Re: Re: What is my self-made TLS problem for Postfix to Postfix transport TLS not available due to local problem ?

2015-01-29 Thread srach
Hello Patrick

29. Jan 2015 19:37 by p...@sys4.de:


> The problem is probably in the lines above in your log. Have you tried to
> reload postfix (to get a clear offset in the log)

Yes many times.

> and then telnet to
> 127.0.0.1?

Before I complain some more times I will first explore with telnet.  I was
only sending mails.  telnet I think will make some things clear.

> Send postconf -n and we will be able to help you.

Okay I will get there.  For what instance do you think?  The 'in' or 'out'?
Or both of them?




*S*



Re: Re: Re: What is my self-made TLS problem for Postfix to Postfix transport TLS not available due to local problem ?

2015-01-29 Thread srach
With the testing by both telnet and openssl s_client I can see the TLS as the
available option but I see too the None cipher.

I am suspecting this though confusing.

I will first read more on the testing with these tools and understanding the
meaning of the logging reply for them.  I also see the idea from Wietse to
look into other locations for log replies.  I did that once or more already but
will see to that again right now.

telnet 127.0.0.1 25
    Trying 127.0.0.1...
    Connected to 127.0.0.1.
    Escape character is '^]'.
    220 mx.srchdomain.com ESMTP . No UCE permitted.
    EHLO test.com
    250-mx.srchdomain.com
    250-PIPELINING
    250-SIZE 1024
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN

telnet 127.0.0.1 10026
    Trying 127.0.0.1...
    Connected to 127.0.0.1.
    Escape character is '^]'.
    220 srchsvr.srchdomain.com ESMTP . No UCE permitted.
    EHLO test.com
    250-srchsvr.srchdomain.com
    250-PIPELINING
    250-SIZE 1024
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN

openssl s_client -crlf -connect 127.0.0.1:25 -starttls smtp -tls1_2 -CApath /etc/ssl/certs
    CONNECTED(0003)
    139892197459600:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:361:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 312 bytes and written 7 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1422561244
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    ---

openssl s_client -crlf -connect 127.0.0.1:10026 -starttls smtp -tls1_2 -CApath /etc/ssl/certs
    CONNECTED(0003)
    140014293526160:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:361:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 246 bytes and written 7 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1422561276
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    ---

And then I will look at my 'postconf -n' myself first too.  Better to do it
myself first.  I must find this since I did it to myself.

When I cannot, then I will have to be begging.  Bleh again!

*S*
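An added example, not part of this thread and not Postfix code: a small Python probe that walks the same path by hand that openssl s_client -starttls smtp walks (greeting, EHLO, check that STARTTLS is advertised, send STARTTLS, then start the TLS handshake) and reports the step at which it stops. The "wrong version number" error right after STARTTLS in the output above is what OpenSSL reports when the bytes that arrive where the first TLS record is expected do not form a TLS record, for example a plaintext SMTP reply. The constructed fake server in the block reproduces exactly that: it advertises STARTTLS and answers 220, then keeps talking plaintext. The hostnames fake.invalid and probe.invalid, the SAMPLE_EHLO reply and the status strings returned by starttls_probe are assumptions made here.

```python
import socket
import ssl
import threading

# Constructed EHLO reply, modelled on the ones quoted above, for the usage run below.
SAMPLE_EHLO = ["250-mx.example.invalid", "250-PIPELINING", "250-SIZE 1024",
               "250-STARTTLS", "250-8BITMIME", "250 DSN"]


def read_reply(sock):
    """Read one (possibly multi-line) SMTP reply; return (code, [lines])."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the connection mid-reply")
        buf += chunk
        if not buf.endswith(b"\r\n"):
            continue
        lines = buf.decode("utf-8", "replace").split("\r\n")[:-1]
        last = lines[-1]
        if len(last) >= 4 and last[3] == " ":       # "250 " ends the reply, "250-" continues it
            return int(last[:3]), lines


def parse_ehlo(lines):
    """Map EHLO keywords to their parameters, e.g. {"SIZE": ["1024"], "STARTTLS": []}."""
    ext = {}
    for line in lines[1:]:                           # the first line carries the server's hostname
        words = line[4:].split()
        if words:
            ext[words[0].upper()] = words[1:]
    return ext


def starttls_probe(host, port, timeout=5.0):
    """Walk the STARTTLS path step by step and report where it stops (status strings are assumed here)."""
    ctx = ssl.create_default_context()               # verifies the peer against the system CA store
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            code, _ = read_reply(sock)
            if code != 220:
                return "bad-greeting"
            sock.sendall(b"EHLO probe.invalid\r\n")
            code, lines = read_reply(sock)
            if code != 250:
                return "ehlo-rejected"
            if "STARTTLS" not in parse_ehlo(lines):
                return "no-starttls"
            sock.sendall(b"STARTTLS\r\n")
            code, _ = read_reply(sock)
            if code != 220:
                return "starttls-refused"
            try:
                with ctx.wrap_socket(sock, server_hostname=host):   # handshake happens here
                    return "tls-ok"
            except ssl.SSLCertVerificationError:
                return "tls-cert-verify-failed"
            except ssl.SSLError:                     # e.g. WRONG_VERSION_NUMBER: peer did not speak TLS
                return "tls-handshake-failed"
    except OSError:
        return "connection-error"


def run_fake_smtpd(advertise_starttls=True):
    """Constructed stand-in for a broken relay hop, bound to 127.0.0.1 on an ephemeral port:
    it advertises STARTTLS and answers 220 to it, then keeps talking plaintext."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.sendall(b"220 fake.invalid ESMTP\r\n")
            conn.recv(1024)                                      # EHLO
            extra = b"250-STARTTLS\r\n" if advertise_starttls else b""
            conn.sendall(b"250-fake.invalid\r\n" + extra + b"250 8BITMIME\r\n")
            if advertise_starttls:
                conn.recv(1024)                                  # STARTTLS
                conn.sendall(b"220 2.0.0 Ready to start TLS\r\n")
                conn.recv(4096)                                  # the client's ClientHello lands here...
                conn.sendall(b"500 5.5.1 still plaintext\r\n")   # ...and gets a plaintext reply

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    print(parse_ehlo(SAMPLE_EHLO))
    print("probe against constructed broken relay:",
          starttls_probe("127.0.0.1", run_fake_smtpd()))
```

Pointing starttls_probe at a real relay's IP and port reproduces the openssl s_client checks above one step at a time; a "tls-handshake-failed" after a 220 reply to STARTTLS is the thread's symptom, while "no-starttls" or "starttls-refused" point at the EHLO stage instead.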


Re: Re: Re: Re: Re: What is my self-made TLS problem for Postfix to Postfix transport TLS not available due to local problem ?

2015-01-29 Thread srach
Hello Wietse

29. Jan 2015 20:49 by wie...@porcupine.org:

> submission inet n   -   n   -   -   smtpd
>   -o syslog_name=postfix/submission
> ...
> smtps inet  n   -   n   -   -   smtpd
>   -o syslog_name=postfix/smtps
> ...
>
> The same could be done with the smtp service:
>
> relay unix  -   -   n   -   -   smtp
>   -o syslog_name=postfix/relay

That is good advice to be reminded of!  For while I am doing the debugging
like this, and maybe always too, I am adding this idea to many services I
clone and use.

*S*


Re: Re: Re: Re: Re: Re: What is my self-made TLS problem for Postfix to Postfix transport TLS not available due to local problem ?

2015-01-29 Thread srach
Hello Wietse:

29. Jan 2015 21:02 by wie...@porcupine.org:

> Postfix could do this automatically, but it is too late for
> the upcoming stable release to make such a change.

Only knowing the info is good for now!

If it is some day done automatically then I think that would be useful.

For that possibility I will ask one more question.  When this is created in
the config

> relay unix  -   -   n   -   -   smtp
>   -o syslog_name=postfix/relay

or

    -o syslog_name=postfix/relay2

in the logs it says

... postfix/relay/smtp ...

... postfix/relay2/smtp ...

Is that all the needed info?  Maybe it is enough only to say

... postfix/relay ...

... postfix/relay2 ...

I do not know the best for all cases but for just my debugging now it is
enough info.




*S*






Re: Re: Re: Re: What is my self-made TLS problem for Postfix to Postfix transport TLS not available due to local problem ?

2015-01-29 Thread Wietse Venema
srach:
> I think it is strange in the Postfix log it is showing only the 'smtp'
> service name not the 'relay2' name.  It was some misdirection for me.  May be

You could use the same trick as the submission and smtpd examples
in master.cf:

submission inet n   -   n   -   -   smtpd
  -o syslog_name=postfix/submission
...
smtps inet  n   -   n   -   -   smtpd
  -o syslog_name=postfix/smtps
...

The same could be done with the smtp service:

relay unix  -   -   n   -   -   smtp
  -o syslog_name=postfix/relay

Wietse


Re: Re: Re: Re: Re: What is my self-made TLS problem for Postfix to Postfix transport TLS not available due to local problem ?

2015-01-29 Thread Wietse Venema
srach:
> Hello Wietse
>
> 29. Jan 2015 20:49 by wie...@porcupine.org:
>
> > submission inet n   -   n   -   -   smtpd
> >   -o syslog_name=postfix/submission
> > ...
> > smtps inet  n   -   n   -   -   smtpd
> >   -o syslog_name=postfix/smtps
> > ...
> >
> > The same could be done with the smtp service:
> >
> > relay unix  -   -   n   -   -   smtp
> >   -o syslog_name=postfix/relay
>
> That is good advice to be reminded of!  For while I am doing the debugging
> like this, and maybe always too, I am adding this idea to many services I
> clone and use.

Postfix could do this automatically, but it is too late for
the upcoming stable release to make such a change.

Wietse


Re: Re: Re: Re: What is my self-made TLS problem for Postfix to Postfix transport TLS not available due to local problem ?

2015-01-29 Thread srach
It is like I said that I did this to myself.  I was looking under the wrong
cup in the Shell Game!

Yesterday I made a change to transport from 'pf-out' not over the open
internet but only over my private internet with a VPN.  I did this after
reading a posting from another person.

I changed the main.cf for 'pf-out'

-    relay_transport = relay:[XX.XX.XX.XX]:25
+    relay_transport = relay2:[192.168.1.66]:25

In the master.cf config for 'pf-out' there is

    relay unix  -   -   n   -   -   smtp
     -o smtp_bind_address=YY.YY.YY.YY
    relay2    unix  -   -   n   -   -   smtp
     -o smtp_bind_address=192.168.0.15

Returning the change

-    relay_transport = relay2:[192.168.1.66]:25
+    relay_transport = relay:[XX.XX.XX.XX]:25

it is sending again with no TLS errors.

I think it is some more firewall rules I need on the server so that TLS 
negotiation may be okay in bi-direction.  But I do not yet see any DROP infos 
in the logs I am looking into.

I think it is strange that in the Postfix log it is showing only the 'smtp'
service name, not the 'relay2' name.  It was some misdirection for me.  Maybe
it can be done to add some more labels.

Thanks for the advice to look with telnet and to watch in detail the
step-by-step sending through each IP and port.

Now I must understand the missing rules in the firewall.

*S*