On 22/07/2014 16:49, Noel Jones wrote:
> The logs suggest there's an encryption mismatch between the client
> and postfix. Make sure you're looking at the "outgoing server SMTP"
> settings in thunderbird, not the IMAP settings.

It's SMTP! I tried connecting by ssl/tls, STARTTLS and clear and the result stays the same.

> Perhaps your authentication test failed because of a
> misconfiguration in the postfix sasl parameters, or perhaps your
> test method is flawed. Either way, that's something else that
> needs to be fixed and tested.
>
> This also has nothing to do with the "lost connection after
> UNKNOWN" log entry, which is caused by sending garbage on the
> connection.
>
>> NOQUEUE: reject: RCPT from myclient.laptop[11.22.33.44]: 454
>> 4.7.1 <mailto@adress>: Relay access denied; from=<root>
>> to=<mailto@adress> proto=ESMTP helo=<my.server.hostname>
>
> I think telnet-ssl will fall back to plaintext if the SSL
> wrappermode handshake fails. Better to test with either regular
> telnet or openssl s_client so you know for sure what protocol is
> being used.

I show you openssl client output:

:~$ openssl s_client -connect my.smtpd.domain:25 -starttls smtp
CONNECTED(00000003)
depth=1 CN = MyOwn Root Certificate Authority, ST = NC, C = US, emailAddress = r...@tradeshowhell.com, O = Trade Show Hell, OU = IT Department
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=frozenstar.no-ip.org/ST=BE/C=DE/emailAddress=root@my.smtpd.domain/O=My Organization Name/OU=Subunit of My Large Organization
   i:/CN=MyOwn Root Certificate Authority/ST=NC/C=US/emailAddress=r...@tradeshowhell.com/O=Trade Show Hell/OU=IT Department
 1 s:/CN=MyOwn Root Certificate Authority/ST=NC/C=US/emailAddress=r...@tradeshowhell.com/O=Trade Show Hell/OU=IT Department
   i:/CN=MyOwn Root Certificate Authority/ST=NC/C=US/emailAddress=r...@tradeshowhell.com/O=Trade Show Hell/OU=IT Department
---
Server certificate
subject=/CN=my.smtpd.domain/ST=BE/C=DE/emailAddress=root@my.smtpd.domain/O=My Organization Name/OU=Subunit of My Large Organization
issuer=/CN=MyOwn Root Certificate Authority/ST=NC/C=US/emailAddress=r...@tradeshowhell.com/O=Trade Show Hell/OU=IT Department
---
No client certificate CA names sent
---
SSL handshake has read 3457 bytes and written 478 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 0D61CC32550E196E08A8ABF79144A116ABDD2876445C670F27B324CE54A4372A
    Session-ID-ctx:
    Master-Key: 0D49116FF117864F042DDE02A64BC9E996B07257E7DEAC5335EC43DBB1806E9F33D43E87BB96B6B6B37A697ECD06BE35
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 3600 (seconds)
    Start Time: 1406059945
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
250 DSN

Test by telnet on port 25:

:~$ telnet frozenstar.no-ip.org 25
Trying 88.198.107.18...
Connected to frozenstar.no-ip.org.
Escape character is '^]'.
220 frozenstar.no-ip.org ESMTP Postfix (Hell/Awaits)
ehlo frozenstar.no-ip.org
250-frozenstar.no-ip.org
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN dvFgbafsdRRTUUooIKKKjhhhshshsYYYx
435 4.7.8 Error: authentication failed: bad protocol / cancel

I hope these outputs are more helpful to help me; I post again my postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
debug_peer_level = 3
disable_dns_lookups = yes
disable_vrfy_command = yes
inet_interfaces = all
mailbox_size_limit = 0
mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost
# Both $mydomain and $myhostname have the same dynamic ip value.
# The server is hosted and has a static ip
mydomain = my.smtpd.domain
myhostname = my.smtpd.domain
mynetworks = 127.0.0.0/8
myorigin = $mydomain
readme_directory = no
recipient_delimiter = +
relayhost = [smtp.autistici.org]:25
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain login
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_tls_CAfile = /etc/postfix/ssl/ca.crt
smtp_tls_cert_file = /etc/postfix/ssl/cert.pem
smtp_tls_key_file = /etc/postfix/ssl/smtpd.key
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated ,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options =
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_cert_file = /etc/postfix/ssl/cert.pem
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport

It must be a server side misconfiguration; unless I use an outdated client (Eudora or Outlook) I don't understand what misconfigurations I can have on the client side.

Thanks

Best regards
Gab

-- 
Key fingerprint = D8E8 7374 49EA 8017 EC52 AD73 0294 F341 FF66 9495
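
Added example, not part of the original message: in a manual telnet test the argument to AUTH PLAIN is the base64 encoding of authzid NUL authcid NUL passwd (RFC 4616), so the string typed after AUTH PLAIN can be checked offline before looking at either side's configuration. The user name and password are constructed sample values; POSTED_TOKEN is the string as it appears in the telnet session above.

```python
import base64
import binascii
from typing import Tuple

# Token exactly as it appears in the telnet session in the message.
POSTED_TOKEN = "dvFgbafsdRRTUUooIKKKjhhhshshsYYYx"


def encode_plain(authcid: str, passwd: str, authzid: str = "") -> str:
    """Build the AUTH PLAIN initial response: authzid NUL authcid NUL passwd."""
    for field in (authzid, authcid, passwd):
        if "\x00" in field:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    raw = "\x00".join((authzid, authcid, passwd)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def check_plain(token: str) -> Tuple[bool, str]:
    """Check the structure of an AUTH PLAIN argument without printing secrets."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return False, "not valid base64"
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        return False, f"expected 3 NUL-separated fields, got {len(parts)}"
    _authzid, authcid, passwd = parts
    if not authcid or not passwd:
        return False, "empty authcid or passwd"
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError:
        return False, "fields are not UTF-8"
    return True, "well-formed"


if __name__ == "__main__":
    good = encode_plain("alice", "s3cret")       # constructed credentials
    print("constructed:", good, check_plain(good))
    print("user only  :", check_plain("YWxpY2U="))  # base64("alice"), no NULs
    print("as posted  :", check_plain(POSTED_TOKEN))
```

A token that passes this check and is still rejected by the server points at the SASL backend rather than at the test input.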