[opensuse] Can't make postfix to authenticate to my ISP.
Hi,
I can't make postfix to authenticate to my ISP. See the debug log:
Apr 10 12:06:31 nimrodel postfix/qmgr[21346]: 7337CB6FC5: from=
Carlos E. R. wrote:
Hi,
I can't make postfix to authenticate to my ISP. See the debug log:
But what?
The other nuisance is that every time I try the email is bounced, instead of retrying later.
I have this very same issue, although I have not really checked what I'm missing, as I'm very lazy on this matter, I just configured it with Yast, but didn't get it to work at all. I'll try again one of these days..
Carlos E. R. wrote:
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: starting new SASL client
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: starting new SASL client
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: smtp_sasl_authenticate: smtp.my.isp[213.4.149.66]: SASL mechanisms LOGIN LOGIN CRAM-MD5 DIGEST-MD5
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: > smtp.my.isp[213.4.149.66]: AUTH DIGEST-MD5
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: < smtp.my.isp[213.4.149.66]: 334 cmVhbG09ImN0c210cG91...
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: xsasl_cyrus_client_next: decoded challenge: realm="ctsmtpout1.frontal.correo",nonce="3947F000ECF7BB....",algorithm=md5-sess,qop="auth"
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: SASL authentication debug: DIGEST-MD5 client step 2
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: xsasl_cyrus_get_user: mylogin
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: xsasl_cyrus_get_user: mylogin
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: xsasl_cyrus_get_passwd: mypassword
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: xsasl_cyrus_client_next: uncoded client response
I think you are using cyrus sasl. I'm not sure, but I think you should check /etc/sasl2/smtpd.conf. Mine has:
jmorris:/home/joe # cat /etc/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login
The reason it says for failing is " postfix/smtp[21659]: send attr reason = SASL authentication failed; server smtp.my.isp[213.4.149.66] said: 535 invalid user ID or password". But with that same Id and pass thunderbird sends correctly (the same email, in fact), so it has to be something in postfix.
But what?
The username and password should be entered in /etc/postfix/sasl_passwd (then either run SuSEconfig or postmap to update the db file.)
The other nuisance is that every time I try the email is bounced, instead of retrying later.
I think that is determined by the response code from your ISP's server. I do know my postfix authentication is working great.
--
Joe Morris
Registered Linux user 231871 running openSUSE 10.2 x86_64
The Tuesday 2007-04-17 at 18:52 +0800, Joe Morris (NTM) wrote:
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: xsasl_cyrus_client_next: uncoded client response
I think you are using cyrus sasl. I'm not sure, but I think you should check /etc/sasl2/smtpd.conf. Mine has:
jmorris:/home/joe # cat /etc/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login
Mine has the same:
pwcheck_method: saslauthd
mech_list: plain login
I don't think I have touched that file.
The reason it says for failing is " postfix/smtp[21659]: send attr reason = SASL authentication failed; server smtp.my.isp[213.4.149.66] said: 535 invalid user ID or password". But with that same Id and pass thunderbird sends correctly (the same email, in fact), so it has to be something in postfix.
But what?
The username and password should be entered in /etc/postfix/sasl_passwd (then either run SuSEconfig or postmap to update the db file.)
That's what I did.
The other nuisance is that every time I try the email is bounced, instead of retrying later.
I think that is determined by the response code from your ISPs server. I do know my postfix authentication is working great.
Mine works with a different account (different mail provider), but not that one. The one that fails offers "SASL mechanisms LOGIN LOGIN CRAM-MD5 DIGEST-MD5", and uses "AUTH DIGEST-MD5". The one that works offers "SASL mechanisms LOGIN PLAIN" instead, and uses "AUTH LOGIN". Perhaps if I could force change the mechanism for that isp... :-?
--
Cheers,
Carlos E. R.
Carlos E. R. wrote:
The Tuesday 2007-04-17 at 18:52 +0800, Joe Morris (NTM) wrote:
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: xsasl_cyrus_client_next: uncoded client response
I think you are using cyrus sasl. I'm not sure, but I think you should check /etc/sasl2/smtpd.conf. Mine has:
jmorris:/home/joe # cat /etc/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login
Mine has the same:
pwcheck_method: saslauthd
mech_list: plain login
I don't think I have touched that file.
That configuration does not matter for the sending part of Postfix, it is only relevant for the receiving server part of Postfix.
--
Sandy
List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
The Tuesday 2007-04-17 at 15:10 +0200, Sandy Drobic wrote:
Mine has the same:
pwcheck_method: saslauthd
mech_list: plain login
I don't think I have touched that file.
That configuration does not matter for the sending part of Postfix, it is only relevant for the receiving server part of Postfix.
Ah, ok, good. I don't intend to receive, so no problem.
--
Cheers,
Carlos E. R.
Carlos E. R. wrote:
Hi,
I can't make postfix to authenticate to my ISP. See the debug log:
Apr 10 12:06:31 nimrodel postfix/qmgr[21346]: 7337CB6FC5: from=
, size=5210, nrcpt=1 (queue active)
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: < smtp.telefonica.net[213.4.149.66]: 220 ctsmtpout1.frontal.correo ESMTP Service (7.2.056.6) ready
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: > smtp.telefonica.net[213.4.149.66]: EHLO nimrodel.valinor
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: < smtp.telefonica.net[213.4.149.66]: 250-ctsmtpout1.frontal.correo
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: < smtp.telefonica.net[213.4.149.66]: 250-DSN
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: < smtp.telefonica.net[213.4.149.66]: 250-8BITMIME
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: < smtp.telefonica.net[213.4.149.66]: 250-PIPELINING
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: < smtp.telefonica.net[213.4.149.66]: 250-AUTH=LOGIN
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: < smtp.telefonica.net[213.4.149.66]: 250-AUTH LOGIN CRAM-MD5 DIGEST-MD5
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: < smtp.telefonica.net[213.4.149.66]: 250-X-CP-DELIVER-AFTER
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: < smtp.telefonica.net[213.4.149.66]: 250-DELIVERBY 300
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: < smtp.telefonica.net[213.4.149.66]: 250 SIZE 52428800
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: server features: 0x902f size 52428800
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: Using ESMTP PIPELINING, TCP send buffer size is 4096
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: maps_find: smtp_sasl_passwd: hash:/etc/postfix/sasl_passwd(0,lock|fold_fix): smtp.my.isp = mylogin:mypassword
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: smtp_sasl_passwd_lookup: host `smtp.my.isp' user `mylogin' pass `mypassword'
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: starting new SASL client
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: starting new SASL client
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: smtp_sasl_authenticate: smtp.my.isp[213.4.149.66]: SASL mechanisms LOGIN LOGIN CRAM-MD5 DIGEST-MD5
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: > smtp.my.isp[213.4.149.66]: AUTH DIGEST-MD5
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: < smtp.my.isp[213.4.149.66]: 334 cmVhbG09ImN0c210cG91...
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: xsasl_cyrus_client_next: decoded challenge: realm="ctsmtpout1.frontal.correo",nonce="3947F000ECF7BB....",algorithm=md5-sess,qop="auth"
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: SASL authentication debug: DIGEST-MD5 client step 2
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: xsasl_cyrus_get_user: mylogin
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: xsasl_cyrus_get_user: mylogin
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: xsasl_cyrus_get_passwd: mypassword
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: xsasl_cyrus_client_next: uncoded client response username="mylogin",realm="ctsmtpout1.frontal.correo",nonce="3947F000ECF7BBDB5FA...",cnonce="ooSxxt9m...=",nc=00000001,qop=auth,digest-uri="smtp/smtp.my.isp",response=5dd...
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: > smtp.my.isp[213.4.149.66]: dXNlcm5hbWU9ImNlcm9iaW4uam9icyIscmVhbG09ImN0...
Apr 10 12:06:37 nimrodel postfix/smtp[21659]: < smtp.my.isp[213.4.149.66]: 535 invalid user ID or password
Apr 10 12:06:37 nimrodel postfix/smtp[21659]: connect to subsystem private/bounce
Apr 10 12:06:37 nimrodel postfix/smtp[21659]: send attr nrequest = 0
Apr 10 12:06:37 nimrodel postfix/smtp[21659]: send attr flags = 0
Apr 10 12:06:37 nimrodel postfix/smtp[21659]: send attr queue_id = 7337CB6FC5
Apr 10 12:06:37 nimrodel postfix/smtp[21659]: send attr original_recipient = someone@destination
Apr 10 12:06:37 nimrodel postfix/smtp[21659]: send attr recipient = someone@destination
Apr 10 12:06:37 nimrodel postfix/smtp[21659]: send attr offset = 527
Apr 10 12:06:37 nimrodel postfix/smtp[21659]: send attr dsn_orig_rcpt = rfc822;someone@destination
Apr 10 12:06:37 nimrodel postfix/smtp[21659]: send attr notify_flags = 0
Apr 10 12:06:37 nimrodel postfix/smtp[21659]: send attr status = 5.0.0
Apr 10 12:06:37 nimrodel postfix/smtp[21659]: send attr diag_type = smtp
Apr 10 12:06:37 nimrodel postfix/smtp[21659]: send attr diag_text = 535 invalid user ID or password
Apr 10 12:06:37 nimrodel postfix/smtp[21659]: send attr mta_type = dns
Apr 10 12:06:37 nimrodel postfix/smtp[21659]: send attr mta_mname = smtp.my.isp
Apr 10 12:06:37 nimrodel postfix/smtp[21659]: send attr action = failed
Apr 10 12:06:37 nimrodel postfix/smtp[21659]: send attr reason = SASL authentication failed; server smtp.my.isp[213.4.149.66] said: 535 invalid user ID or password
Apr 10 12:06:37 nimrodel postfix/smtp[21659]: private/bounce socket: wanted attribute: status
Apr 10 12:06:37 nimrodel postfix/smtp[21659]: input attribute name: status
Apr 10 12:06:37 nimrodel postfix/smtp[21659]: input attribute value: 0
Apr 10 12:06:37 nimrodel postfix/smtp[21659]: private/bounce socket: wanted attribute: (list terminator)
Apr 10 12:06:37 nimrodel postfix/smtp[21659]: input attribute name: (end)
Apr 10 12:06:37 nimrodel postfix/smtp[21659]: 7337CB6FC5: to= , relay=smtp.my.isp[213.4.149.66]:25, delay=6.4, delays=0.26/0.23/5.9/0, dsn=5.0.0, status=bounced (SASL authentication failed; server smtp.my.isp[213.4.149.66] said: 535 invalid user ID or password)
Apr 10 12:06:37 nimrodel postfix/smtp[21659]: > smtp.my.isp[213.4.149.66]: QUIT
Apr 10 12:06:37 nimrodel postfix/smtp[21659]: name_mask: resource
Apr 10 12:06:37 nimrodel postfix/smtp[21659]: name_mask: software
Apr 10 12:06:37 nimrodel postfix/smtp[21659]: disposing SASL state information
Apr 10 12:06:37 nimrodel postfix/cleanup[21620]: E34EEB6FCD: message-id=<20070410100637.E34EEB6FCD@nimrodel.valinor>
Apr 10 12:06:38 nimrodel postfix/bounce[21660]: 7337CB6FC5: sender non-delivery notification: E34EEB6FCD
Apr 10 12:06:38 nimrodel postfix/qmgr[21346]: 7337CB6FC5: removed
Apr 10 12:06:38 nimrodel postfix/qmgr[21346]: E34EEB6FCD: from=<>, size=3001, nrcpt=1 (queue active)
The reason it says for failing is " postfix/smtp[21659]: send attr reason = SASL authentication failed; server smtp.my.isp[213.4.149.66] said: 535 invalid user ID or password". But with that same Id and pass thunderbird sends correctly (the same email, in fact), so it has to be something in postfix.
But what?
The other nuisance is that every time I try the email is bounced, instead of retrying later.
This means you have set up Postfix for SMTP authentication....
The following two lines enable smtp authentication... you need to enter password details in the sasl_password file...The sasl_passwd file syntax is described in the /usr/share/doc/packages/postfix readmes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
The Tuesday 2007-04-17 at 12:00 +0100, G.T.Smith wrote:
This means you have set up Postfix for SMTP authentication....
The following two lines enable smtp authentication... you need to enter password details in the sasl_password file...The sasl_passwd file syntax is described in the /usr/share/doc/packages/postfix readmes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
I did that already, years ago. It works with a different provider, but not this one.
--
Cheers,
Carlos E. R.
Carlos E. R. wrote:
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: maps_find: smtp_sasl_passwd: hash:/etc/postfix/sasl_passwd(0,lock|fold_fix): smtp.my.isp = mylogin:mypassword
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: smtp_sasl_passwd_lookup: host `smtp.my.isp' user `mylogin' pass `mypassword'
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: starting new SASL client
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: starting new SASL client
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: smtp_sasl_authenticate: smtp.my.isp[213.4.149.66]: SASL mechanisms LOGIN LOGIN CRAM-MD5 DIGEST-MD5
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: > smtp.my.isp[213.4.149.66]: AUTH DIGEST-MD5
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: < smtp.my.isp[213.4.149.66]: 334 cmVhbG09ImN0c210cG91...
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: xsasl_cyrus_client_next: decoded challenge: realm="ctsmtpout1.frontal.correo",nonce="3947F000ECF7BB....",algorithm=md5-sess,qop="auth"
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: SASL authentication debug: DIGEST-MD5 client step 2
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: xsasl_cyrus_get_user: mylogin
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: xsasl_cyrus_get_user: mylogin
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: xsasl_cyrus_get_passwd: mypassword
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: xsasl_cyrus_client_next: uncoded client response username="mylogin",realm="ctsmtpout1.frontal.correo",nonce="3947F000ECF7BBDB5FA...",cnonce="ooSxxt9m...=",nc=00000001,qop=auth,digest-uri="smtp/smtp.my.isp",response=5dd...
Apr 10 12:06:32 nimrodel postfix/smtp[21659]: > smtp.my.isp[213.4.149.66]: dXNlcm5hbWU9ImNlcm9iaW4uam9icyIscmVhbG09ImN0...
Apr 10 12:06:37 nimrodel postfix/smtp[21659]: < smtp.my.isp[213.4.149.66]: 535 invalid user ID or password
Your Postfix obviously tries to authenticate using your user:pass in /etc/postfix/sasl_passwd, but the password OR user is not accepted.
If you are sure that user:pass is correct, you could try to force Postfix to use another auth mech. Usually Postfix will use the most secure auth mech available, in this case Digest-md5.
If there is some problem, you might try the other mechs.
smtp_discard_ehlo_keyword_address_maps = hash:/etc/postfix/ehlo_discard_words
/etc/postfix/ehlo_discard_words:
213.4.149.66 digest-md5
That should disable digest-md5 for the isp server.
--
Sandy
List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
The Tuesday 2007-04-17 at 13:58 +0200, Sandy Drobic wrote:
Apr 10 12:06:37 nimrodel postfix/smtp[21659]: < smtp.my.isp[213.4.149.66]: 535 invalid user ID or password
Your Postfix obviously tries to authenticate using your user:pass in /etc/postfix/sasl_passwd, but the password OR user is not accepted.
If you are sure that user:pass is correct, you could try to force Postfix to use another auth mech. Usually Postfix will use the most secure auth mech available, in this case Digest-md5.
If there is some problem, you might try the other mechs.
smtp_discard_ehlo_keyword_address_maps = hash:/etc/postfix/ehlo_discard_words
/etc/postfix/ehlo_discard_words: 213.4.149.66 digest-md5
That should disable digest-md5 for the isp server.
Interesting! I didn't know that existed.
But, first try, doesn't work. I created the "ehlo_discard_words" file using the isp name instead of the IP, but it is still using AUTH DIGEST-MD5.
I try another time, with the IP. No good, that feature is ignored.
nimrodel:/etc/postfix # postconf | grep ehlo_discard_words
smtp_discard_ehlo_keyword_address_maps = hash:/etc/postfix/ehlo_discard_words
nimrodel:/etc/postfix # l ehlo_discard_words*
-rw-r--r-- 1 root root 92 Apr 17 14:29 ehlo_discard_words
-rw-r--r-- 1 root root 12288 Apr 17 14:29 ehlo_discard_words.db
--
Cheers,
Carlos E. R.
Carlos E. R. wrote:
The Tuesday 2007-04-17 at 13:58 +0200, Sandy Drobic wrote:
Apr 10 12:06:37 nimrodel postfix/smtp[21659]: < smtp.my.isp[213.4.149.66]: 535 invalid user ID or password
Your Postfix obviously tries to authenticate using your user:pass in /etc/postfix/sasl_passwd, but the password OR user is not accepted.
If you are sure that user:pass is correct, you could try to force Postfix to use another auth mech. Usually Postfix will use the most secure auth mech available, in this case Digest-md5.
If there is some problem, you might try the other mechs.
smtp_discard_ehlo_keyword_address_maps = hash:/etc/postfix/ehlo_discard_words
/etc/postfix/ehlo_discard_words: 213.4.149.66 digest-md5
That should disable digest-md5 for the isp server.
Interesting! I didn't know that existed.
But, first try, doesn't work. I created the "ehlo_discard_words" file using the isp name instead of the IP, but it is still using AUTH DIGEST-MD5.
I try another time, with the IP. No good, that feature is ignored.
nimrodel:/etc/postfix # postconf | grep ehlo_discard_words
smtp_discard_ehlo_keyword_address_maps = hash:/etc/postfix/ehlo_discard_words
nimrodel:/etc/postfix # l ehlo_discard_words*
-rw-r--r-- 1 root root 92 Apr 17 14:29 ehlo_discard_words
-rw-r--r-- 1 root root 12288 Apr 17 14:29 ehlo_discard_words.db
There is the following smtp_sasl_security_options = setting this to CRAM-MD5 may work but this seems to be a global setting ..... see Cyrus saslauthd documentation in /usr/share/doc/packages/cyrus-sasl/doc.... a further possibility is that the site has multiple MX hosts and you need a servername password entry in sasl_passwd for all of them....
Carlos E. R. wrote:
smtp_discard_ehlo_keyword_address_maps = hash:/etc/postfix/ehlo_discard_words
/etc/postfix/ehlo_discard_words: 213.4.149.66 digest-md5
That should disable digest-md5 for the isp server.
Interesting! I didn't know that existed.
It exists since Postfix 2.2 and newer versions. What is your version (postconf mail_version)?
But, first try, doesn't work. I created the "ehlo_discard_words" file using the isp name instead of the IP, but it is still using AUTH DIGEST-MD5.
Sorry, no joy, you have to use the ip address. :-((
--
Sandy
List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
The Tuesday 2007-04-17 at 15:14 +0200, Sandy Drobic wrote:
Carlos E. R. wrote:
smtp_discard_ehlo_keyword_address_maps = hash:/etc/postfix/ehlo_discard_words
/etc/postfix/ehlo_discard_words: 213.4.149.66 digest-md5
That should disable digest-md5 for the isp server.
Interesting! I didn't know that existed.
It exists since Postfix 2.2 and newer versions.
:-)
What is your version (postconf mail_version)?
nimrodel:/etc/postfix # postconf mail_version
mail_version = 2.3.2
The one that comes with suse 10.2.
But, first try, doesn't work. I created the "ehlo_discard_words" file using the isp name instead of the IP, but it is still using AUTH DIGEST-MD5.
Sorry, no joy, you have to use the ip address. :-((
Good grief! My ISP can choose to change its IP any time.
Ffff... ok, I'll leave it as:
213.4.149.66 digest-md5
(only line in the file)
but it is ignored:
: maps_find: smtpd_discard_ehlo_keyword_address_maps: hash:/etc/postfix/ehlo_discard_words(0,lock): 213.4.149.66 = digest-md5
...
: smtp_sasl_authenticate: smtp.telefonica.net[213.4.149.66]: SASL mechanisms LOGIN LOGIN CRAM-MD5 DIGEST-MD5
: > smtp.telefonica.net[213.4.149.66]: AUTH DIGEST-MD5
That feature certainly doesn't work. It is detected, it matches, but doesn't work, insisting in using DIGEST-MD5. Yes, I have tried both lower and upper case.
Per G.T.Smith suggestion, I tried:
smtp_sasl_security_options = cram-md5
smtp_sasl_tls_security_options = $smtp_sasl_security_options
now I get:
postfix/smtp[12774]: starting new SASL client
postfix/smtp[12774]: warning: unknown SASL security options value "cram-md5" in "cram-md5"
stfix/smtp[12774]: warning: bad per-session SASL security properties
postfix/smtp[12774]: fatal: SASL per-connection initialization failed
postfix/qmgr[12769]: warning: premature end-of-input on private/smtp socket while reading input attribute name
postfix/qmgr[12769]: warning: private/smtp socket: malformed response
postfix/qmgr[12769]: warning: transport smtp failure -- see a previous warning/fatal/panic logfile record for the problem description
postfix/master[4783]: warning: process /usr/lib/postfix/smtp pid 12774 exit status 1
postfix/master[4783]: warning: /usr/lib/postfix/smtp: bad command startup -- throttling
so that doesn't work, either.
--
Cheers,
Carlos E. R.
Carlos E. R. wrote:
What is your version (postconf mail_version)?
nimrodel:/etc/postfix # postconf mail_version
mail_version = 2.3.2
The one that comes with suse 10.2.
But, first try, doesn't work. I created the "ehlo_discard_words" file using the isp name instead of the IP, but it is still using AUTH DIGEST-MD5.
Sorry, no joy, you have to use the ip address. :-((
Good grief! My ISP can choose to change its IP any time.
Ffff... ok, I'll leave it as:
213.4.149.66 digest-md5
(only line in the file)
but it is ignored:
: maps_find: smtpd_discard_ehlo_keyword_address_maps: hash:/etc/postfix/ehlo_discard_words(0,lock): 213.4.149.66 = digest-md5
...
: smtp_sasl_authenticate: smtp.telefonica.net[213.4.149.66]: SASL mechanisms LOGIN LOGIN CRAM-MD5 DIGEST-MD5
: > smtp.telefonica.net[213.4.149.66]: AUTH DIGEST-MD5
That feature certainly doesn't work. It is detected, it matches, but doesn't work, insisting in using DIGEST-MD5. Yes, I have tried both lower and upper case.
Per G.T.Smith suggestion, I tried:
smtp_sasl_security_options = cram-md5
smtp_sasl_tls_security_options = $smtp_sasl_security_options
No, you should only set
smtp_sasl_security_option = noanonymous
If possible, you could add "noplaintext" This would demand, that only digest-md5 or cram-md5 will be used.
In the meantime, I had a closer look at the conversation. digest-md5 is not a keyword in the capabilities, so we can't use it to discard that option.
Please try:
smtp_sasl_mechanism_filter = cram-md5, login
now I get:
postfix/smtp[12774]: starting new SASL client
postfix/smtp[12774]: warning: unknown SASL security options value "cram-md5" in "cram-md5"
Yepp, that isn't an allowed option.
--
Sandy
List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
The Tuesday 2007-04-17 at 17:27 +0200, Sandy Drobic wrote:
Per G.T.Smith suggestion, I tried:
smtp_sasl_security_options = cram-md5
smtp_sasl_tls_security_options = $smtp_sasl_security_options
No, you should only set smtp_sasl_security_option = noanonymous
Eum... :-? No, I don't think I need going that far - I just read that one up :-)
If possible, you could add "noplaintext" This would demand, that only digest-md5 or cram-md5 will be used.
In the meantime, I had a closer look at the conversation. digest-md5 is not a keyword in the capabilities, so we can't use it to discard that option.
Please try: smtp_sasl_mechanism_filter = cram-md5, login
Ok, I tried that one and it worked! Which proves what I said that login/password was correctly entered but not accepted. Either there is something wrong in the postfix implementation of digest-md5, or my ISP, or between both. Or something in my configuration impedes it. Meanwhile, it works. :-))
:38:24 : < smtp.telefonica.net[213.4.149.66]: 220 ctsmtpout4.frontal.correo ESMTP Service (7.2.056.6) ready
:38:24 : > smtp.telefonica.net[213.4.149.66]: EHLO nimrodel.valinor
:38:24 : < smtp.telefonica.net[213.4.149.66]: 250-ctsmtpout4.frontal.correo
:38:24 : < smtp.telefonica.net[213.4.149.66]: 250-DSN
:38:24 : < smtp.telefonica.net[213.4.149.66]: 250-8BITMIME
:38:24 : < smtp.telefonica.net[213.4.149.66]: 250-PIPELINING
:38:24 : < smtp.telefonica.net[213.4.149.66]: 250-HELP
:38:24 : < smtp.telefonica.net[213.4.149.66]: 250-AUTH=LOGIN
:38:24 : < smtp.telefonica.net[213.4.149.66]: 250-AUTH LOGIN CRAM-MD5 DIGEST-MD5
:38:24 : < smtp.telefonica.net[213.4.149.66]: 250-X-CP-DELIVER-AFTER
:38:24 : < smtp.telefonica.net[213.4.149.66]: 250-DELIVERBY 300
:38:24 : < smtp.telefonica.net[213.4.149.66]: 250 SIZE 52428800
:38:24 : maps_find: smtpd_discard_ehlo_keyword_address_maps: hash:/etc/postfix/ehlo_discard_words(0,lock): 213.4.149.66 = DIGEST-MD5
:38:24 : match_string: LOGIN ~? cram-md5
:38:24 : match_string: LOGIN ~? login
:38:24 : match_string: LOGIN ~? cram-md5
:38:24 : match_string: LOGIN ~? login
:38:24 : match_string: CRAM-MD5 ~? cram-md5
:38:24 : match_string: DIGEST-MD5 ~? cram-md5
:38:24 : match_string: DIGEST-MD5 ~? login
:38:24 : match_list_match: DIGEST-MD5: no match
:38:24 : server features: 0x902f size 52428800
:38:24 : Using ESMTP PIPELINING, TCP send buffer size is 4096
:38:24 : maps_find: smtp_sasl_passwd: hash:/etc/postfix/sasl_passwd(0,lock|fold_fix): smtp.telefonica.net = MyLogin:MyPasswd
:38:24 : smtp_sasl_passwd_lookup: host `smtp.telefonica.net' user `MyLogin' pass `MyPasswd'
:38:24 : starting new SASL client
:38:24 : starting new SASL client
:38:24 : smtp_sasl_authenticate: smtp.telefonica.net[213.4.149.66]: SASL mechanisms LOGIN LOGIN CRAM-MD5
:38:24 : > smtp.telefonica.net[213.4.149.66]: AUTH LOGIN
:38:24 : < smtp.telefonica.net[213.4.149.66]: 334 VXNlcm5hbWU6
:38:24 : xsasl_cyrus_client_next: decoded challenge: Username:
:38:24 : xsasl_cyrus_get_user: MyLogin
:38:24 : xsasl_cyrus_get_passwd: MyPasswd
:38:24 : xsasl_cyrus_client_next: uncoded client response MyLogin
:38:24 : > smtp.telefonica.net[213.4.149.66]: Y2Vyb2Jpbi5qb2Jz
:38:24 : < smtp.telefonica.net[213.4.149.66]: 334 UGFzc3dvcmQ6
:38:24 : xsasl_cyrus_client_next: decoded challenge: Password:
:38:24 : xsasl_cyrus_client_next: uncoded client response MyPasswd
:38:24 : > smtp.telefonica.net[213.4.149.66]: ZW04YmEzbGE=
:38:25 : < smtp.telefonica.net[213.4.149.66]: 235 LOGIN authentication successful
...
:38:25 : < smtp.telefonica.net[213.4.149.66]: 250 <4623E95A000392AF> Mail accepted
now I get:
postfix/smtp[12774]: starting new SASL client
postfix/smtp[12774]: warning: unknown SASL security options value "cram-md5" in "cram-md5"
Yepp, that isn't an allowed option.
It was a wild try, anyway.
--
Cheers,
Carlos E. R.
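The three settings tried in this thread act on different things, which is why only the last one changed the mechanism list. The following added example (a simplified model with hypothetical function names, not Postfix code and not from any poster) replays them against an EHLO reply constructed from the log quoted above; it does not model which mechanism the SASL library then picks.

```python
"""Simplified model of how the Postfix SMTP client narrows the SASL mechanism list.

Added example: hypothetical helper names, not Postfix source code.
"""

# Constructed EHLO reply, modelled on the server reply quoted in the thread.
EHLO_REPLY = [
    "250-ctsmtpout1.frontal.correo",
    "250-DSN",
    "250-8BITMIME",
    "250-PIPELINING",
    "250-AUTH=LOGIN",
    "250-AUTH LOGIN CRAM-MD5 DIGEST-MD5",
    "250-X-CP-DELIVER-AFTER",
    "250-DELIVERBY 300",
    "250 SIZE 52428800",
]

# Property names that smtp_sasl_security_options accepts; mechanism names are not among them.
SECURITY_OPTIONS = {"noplaintext", "noactive", "nodictionary", "noanonymous", "mutual_auth"}


def parse_ehlo(reply_lines):
    """Return [(KEYWORD, [params])]; the first reply line is the server greeting."""
    features = []
    for line in reply_lines[1:]:
        # Strip the "250-" / "250 " prefix. The legacy "AUTH=LOGIN" form is read
        # like "AUTH LOGIN", which is why LOGIN shows up twice in the debug log.
        words = line[4:].replace("=", " ").split()
        if words:
            features.append((words[0].upper(), [w.upper() for w in words[1:]]))
    return features


def sasl_mechanisms(features, discard_keywords=(), mechanism_filter=()):
    """Mechanism names left for the SASL library after both filters are applied."""
    discard = {k.upper() for k in discard_keywords}
    allowed = {m.upper() for m in mechanism_filter}
    mechs = []
    for keyword, params in features:
        if keyword in discard:
            # EHLO discard maps match the keyword (first word) of a reply line
            # and drop the whole line; they never look at the parameters.
            continue
        if keyword == "AUTH":
            # The mechanism filter matches case-insensitively on mechanism names.
            mechs += [m for m in params if not allowed or m in allowed]
    return mechs


def unknown_security_options(value):
    """Words in an smtp_sasl_security_options value that are not property names."""
    words = value.replace(",", " ").split()
    return [w for w in words if w.lower() not in SECURITY_OPTIONS]


def thread_attempts():
    """Mechanism list for each configuration tried in the thread."""
    features = parse_ehlo(EHLO_REPLY)
    return {
        "no filter": sasl_mechanisms(features),
        "ehlo discard: digest-md5": sasl_mechanisms(
            features, discard_keywords=["digest-md5"]),
        "ehlo discard: auth": sasl_mechanisms(
            features, discard_keywords=["auth"]),
        "mechanism filter: cram-md5, login": sasl_mechanisms(
            features, mechanism_filter=["cram-md5", "login"]),
    }


if __name__ == "__main__":
    for name, mechs in thread_attempts().items():
        print(f"{name:36} -> {' '.join(mechs) or '(none, AUTH not seen)'}")
    print("rejected security options:", unknown_security_options("cram-md5"))
```

Discarding the `auth` keyword is included only to show what the discard map can match: it removes authentication entirely rather than one mechanism.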
The Tuesday 2007-04-17 at 20:07 +0200, I wrote:
The Tuesday 2007-04-17 at 17:27 +0200, Sandy Drobic wrote:
Please try: smtp_sasl_mechanism_filter = cram-md5, login
Ok, I tried that one and it worked!
I enabled TLS:
smtp_use_tls = yes
but that doesn't work:
Apr 18 01:01:38 nimrodel postfix/qmgr[15755]: ADFEBB6EAD: removed
Apr 18 01:01:38 nimrodel postfix/smtp[18419]: warning: connect to private/tlsmgr: Connection refused
Apr 18 01:01:38 nimrodel postfix/smtp[18419]: warning: problem talking to server private/tlsmgr: Connection refused
Apr 18 01:01:39 nimrodel postfix/smtp[18419]: warning: connect to private/tlsmgr: Connection refused
Apr 18 01:01:39 nimrodel postfix/smtp[18419]: warning: problem talking to server private/tlsmgr: Connection refused
Apr 18 01:01:39 nimrodel postfix/smtp[18419]: warning: no entropy for TLS key generation: disabling TLS support
I understand that using tls for server is more complicated, defining keys, etc. But as a client, I thought it was easier. I must be missing something.
Ok... my config is thus (postconf | grep smtp_tls):
smtp_tls_CAfile =
smtp_tls_CApath =
smtp_tls_cert_file =
smtp_tls_dcert_file =
smtp_tls_dkey_file = $smtp_tls_dcert_file
smtp_tls_enforce_peername = yes
smtp_tls_exclude_ciphers =
smtp_tls_key_file = $smtp_tls_cert_file
smtp_tls_loglevel = 0
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers =
smtp_tls_mandatory_protocols = SSLv3, TLSv1
smtp_tls_note_starttls_offer = no
smtp_tls_per_site =
smtp_tls_policy_maps =
smtp_tls_scert_verifydepth = 5
smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_security_level =
smtp_tls_session_cache_database =
smtp_tls_session_cache_timeout = 3600s
smtp_tls_verify_cert_match = hostname
smtp_use_tls (default: no)
... This feature is available in Postfix 2.2 and later. With Postfix 2.3 and later use smtp_tls_security_level instead.
smtp_tls_security_level (default: empty)
The default SMTP TLS security level for the Postfix SMTP client; when a non-empty value is specified, this overrides the obsolete parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
I set instead:
smtp_tls_security_level = may
but the error is the same.
--
Cheers,
Carlos E. R.
Carlos E. R. wrote:
I enabled TLS:
smtp_use_tls = yes
but that doesn't work:
Apr 18 01:01:38 nimrodel postfix/qmgr[15755]: ADFEBB6EAD: removed
Apr 18 01:01:38 nimrodel postfix/smtp[18419]: warning: connect to private/tlsmgr: Connection refused
Apr 18 01:01:38 nimrodel postfix/smtp[18419]: warning: problem talking to server private/tlsmgr: Connection refused
Apr 18 01:01:39 nimrodel postfix/smtp[18419]: warning: connect to private/tlsmgr: Connection refused
Apr 18 01:01:39 nimrodel postfix/smtp[18419]: warning: problem talking to server private/tlsmgr: Connection refused
Apr 18 01:01:39 nimrodel postfix/smtp[18419]: warning: no entropy for TLS key generation: disabling TLS support

I think you need to generate a certificate, which creates some necessary files below /etc/postfix/ssl. The certificate works for both client and server by default. Try out the etc/sysconfig Editor, fill out the relevant ssl entries, and that will generate the necessary files and certificate. HTH.
--
Joe Morris
Registered Linux user 231871 running openSUSE 10.2 x86_64
The Wednesday 2007-04-18 at 08:19 +0800, Joe Morris (NTM) wrote:
I think you need to generate a certificate, which creates some necessary files below /etc/postfix/ssl. The certificate works for both client and server by default. Try out the etc/sysconfig Editor, fill out the relevant ssl entries, and that will generate the necessary files and certificate. HTH.
A certificate for client side? Other programs running in client mode do not use it (thunderbird, fetchmail, etc). However, those definitions you talk about in sysconfig have been there for ages, defined, but are ignored: as soon as I edited main.cf on my own (years ago), sysconfig doesn't act for postfix.
--
Cheers, Carlos E. R.
Carlos E. R. wrote:
The Wednesday 2007-04-18 at 08:19 +0800, Joe Morris (NTM) wrote:
I think you need to generate a certificate, which creates some necessary files below /etc/postfix/ssl. The certificate works for both client and server by default. Try out the etc/sysconfig Editor, fill out the relevant ssl entries, and that will generate the necessary files and certificate. HTH.
A certificate for client side? Other programs running in client mode do not use it (thunderbird, fetchmail, etc). However, those definitions you talk about in sysconfig have been there for ages, defined, but are ignored: as soon as I edited main.cf on my own (years ago), sysconfig doesn't act for postfix.
Some time ago did some experimentation with certificate based security and IMAP and various mail clients. The norm was for the server to supply the client with the relevant certificate.
On Tuesday 17 April 2007, G.T.Smith wrote:
Carlos E. R. wrote:
The Wednesday 2007-04-18 at 08:19 +0800, Joe Morris (NTM) wrote:
I think you need to generate a certificate, which creates some necessary files below /etc/postfix/ssl. The certificate works for both client and server by default.
A certificate for client side? Other programs running in client mode do not use it (thunderbird, fetchmail, etc). However, those definitions you talk about in sysconfig have been there for ages, defined, but are ignored: as soon as I edited main.cf on my own (years ago), sysconfig doesn't act for postfix.
Some time ago did some experimentation with certificate based security and IMAP and various mail clients. The norm was for the server to supply the client with the relevant certificate.
I think what Joe Morris was trying to say is there are two certificate needs. One for Postfix/Sendmail, (the MTA) and another for Imap (MDA). Both need a certificate, and historically it was easier to generate two or put copies of the certificate in two places because postfix and Cyrus (or whatever) live in different directory structures, and often run under different user/group ids. Once you chroot either it becomes almost mandatory to replicate your cert. (And, I'm not suggesting chroot is useful, just that Suse seems to suggest it at install time.)
--
John Andersen
John Andersen wrote:
On Tuesday 17 April 2007, G.T.Smith wrote:
Carlos E. R. wrote:
The Wednesday 2007-04-18 at 08:19 +0800, Joe Morris (NTM) wrote:
I think you need to generate a certificate, which creates some necessary files below /etc/postfix/ssl. The certificate works for both client and server by default.
A certificate for client side? Other programs running in client mode do not use it (thunderbird, fetchmail, etc). However, those definitions you talk about in sysconfig have been there for ages, defined, but are ignored: as soon as I edited main.cf on my own (years ago), sysconfig doesn't act for postfix.
Some time ago did some experimentation with certificate based security and IMAP and various mail clients. The norm was for the server to supply the client with the relevant certificate.
I think what Joe Morris was trying to say is there are two certificate needs. One for Postfix/Sendmail, (the MTA) and another for Imap (MDA).
Both need a certificate, and historically it was easier to generate two or put copies of the certificate in two places because postfix and Cyrus (or whatever) live in different directory structures, and often run under different user/group ids.
Once you chroot either it becomes almost mandatory to replicate your cert. (And, I'm not suggesting chroot is useful, just that Suse seems to suggest it at install time.)
Cyrus is a special case.... a heavy duty black box within the box ... really only of use if you have a lot of users and a powerful machine. UW and courier-IMAP use the same mail structures as Postfix (or EXIM) and integrate well with tools such as procmail.... Accept the requirement for separate certificates for transmission and reading of mail. However, not sure what the implications are for server to server communication for former.
The Wednesday 2007-04-18 at 09:35 +0100, G.T.Smith wrote:
Cyrus is a special case.... a heavy duty black box within the box ... really only of use if you have a lot of users and a powerful machine.
UW and courier-IMAP use the same mail structures as Postfix (or EXIM) and integrate well with tools such as procmail....
I'll try to remember this. I do have UW pop/imap installed locally, it's very simple: no configuration except the key.
Accept the requirement for separate certificates for transmission and reading of mail. However, not sure what the implications are for server to server communication for former.
It wasn't necessary for the client side of postfix, it's working now without one, as I thought. Sandy D. nailed that one for me :-)
--
Cheers, Carlos E. R.
Carlos E. R. wrote:
I enabled TLS:
smtp_use_tls = yes
but that doesn't work:
Apr 18 01:01:38 nimrodel postfix/qmgr[15755]: ADFEBB6EAD: removed
Apr 18 01:01:38 nimrodel postfix/smtp[18419]: warning: connect to private/tlsmgr: Connection refused
Apr 18 01:01:38 nimrodel postfix/smtp[18419]: warning: problem talking to server private/tlsmgr: Connection refused
Apr 18 01:01:39 nimrodel postfix/smtp[18419]: warning: connect to private/tlsmgr: Connection refused
Apr 18 01:01:39 nimrodel postfix/smtp[18419]: warning: problem talking to server private/tlsmgr: Connection refused
Apr 18 01:01:39 nimrodel postfix/smtp[18419]: warning: no entropy for TLS key generation: disabling TLS support

You have a problem with the tlsmgr. Please check that you indeed have an entry for tlsmgr:

/etc/postfix/master.cf:
tlsmgr unix - - n 1000? 1 tlsmgr

Also run:

postfix upgrade-configuration
postfix set-permissions
postfix check

This applies especially if you have upgraded your system from earlier versions of Suse. You might also want to check if AppArmor is interfering.

I understand that using TLS for server is more complicated, defining keys, etc. But as a client, I thought it was easier. I must be missing something.
Ok... my config is thus (postconf | grep smtp_tls):
No certs are necessary for Postfix to use TLS as a client.
smtp_use_tls (default: no) ... This feature is available in Postfix 2.2 and later. With Postfix 2.3 and later use smtp_tls_security_level instead.
Yes, the setting is deprecated, for Postfix 2.3 upwards the parameter below should be used.
smtp_tls_security_level (default: empty)
--
Sandy
List replies only please! Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
The Wednesday 2007-04-18 at 11:03 +0200, Sandy Drobic wrote:
You have a problem with the tlsmgr. Please check that you indeed have an entry for tlsmgr:
/etc/postfix/master.cf:
tlsmgr unix - - n 1000? 1 tlsmgr

Yep! It works now. At least, it doesn't complain of that, now I get new complaints:

Apr 18 14:09:21 nimrodel postfix/smtp[23556]: certificate verification failed for mx1.suse.de: num=19:self signed certificate in certificate chain

This is a never ending tale! :-) I guess I would have to import their certificate somehow.

Also run:
postfix upgrade-configuration
postfix set-permissions
postfix check
This applies especially if you have upgraded your system from earlier versions of Suse.

Ah... ok. First I stop postfix and fetchmail... (oops, I stopped fetchmail while it was fetching)... make a backup... run that...

nimrodel:/etc/postfix # postfix upgrade-configuration
Editing /etc/postfix/master.cf, adding missing entry for discard service
Note: the following files or directories still exist but are no longer part of Postfix:
/etc/postfix/pcre_table /etc/postfix/regexp_table
nimrodel:/etc/postfix # postfix set-permissions
nimrodel:/etc/postfix # postfix check
nimrodel:/etc/postfix #

Done! Sort by date, find what was modified...

prng_exch - what's this? A binary, not new, but new to me.
master.cf

tls_random_exchange_name (default: ${config_directory}/prng_exch)
Name of the pseudo random number generator (PRNG) state file that is maintained by tlsmgr(8). The file is created when it does not exist, and its length is fixed at 1024 bytes. Since this file is modified by Postfix, it should probably be kept in the /var file system, instead of under $config_directory. The location should not be inside the chroot jail. This feature is available in Postfix 2.2 and later.

Curious! But it is kept in /etc/postfix.

nimrodel:/etc/postfix # diff master.cf master.cf.old
150d149
< discard unix - - n - - discard
nimrodel:/etc/postfix #

A new entry! I wonder why Yast didn't do this while updating my system two months ago. Send a test email... worked fine. Good! :-)
You might also want to check if AppArmor is interfering.
Ah, yes, I tend to forget that one [...] no, nothing there.
I understand that using TLS for server is more complicated, defining keys, etc. But as a client, I thought it was easier. I must be missing something.
Ok... my config is thus (postconf | grep smtp_tls):
No certs are necessary for Postfix to use TLS as a client.
I thought so.
smtp_use_tls (default: no) ... This feature is available in Postfix 2.2 and later. With Postfix 2.3 and later use smtp_tls_security_level instead.
Yes, the setting is deprecated, for Postfix 2.3 upwards the parameter below should be used.
smtp_tls_security_level (default: empty)
I set it to "may", i.e., opportunistic. It appears my provider doesn't allow tls, anyway.
--
Cheers, Carlos E. R.
Carlos E. R. wrote:
The Wednesday 2007-04-18 at 11:03 +0200, Sandy Drobic wrote:
You have a problem with the tlsmgr. Please check that you indeed have an entry for tlsmgr:
/etc/postfix/master.cf:
tlsmgr unix - - n 1000? 1 tlsmgr
Yep! It works now. At least, it doesn't complain of that, now I get new complaints:
Apr 18 14:09:21 nimrodel postfix/smtp[23556]: certificate verification failed for mx1.suse.de: num=19:self signed certificate in certificate chain
This is a never ending tale! :-)
This is just an informational warning, not a functional.
I guess I would have to import their certificate somehow.
What you have to import is their root ca certificate, it belongs into

smtp_tls_CAfile = /etc/postfix/smtp_cacerts
smtp_tls_CApath = /etc/postfix/certs

(choose one of these)

Because the root ca is not known to Postfix at the moment, Postfix can not verify, that the certificate which mx1.suse.de presents to your server, has indeed been signed by Thawte. This is what you see, when you have stored the Thawte root ca:

Apr 18 11:02:31 katgar postfix/smtp[32554]: setting up TLS connection to mx1.suse.de
Apr 18 11:02:31 katgar postfix/smtp[32554]: Verified: subject_CN=mx1.suse.de, issuer=Thawte Premium Server CA
Apr 18 11:02:31 katgar postfix/smtp[32554]: TLS connection established to mx1.suse.de: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

Again. This is informational only, it does not say that the TLS connection is invalid.

Also run:
postfix upgrade-configuration
postfix set-permissions
postfix check
This applies especially if you have upgraded your system from earlier versions of Suse.
Ah... ok. First I stop postfix and fetchmail... (oops, I stopped fetchmail while it was fetching)... make a backup... run that...
nimrodel:/etc/postfix # postfix upgrade-configuration
Editing /etc/postfix/master.cf, adding missing entry for discard service
No one is perfect, and apparently the package manager that provided the suse rpm isn't either. (^-^)
--
Sandy
List replies only please! Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
The Wednesday 2007-04-18 at 16:17 +0200, Sandy Drobic wrote:
This is just an informational warning, not a functional.
Ah, ok.
I guess I would have to import their certificate somehow.
What you have to import is their root ca certificate, it belongs into
smtp_tls_CAfile = /etc/postfix/smtp_cacerts
smtp_tls_CApath = /etc/postfix/certs
(choose one of these)
Because the root ca is not known to Postfix at the moment, Postfix can not verify, that the certificate which mx1.suse.de presents to your server, has indeed been signed by Thawte.
Yes... I have been reading the "TLS_README", but the next question then would be how to obtain those root certificates. I wonder if I could copy over those in /etc/ssl/certs, there is a 'thawteCb.pem' and a 'thawteCp.pem'. I'll try.
--
Cheers, Carlos E. R.
The Wednesday 2007-04-18 at 20:05 +0200, I wrote:
Yes... I have been reading the "TLS_README", but the next question then would be how to obtain those root certificates. I wonder if I could copy over those in /etc/ssl/certs, there is a 'thawteCb.pem' and a 'thawteCp.pem'. I'll try.
Yes, that seems to work:

Apr 18 20:05:16 nimrodel postfix/smtp[28214]: setting up TLS connection to mx2.suse.de
Apr 18 20:05:16 nimrodel postfix/smtp[28214]: Verified: subject_CN=mx2.suse.de, issuer=Thawte Premium Server CA
Apr 18 20:05:16 nimrodel postfix/smtp[28214]: TLS connection established to mx2.suse.de: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

--
Cheers, Carlos E. R.
Carlos E. R. wrote:
The Wednesday 2007-04-18 at 20:05 +0200, I wrote:
Yes... I have been reading the "TLS_README", but the next question then would be how to obtain those root certificates. I wonder if I could copy over those in /etc/ssl/certs, there is a 'thawteCb.pem' and a 'thawteCp.pem'. I'll try.
Yes, that seems to work:
Apr 18 20:05:16 nimrodel postfix/smtp[28214]: setting up TLS connection to mx2.suse.de
Apr 18 20:05:16 nimrodel postfix/smtp[28214]: Verified: subject_CN=mx2.suse.de, issuer=Thawte Premium Server CA
Apr 18 20:05:16 nimrodel postfix/smtp[28214]: TLS connection established to mx2.suse.de: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Congratulation again. (^-^)
--
Sandy
List replies only please! Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
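The two diagnoses reached in this thread (no active tlsmgr service in master.cf, and a root CA missing from smtp_tls_CAfile/CApath) can be checked mechanically. The following is an added example, not part of the original messages: the master.cf fragment is constructed, the function names are hypothetical, the log lines are the ones quoted in the thread, and the finding texts paraphrase the replies.

```python
import re

# Constructed master.cf fragment: tlsmgr is commented out, which has the same
# effect as the missing entry diagnosed in the thread.
MASTER_CF_BROKEN = """\
smtp      inet  n       -       n       -       -       smtpd
#tlsmgr   unix  -       -       n       1000?   1       tlsmgr
smtp      unix  -       -       n       -       -       smtp
  -o smtp_helo_timeout=5
"""
MASTER_CF_FIXED = MASTER_CF_BROKEN + "tlsmgr unix - - n 1000? 1 tlsmgr\n"

# Log lines as quoted in the thread.
LOG = """\
Apr 18 01:01:38 nimrodel postfix/smtp[18419]: warning: connect to private/tlsmgr: Connection refused
Apr 18 01:01:39 nimrodel postfix/smtp[18419]: warning: no entropy for TLS key generation: disabling TLS support
Apr 18 14:09:21 nimrodel postfix/smtp[23556]: certificate verification failed for mx1.suse.de: num=19:self signed certificate in certificate chain
Apr 18 20:05:16 nimrodel postfix/smtp[28214]: Verified: subject_CN=mx2.suse.de, issuer=Thawte Premium Server CA
""".splitlines()

def master_cf_services(text):
    """Parse master.cf text into {(service, type): command with args}."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank line or comment
        if line[0].isspace():             # leading whitespace continues an entry
            if current:
                services[current] += " " + line.strip()
            continue
        fields = line.rstrip().split(None, 7)   # 7 control fields, then the command
        current = (fields[0], fields[1]) if len(fields) == 8 else None
        if current:
            services[current] = fields[7]
    return services

def has_tlsmgr(text):
    """True when an active 'tlsmgr unix ... tlsmgr' entry exists."""
    command = master_cf_services(text).get(("tlsmgr", "unix"), "")
    return command.split()[:1] == ["tlsmgr"]

# Log pattern -> finding; the findings paraphrase the replies in the thread.
RULES = [
    (r"connect to private/tlsmgr: Connection refused", "tlsmgr unreachable: check its master.cf entry"),
    (r"no entropy for TLS key generation", "TLS disabled for this delivery"),
    (r"certificate verification failed for \S+: num=19:", "root CA not in smtp_tls_CAfile/CApath"),
    (r"Verified: subject_CN=", "peer certificate verified"),
]

def triage(lines):
    """Return the findings, in log order, for Postfix SMTP client log lines."""
    return [finding for line in lines if "postfix/smtp[" in line
            for pattern, finding in RULES if re.search(pattern, line)]

if __name__ == "__main__":
    print("tlsmgr defined:", has_tlsmgr(MASTER_CF_BROKEN), "->", has_tlsmgr(MASTER_CF_FIXED))
    print("\n".join(triage(LOG)))
```

On a live system the same functions can be fed the contents of /etc/postfix/master.cf and the mail log instead of the embedded samples.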
participants (6)
- Carlos E. R.
- Cristian Rodriguez R.
- G.T.Smith
- Joe Morris (NTM)
- John Andersen
- Sandy Drobic