What is my self-made TLS problem for Postfix to Postfix transport TLS not available due to local problem ?
Bleh. I think I am tired and making worse and worse mistakes. Maybe I need to step away for some time. :-(

I have made some change that I cannot find, and now have an error I do not see or know the cause for.

I made a Postfix instance for getting mail with Postscreen and recipient verify steps, and some of the recipient restrictions for smtpd. It is named 'pf-in'. I also made a Postfix instance for simple sending out of mail. It is named 'pf-out'. TLS is turned on to the 'Opportunistic' type with '= may' for both instances. So I think it should use TLS when it is available and be okay if not.

On my laptop I send a test email. It sends to the 'pf-in' instance:

    sendmail -i -f root -t <<EOF
    From: s...@srchdomain.com
    To: srcht...@clientdomain.com
    Subject: test

    test
    EOF

I see the mail processing with Postscreen on 'pf-in':

    Jan 29 19:01:08 srchsvr pf-in/postscreen[11780]: CONNECT from [XX.XX.XX.XX]:43942 to [YY.YY.YY.YY]:25
    Jan 29 19:01:08 srchsvr pf-in/postscreen[11780]: WHITELISTED [XX.XX.XX.XX]:43942

Then, after the Postscreen PASS, the mail goes to the internal smtpd on 'pf-in':

    Jan 29 19:01:08 srchsvr pf-in/smtpd[11781]: connect from unknown[XX.XX.XX.XX]
    Jan 29 19:01:08 srchsvr pf-in/smtpd[11781]: AB1E08F422: client=unknown[XX.XX.XX.XX]
    Jan 29 19:01:08 srchsvr pf-in/cleanup[11785]: AB1E08F422: message-id=20150129190108.4200d40...@srchdell.srchdomain.com
    Jan 29 19:01:08 srchsvr pf-in/smtpd[11781]: disconnect from unknown[XX.XX.XX.XX]

And then into the queue, and it is sent to the 'pf-out' instance:

    Jan 29 19:01:08 srchsvr pf-in/qmgr[11632]: AB1E08F422: from=r...@srchdomain.com, size=536, nrcpt=1 (queue active)
    Jan 29 19:01:08 srchsvr pf-out/smtpd[11787]: connect from srchsvr.srchdomain.com[127.0.0.1]

But now the log says:

    Jan 29 19:01:08 srchsvr pf-in/smtp[11786]: AB1E08F422: to=srcht...@clientdomain.com, relay=127.0.0.1[127.0.0.1]:10026, delay=0.13, delays=0.11/0.01/0.02/0, dsn=4.7.0, status=deferred (TLS is required, but host 127.0.0.1[127.0.0.1] refused to start TLS: 454 4.7.0 TLS not available due to local problem)

I think this says the problem is in the 'pf-out' instance, but it is the 'pf-in' instance that hears it and says it in the log.

I have been searching on the sentences

    TLS is required
    refused to start TLS
    454 4.7.0 TLS not available due to local problem

but only found some suggestions that the Certificate I use is not good. I know that it is good, since it works okay in other applications.

What idea can I try to fix this crazy problem I have done myself?

*S*
Re: What is my self-made TLS problem for Postfix to Postfix transport TLS not available due to local problem ?
The problem is probably in the lines above in your log. Have you tried to reload postfix (to get a clear offset in the log) and then telnet to 127.0.0.1?

Send postconf -n and we will be able to help you.

p@rick

--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Re: Re: What is my self-made TLS problem for Postfix to Postfix transport TLS not available due to local problem ?
Hello Patrick

29. Jan 2015 19:37 by p...@sys4.de:

> The problem is probably in the lines above in your log. Have you tried to reload postfix (to get a clear offset in the log)

Yes, many times.

> and then telnet to 127.0.0.1?

Before I complain some more I will first explore with telnet. I was only sending mails. telnet, I think, will make some things clear.

> Send postconf -n and we will be able to help you.

Okay, I will get there. For which instance do you think? The 'in' or the 'out'? Or both of them?

*S*
Re: What is my self-made TLS problem for Postfix to Postfix transport TLS not available due to local problem ?
srach:
> Jan 29 19:01:08 srchsvr pf-in/smtp[11786]: AB1E08F422: to=srcht...@clientdomain.com, relay=127.0.0.1[127.0.0.1]:10026, delay=0.13, delays=0.11/0.01/0.02/0, dsn=4.7.0, status=deferred (TLS is required, but host 127.0.0.1[127.0.0.1] refused to start TLS: 454 4.7.0 TLS not available due to local problem)

The Postfix SMTP SERVER logs TLS initialization errors while the process is started. Maybe your syslog daemon logs errors in a different logfile than non-error events.

	Wietse
Re: Re: Re: What is my self-made TLS problem for Postfix to Postfix transport TLS not available due to local problem ?
With the testing by both telnet and openssl s_client I can see TLS as an available option, but I also see the None cipher. I am suspecting this, though it is confusing. I will first read more on the testing with these tools and understand the meaning of the logged reply from them.

I also see the idea from Wietse to look in other locations for the log reply. I did that once or more already, but will look at that again right now.

    telnet 127.0.0.1 25
    Trying 127.0.0.1...
    Connected to 127.0.0.1.
    Escape character is '^]'.
    220 mx.srchdomain.com ESMTP . No UCE permitted.
    EHLO test.com
    250-mx.srchdomain.com
    250-PIPELINING
    250-SIZE 1024
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN

    telnet 127.0.0.1 10026
    Trying 127.0.0.1...
    Connected to 127.0.0.1.
    Escape character is '^]'.
    220 srchsvr.srchdomain.com ESMTP . No UCE permitted.
    EHLO test.com
    250-srchsvr.srchdomain.com
    250-PIPELINING
    250-SIZE 1024
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN

    openssl s_client -crlf -connect 127.0.0.1:25 -starttls smtp -tls1_2 -CApath /etc/ssl/certs
    CONNECTED(0003)
    139892197459600:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:361:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 312 bytes and written 7 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    :
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1422561244
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
    ---

    openssl s_client -crlf -connect 127.0.0.1:10026 -starttls smtp -tls1_2 -CApath /etc/ssl/certs
    CONNECTED(0003)
    140014293526160:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:361:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 246 bytes and written 7 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    :
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1422561276
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
    ---

And then I will look at my 'postconf -n' myself first, too. Better to do it myself first. I must find this, since I did it to myself. When I cannot, then I will have to be begging. Bleh again!

*S*
Re: Re: Re: Re: Re: What is my self-made TLS problem for Postfix to Postfix transport TLS not available due to local problem ?
Hello Wietse

29. Jan 2015 20:49 by wie...@porcupine.org:

>     submission inet n - n - - smtpd
>       -o syslog_name=postfix/submission
>       ...
>     smtps inet n - n - - smtpd
>       -o syslog_name=postfix/smtps
>       ...
>
> The same could be done with the smtp service:
>
>     relay unix - - n - - smtp
>       -o syslog_name=postfix/relay

That is good advice to be reminded of! While I am doing the debugging like this, and maybe always too, I am adding this idea to many services I clone and use.

*S*
Re: Re: Re: Re: Re: Re: What is my self-made TLS problem for Postfix to Postfix transport TLS not available due to local problem ?
Hello Wietse:

29. Jan 2015 21:02 by wie...@porcupine.org:

> Postfix could do this automatically, but it is too late for the upcoming stable release to make such a change.

Only knowing the info is good for now! If it is some day done automatically, then I think that would be useful. For that possibility I will ask one more question.

When this is created in the config

    relay unix - - n - - smtp
      -o syslog_name=postfix/relay

or

      -o syslog_name=postfix/relay2

in the logs it says

    ... postfix/relay/smtp ...
    ... postfix/relay2/smtp ...

Is that all the needed info? Maybe it is enough only to say

    ... postfix/relay ...
    ... postfix/relay2 ...

I do not know the best for all cases, but for just my debugging now it is enough info.

*S*
Re: Re: Re: Re: What is my self-made TLS problem for Postfix to Postfix transport TLS not available due to local problem ?
srach:
> I think it is strange that in the Postfix log it is showing only the 'smtp' service name, not the 'relay2' name. It was some misdirection for me. Maybe

You could use the same trick as the submission and smtpd examples in master.cf:

    submission inet n - n - - smtpd
      -o syslog_name=postfix/submission
      ...
    smtps inet n - n - - smtpd
      -o syslog_name=postfix/smtps
      ...

The same could be done with the smtp service:

    relay unix - - n - - smtp
      -o syslog_name=postfix/relay

	Wietse
Re: Re: Re: Re: Re: What is my self-made TLS problem for Postfix to Postfix transport TLS not available due to local problem ?
srach:
> Hello Wietse
>
> 29. Jan 2015 20:49 by wie...@porcupine.org:
>
>>     submission inet n - n - - smtpd
>>       -o syslog_name=postfix/submission
>>       ...
>>     smtps inet n - n - - smtpd
>>       -o syslog_name=postfix/smtps
>>       ...
>>
>> The same could be done with the smtp service:
>>
>>     relay unix - - n - - smtp
>>       -o syslog_name=postfix/relay
>
> That is good advice to be reminded of! While I am doing the debugging like this, and maybe always too, I am adding this idea to many services I clone and use.

Postfix could do this automatically, but it is too late for the upcoming stable release to make such a change.

	Wietse
Re: Re: Re: Re: What is my self-made TLS problem for Postfix to Postfix transport TLS not available due to local problem ?
It is like I said, that I did this to myself. I was looking under the wrong cup in the shell game!

Yesterday I had a change to transport from 'pf-out' not over the open internet but only over my private internet with a VPN. I did this after reading a posting from another person. I changed the main.cf for 'pf-out':

    - relay_transport = relay:[XX.XX.XX.XX]:25
    + relay_transport = relay2:[192.168.1.66]:25

In the master.cf config for 'pf-out' there is

    relay  unix - - n - - smtp
      -o smtp_bind_address=YY.YY.YY.YY
    relay2 unix - - n - - smtp
      -o smtp_bind_address=192.168.0.15

Returning the change

    - relay_transport = relay2:[192.168.1.66]:25
    + relay_transport = relay:[XX.XX.XX.XX]:25

it is sending again with no TLS errors.

I think it is some more firewall rules I need on the server so that TLS negotiation may be okay in both directions. But I do not yet see any DROP info in the logs I am looking into.

I think it is strange that in the Postfix log it is showing only the 'smtp' service name, not the 'relay2' name. It was some misdirection for me. Maybe it can be done to add some more labels.

Thanks for the advice to look with telnet and to watch in detail the step-by-step sending through each IP and port. Now I must understand the missing rules in the firewall.

*S*
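As an added illustration of the two points this thread turns on (Wietse's per-service `-o syslog_name` override, and the `relay`/`relay2` transports that both run `smtp` and so both log as `pf-out/smtp`), here is a small Python script that is not part of the thread or of Postfix: it parses a constructed master.cf fragment modelled on the one above, computes the syslog tag each service will log under, flags services whose log lines would be indistinguishable, and resolves a `relay_transport` setting to the service and `smtp_bind_address` that will carry the mail. The fragments and the override value `pf-out/relay2` are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed master.cf fragment modelled on the thread, not the poster's file.
# Both relay services run the same daemon (smtp), so without an override they
# both log as '<syslog_name>/smtp' and cannot be told apart in the log.
MASTER_CF_AS_POSTED = """\
relay     unix  -  -  n  -  -  smtp
  -o smtp_bind_address=YY.YY.YY.YY
relay2    unix  -  -  n  -  -  smtp
  -o smtp_bind_address=192.168.0.15
"""
# Same fragment with Wietse's syslog_name trick applied to relay2 (assumed value).
MASTER_CF_TAGGED = MASTER_CF_AS_POSTED + "  -o syslog_name=pf-out/relay2\n"

def parse_master_cf(text: str) -> List[Dict]:
    """Parse master.cf into {name, type, daemon, overrides}; indented '-o k=v' lines belong to the entry above."""
    services: List[Dict] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():  # continuation line carrying a -o override
            m = re.match(r"\s*-o\s+([^=\s]+)=(\S*)", line)
            if m and services:
                services[-1]["overrides"][m.group(1)] = m.group(2)
            continue
        fields = line.split()  # name type private unpriv chroot wakeup maxproc command
        if len(fields) >= 8:
            services.append({"name": fields[0], "type": fields[1],
                             "daemon": fields[7], "overrides": {}})
    return services

def syslog_tag(service: Dict, syslog_name: str = "postfix") -> str:
    """Postfix logs as '<syslog_name>/<daemon>'; a per-service override replaces the instance value."""
    return service["overrides"].get("syslog_name", syslog_name) + "/" + service["daemon"]

def ambiguous_tags(services: List[Dict], syslog_name: str = "postfix") -> Dict[str, List[str]]:
    """Tags shared by more than one service: their log lines look identical."""
    by_tag: Dict[str, List[str]] = {}
    for s in services:
        by_tag.setdefault(syslog_tag(s, syslog_name), []).append(s["name"])
    return {tag: names for tag, names in by_tag.items() if len(names) > 1}

def resolve_relay_transport(setting: str, services: List[Dict]) -> Dict:
    """Split 'relay2:[192.168.1.66]:25' into transport and nexthop; report the service and bind address used."""
    transport, _, nexthop = setting.partition(":")
    svc = next((s for s in services if s["name"] == transport), None)
    return {"transport": transport, "nexthop": nexthop, "defined": svc is not None,
            "bind_address": svc["overrides"].get("smtp_bind_address") if svc else None}
```

Run against the as-posted fragment, `ambiguous_tags(..., "pf-out")` reports that `relay` and `relay2` both log as `pf-out/smtp`; with the override added, `relay2` logs as `pf-out/relay2/smtp` and the ambiguity disappears.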