127.0.0.1]
> Mar 7 16:21:48 smbox postfix/smtpd[19039]: disconnect from ip6-localhost[127.0.0.1]
Please, what have I done wrong?
--
Glenn English
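The same check the post performs by hand with openssl s_client (EHLO, confirm STARTTLS is advertised, upgrade, verify the server chain against a chosen CA bundle), as an added example that is not part of the original message; it assumes Python 3.7+ and treats the `cafile` argument as the equivalent of s_client's -CAfile, so a self-signed snakeoil certificate shows up as a reported verification failure rather than a hang.

```python
import smtplib
import socket
import ssl
from typing import Optional


def parse_ehlo_keywords(reply: bytes) -> set:
    """Return the ESMTP keywords from a raw EHLO reply body.

    smtplib hands back the reply with the server's domain on the first line
    and one keyword (plus optional parameters) on each following line.
    """
    lines = reply.decode("ascii", errors="replace").splitlines()
    return {ln.split(maxsplit=1)[0].upper() for ln in lines[1:] if ln.strip()}


def probe_starttls(host: str, port: int = 25, cafile: Optional[str] = None,
                   check_hostname: bool = True, timeout: float = 10.0) -> dict:
    """Connect, EHLO, upgrade with STARTTLS and verify the server chain.

    With check_hostname=False the chain is still verified (CERT_REQUIRED) but
    the certificate name is not matched against `host`, which is what you want
    when probing a box through localhost as in the post.
    """
    out = {"starttls_offered": False, "tls_established": False,
           "protocol": None, "cipher": None, "error": None}
    ctx = ssl.create_default_context(cafile=cafile)
    if not check_hostname:
        ctx.check_hostname = False
    smtp = None
    try:
        smtp = smtplib.SMTP(host, port, timeout=timeout)
        code, reply = smtp.ehlo()
        if code != 250:
            out["error"] = "EHLO rejected with %d" % code
            return out
        out["starttls_offered"] = "STARTTLS" in parse_ehlo_keywords(reply)
        if not out["starttls_offered"]:
            return out
        smtp.starttls(context=ctx)          # raises if the chain does not verify
        out["tls_established"] = True
        out["protocol"] = smtp.sock.version()
        out["cipher"] = smtp.sock.cipher()[0]
        smtp.ehlo()                         # RFC 3207: re-EHLO after the upgrade
    except ssl.SSLCertVerificationError as e:
        out["error"] = "certificate verification failed: %s" % e.verify_message
    except (ssl.SSLError, smtplib.SMTPException, socket.error) as e:
        out["error"] = "%s: %s" % (type(e).__name__, e)
    finally:
        if smtp is not None:
            smtp.close()
    return out
```

Run `probe_starttls("localhost", cafile="/usr/share/ssl-cert/ca-bundle.crt", check_hostname=False)` against the server; a clean result has `tls_established` True and `error` None, while a self-signed certificate yields `error` set and `tls_established` False.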