Re: 'Linux 5' support in Postfix Stable Release 3.4.1 ?
ArchLinux is the answer (to everything ;) ) https://www.archlinux.org/download/

On 2019-03-09 16:37, Wietse Venema wrote:

I have a concrete question: does anyone have an URL for an installable image (ISO, memory stick, etc.) that installs an OS with kernel5 and enough user-land tools to build Postfix? My expectation is to fire up an empty VM, install the OS on the empty disk, and start building Postfix 15 minutes later.

Wietse
RE : Re: Is it time for 2.x.y - x.y?
Actually moved to Exim. Exim just works and is highly configurable.

Sent from a Samsung mobile

Original message
From: Ove Evensen o...@outlook.com
Date: 01/06/2013 21:42 (GMT+08:00)
To:
Cc: postfix-us...@cloud9.net
Subject: Re: Is it time for 2.x.y - x.y?

I would say keep it as normal. 2.9 and then 2.10. If you can not see the difference between 2.1 and 2.10 you should not use postfix. Period!

Regards
Ove Jk. Evensen

Original message
From: Linux Addict linuxaddi...@gmail.com
Date: 01/06/2013 14:02 (GMT+00:00)
To: Len Conrad lcon...@go2france.com
Cc: postfix-us...@cloud9.net
Subject: Re: Is it time for 2.x.y - x.y?

After 2.9, it should have been 3, not 2.10 ;)

Sent from my iPhone

On Jun 1, 2013, at 8:33 AM, Len Conrad lcon...@go2france.com wrote:

At 07:18 AM 6/1/2013, you wrote:

On 31.05.2013 22:56, Wietse Venema wrote:

After the confusion that Postfix 2.10 is not Postfix 2.1, maybe it is time to change the release numbering scheme.

don't dumb postfix down. keep the current numbering style.

Len
Re: SMTPS 465
On 15/04/2013 10:24, Charles Marcus wrote:

On 2013-04-14 6:30 PM, Joan Moreau j...@grosjo.net wrote:

On 14/04/2013 22:24, Viktor Dukhovni wrote:

On Sun, Apr 14, 2013 at 10:21:58PM +, Joan Moreau wrote:

However, how can postfix NOT use the only openssl library ? or fail to have SHA2 when loading the .so ?

Find a less broken operating system. This works on every system I've ever used, and finding out what's wrong with yours is not a good use of your time or mine.

Well, this server has worked since ever, supporting plenty of web operations (so I can not really 'delete and re-install') and broke only after updating the kernel. Any other clue ?

Roll back to the previous kernel. Seriously. If you updated the kernel but didn't keep the last known good/working one, then hopefully you have learned why doing this is such a good idea and will do so in the future.

Reverted to 3.7.10. Recompiled openssl + cyrus + postfix. Same errors. Where does the inconsistency reside ?

2013-04-15T13:55:29.921960+02:00 server postfix/smtpd[3308]: warning: TLS library problem: 3308:error:1411C146:SSL routines:tls1_prf:unsupported digest type:t1_enc.c:276:
2013-04-15T13:55:29.921966+02:00 server postfix/smtpd[3308]: warning: TLS library problem: 3308:error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable:t1_enc.c:597:
Re: SMTPS 465
On 13/04/2013 16:27, Viktor Dukhovni wrote:

On Sat, Apr 13, 2013 at 03:40:59PM +0200, mouss wrote:

2013-04-12T21:49:03.160443+02:00 server postfix/smtpd[12238]: warning: TLS library problem: 12238:error:1409D08A:SSL routines:ssl3_setup_key_block:cipher or hash unavailable:s3_enc.c:423:

This suggests your TLS library is broken.

The TLS library being which one ? I am using openSSL and all https web site are working fine. Is there another library involved ?

most probably, the compiled/configured version of openssl does not match what postfix expects.

The only versions of OpenSSL I could find in which s3_enc.c has

SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);

on line 423, are the unreleased OpenSSL 1.0.2 branch and the master development branch. The OP has upgraded to a bleeding-edge OpenSSL, which may have unresolved bugs, or may be incompatible with the installed libcrypto due to an incomplete upgrade, ...

The solution is to use stable OpenSSL releases if you're not an OpenSSL developer. When running development versions of your O/S distribution you need to be willing to find and solve problems independently.

[ I've been ignoring this thread, because the OP replied to an unrelated message to postfix-devel instead of starting a new message, and I don't like to untangle messed up threads. When composing a new message, don't hit Reply. ]

Ok, I tried
1 - to re-install openssl 1.0.1 then recompile postfix
2 - to reboot on an old kernel
3 - to use postfix 2.9, 2.10 or 2.11-devel
4 - to move from SSL (465) to STARTTLS (25)
5 - put the ciphers req to medium

In all cases, I get to something similar to:

2013-04-14T15:26:27.625728+02:00 server postfix/smtpd[20218]: warning: TLS library problem: 20218:error:1411C146:SSL routines:tls1_prf:unsupported digest type:t1_enc.c:276:
2013-04-14T15:26:27.625738+02:00 server postfix/smtpd[20218]: warning: TLS library problem: 20218:error:140D308A:SSL routines:tls1_setup_key_block:cipher or hash unavailable:t1_enc.c:621:

Any clue ?

Thanks a million in advance

Joan
Re: SMTPS 465
On 14/04/2013 15:25, Viktor Dukhovni wrote:

On Sun, Apr 14, 2013 at 01:30:53PM +, Joan Moreau wrote:

[ You're using a mail client, whose plain-text response does not properly quote material you're replying to. When posting to this list please use a non-HTML client that gets the plain-text message right. ]

Ok, I tried
1 - to re-install openssl 1.0.1 then recompile postfix

Done right, this is sufficient. Your compiler settings must be wrong. Post the exact command you use to create the Postfix makefiles.

make -f Makefile.init makefiles 'CCARGS=-DHAS_PCRE -DHAS_MYSQL -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -UHAS_LDAP -UHAS_IPV6 -DUSE_TLS -I/usr/include/mysql/ -I/usr/include/sasl ' 'AUXLIBS=-L/usr/lib/mysql/ -lmysqlclient -lssl -lcrypto -lz -lm -lpcre -lsasl2'

2 - to reboot on an old kernel
3 - to use postfix 2.9, 2.10 or 2.11-devel
4 - to move from SSL (465) to STARTTLS (25)
5 - put the ciphers req to medium

None of these matter. but I don't recall seeing a postconf -n

alias_maps = hash:/etc/aliases
biff = no
bounce_queue_lifetime = 6h
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
defer_transports =
delay_warning_time = 1h
disable_dns_lookups = no
disable_mime_output_conversion = no
dovecot_destination_recipient_limit = 1
header_checks = pcre:/etc/postfix/smtp_header_checks
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps =
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
maximal_queue_lifetime = 1d
message_size_limit = 20480
mydestination = localhost, localhost.$mydomain
mydomain = grosjo.net
myhostname = grosjo.net
mynetworks = 127.0.0.0/8 204.93.196.46/32
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
proxy_read_maps = $virtual_mailbox_domains $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
queue_directory = /var/spool/postfix
readme_directory = no
relayhost =
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
slow_destination_concurrency_limit = 2
slow_destination_recipient_limit = 1
smtp_header_checks = pcre:/etc/postfix/smtp_header_checks
smtp_use_tls = no
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_non_fqdn_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unauth_destination,reject_unauth_pipelining,reject_invalid_hostname,reject_rbl_client bl.spamcop.net,reject_rbl_client sbl-xbl.spamhaus.org,check_policy_service inet:127.0.0.1:10023
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_sasl_authenticated
smtpd_tls_CAfile = /etc/ssl/ca-bundle.crt
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/postfix.crt
smtpd_tls_key_file = /etc/ssl/certs/postfix.key
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
strict_8bitmime = no
strict_rfc821_envelopes = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:1002
virtual_mailbox_base = /data/mail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 0
virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 10001
virtual_transport = dovecot
virtual_uid_maps = static:10001

In all cases, I get to something similar to:

2013-04-14T15:26:27.625728+02:00 server postfix/smtpd[20218]: warning: TLS library problem: 20218:error:1411C146:SSL
Re: SMTPS 465
On 14/04/2013 17:21, Viktor Dukhovni wrote:

On Sun, Apr 14, 2013 at 03:57:07PM +, Joan Moreau wrote:

Done right, this is sufficient. Your compiler settings must be wrong. Post the exact command you use to create the Postfix makefiles.

make -f Makefile.init makefiles 'CCARGS=-DHAS_PCRE -DHAS_MYSQL -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -UHAS_LDAP -UHAS_IPV6 -DUSE_TLS -I/usr/include/mysql/ -I/usr/include/sasl ' 'AUXLIBS=-L/usr/lib/mysql/ -lmysqlclient -lssl -lcrypto -lz -lm -lpcre -lsasl2'

This looks OK, but perhaps you're running into DLL hell. As a sanity check, what version of OpenSSL provides the header files?

$ grep OPENSSL_VERSION /usr/include/openssl/opensslv.h

# grep OPENSSL_VERSION /usr/include/openssl/opensslv.h
#define OPENSSL_VERSION_NUMBER 0x1000105fL
#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1e-fips 11 Feb 2013"
#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1e 11 Feb 2013"
#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT

None of these matter. but I don't recall seeing a postconf -n

smtpd_tls_CAfile = /etc/ssl/ca-bundle.crt
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/postfix.crt
smtpd_tls_key_file = /etc/ssl/certs/postfix.key
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
strict_8bitmime = no
strict_rfc821_envelopes = no
tls_random_source = dev:/dev/urandom

Nothing exciting here, provided this is the correct main.cf, you don't have anything there that would break TLS ciphers.

2013-04-14T15:26:27.625728+02:00 server postfix/smtpd[20218]: warning: TLS library problem: 20218:error:1411C146:SSL routines:tls1_prf:unsupported digest type:t1_enc.c:276:
2013-04-14T15:26:27.625738+02:00 server postfix/smtpd[20218]: warning: TLS library problem: 20218:error:140D308A:SSL routines:tls1_setup_key_block:cipher or hash unavailable:t1_enc.c:621:

Any clue ?

Your libcrypto does not support the algorithms that libssl expects, report the output of:

unset LD_LIBRARY_PATH
unset LD_PRELOAD
ldd $(postconf -h daemon_directory)/smtpd

# ldd $(postconf -h daemon_directory)/smtpd
linux-vdso.so.1
libmysqlclient.so.18 => /usr/lib/mysql/libmysqlclient.so.18
libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0
libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0
libz.so.1 => /lib/libz.so.1
libm.so.6 => /lib/libm.so.6
libpcre.so.1 => /lib/libpcre.so.1
libsasl2.so.2 => /usr/lib/libsasl2.so.2
libdb-5.3.so => /usr/lib/libdb-5.3.so
libnsl.so.1 => /lib/libnsl.so.1
libresolv.so.2 => /lib/libresolv.so.2
libc.so.6 => /lib/libc.so.6
libpthread.so.0 => /lib/libpthread.so.0
libdl.so.2 => /lib/libdl.so.2
libstdc++.so.6 => /usr/lib/libstdc++.so.6
libgcc_s.so.1 => /usr/lib/libgcc_s.so.1
/lib64/ld-linux-x86-64.so.2

The only thing that comes to mind here is that perhaps libmysqlclient.so.18 is linked against a different OpenSSL runtime library than Postfix. Report the output of:

readelf -d /usr/lib/postfix/smtpd
readelf -d /usr/lib/mysql/libmysqlclient.so.18

server:~ # readelf -d /usr/lib/postfix/smtpd
Dynamic section at offset 0x75480 contains 34 entries:
Tag Type Name/Value
0x0001 (NEEDED) Shared library: [libmysqlclient.so.18]
0x0001 (NEEDED) Shared library: [libssl.so.1.0.0]
0x0001 (NEEDED) Shared library: [libcrypto.so.1.0.0]
0x0001 (NEEDED) Shared library: [libz.so.1]
0x0001 (NEEDED) Shared library: [libm.so.6]
0x0001 (NEEDED) Shared library: [libpcre.so.1]
0x0001 (NEEDED) Shared library: [libsasl2.so.2]
0x0001 (NEEDED) Shared library: [libdb-5.3.so]
0x0001 (NEEDED) Shared library: [libnsl.so.1]
0x0001 (NEEDED) Shared library: [libresolv.so.2]
0x0001 (NEEDED) Shared library: [libc.so.6]
0x000c (INIT) 0x405770
0x000d (FINI) 0x451034
0x0019 (INIT_ARRAY) 0x675468
0x001b (INIT_ARRAYSZ) 8 (bytes)
0x001a (FINI_ARRAY) 0x675470
0x001c (FINI_ARRAYSZ) 8 (bytes)
0x0004 (HASH) 0x400258
0x0005 (STRTAB) 0x402810
0x0006 (SYMTAB) 0x400b48
0x000a (STRSZ) 4123 (bytes)
0x000b (SYMENT) 24 (bytes)
0x0015 (DEBUG) 0x0
0x0003 (PLTGOT) 0x675710
0x0002 (PLTRELSZ) 6936 (bytes)
0x0014 (PLTREL) RELA
0x0017 (JMPREL) 0x403c58
0x0007 (RELA) 0x403b68
0x0008 (RELASZ) 240 (bytes)
0x0009 (RELAENT) 24 (bytes
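
An added example, not part of the original thread: a shell helper that automates the two checks requested in the message above, namely whether `ldd` resolves libssl and libcrypto from the same directory, and whether a dependency's `readelf -d` NEEDED entries ask for the same OpenSSL sonames as the binary. The function names are hypothetical and the sample tool output is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check which OpenSSL runtime a binary
# and one of its dependencies would load. All sample tool output below is
# constructed; function names are hypothetical.

# Constructed `ldd` output in which libssl and libcrypto resolve from
# different directories, the usual symptom of a partial OpenSSL upgrade.
SAMPLE_LDD_SPLIT='	libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f0000001000)
	libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007f0000002000)
	libc.so.6 => /lib/libc.so.6 (0x00007f0000003000)'

# Constructed `readelf -d` excerpts: a binary linked against the 1.0.0
# sonames and a dependency that still requests the 0.9.8 sonames.
SAMPLE_READELF_BIN=' 0x0000000000000001 (NEEDED)  Shared library: [libssl.so.1.0.0]
 0x0000000000000001 (NEEDED)  Shared library: [libcrypto.so.1.0.0]
 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]'
SAMPLE_READELF_DEP=' 0x0000000000000001 (NEEDED)  Shared library: [libssl.so.0.9.8]
 0x0000000000000001 (NEEDED)  Shared library: [libcrypto.so.0.9.8]
 0x0000000000000001 (NEEDED)  Shared library: [libc.so.6]'

# Read `ldd` output on stdin; print "soname directory" for libssl/libcrypto.
openssl_paths() {
    awk '$2 == "=>" && $1 ~ /^lib(ssl|crypto)\.so/ {
        dir = $3
        sub("/[^/]*$", "", dir)      # strip the file name, keep the directory
        print $1, dir
    }'
}

# Read `ldd` output on stdin; return 0 if libssl and libcrypto load from a
# single directory (or are absent), 1 if they come from different places.
same_openssl_dir() {
    openssl_paths | awk '{ seen[$2] = 1 }
        END { n = 0; for (d in seen) n++; exit (n > 1) }'
}

# Read `readelf -d` output on stdin; print the OpenSSL sonames it NEEDs.
openssl_needed() {
    grep '(NEEDED)' | tr -d '[]' |
        awk '$NF ~ /^lib(ssl|crypto)\.so/ { print $NF }' | sort -u
}

# $1 = readelf -d text of the binary, $2 = readelf -d text of a dependency.
# Prints every OpenSSL soname the dependency needs that the binary does not
# and returns 1 if there is at least one; returns 0 otherwise.
check_needed_match() {
    bin_libs=$(printf '%s\n' "$1" | openssl_needed)
    status=0
    for lib in $(printf '%s\n' "$2" | openssl_needed); do
        if ! printf '%s\n' "$bin_libs" | grep -qxF "$lib"; then
            echo "$lib"
            status=1
        fi
    done
    return $status
}

# Demo on the constructed samples. On a live system the inputs would be
#   ldd "$(postconf -h daemon_directory)/smtpd"
#   readelf -d <binary>  and  readelf -d <dependent library>
printf '%s\n' "$SAMPLE_LDD_SPLIT" | same_openssl_dir ||
    echo "libssl and libcrypto resolve from different directories"
check_needed_match "$SAMPLE_READELF_BIN" "$SAMPLE_READELF_DEP" ||
    echo "dependency requests OpenSSL sonames the binary does not"
```

Matching sonames from one directory do not prove the two libraries were built from the same OpenSSL release; they only rule out the two mismatches this check looks for.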
Re: SMTPS 465
On 14/04/2013 17:45, Viktor Dukhovni wrote:

On Sun, Apr 14, 2013 at 07:33:21PM +0200, Reindl Harald wrote:

On 14.04.2013 19:24, Viktor Dukhovni wrote:

On Sun, Apr 14, 2013 at 07:22:28PM +0200, Reindl Harald wrote:

-UHAS_IPV6 -DUSE_TLS -I/usr/include/mysql/ -I/usr/include/sasl ' 'AUXLIBS=-L/usr/lib/mysql/ -lmysqlclient -lssl -lcrypto -lz -lm -lpcre -lsasl2'

i am missing here the path to openssl below the ARGS from my fedora-rpm-SPEC

-DUSE_TLS -I/usr/include/openssl

This is not a good idea. The OpenSSL header files are accessed by Postfix via:

#include <openssl/mumble.h>

Unless you have /usr/include/openssl/opennssl/ssl.h you should NOT do this

Fedora has (i guess openssl/opennssl was a typo)

No, I meant what I wrote.

[root@buildserver:~]$ rpm -q --file /usr/include/openssl/ssl.h
openssl-devel-1.0.0k-1.fc17.20130221.rh.x86_64

For this Postfix needs -I/usr/include (the default), and does NOT need -I/usr/include/openssl.

Ok, I have now proper install of postfix / openssl / cyrus / etc...

I still get :

2013-04-14T20:29:44.951208+02:00 server postfix/smtpd[12926]: setting up TLS connection from unknown[41.137.65.121]
2013-04-14T20:29:44.951227+02:00 server postfix/smtpd[12926]: unknown[41.137.65.121]: TLS cipher list aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH
2013-04-14T20:29:44.951422+02:00 server postfix/smtpd[12926]: SSL_accept:before/accept initialization
2013-04-14T20:29:44.951502+02:00 server postfix/smtpd[12926]: SSL_accept:SSLv3 read client hello A
2013-04-14T20:29:44.951510+02:00 server postfix/smtpd[12926]: SSL_accept:SSLv3 write server hello A
2013-04-14T20:29:44.951520+02:00 server postfix/smtpd[12926]: SSL_accept:SSLv3 write certificate A
2013-04-14T20:29:44.954011+02:00 server postfix/smtpd[12926]: SSL_accept:SSLv3 write key exchange A
2013-04-14T20:29:44.954021+02:00 server postfix/smtpd[12926]: SSL_accept:SSLv3 write server done A
2013-04-14T20:29:44.954025+02:00 server postfix/smtpd[12926]: SSL_accept:SSLv3 flush data
2013-04-14T20:29:45.074066+02:00 server postfix/smtpd[12926]: SSL_accept:SSLv3 read client key exchange A
2013-04-14T20:29:45.074085+02:00 server postfix/smtpd[12926]: SSL_accept:error in SSLv3 read certificate verify A
2013-04-14T20:29:45.074091+02:00 server postfix/smtpd[12926]: SSL_accept error from unknown[41.137.65.121]: -1
2013-04-14T20:29:45.074096+02:00 server postfix/smtpd[12926]: warning: TLS library problem: 12926:error:1409D08A:SSL routines:SSL3_SETUP_KEY_BLOCK:cipher or hash unavailable:s3_enc.c:402:
2013-04-14T20:29:45.074367+02:00 server postfix/smtpd[12926]: lost connection after CONNECT from unknown[41.137.65.121]
2013-04-14T20:29:45.074390+02:00 server postfix/smtpd[12926]: disconnect from unknown[41.137.65.121]

What shall I do to fix this ?

Thank you in advance

Joan
Re: SMTPS 465
On 14/04/2013 19:46, Viktor Dukhovni wrote:

On Sun, Apr 14, 2013 at 06:31:48PM +, Joan Moreau wrote:

Ok, I have now proper install of postfix / openssl / cyrus / etc... I still get :

2013-04-14T20:29:45.074096+02:00 server postfix/smtpd[12926]: warning: TLS library problem: 12926:error:1409D08A:SSL routines:SSL3_SETUP_KEY_BLOCK:cipher or hash unavailable:s3_enc.c:402:
2013-04-14T20:29:45.074367+02:00 server postfix/smtpd[12926]: lost connection after CONNECT from unknown[41.137.65.121]
2013-04-14T20:29:45.074390+02:00 server postfix/smtpd[12926]: disconnect from unknown[41.137.65.121]

What shall I do to fix this ?

Use a different O/S that ships working libraries. You test with:

If Postfix is 2.10 or later, test via:

$ openssl s_server -key $(postconf -xh smtpd_tls_key_file) -cert $(postconf -xh smtpd_tls_cert_file) -accept 12345 > server.out 2>&1 &
$ openssl s_client -state -connect 127.0.0.1:12345 2>&1 | tee client.out

(otherwise type the correct paths for -key and -cert). Do openssl's s_client and s_server manage to complete an SSH handshake? Post the output of openssl version -a as well as server.out and client.out.

Ok, here it is below

client.out :

# openssl s_client -state -connect 127.0.0.1:12345 2>&1 | tee client.out
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 OU = Domain Control Validated, OU = Gandi Standard SSL, CN = grosjo.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard SSL, CN = grosjo.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard SSL, CN = grosjo.net
verify error:num=21:unable to verify the first certificate
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
CONNECTED(0003)
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=grosjo.net
   i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
---
Server certificate
subject=/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=grosjo.net
issuer=/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 1911 bytes and written 457 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1.2
Cipher: ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 4161F3711191453349D083CBAF8AD804161865478A36D4C60C260E5E5DDCF543
Session-ID-ctx:
Master-Key: 0F72DD0AEDBDCBCBB5DA9AE7B30E95D19896A4DAB03883416AA8F9B41708B43CDBD485BF323009979426AB58DF3AA2C2
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket: - 20 1e 4e 9e 57 0e 13 f7-b1 c9 50
Re: SMTPS 465
On 14/04/2013 21:21, Viktor Dukhovni wrote:

On Sun, Apr 14, 2013 at 08:49:11PM +, Joan Moreau wrote:

$ openssl s_client -state -connect 127.0.0.1:12345 2>&1 | tee client.out

Ok, here it is below

Please also report openssl version -a.

Here :

OpenSSL 1.0.1e 11 Feb 2013
built on: Sun Apr 14 17:43:32 CEST 2013
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: /etc/ssl

client.out :

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384

This looks fine, OpenSSL inter-operates with itself selecting a TLSv1.2 ciphersuite.

Now try:

(sleep 2; printf "%s\r\n" QUIT) | openssl s_client -state -connect 127.0.0.1:465 2>&1 | tee client.out

# (sleep 2; printf "%s\r\n" QUIT) | openssl s_client -state -connect 127.0.0.1:465 2>&1 | tee client.out
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=2 C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network, OU = http://www.usertrust.com, CN = UTN-USERFirst-Hardware
verify error:num=19:self signed certificate in certificate chain
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:error in SSLv3 read server session ticket A
SSL_connect:error in SSLv3 read server session ticket A
write:errno=104
CONNECTED(0003)
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=grosjo.net
   i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
 1 s:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
---
Server certificate
subject=/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=grosjo.net
issuer=/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 4015 bytes and written 134 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher: ECDHE-RSA-AES256-SHA
Session-ID:
Session-ID-ctx:
Master-Key: 06931224B1AC2DCC58EB31033B3B9C3D25D3F11472B6B314DA4C02ED5D0D999398534D06D66C0FFEE6393071E3B14BB1
Re: SMTPS 465
On 14/04/2013 22:02, Viktor Dukhovni wrote:

On Sun, Apr 14, 2013 at 09:21:16PM +, Viktor Dukhovni wrote:

Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384

This looks fine, OpenSSL inter-operates with itself selecting a TLSv1.2 ciphersuite.

Now try:

(sleep 2; printf "%s\r\n" QUIT) | openssl s_client -state -connect 127.0.0.1:465 2>&1 | tee client.out

and report the output of that (I am assuming Postfix is configured with wrapper mode on port 465 aka smtps) based on your reported master.cf:

smtps inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_wrappermode=yes

It sure looks like Postfix is using a library that does not enable SHA-2 (that is SHA256, SHA384 and SHA512) algorithms when Postfix calls:

SSL_load_error_strings();
OpenSSL_add_ssl_algorithms();

this is not the behaviour I see, so something is wrong with your OpenSSL runtime or header files. Which openssl/ssl.h header file does Postfix include and how does it define OpenSSL_add_ssl_algorithms? I have:

#define OpenSSL_add_ssl_algorithms() SSL_library_init()

which adds all libcrypto digests.

Same : in /usr/include/openssl/ssl.h, I have :

#define OpenSSL_add_ssl_algorithms() SSL_library_init()
#define SSLeay_add_ssl_algorithms() SSL_library_init()

However, in the source of openssl-1.0.1e, I see crypto/sha but no sha-2 anywhere. Is that correct ?
Re: SMTPS 465
On 14/04/2013 22:08, Joan Moreau wrote:

On 14/04/2013 22:02, Viktor Dukhovni wrote:

On Sun, Apr 14, 2013 at 09:21:16PM +, Viktor Dukhovni wrote:

Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384

This looks fine, OpenSSL inter-operates with itself selecting a TLSv1.2 ciphersuite.

Now try:

(sleep 2; printf "%s\r\n" QUIT) | openssl s_client -state -connect 127.0.0.1:465 2>&1 | tee client.out

and report the output of that (I am assuming Postfix is configured with wrapper mode on port 465 aka smtps) based on your reported master.cf:

smtps inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_wrappermode=yes

It sure looks like Postfix is using a library that does not enable SHA-2 (that is SHA256, SHA384 and SHA512) algorithms when Postfix calls:

SSL_load_error_strings();
OpenSSL_add_ssl_algorithms();

this is not the behaviour I see, so something is wrong with your OpenSSL runtime or header files. Which openssl/ssl.h header file does Postfix include and how does it define OpenSSL_add_ssl_algorithms? I have:

#define OpenSSL_add_ssl_algorithms() SSL_library_init()

which adds all libcrypto digests.

Same : in /usr/include/openssl/ssl.h, I have :

#define OpenSSL_add_ssl_algorithms() SSL_library_init()
#define SSLeay_add_ssl_algorithms() SSL_library_init()

However, in the source of openssl-1.0.1e, I see crypto/sha but no sha-2 anywhere. Is that correct ?

SHA256 is correctly setup in openssl :

openssl x509 -sha256 -noout -fingerprint -in /etc/ssl/certs/gjnet.crt
SHA256 Fingerprint=4C:F3:9C:6C:EA:47:04:12:60:60:D5:B5:18:5D:BD:D4:DA:03:03:44:22:2F:01:C6:F7:A3:76:D6:45:15:3F:89

However, how can postfix NOT use the only openssl library ? or fail to have SHA2 when loading the .so ?
Re: SMTPS 465
On 14/04/2013 22:24, Viktor Dukhovni wrote:

On Sun, Apr 14, 2013 at 10:21:58PM +, Joan Moreau wrote:

However, how can postfix NOT use the only openssl library ? or fail to have SHA2 when loading the .so ?

Find a less broken operating system. This works on every system I've ever used, and finding out what's wrong with yours is not a good use of your time or mine.

Well, this server has worked since ever, supporting plenty of web operations (so I can not really 'delete and re-install') and broke only after updating the kernel. Any other clue ?

Thanks a million
Re: SMTPS 465
yes, I kind of agree with you, however, would it be with SSL or STARTTLS, I get the same error (which did not appear before I upgraded my kernel)

What could be the solution ?

On 12/04/2013 22:50, b...@bitrate.net wrote:

On Apr 12, 2013, at 15.25, Joan Moreau j...@grosjo.net wrote:

Hi, I am stuck with making my SSL SMTPS (port 465) works, while it was working fine since ever.

others have helped with the specifics of your question, so i'll address the philosophical aspect of it :) . while it may take some coordination to do so if you have an existing user base using smtps, you should be using submission+starttls instead. smtps is a long since deprecated, never standardized protocol, which now misappropriates a port which has been formally assigned by iana to another protocol, for quite some time.

-ben
Re: SMTPS 465
This leads to an error 404. Maybe can you rather explain how toppost would solve the SSL problem ?

Thanks in advance

joan

On 12/04/2013 22:14, Quanah Gibson-Mount wrote:

--On Friday, April 12, 2013 9:05 PM + Joan Moreau j...@grosjo.net wrote:

Please don't top-post.

I do not understand

http://www.idallen.com/topposting.html [1]

--Quanah

--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
Zimbra :: the leader in open source messaging and collaboration

Links:
--
[1] http://www.idallen.com/topposting.html
Re: SMTPS 465
Le 13/04/2013 13:40, mouss a écrit : Le 12/04/2013 23:05, Joan Moreau a écrit : Please don't top-post. I do not understand smtpd_tls_loglevel = 1 is sufficient for debugging. ok 2013-04-12T21:49:03.160443+02:00 server postfix/smtpd[12238]: warning: TLS library problem: 12238:error:1409D08A:SSL routines:ssl3_setup_key_block:cipher or hash unavailable:s3_enc.c:423: This suggests your TLS library is broken. The TLS library being which one ? I am using openSSL and all https web site are working fine. Is there another library involved ? most probably, the compiled/configured version of openssl does not match what postfix expects. you said that your upgraded the kernel. did this cause an upgrade of openssl? if so, try rebuilding postfix. Is your openssl library striped to only include selected algorithms? if so, you need to make sure that this mtaches the algos configured in postfix: $ postconf |grep medium lmtp_tls_mandatory_ciphers = medium smtp_tls_mandatory_ciphers = medium smtpd_tls_mandatory_ciphers = medium tls_medium_cipherlist = aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH you can try: openssl ciphers -v 'aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH' (single quotees to avoid the shell barfing because of the '!' char). 
With those parameters, I get :

2013-04-13T17:41:48.562917+02:00 server postfix/smtpd[16148]: initializing the server-side TLS engine
2013-04-13T17:41:48.582261+02:00 server postfix/smtpd[16148]: connect from unknown[41.137.65.121]
2013-04-13T17:41:48.582275+02:00 server postfix/smtpd[16148]: setting up TLS connection from unknown[41.137.65.121]
2013-04-13T17:41:48.582290+02:00 server postfix/smtpd[16148]: unknown[41.137.65.121]: TLS cipher list aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4STRENGTH
2013-04-13T17:41:48.582492+02:00 server postfix/smtpd[16148]: SSL_accept:before/accept initialization
2013-04-13T17:41:48.582586+02:00 server postfix/smtpd[16148]: SSL_accept:SSLv3 read client hello A
2013-04-13T17:41:48.582594+02:00 server postfix/smtpd[16148]: SSL_accept:SSLv3 write server hello A
2013-04-13T17:41:48.582701+02:00 server postfix/smtpd[16148]: SSL_accept:SSLv3 write certificate A
2013-04-13T17:41:48.584639+02:00 server postfix/smtpd[16148]: SSL_accept:SSLv3 write key exchange A
2013-04-13T17:41:48.584647+02:00 server postfix/smtpd[16148]: SSL_accept:SSLv3 write server done A
2013-04-13T17:41:48.584650+02:00 server postfix/smtpd[16148]: SSL_accept:SSLv3 flush data
2013-04-13T17:41:48.670134+02:00 server postfix/smtpd[16148]: SSL_accept:SSLv3 read client key exchange A
2013-04-13T17:41:48.670144+02:00 server postfix/smtpd[16148]: SSL_accept:error in SSLv3 read certificate verify A
2013-04-13T17:41:48.670147+02:00 server postfix/smtpd[16148]: SSL_accept error from unknown[41.137.65.121]: -1
2013-04-13T17:41:48.670156+02:00 server postfix/smtpd[16148]: warning: TLS library problem: 16148:error:1411C146:SSL routines:tls1_prf:unsupported digest type:t1_enc.c:276:
2013-04-13T17:41:48.670167+02:00 server postfix/smtpd[16148]: warning: TLS library problem: 16148:error:140D308A:SSL routines:tls1_setup_key_block:cipher or hash unavailable:t1_enc.c:621:
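The "TLS library problem" warnings in the message above are OpenSSL error-queue entries relayed by smtpd, and they can be triaged mechanically. The following Python is an added example, not part of the original thread and not Postfix or OpenSSL code: it ties each warning to the client and last handshake state of the same smtpd process and unpacks the numeric error code. The function names are hypothetical, and the bit layout used by `decode_err_code` is the one OpenSSL 1.x uses (8-bit library, 12-bit function, 12-bit reason).

```python
import re
from collections import defaultdict

# Lines copied from the log excerpts posted in this thread.
SAMPLE_LOG = """\
2013-04-13T17:41:48.582275+02:00 server postfix/smtpd[16148]: setting up TLS connection from unknown[41.137.65.121]
2013-04-13T17:41:48.670134+02:00 server postfix/smtpd[16148]: SSL_accept:SSLv3 read client key exchange A
2013-04-13T17:41:48.670144+02:00 server postfix/smtpd[16148]: SSL_accept:error in SSLv3 read certificate verify A
2013-04-13T17:41:48.670147+02:00 server postfix/smtpd[16148]: SSL_accept error from unknown[41.137.65.121]: -1
2013-04-13T17:41:48.670156+02:00 server postfix/smtpd[16148]: warning: TLS library problem: 16148:error:1411C146:SSL routines:tls1_prf:unsupported digest type:t1_enc.c:276:
2013-04-13T17:41:48.670167+02:00 server postfix/smtpd[16148]: warning: TLS library problem: 16148:error:140D308A:SSL routines:tls1_setup_key_block:cipher or hash unavailable:t1_enc.c:621:
2013-04-12T21:49:03.068514+02:00 server postfix/smtpd[12238]: setting up TLS connection from unknown[41.137.65.121]
2013-04-12T21:49:03.160429+02:00 server postfix/smtpd[12238]: SSL_accept:error in SSLv3 read certificate verify A
2013-04-12T21:49:03.160443+02:00 server postfix/smtpd[12238]: warning: TLS library problem: 12238:error:1409D08A:SSL routines:ssl3_setup_key_block:cipher or hash unavailable:s3_enc.c:423:
"""

# Syslog prefix as it appears in the thread: timestamp, host, postfix/<daemon>[pid]: message
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) postfix/(?P<daemon>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CLIENT = re.compile(r"^setting up TLS connection from (?P<client>\S+)")
# Error-queue entry: [pid:]error:CODE:library:function:reason:file:line:
# (the leading pid is treated as optional here, which is an assumption)
TLS_ERR = re.compile(
    r"TLS library problem: (?:\d+:)?error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):")


def decode_err_code(code_hex):
    """Split a packed OpenSSL 1.x error code into (library, function, reason) numbers."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_tls_problems(text):
    """Return one record per TLS library warning, with per-process handshake context."""
    client, state, findings = {}, {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        c = CLIENT.match(msg)
        if c:  # a new handshake starts in this smtpd process
            client[pid] = c["client"]
            state.pop(pid, None)
        elif msg.startswith("SSL_accept:"):  # handshake state trace (loglevel >= 2)
            state[pid] = msg[len("SSL_accept:"):]
        else:
            e = TLS_ERR.search(msg)
            if e:
                lib_num, func_num, reason_num = decode_err_code(e["code"])
                findings.append({
                    "ts": m["ts"], "pid": pid,
                    "client": client.get(pid), "last_state": state.get(pid),
                    "code": e["code"].upper(), "lib_num": lib_num,
                    "func_num": func_num, "reason_num": reason_num,
                    "func": e["func"], "reason": e["reason"],
                    "where": f'{e["file"]}:{e["line"]}',
                })
    return findings


def group_by_reason(findings):
    """Map each numeric reason code to the sorted OpenSSL functions that raised it."""
    groups = defaultdict(set)
    for f in findings:
        groups[f["reason_num"]].add(f["func"])
    return {num: sorted(funcs) for num, funcs in groups.items()}


if __name__ == "__main__":
    found = parse_tls_problems(SAMPLE_LOG)
    for f in found:
        print(f'{f["ts"]} pid={f["pid"]} client={f["client"]} after "{f["last_state"]}": '
              f'{f["reason"]} in {f["func"]} ({f["where"]}), '
              f'lib={f["lib_num"]} func={f["func_num"]} reason={f["reason_num"]}')
    print(group_by_reason(found))
```

Grouping by reason number shows that the SSLv3 and TLSv1 key-block functions fail with the same reason code, which fits the replies in the thread pointing at the OpenSSL library smtpd is running against rather than at one protocol version.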
SMTPS 465
Hi,

I am stuck with making my SSL SMTPS (port 465) work, while it was working fine since ever. I upgraded my kernel to 3.8.6 and since then, nothing works :(

Here is my postconf -n:

alias_maps = hash:/etc/aliases
biff = no
bounce_queue_lifetime = 6h
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
defer_transports =
delay_warning_time = 1h
disable_dns_lookups = no
disable_mime_output_conversion = no
dovecot_destination_recipient_limit = 1
header_checks = pcre:/etc/postfix/smtp_header_checks
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps =
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
maximal_queue_lifetime = 1d
message_size_limit = 20480
mydestination = $myhostname, localhost.$mydomain
mydomain = grosjo.net
myhostname = grosjo.net
mynetworks = 127.0.0.0/8 204.93.196.46/32
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
proxy_read_maps = $virtual_mailbox_domains $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
queue_directory = /var/spool/postfix
readme_directory = no
relayhost =
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
slow_destination_concurrency_limit = 2
slow_destination_recipient_limit = 1
smtp_header_checks = pcre:/etc/postfix/smtp_header_checks
smtp_sasl_auth_enable = no
smtp_tls_CAfile = /etc/ssl/ca-bundle.crt
smtp_tls_cert_file = /etc/ssl/certs/gjnet.crt
smtp_tls_key_file = /etc/ssl/certs/gjnet.key
smtp_tls_session_cache_database = hash:/var/lib/postfix/smtp_scache
smtp_use_tls = no
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_non_fqdn_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unauth_destination,reject_unauth_pipelining,reject_invalid_hostname,reject_rbl_client bl.spamcop.net,reject_rbl_client sbl-xbl.spamhaus.org,check_policy_service inet:127.0.0.1:10023
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_sasl_authenticated
smtpd_tls_CAfile = /etc/ssl/ca-bundle.crt
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_cert_file = /etc/ssl/certs/gjnet.crt
smtpd_tls_key_file = /etc/ssl/certs/gjnet.key
smtpd_tls_loglevel = 3
strict_8bitmime = no
strict_rfc821_envelopes = no
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:1002
virtual_mailbox_base = /data/mail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 0
virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 10001
virtual_transport = dovecot
virtual_uid_maps = static:10001

my master.cf

mtp inet n - n - - smtpd
# -o content_filter=spamassassin
#smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
smtps inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes
submission inet n - n - - smtpd -o smtpd_enforce_tls=yes
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
tlsmgr unix - - n 1000? 1 tlsmgr
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
# spamassassin unix - n n - - pipe flags=DRhu
Re: SMTPS 465
Hi,

I need to type

server:~ # openssl s_client -CAPATH /ETC/SSL -connect 127.0.0.1:465

to get an OK at the end. Is this the cause of the problem ? If yes, how to fix it in main.cf ?

CONNECTED(0003)
depth=1 C = FR, O = GANDI SAS, CN = Gandi Standard SSL CA
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard SSL, CN = grosjo.net
verify return:1
write:errno=104
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=grosjo.net
   i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
 1 s:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
---
Server certificate
-BEGIN CERTIFICATE-
MIIE1zCCA7+gAwIBAgIRAKEFB6KnYccTgVUT3bw3RGYwDQYJKoZIhvcNAQEFBQAw
...
aNrCILvl6KKvIe04MKimkkB9HwN4hY9vb4hGYX2qqn5ihFgZEg6gyc3rzA==
-END CERTIFICATE-
subject=/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=grosjo.net
issuer=/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4017 bytes and written 135 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: NONE
SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
    Session-ID-ctx:
    Master-Key: CE923A87CC6CC9B18C1B9C8F8B0A0BA05A96194501CC54EDD95A29F61D1C82D85E253F756E9D1568CF850C02D5DDBF9C
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Compression: 1 (zlib compression)
    Start Time: 1365795552
    Timeout : 300 (sec)
    VERIFY RETURN CODE: 0 (OK)
---
Re: SMTPS 465
Actually, if I type

openssl s_client -CAPATH BKQSDQSD -connect 127.0.0.1:465

(i.e. whatever in the CApath field), the connection works fine, but if not, I get an error.

Putting log level at 3 in postfix, I get :

2013-04-12T21:49:03.25+02:00 server postfix/smtpd[12238]: initializing the server-side TLS engine
2013-04-12T21:49:03.068492+02:00 server postfix/smtpd[12238]: connect from unknown[41.137.65.121]
2013-04-12T21:49:03.068514+02:00 server postfix/smtpd[12238]: setting up TLS connection from unknown[41.137.65.121]
2013-04-12T21:49:03.068639+02:00 server postfix/smtpd[12238]: unknown[41.137.65.121]: TLS cipher list aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH
2013-04-12T21:49:03.068872+02:00 server postfix/smtpd[12238]: SSL_accept:before/accept initialization
2013-04-12T21:49:03.068964+02:00 server postfix/smtpd[12238]: SSL_accept:SSLv3 read client hello A
2013-04-12T21:49:03.068973+02:00 server postfix/smtpd[12238]: SSL_accept:SSLv3 write server hello A
2013-04-12T21:49:03.069102+02:00 server postfix/smtpd[12238]: SSL_accept:SSLv3 write certificate A
2013-04-12T21:49:03.071683+02:00 server postfix/smtpd[12238]: SSL_accept:SSLv3 write key exchange A
2013-04-12T21:49:03.071693+02:00 server postfix/smtpd[12238]: SSL_accept:SSLv3 write server done A
2013-04-12T21:49:03.071697+02:00 server postfix/smtpd[12238]: SSL_accept:SSLv3 flush data
2013-04-12T21:49:03.160413+02:00 server postfix/smtpd[12238]: SSL_accept:SSLv3 read client key exchange A
2013-04-12T21:49:03.160429+02:00 server postfix/smtpd[12238]: SSL_accept:error in SSLv3 read certificate verify A
2013-04-12T21:49:03.160431+02:00 server postfix/smtpd[12238]: SSL_accept error from unknown[41.137.65.121]: -1
2013-04-12T21:49:03.160443+02:00 server postfix/smtpd[12238]: warning: TLS library problem: 12238:error:1409D08A:SSL routines:ssl3_setup_key_block:cipher or hash unavailable:s3_enc.c:423:
2013-04-12T21:49:03.165268+02:00 server postfix/smtpd[12238]: lost connection after CONNECT from unknown[41.137.65.121]
2013-04-12T21:49:03.165281+02:00 server postfix/smtpd[12238]: disconnect from unknown[41.137.65.121]

On 12/04/2013 19:41, Joan Moreau wrote:

Hi,

I need to type

server:~ # openssl s_client -CAPATH /ETC/SSL -connect 127.0.0.1:465

to get an OK at the end. Is this the cause of the problem ? If yes, how to fix it in main.cf ?

CONNECTED(0003)
depth=1 C = FR, O = GANDI SAS, CN = Gandi Standard SSL CA
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard SSL, CN = grosjo.net
verify return:1
write:errno=104
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=grosjo.net
   i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
 1 s:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
---
Server certificate
-BEGIN CERTIFICATE-
MIIE1zCCA7+gAwIBAgIRAKEFB6KnYccTgVUT3bw3RGYwDQYJKoZIhvcNAQEFBQAw
...
aNrCILvl6KKvIe04MKimkkB9HwN4hY9vb4hGYX2qqn5ihFgZEg6gyc3rzA==
-END CERTIFICATE-
subject=/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=grosjo.net
issuer=/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4017 bytes and written 135 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: NONE
SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
    Session-ID-ctx:
    Master-Key: CE923A87CC6CC9B18C1B9C8F8B0A0BA05A96194501CC54EDD95A29F61D1C82D85E253F756E9D1568CF850C02D5DDBF9C
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Compression: 1 (zlib compression)
    Start Time: 1365795552
    Timeout : 300 (sec)
    VERIFY RETURN CODE: 0 (OK)
---
Re: SMTPS 465
Please don't top-post.

I do not understand

smtpd_tls_loglevel = 1 is sufficient for debugging.

ok

2013-04-12T21:49:03.160443+02:00 server postfix/smtpd[12238]: warning: TLS library problem: 12238:error:1409D08A:SSL routines:ssl3_setup_key_block:cipher or hash unavailable:s3_enc.c:423:

This suggests your TLS library is broken.

The TLS library being which one ? I am using openSSL and all https web site are working fine. Is there another library involved ?

Thank you in advance

Joan
unused parameter: maildrop_destination_recipient_limit=1
Hi,

I upgraded to 2.9 and I get a few parameters that are not used anymore, but this one troubles me:

usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: maildrop_destination_recipient_limit=1

What is now the default value for this parameter, if we can not set it up anymore ?

Thanks

JM
Re: unexpected attribute rewrite_context from smtp socket (expecting: log_ident)
You are SO impolite. I am kind enough to take the time to notify you of a bug, and you are replying that I am incompetent. Your tone was exactly the same with my question on MYSQL integration. Would you please avoid talking to me and let polite and kind people reply to my email ?

On Mon, 17 Jan 2011 08:55:15 -0500 (EST), Wietse Venema wrote:

Joan Moreau:

Yes, well, that is what I do. The bug does not disappear anyway ... How to fix that ?

The problem is clear: you are still running the Postfix 2.7 queue manager daemon, after you replaced the smtp client etc. programs with those from Postfix 2.8. The reason for this is one of the following:

1) You installed Postfix properly. YOU CANNOT COPY OVER THE FILES. Many UNIX systems will refuse to overwrite the queue manager daemon while that process is running (and the same for the master daemon). To properly upgrade Postfix, use make upgrade if installing from source, or whatever package manager if installing a binary package.

2) You have more than one Postfix instance running, and one is still running the old queue manager daemon.

3) You are unable to execute simple commands correctly when asked on the mailing list.

Wietse
unexpected attribute rewrite_context from smtp socket (expecting: log_ident)
I have the following error using postfix 2.8.0-RC1

Jan 17 01:38:36 server postfix/smtp[5807]: warning: unexpected attribute rewrite_context from smtp socket (expecting: log_ident)
Jan 17 01:38:36 server postfix/smtp[5807]: warning: deliver_request_get: error receiving common attributes
Jan 17 01:38:36 server postfix/smtp[5805]: warning: unexpected attribute rewrite_context from smtp socket (expecting: log_ident)
Jan 17 01:38:36 server postfix/smtp[5805]: warning: deliver_request_get: error receiving common attributes

I was using 2,7,2 before without this bug
Re: unexpected attribute rewrite_context from smtp socket (expecting: log_ident)
How to get this queue stopped ? (I killed the processes 'postfix' to be sure, but the bug stays)

On Sun, 16 Jan 2011 19:47:10 -0500 (EST), Wietse Venema wrote:

Joan Moreau:

I have the following error using postfix 2.8.0-RC1

Jan 17 01:38:36 server postfix/smtp[5807]: warning: unexpected attribute rewrite_context from smtp socket (expecting: log_ident)
Jan 17 01:38:36 server postfix/smtp[5807]: warning: deliver_request_get: error receiving common attributes
Jan 17 01:38:36 server postfix/smtp[5805]: warning: unexpected attribute rewrite_context from smtp socket (expecting: log_ident)
Jan 17 01:38:36 server postfix/smtp[5805]: warning: deliver_request_get: error receiving common attributes

I was using 2,7,2 before without this bug

You are still running the 2.7.2 queue manager, after installing the 2.8 delivery agents. You can't mix different Postfix versions.

Wietse
Re: unexpected attribute rewrite_context from smtp socket (expecting: log_ident)
Yes, well, that is what I do. The bug does not disappear anyway ... How to fix that ?

On Sun, 16 Jan 2011 20:42:23 -0500 (EST), Wietse Venema wrote:

Joan Moreau:

How to get this queue stopped ? (I killed the processes 'postfix' to be sure, but the bug stays)

# postfix stop

Wietse

On Sun, 16 Jan 2011 19:47:10 -0500 (EST), Wietse Venema wrote:

Joan Moreau:

I have the following error using postfix 2.8.0-RC1

Jan 17 01:38:36 server postfix/smtp[5807]: warning: unexpected attribute rewrite_context from smtp socket (expecting: log_ident)
Jan 17 01:38:36 server postfix/smtp[5807]: warning: deliver_request_get: error receiving common attributes
Jan 17 01:38:36 server postfix/smtp[5805]: warning: unexpected attribute rewrite_context from smtp socket (expecting: log_ident)
Jan 17 01:38:36 server postfix/smtp[5805]: warning: deliver_request_get: error receiving common attributes

I was using 2,7,2 before without this bug

You are still running the 2.7.2 queue manager, after installing the 2.8 delivery agents. You can't mix different Postfix versions.

Wietse
Re: Postfix queue in Mysql ?
But I have no car to fix . What is that story about ? Now, I did not rule out anything in any email. Can you just tell me how to put the mailing queue in a DB (mysql database in my case) ?

On Wed, 29 Dec 2010 18:04:45 +1100, James Gray wrote:

On 29/12/2010, at 4:02 PM, Joan Moreau wrote:

Well, I am surprised by the tone of those emails.

Why? Do you tell your mechanic how to fix your car before he's even been informed what vehicle you drive?

I am just asking if it exists a back-end that would replace the storage and management of the queue into mysql (i.e. put /var/spool/postfix into mysql tables).

As you've been told - no. Not unless you replace your backend with a dedicated DB system which you ruled out in your initial post.

Cheers,

James
Postfix queue in Mysql ?
Hi,

the postfix queue manager (qmgr) is taking far too much resources when the number of email pending is growing. Is there a way to move /var/spool/postfix in a MySQL database ? (don't tell me dbmail, I want to keep my dovecot imap/pop server)

Thanks

Joan
Re: Postfix queue in Mysql ?
Well, more clearly, my question is : How can I plug Mysql as a backend of postfix to handle the mailq ?

On Tue, 28 Dec 2010 12:00:04 -0500 (EST), Wietse Venema wrote:

Joan Moreau:

Hi, the postfix queue manager (qmgr) is taking far too much resources when the number of email pending is growing.

Sorry, you are jumping to conclusions. There are many reasons why mail can pile up in the queue, and you have not given a shred of information that allows people here to help you. For more support, please see the mailing list welcome message, repeated below.

Wietse

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail [1]
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html [2]
Thank you for using Postfix.

Links:
--
[1] http://www.postfix.org/DEBUG_README.html#mail
[2] http://www.postfix.org/lists.html
Re: Postfix queue in Mysql ?
Well, no need to get angry. I am just looking for a MySQL backend to replace the hard-disk storage of the postfix mailqueue. This is not a problem, this is something I am looking for.

Best,

Joan

On Tue, 28 Dec 2010 12:28:57 -0500 (EST), Wietse Venema wrote:

Joan Moreau:

Well, more clearly, my question is : How can I plug Mysql as a backend of postfix to handle the mailq ?

Please state the PROBLEM instead of the SOLUTION.

Wietse
Re: Postfix queue in Mysql ?
Well, I am surprised by the tone of those emails. I am just asking if it exists a back-end that would replace the storage and management of the queue into mysql (i.e. put /var/spool/postfix into mysql tables). (yes, a file system is made for storing files, but it is not at all made to execute queries on the file tree (hey, it is a tree! not a rdbms )

On Wed, 29 Dec 2010 09:29:12 +1100, James Gray wrote:

On Tue, 28 Dec 2010 12:28:57 -0500 (EST), Wietse Venema wrote:

Joan Moreau:

Well, more clearly, my question is : How can I plug Mysql as a backend of postfix to handle the mailq ?

Please state the PROBLEM instead of the SOLUTION.

Wietse

On 29/12/2010, at 8:29 AM, Joan Moreau wrote:

I am just looking for a MySQL backend to replace the hard-disk storage of the postfix mailqueue. This is not a problem, this is something I am looking for.

(Top posting fixed...quoting might not be - curse you Apple Mail!)

So where exactly will the MySQL backend live if not on disk?? If your qmgr is choking on I/O, then throwing a DB at it won't help, in fact I can think of a number of ways this will make an I/O-challenged system WORSE. I guess you could find some tool (or write one) that abstracts a MySQL database out to a file system, heck, I've seen all manner of weird things abstracted to file systems. At the end of the day, a file system is essentially an extremely specialised DB...for storing, accessing and manipulating files.

So far the list has asked for specifics about the problem. You keep demanding a specific solution. Without knowing anything about your setup, what testing you've done, heck, even the version of Postfix you're on, how do you expect us to help you? Without being rude, have a read of http://www.catb.org/~esr/faqs/smart-questions.html [1] - specifically about half way down titled: Be precise and informative about your problem.

Good luck,

James

Links:
--
[1] http://www.catb.org/~esr/faqs/smart-questions.html