[opensuse] I'm stuck - SSL Certs / email server
Hi Guys,
I really could use some help here, I'm kind of stuck. Trying to get my SSL certs to work right with postfix/cyrus imap. I think I'm very close, but something is still not quite right.
I've got a signed SSL cert, but my email client does not recognize it as being signed by a trusted authority. There is a CA cert in my mail client from StartSSL so it should recognize the signed one on my server. Also, I'm getting ssl errors saying the ssl rx record too long. I've googled all over and find references to that, but nothing that helped my case.
I'm starting to think SSL is not set up or working properly here. Sending email via TLS works ok (except for not recognizing the cert as signed by trusted authority), but checking email via SSL does not work properly, and presents both errors as described above. I've mainly been using Thunderbird, but tried setting up Kmail to try another program. It auto-detected TLS as being offered by the server, but did not detect SSL as being offered. (Specifically, no security and TLS, with plain text passwords, but not SSL).
Perhaps I don't need SSL and can use TLS?? This defaults to port 143. Previously I used my firewall to limit plain text access to port 143, but I suppose I can force TLS on both smtp and imap?
I'd be happy to supply any setup info you might need, but I've done so much I don't want to clog up this email with everything.
I did question the StartSSL guys who advised to combine 2 files, their main CA and a Sub-CA into one file. I did that but it didn't resolve anything. The CA and Sub-CA certs are in the same dir as my signed cert and private key. Private key is set to chmod 400 and everything else is 644.
Localhost is reporting as follows:
user@jimmee:~> telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 jjfiii.com ESMTP Postfix
ehlo localhost
250-jjfiii.com
250-PIPELINING
250-SIZE
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
As I said I think I'm very close to having this set up right. Something I'm missing. Not sure what.
Thanks for any help.
Jim F
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On 04/22/2011 04:09 AM, Jim Flanagan wrote:
Hi Guys,
I really could use some help here, I'm kind of stuck. Trying to get my SSL certs to work right with postfix/cyrus imap. I think I'm very close, but something is still not quite right.
I've got a signed SSL cert, but my email client does not recognize it as being signed by a trusted authority. There is a CA cert in my mail client from StartSSL so it should recognize the signed one on my server. Also, I'm getting ssl errors saying the ssl rx record too long. I've googled all over and find references to that, but nothing that helped my case.
I'm starting to think SSL is not set up or working properly here. Sending email via TLS works ok (except for not recognizing the cert as signed by trusted authority), but checking email via SSL does not work properly, and presents both errors as described above. I've mainly been using Thunderbird, but tried setting up Kmail to try another program. It auto-detected TLS as being offered by the server, but did not detect SSL as being offered. (Specifically, no security and TLS, with plain text passwords, but not SSL).
Perhaps I don't need SSL and can use TLS?? This defaults to port 143. Previously I used my firewall to limit plain text access to port 143, but I suppose I can force TLS on both smtp and imap?
I'd be happy to supply any setup info you might need, but I've done so much I don't want to clog up this email with everything.
I did question the StartSSL guys who advised to combine 2 files, their main CA and a Sub-CA into one file. I did that but it didn't resolve anything. The CA and Sub-CA certs are in the same dir as my signed cert and private key. Private key is set to chmod 400 and everything else is 644.
Localhost is reporting as follows:
user@jimmee:~> telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 jjfiii.com ESMTP Postfix
ehlo localhost
250-jjfiii.com
250-PIPELINING
250-SIZE
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
As I said I think I'm very close to having this set up right. Something I'm missing. Not sure what.
Thanks for any help.
Jim F
Port 25 is for non SSL SMTP traffic. You can't expect it to give you a SSL connection. Port 465 is the SSL port for SMTP. This should be opened from postfix master.cf. Also port 143 is standard non SSL IMAP port. Port 993 is the SSL port for IMAP. This is configured in your cyrus IMAP so check the settings there.
Regards, Mihira
On 22.04.2011 06:37, Mihira Fernando wrote:
On 04/22/2011 04:09 AM, Jim Flanagan wrote:
Port 25 is for non SSL SMTP traffic. You can't expect it to give you a SSL connection. Port 465 is the SSL port for SMTP. This should be opened from postfix master.cf.
Your information is outdated, port 465 is the deprecated SSL-Port. If the client sends the EHLO command instead of the HELO, then the server can offer STARTTLS in its capabilities to the client. That initiates a TLS encrypted connection.
Also port 143 is standard non SSL IMAP port. Port 993 is the SSL port for IMAP. This is configured in your cyrus IMAP so check the settings there.
This is the real problem. When sending mail the client is connecting to Postfix. When receiving mails your client talks with Cyrus Imap. It seems that the problem is Cyrus Imap, not Postfix.
Sandy
On 04/22/2011 06:06 PM, Sandy Drobic wrote:
On 22.04.2011 06:37, Mihira Fernando wrote:
On 04/22/2011 04:09 AM, Jim Flanagan wrote:
Port 25 is for non SSL SMTP traffic. You can't expect it to give you a SSL connection. Port 465 is the SSL port for SMTP. This should be opened from postfix master.cf.
Your information is outdated, port 465 is the deprecated SSL-Port. If the client sends the EHLO command instead of the HELO, then the server can offer STARTTLS in its capabilities to the client. That initiates a TLS encrypted connection.
True but so far the de facto standard is that port 25 is used for non encrypted SMTP traffic. Running SSL or TLS only on port 25 is likely to cause your server to lose mail as MTA - MTA mail delivery is still largely non encrypted.
Mihira
On Fri, 2011-04-22 at 18:26 +0530, Mihira Fernando wrote:
On 04/22/2011 06:06 PM, Sandy Drobic wrote:
On 22.04.2011 06:37, Mihira Fernando wrote:
On 04/22/2011 04:09 AM, Jim Flanagan wrote:
Port 25 is for non SSL SMTP traffic. You can't expect it to give you a SSL connection. Port 465 is the SSL port for SMTP. This should be opened from postfix master.cf.
Your information is outdated, port 465 is the deprecated SSL-Port. If the client sends the EHLO command instead of the HELO, then the server can offer STARTTLS in its capabilities to the client. That initiates a TLS encrypted connection.
True but so far the de facto standard is that port 25 is used for non encrypted SMTP traffic. Running SSL or TLS only on port 25 is likely to cause your server to lose mail as MTA - MTA mail delivery is still largely non encrypted.
This is incorrect: tcp/25 can be TLS encrypted. TLS OPTIONAL of course, if your server needs to receive mail from other servers (so if your SMTP is a receiving Server).
There is hardly ANY Server out there still using SSL directly.
The usual thing for TLS OPTIONAL is to issue an ehlo, check for a starttls command and issue it, changing to TLS.
Dominique
On 04/26/2011 12:24 AM, Dimstar / Dominique Leuenberger wrote:
On Fri, 2011-04-22 at 18:26 +0530, Mihira Fernando wrote:
On 04/22/2011 06:06 PM, Sandy Drobic wrote:
On 22.04.2011 06:37, Mihira Fernando wrote:
On 04/22/2011 04:09 AM, Jim Flanagan wrote:
Port 25 is for non SSL SMTP traffic. You can't expect it to give you a SSL connection. Port 465 is the SSL port for SMTP. This should be opened from postfix master.cf.
Your information is outdated, port 465 is the deprecated SSL-Port. If the client sends the EHLO command instead of the HELO, then the server can offer STARTTLS in its capabilities to the client. That initiates a TLS encrypted connection.
True but so far the de facto standard is that port 25 is used for non encrypted SMTP traffic. Running SSL or TLS only on port 25 is likely to cause your server to lose mail as MTA - MTA mail delivery is still largely non encrypted.
This is incorrect: tcp/25 can be TLS encrypted. TLS OPTIONAL of course, if your server needs to receive mail from other servers (so if your SMTP is a receiving Server).
There is hardly ANY Server out there still using SSL directly.
The usual thing for TLS OPTIONAL is to issue an ehlo, check for a starttls command and issue it, changing to TLS.
Dominique
So exactly what in my statement earlier is incorrect ?
Mihira.
On 26.04.2011 04:47, Mihira Fernando wrote:
On 04/26/2011 12:24 AM, Dimstar / Dominique Leuenberger wrote:
On Fri, 2011-04-22 at 18:26 +0530, Mihira Fernando wrote:
On 04/22/2011 06:06 PM, Sandy Drobic wrote:
On 22.04.2011 06:37, Mihira Fernando wrote:
On 04/22/2011 04:09 AM, Jim Flanagan wrote:
Port 25 is for non SSL SMTP traffic. You can't expect it to give you a SSL connection. Port 465 is the SSL port for SMTP. This should be opened from postfix master.cf.
Your information is outdated, port 465 is the deprecated SSL-Port. If the client sends the EHLO command instead of the HELO, then the server can offer STARTTLS in its capabilities to the client. That initiates a TLS encrypted connection.
True but so far the de facto standard is that port 25 is used for non encrypted SMTP traffic. Running SSL or TLS only on port 25 is likely to cause your server to lose mail as MTA - MTA mail delivery is still largely non encrypted.
This is incorrect: tcp/25 can be TLS encrypted. TLS OPTIONAL of course, if your server needs to receive mail from other servers (so if your SMTP is a receiving Server).
There is hardly ANY Server out there still using SSL directly.
The usual thing for TLS OPTIONAL is to issue an ehlo, check for a starttls command and issue it, changing to TLS.
Dominique
So exactly what in my statement earlier is incorrect ?
Your assumption was that encryption is mandatory and thus responsible for rejecting mails that should be accepted. This is not the case with STARTTLS. STARTTLS is an OPTION for the client. The reason for this is downwards compatibility. A client may use HELO and deliver mails without encryption, a client may use EHLO and MAY use STARTTLS to encrypt the connection.
On the other side you may apply policies on your server like
- only allow mails from certain domains when the connection is encrypted
- only allow SMTP AUTH when the connection is encrypted
...
Port 465 is only useful for internal servers when the mails are sent from an internal backend and the transport is set manually including the port. For some strange reasons Domino does check port 465 when attempting to deliver mails, though it could be a configuration upgrade problem since our system is rather old and has seen quite a lot of version upgrades.
Sandy
On 04/26/2011 01:57 PM, Sandy Drobic wrote:
Your assumption was that encryption is mandatory and thus responsible for rejecting mails that should be accepted.
This is where you went off track, or where my sentence was not clear enough (most likely it's the latter).
What I wrote:
Running SSL or TLS only on port 25 is likely to cause your server to lose mail
What I meant:
Enforcing SSL or TLS on port 25 so that encryption is made to be the mandatory default is likely to cause the server to lose mail.
Agree completely with everything else you've explained there.
Mihira.
On 26.04.2011 10:35, Mihira Fernando wrote:
On 04/26/2011 01:57 PM, Sandy Drobic wrote:
Your assumption was that encryption is mandatory and thus responsible for rejecting mails that should be accepted.
This is where you went off track, or where my sentence was not clear enough (most likely its the latter).
What I wrote :
Running SSL or TLS only on port 25 is likely to cause your server to lose mail
What I meant: Enforcing SSL or TLS on port 25 so that encryption is made to be the mandatory default is likely to cause the server to lose mail.
Yes, that is what I thought. I was irritated by the phrase "cause the server to lose mail". You can't lose mail that you haven't accepted. (^-^)
It is more like a self-inflicted denial-of-service. ;-)
Sandy
On 04/26/2011 06:44 AM, Sandy Drobic wrote:
On 26.04.2011 10:35, Mihira Fernando wrote:
On 04/26/2011 01:57 PM, Sandy Drobic wrote:
Your assumption was that encryption is mandatory and thus responsible for rejecting mails that should be accepted.
This is where you went off track, or where my sentence was not clear enough (most likely it's the latter).
What I wrote :
Running SSL or TLS only on port 25 is likely to cause your server to lose mail
What I meant: Enforcing SSL or TLS on port 25 so that encryption is made to be the mandatory default is likely to cause the server to lose mail.
Yes, that is what I thought. I was irritated by the phrase "cause the server to lose mail". You can't lose mail that you haven't accepted. (^-^)
It is more like a self-inflicted denial-of-service. ;-)
Sandy
OK, thanks everyone for the good info and help. I've made some progress and have my certs set so that I can send out email, and the certs are recognized as being signed. Finally. The only error on sending as of now is that the cert is not for this site. This is understandable as I'm using "localhost" instead of my domain right now. This should resolve itself once I take this server online and use my domain name on it. (What I had to do was to cat my signed cert with the StartSSL intermediate CA and their CA into one file. I read that section of the postfix.org config page about 14 times before that sunk in. I stopped to set up Apache2 and had a few problems getting the certs right there too, but that got me going to work on combining the cert and CAs).
Still having problems receiving, or rather reading received mails via imaps. And this is getting pretty weird. Thunderbird does not like setting imap security to SSL/TLS (port 993), and still gives the error that ssl rx record is too long. Setting it to STARTTLS is worse (on port 143), all sorts of errors fly up saying that the server is not available or has disconnected.
Here's the weird part. Kmail seems to work just fine. Using the feature in setting up an email account to check what the server provides for security, it offers None and Use TLS (over port 143) and defaults to Use TLS. Works fine and does not mention any problem with my certs (now that I have them combined into one cert file). What also seems weird to me is that Kmail does not show that SSL is being offered by my mail server. I do not understand that. But if its happy with TLS I can work with that. But I prefer to have Thunderbird working properly also as most clients are non-linux and TBird is multi platform. I'm starting to think TBird does not like my 256 bit cert, although I find that hard to believe. Firefox seems happy with this same 256 bit cert on Apache2. Do I need a 128 bit cert for TBird?
I'm not familiar with TBird logs, but trying to access imaps email with TBird, /var/log/mail shows:
Apr 28 19:34:30 jimmee postfix/smtpd[6823]: connect from localhost[::1]
Apr 28 19:34:30 jimmee postfix/smtpd[6823]: setting up TLS connection from localhost[::1]
Apr 28 19:34:30 jimmee postfix/smtpd[6823]: Anonymous TLS connection established from localhost[::1]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr 28 19:35:00 jimmee postfix/smtpd[6823]: warning: Illegal address syntax from localhost[::1] in RCPT command: <jim@192.168.1.117>
Apr 28 19:35:05 jimmee postfix/smtpd[6823]: lost connection after RSET from localhost[::1]
Apr 28 19:35:05 jimmee postfix/smtpd[6823]: disconnect from localhost[::1]
Accessing imaps with KMail, /var/log/mail shows:
Apr 28 19:53:25 jimmee postfix/smtpd[7419]: connect from unknown[192.168.1.117]
Apr 28 19:53:25 jimmee postfix/smtpd[7419]: setting up TLS connection from unknown[192.168.1.117]
Apr 28 19:53:25 jimmee postfix/smtpd[7419]: Anonymous TLS connection established from unknown[192.168.1.117]: TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)
Apr 28 19:53:25 jimmee postfix/smtpd[7419]: 9CD174044E: client=unknown[192.168.1.117]
Apr 28 19:53:25 jimmee postfix/cleanup[7429]: 9CD174044E: message-id=<4DBA0C04.20702@jjfiii.com>
Apr 28 19:53:25 jimmee postfix/qmgr[5634]: 9CD174044E: from=<jim@jjfiii.com>, size=1313, nrcpt=1 (queue active)
Apr 28 19:53:25 jimmee postfix/smtpd[7419]: disconnect from unknown[192.168.1.117]
Apr 28 19:53:25 jimmee postfix/lmtp[7431]: 9CD174044E: to=<mimi@[192.168.1.118]>, relay=jjfiii.com[/var/lib/imap/socket/lmtp], delay=0.29, delays=0.08/0.01/0.02/0.18, dsn=2.1.5, status=sent (250 2.1.5 Ok)
Apr 28 19:53:25 jimmee postfix/qmgr[5634]: 9CD174044E: removed
The TBird connection fails, the KMail one doesn't. ??????????
Any more thoughts on this? I sure appreciate all your help and patience.
Jim F
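The "ssl rx record too long" symptom and the STARTTLS checks discussed in this thread, as an added example that is not part of the original posts (not Jim's, Postfix's or Cyrus's code): a small Python diagnostic that decodes a plaintext IMAP/SMTP greeting the way a TLS client does, which is the classic cause of that error when a client expects SSL on a port that answers in cleartext, and that parses EHLO/CAPABILITY replies for STARTTLS. The banners below are constructed samples, and the host and port passed to probe_port() are placeholders.

```python
"""Added example (not code from this thread): show what "ssl rx record too
long" means and check which ports actually offer STARTTLS.

A client configured for SSL/TLS on a port that really speaks plaintext reads
the server's ASCII greeting as if it were a TLS record header, and the
"length" it decodes from the text is far beyond what a TLS record may carry.
The banners used here are constructed samples; host/port in probe_port() are
placeholders, not the poster's machine.
"""
import socket

# RFC 5246: a TLSPlaintext record carries at most 2^14 bytes.  Clients such
# as Thunderbird (NSS) abort with "record too long" when the header claims more.
TLS_MAX_RECORD = 2 ** 14
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}


def parse_tls_record_header(data: bytes) -> dict:
    """Read the first 5 bytes the way a TLS client does: type, version, length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    content_type = data[0]
    version = (data[1], data[2])
    length = int.from_bytes(data[3:5], "big")
    return {
        "content_type": content_type,
        "content_type_name": TLS_CONTENT_TYPES.get(content_type, "invalid"),
        "version": version,
        "length": length,
        # Real TLS records start with a known type byte and major version 3.
        "looks_like_tls": content_type in TLS_CONTENT_TYPES and version[0] == 3,
        "record_too_long": length > TLS_MAX_RECORD,
    }


def classify_greeting(first_bytes: bytes) -> str:
    """Name the protocol a server volunteered before the client sent anything."""
    if not first_bytes:
        # An implicit-TLS port (imaps/993, smtps/465) waits for the ClientHello
        # and sends nothing, so a silent server is the expected result there.
        return "silent"
    if parse_tls_record_header(first_bytes.ljust(5, b"\0"))["looks_like_tls"]:
        return "tls-record"
    text = first_bytes.decode("ascii", "replace")
    if text.startswith("* OK"):          # RFC 3501 IMAP greeting
        return "imap-plaintext"
    if text.startswith("220"):           # RFC 5321 SMTP greeting
        return "smtp-plaintext"
    return "unknown"


def ehlo_offers_starttls(ehlo_reply: str) -> bool:
    """True if a multi-line EHLO reply advertises STARTTLS (RFC 3207)."""
    return any(line[4:].strip().upper() == "STARTTLS"
               for line in ehlo_reply.splitlines()
               if line.startswith("250"))


def imap_offers_starttls(line: str) -> bool:
    """True if an IMAP greeting or CAPABILITY response lists STARTTLS (RFC 2595)."""
    # Capabilities may sit in a "[CAPABILITY ...]" response code of the greeting
    # or in an untagged "* CAPABILITY ..." line; stop at the closing bracket.
    body = line.split("]", 1)[0] if "[" in line else line
    tokens = body.replace("[", " ").split()
    if "CAPABILITY" not in tokens:
        return False
    caps = tokens[tokens.index("CAPABILITY") + 1:]
    return "STARTTLS" in {c.upper() for c in caps}


def probe_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, send nothing, and classify whatever the server says first."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            first = sock.recv(64)
        except socket.timeout:
            first = b""
    return classify_greeting(first)


if __name__ == "__main__":
    # Constructed IMAP greeting of the "* OK ..." form, read as a TLS header.
    hdr = parse_tls_record_header(b"* OK [CAPABILITY IMAP4rev1 STARTTLS] ready\r\n")
    print(f"decoded length {hdr['length']}, too long: {hdr['record_too_long']}")
    # Placeholder host; on a real server this tells you whether 143 greets in
    # cleartext (STARTTLS territory) and 993 stays silent (implicit TLS):
    # print(probe_port("mail.example.invalid", 143))
```

A port that greets with "* OK" or "220" must be configured as STARTTLS in the client; only a port that stays silent is an implicit-TLS (SSL/TLS) port.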
Jim Flanagan wrote:
Still having problems receiving, or rather reading received mails via imaps. And this is getting pretty weird. Thunderbird does not like setting imap security to SSL/TLS (port 993), and still gives the error that ssl rx record is too long. Setting it to STARTTLS is worse (on port 143), all sorts of errors fly up saying that the server is not available or has disconnected.
I'm using plain IMAP + STARTTLS with thunderbird and dovecot, no problems.
Apr 28 19:34:30 jimmee postfix/smtpd[6823]: connect from localhost[::1]
Apr 28 19:34:30 jimmee postfix/smtpd[6823]: setting up TLS connection from localhost[::1]
Apr 28 19:34:30 jimmee postfix/smtpd[6823]: Anonymous TLS connection established from localhost[::1]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr 28 19:35:00 jimmee postfix/smtpd[6823]: warning: Illegal address syntax from localhost[::1] in RCPT command: <jim@192.168.1.117>
Apr 28 19:35:05 jimmee postfix/smtpd[6823]: lost connection after RSET from localhost[::1]
Apr 28 19:35:05 jimmee postfix/smtpd[6823]: disconnect from localhost[::1]
If you really want to see what's going on here, add localhost to debug_peer_list in your postfix config.
Accessing imaps with KMail, /var/log/mail shows:
Apr 28 19:53:25 jimmee postfix/smtpd[7419]: connect from unknown[192.168.1.117]
Apr 28 19:53:25 jimmee postfix/smtpd[7419]: setting up TLS connection from unknown[192.168.1.117]
Apr 28 19:53:25 jimmee postfix/smtpd[7419]: Anonymous TLS connection established from unknown[192.168.1.117]: TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)
Apr 28 19:53:25 jimmee postfix/smtpd[7419]: 9CD174044E: client=unknown[192.168.1.117]
Apr 28 19:53:25 jimmee postfix/cleanup[7429]: 9CD174044E: message-id=<4DBA0C04.20702@jjfiii.com>
Apr 28 19:53:25 jimmee postfix/qmgr[5634]: 9CD174044E: from=<jim@jjfiii.com>, size=1313, nrcpt=1 (queue active)
Apr 28 19:53:25 jimmee postfix/smtpd[7419]: disconnect from unknown[192.168.1.117]
Apr 28 19:53:25 jimmee postfix/lmtp[7431]: 9CD174044E: to=<mimi@[192.168.1.118]>, relay=jjfiii.com[/var/lib/imap/socket/lmtp], delay=0.29, delays=0.08/0.01/0.02/0.18, dsn=2.1.5, status=sent (250 2.1.5 Ok)
Apr 28 19:53:25 jimmee postfix/qmgr[5634]: 9CD174044E: removed
The TBird connection fails, the KMail one doesn't.
Thunderbird uses 'jim@192.168.1.117', which postfix doesn't like, kmail uses 'jim@192.168.1.117'.
--
Per Jessen, Zürich (11.9°C)
Per Jessen wrote:
Thunderbird uses 'jim@192.168.1.117', which postfix doesn't like, kmail uses 'jim@192.168.1.117'.
Uh, that should have been:
Thunderbird uses 'jim@192.168.1.117', which postfix doesn't like, kmail uses 'jim@jjfiii.com'.
--
Per Jessen, Zürich (12.1°C)
On 04/29/2011 12:29 PM, Per Jessen wrote:
Per Jessen wrote:
Thunderbird uses 'jim@192.168.1.117', which postfix doesn't like, kmail uses 'jim@192.168.1.117'. Uh, that should have been:
Thunderbird uses 'jim@192.168.1.117', which postfix doesn't like, kmail uses 'jim@jjfiii.com'.
Can you post the result of postconf -n ? That shows the actual configuration postfix uses. Also master.cf
Mihira.
On 04/29/2011 05:39 AM, Mihira Fernando wrote:
On 04/29/2011 12:29 PM, Per Jessen wrote:
Per Jessen wrote:
Thunderbird uses 'jim@192.168.1.117', which postfix doesn't like, kmail uses 'jim@192.168.1.117'. Uh, that should have been:
Thunderbird uses 'jim@192.168.1.117', which postfix doesn't like, kmail uses 'jim@jjfiii.com'.
Can you post the result of postconf -n ? That shows the actual configuration postfix uses.
Also master.cf
Mihira.
OK, postconf -n reports:
alias_maps = hash:/etc/aliases
biff = no
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter =
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
defer_transports =
delay_warning_time = 1h
disable_dns_lookups = no
disable_mime_output_conversion = no
html_directory = /usr/share/doc/packages/postfix-doc/html
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
message_size_limit = 0
message_strip_characters = \0
mydestination = jjfiii.com, mail.jjfiii.com, $myhostname, localhost.$mydomain
mydomain = jjfiii.com
myhostname = jjfiii.com
mynetworks_style = subnet
myorigin = jjfiii.com
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES
relay_domains = $mydestination, hash:/etc/postfix/relay
relayhost =
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix-doc/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_enforce_tls = no
smtp_sasl_auth_enable = no
smtp_use_tls = no
smtpd_client_restrictions =
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_tls_CApath = /etc/ssl/servercerts/CA/
smtpd_tls_cert_file = /etc/ssl/servercerts/server.pem
smtpd_tls_key_file = /etc/ssl/servercerts/serverkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
strict_8bitmime = yes
strict_rfc821_envelopes = no
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual
virtual_alias_maps = hash:/etc/postfix/virtual
Master.cf:
#
# Postfix master process configuration file.  For details on the format
# of the file, see the Postfix master(5) manual page.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#amavis   unix  -       -       n       -       4       smtp
#  -o smtp_data_done_timeout=1200
#  -o smtp_send_xforward_command=yes
#  -o disable_dns_lookups=yes
#  -o max_use=20
#submission inet n      -       n       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps    inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes
#  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission inet n      -       n       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
#Foll line "uncommented" by JJF on 2011-04-10
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
  -o fallback_relay=
#  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
#localhost:10025 inet n -       n       -       -       smtpd
#  -o content_filter=
#  -o smtpd_delay_reject=no
#  -o smtpd_client_restrictions=permit_mynetworks,reject
#  -o smtpd_helo_restrictions=
#  -o smtpd_sender_restrictions=
#  -o smtpd_recipient_restrictions=permit_mynetworks,reject
#  -o smtpd_data_restrictions=reject_unauth_pipelining
#  -o smtpd_end_of_data_restrictions=
#  -o smtpd_restriction_classes=
#  -o mynetworks=127.0.0.0/8
#  -o smtpd_error_sleep_time=0
#  -o smtpd_soft_error_limit=1001
#  -o smtpd_hard_error_limit=1000
#  -o smtpd_client_connection_count_limit=0
#  -o smtpd_client_connection_rate_limit=0
#  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings
#  -o local_header_rewrite_clients=
#  -o local_recipient_maps=
#  -o relay_recipient_maps=
scache    unix  -       -       n       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/usr/lib/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
# do not filter locally delivered mail when USE_AMAVIS=yes
# (don't set content_filter=vscan in main.cf)
#vscan    unix  -       n       n       -       10      pipe
#  user=vscan argv=/usr/sbin/amavis ${sender} ${recipient}
procmail  unix  -       n       n       -       -       pipe
  flags=R user=nobody argv=/usr/bin/procmail -t -m /etc/procmailrc ${sender} ${recipient}
retry     unix  -       -       n       -       -       error
proxywrite unix -       -       n       -       1       proxymap
Thanks,
Jim F
On 04/29/2011 06:35 PM, Jim Flanagan wrote:
On 04/29/2011 05:39 AM, Mihira Fernando wrote:
On 04/29/2011 12:29 PM, Per Jessen wrote:
Per Jessen wrote:
Thunderbird uses 'jim@192.168.1.117', which postfix doesn't like, kmail uses 'jim@192.168.1.117'. Uh, that should have been:
Thunderbird uses 'jim@192.168.1.117', which postfix doesn't like, kmail uses 'jim@jjfiii.com'.
Can you post the result of postconf -n ? That shows the actual configuration postfix uses.
Also master.cf
Mihira.
OK, postconf -n reports:
mydestination = jjfiii.com, mail.jjfiii.com, $myhostname, localhost.$mydomain
mydomain = jjfiii.com
myhostname = jjfiii.com
mynetworks_style = subnet
myorigin = jjfiii.com
[snip]
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_tls_CApath = /etc/ssl/servercerts/CA/
smtpd_tls_cert_file = /etc/ssl/servercerts/server.pem
smtpd_tls_key_file = /etc/ssl/servercerts/serverkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
strict_8bitmime = yes
strict_rfc821_envelopes = no
Are you using username@ip.address format for the envelope sender address or the authentication user name? If it's the sender address, then postfix doesn't care. If it's the authentication user name, then you have to see if cyrus sasl is accepting this form since postfix simply passes authentication over to cyrus and if cyrus says it's authentic, postfix allows relaying.
On the other hand if you are trying to receive mail for username@ip.address (recipient email address), then AFAIK, postfix will not accept mail as it only accepts for the list in the mydestination (and relay_domains, virtual_domains).
BTW, Is there any particular reason why you are using cyrus sasl with dovecot imap?
Mihira.
On 4/29/11 8:58 AM, Mihira Fernando wrote:
On 04/29/2011 06:35 PM, Jim Flanagan wrote:
On 04/29/2011 05:39 AM, Mihira Fernando wrote:
On 04/29/2011 12:29 PM, Per Jessen wrote:
Per Jessen wrote:
Thunderbird uses 'jim@192.168.1.117', which postfix doesn't like, kmail uses 'jim@192.168.1.117'. Uh, that should have been:
Thunderbird uses 'jim@192.168.1.117', which postfix doesn't like, kmail uses 'jim@jjfiii.com'.
Can you post the result of postconf -n ? That shows the actual configuration postfix uses.
Also master.cf
Mihira.
OK, postconf -n reports:
mydestination = jjfiii.com, mail.jjfiii.com, $myhostname, localhost.$mydomain
mydomain = jjfiii.com
myhostname = jjfiii.com
mynetworks_style = subnet
myorigin = jjfiii.com
[snip]
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_tls_CApath = /etc/ssl/servercerts/CA/
smtpd_tls_cert_file = /etc/ssl/servercerts/server.pem
smtpd_tls_key_file = /etc/ssl/servercerts/serverkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
strict_8bitmime = yes
strict_rfc821_envelopes = no
Are you using username@ip.address format for the envelope sender address or the authentication user name? If it's the sender address, then postfix doesn't care. If it's the authentication user name, then you have to see if cyrus sasl is accepting this form since postfix simply passes authentication over to cyrus and if cyrus says it's authentic, postfix allows relaying.
To authenticate I'm using only user name, with no @ip.address. For sender address I have username@hostname.site (not FQDN).
On the other hand if you are trying to receive mail for username@ip.address (recipient email address), then AFAIK, postfix will not accept mail as it only accepts for the list in the mydestination (and relay_domains, virtual_domains).
Postfix does accept emails from my old server using username@[ip.address] (again on the local lan). The problem is accessing them with either SSL or TLS enabled in the client. Accessing them with no security turned on is working fine.
BTW, is there any particular reason why you are using cyrus sasl with dovecot imap?
Mihira.

I don't intend to be using dovecot, but rather cyrus imap. Where do you see I'm using dovecot? Now that you mention it, postconf -c returns both cyrus and dovecot. I don't see where dovecot is nor is it installed AFAIK. This perhaps is the problem.
Jim F
On 04/29/2011 09:33 PM, Jim Flanagan wrote:
If it's the sender address, then postfix doesn't care. If it's the authentication user name, then you have to see if cyrus sasl is accepting this form since postfix simply passes authentication over to cyrus and if cyrus says it's authentic, postfix allows relaying. Are you using username@ip.address format for the envelope sender address or the authentication user name? To authenticate I'm using only user name, with no @ip.address. For sender address I have username@hostname.site (not FQDN).
If it is getting authenticated, then postfix doesn't care about the sender address. So, if it's getting rejected now, it means the session probably does not get authenticated.
On the other hand if you are trying to receive mail for username@ip.address (recipient email address), then AFAIK, postfix will not accept mail as it only accepts for the list in the mydestination (and relay_domains, virtual_domains).
Postfix does accept emails from my old server using username@[ip.address] (again on the local lan). The problem is accessing them with either SSL or TLS enabled in the client. Accessing them with no security turned on is working fine.
When you say accessing them with SSL or TLS, are you referring to the IMAP access? Because that's not a postfix issue.
BTW, is there any particular reason why you are using cyrus sasl with dovecot imap?
Mihira.

I don't intend to be using dovecot, but rather cyrus imap. Where do you see I'm using dovecot? Now that you mention it, postconf -c returns both cyrus and dovecot. I don't see where dovecot is nor is it installed AFAIK. This perhaps is the problem.
No, that's my bad. I mixed up someone else's reply with yours. Your config suggests it is using cyrus (default for postfix) for sasl. Mihira.
On 4/29/11 11:29 AM, Mihira Fernando wrote:
On 04/29/2011 09:33 PM, Jim Flanagan wrote:
If it's the sender address, then postfix doesn't care. If it's the authentication user name, then you have to see if cyrus sasl is accepting this form since postfix simply passes authentication over to cyrus and if cyrus says it's authentic, postfix allows relaying. Are you using username@ip.address format for the envelope sender address or the authentication user name? To authenticate I'm using only user name, with no @ip.address. For sender address I have username@hostname.site (not FQDN).
If it is getting authenticated, then postfix doesn't care about the sender address. So, if it's getting rejected now, it means the session probably does not get authenticated.
Mails are not being rejected, just can't access with Thunderbird mail client using imap with security turned on.
On the other hand if you are trying to receive mail for username@ip.address (recipient email address), then AFAIK, postfix will not accept mail as it only accepts for the list in the mydestination (and relay_domains, virtual_domains).
Postfix does accept emails from my old server using username@[ip.address] (again on the local lan). The problem is accessing them with either SSL or TLS enabled in the client. Accessing them with no security turned on is working fine.
When you say accessing them with SSL or TLS, are you referring to the IMAP access? Because that's not a postfix issue.
Yes, this seems to be an imap issue. Can't for the life of me figure out what is wrong.
BTW, is there any particular reason why you are using cyrus sasl with dovecot imap?
Mihira.

I don't intend to be using dovecot, but rather cyrus imap. Where do you see I'm using dovecot? Now that you mention it, postconf -c returns both cyrus and dovecot. I don't see where dovecot is nor is it installed AFAIK. This perhaps is the problem.
No, that's my bad. I mixed up someone else's reply with yours. Your config suggests it is using cyrus (default for postfix) for sasl.
No problem. Jim F
On 04/29/2011 10:16 PM, Jim Flanagan wrote:
Mails are not being rejected, just can't access with Thunderbird mail client using imap with security turned on.
Yes, this seems to be an imap issue. Can't for the life of me figure out what is wrong.
Oh, then no point in messing with postfix as it's not related. Haven't configured cyrus since 2005 so can't really remember the common pitfalls in cyrus imap now. Sorry. Mihira.
On 04/29/2011 01:59 AM, Per Jessen wrote:
Per Jessen wrote:
Thunderbird uses 'jim@192.168.1.117', which postfix doesn't like, kmail uses 'jim@192.168.1.117'. Uh, that should have been:
Thunderbird uses 'jim@192.168.1.117', which postfix doesn't like, kmail uses 'jim@jjfiii.com'.
Actually in Thunderbird I used jim@[192.168.1.117] which gets delivered over my lan to my main server. That does not work in Kmail, so I used jim@jjfiii.com. Those messages get sent from my new server to that old server. I reply back to both (in Thunderbird at old server) and both get delivered to the new server. I can read them both in Kmail using TLS, but not in Thunderbird using SSL/TLS and STARTTLS. Thunderbird will read them with no security enabled. Jim F
Jim Flanagan wrote:
On 04/29/2011 01:59 AM, Per Jessen wrote:
Per Jessen wrote:
Thunderbird uses 'jim@192.168.1.117', which postfix doesn't like, kmail uses 'jim@192.168.1.117'. Uh, that should have been:
Thunderbird uses 'jim@192.168.1.117', which postfix doesn't like, kmail uses 'jim@jjfiii.com'.
Actually in Thunderbird I used jim@[192.168.1.117] which gets delivered over my lan to my main server. That does not work in Kmail, so I used jim@jjfiii.com. Those messages get sent from my new server to that old server. I reply back to both (in Thunderbird at old server) and both get delivered to the new server. I can read them both in Kmail using TLS, but not in Thunderbird using SSL/TLS and STARTTLS. Thunderbird will read them with no security enabled.
Nonetheless, postfix seems to have an issue with that address-form. Did you try enabling the trace in postfix? -- Per Jessen, Zürich (15.4°C)
On 04/29/2011 08:25 AM, Per Jessen wrote:
Jim Flanagan wrote:
On 04/29/2011 01:59 AM, Per Jessen wrote:
Per Jessen wrote:
Thunderbird uses 'jim@192.168.1.117', which postfix doesn't like, kmail uses 'jim@192.168.1.117'. Uh, that should have been:
Thunderbird uses 'jim@192.168.1.117', which postfix doesn't like, kmail uses 'jim@jjfiii.com'.
Actually in Thunderbird I used jim@[192.168.1.117] which gets delivered over my lan to my main server. That does not work in Kmail, so I used jim@jjfiii.com. Those messages get sent from my new server to that old server. I reply back to both (in Thunderbird at old server) and both get delivered to the new server. I can read them both in Kmail using TLS, but not in Thunderbird using SSL/TLS and STARTTLS. Thunderbird will read them with no security enabled.
Nonetheless, postfix seems to have an issue with that address-form. Did you try enabling the trace in postfix?
Not yet. Will do and revert. Thanks.
On 04/29/2011 08:25 AM, Per Jessen wrote:
Jim Flanagan wrote:
On 04/29/2011 01:59 AM, Per Jessen wrote:
Per Jessen wrote:
Thunderbird uses 'jim@192.168.1.117', which postfix doesn't like, kmail uses 'jim@192.168.1.117'. Uh, that should have been:
Thunderbird uses 'jim@192.168.1.117', which postfix doesn't like, kmail uses 'jim@jjfiii.com'.
Actually in Thunderbird I used jim@[192.168.1.117] which gets delivered over my lan to my main server. That does not work in Kmail, so I used jim@jjfiii.com. Those messages get sent from my new server to that old server. I reply back to both (in Thunderbird at old server) and both get delivered to the new server. I can read them both in Kmail using TLS, but not in Thunderbird using SSL/TLS and STARTTLS. Thunderbird will read them with no security enabled.
Nonetheless, postfix seems to have an issue with that address-form. Did you try enabling the trace in postfix?
Ok, it seems imaps can't access my private key. This didn't show up in /var/log/mail, but /var/log/warn shows imaps unable to get my private key. I had its permissions set as 400 root root. Changing it temporarily to 444 resolves the issue. I know I can't leave my private key open like that. What is a good secure way to give imaps, or I suppose rather imapd, access to read the key? Many thanks, Jim F
On 04/30/2011 07:57 PM, Jim Flanagan wrote:
On 04/29/2011 08:25 AM, Per Jessen wrote:
Jim Flanagan wrote:
On 04/29/2011 01:59 AM, Per Jessen wrote:
Per Jessen wrote:
Thunderbird uses 'jim@192.168.1.117', which postfix doesn't like, kmail uses 'jim@192.168.1.117'. Uh, that should have been:
Thunderbird uses 'jim@192.168.1.117', which postfix doesn't like, kmail uses 'jim@jjfiii.com'.
Actually in Thunderbird I used jim@[192.168.1.117] which gets delivered over my lan to my main server. That does not work in Kmail, so I used jim@jjfiii.com. Those messages get sent from my new server to that old server. I reply back to both (in Thunderbird at old server) and both get delivered to the new server. I can read them both in Kmail using TLS, but not in Thunderbird using SSL/TLS and STARTTLS. Thunderbird will read them with no security enabled.
Nonetheless, postfix seems to have an issue with that address-form. Did you try enabling the trace in postfix?
Ok, it seems imaps can't access my private key. This didn't show up in /var/log/mail, but /var/log/warn shows imaps unable to get my private key.
I had its permissions set as 400 root root. Changing it temporarily to 444 resolves the issue. I know I can't leave my private key open like that. What is a good secure way to give imaps, or I suppose rather imapd, access to read the key?
Many thanks,
Jim F

Under what user name does the imapd daemon run? Set the private key to have read access for that user name as well.
Mihira.
On 04/30/2011 09:40 AM, Mihira Fernando wrote:
On 04/30/2011 07:57 PM, Jim Flanagan wrote:
On 04/29/2011 08:25 AM, Per Jessen wrote:
Jim Flanagan wrote:
On 04/29/2011 01:59 AM, Per Jessen wrote:
Per Jessen wrote:
Thunderbird uses 'jim@192.168.1.117', which postfix doesn't like, kmail uses 'jim@192.168.1.117'. Uh, that should have been:
Thunderbird uses 'jim@192.168.1.117', which postfix doesn't like, kmail uses 'jim@jjfiii.com'.
Actually in Thunderbird I used jim@[192.168.1.117] which gets delivered over my lan to my main server. That does not work in Kmail, so I used jim@jjfiii.com. Those messages get sent from my new server to that old server. I reply back to both (in Thunderbird at old server) and both get delivered to the new server. I can read them both in Kmail using TLS, but not in Thunderbird using SSL/TLS and STARTTLS. Thunderbird will read them with no security enabled.
Nonetheless, postfix seems to have an issue with that address-form. Did you try enabling the trace in postfix?
Ok, it seems imaps can't access my private key. This didn't show up in /var/log/mail, but /var/log/warn shows imaps unable to get my private key.
I had its permissions set as 400 root root. Changing it temporarily to 444 resolves the issue. I know I can't leave my private key open like that. What is a good secure way to give imaps, or I suppose rather imapd, access to read the key?
Many thanks,
Jim F

Under what user name does the imapd daemon run? Set the private key to have read access for that user name as well.
Mihira.

imapd runs under cyrus. I wasn't sure if it was considered safe to give read access for my private key to more than one user, i.e. root. How do I set the key to read access by 2 users or owners? I suppose I could set up a system user "imapd" and put it in the "mail" or "root" group?? I want to be secure here. Thanks, Jim F
On 4/30/11 9:40 AM, Mihira Fernando wrote:
Ok, it seems imaps can't access my private key. This didn't show up in /var/log/mail, but /var/log/warn shows imaps unable to get my private key.
I had its permissions set as 400 root root. Changing it temporarily to 444 resolves the issue. I know I can't leave my private key open like that. What is a good secure way to give imaps, or I suppose rather imapd, access to read the key?
Many thanks,
Jim F
Under what user name does the imapd daemon run? Set the private key to have read access for that user name as well.
Mihira.

OK, giving cyrus read access to the private key worked. I can access my imap folders with thunderbird using either STARTTLS or SSL/TLS. Thanks so much for the persistent help.
So to recap, getting postfix/cyrus imap to work with a CA signed certificate I:
1. put the signed cert and intermediate CA and CA into one file, top to bottom in that order. Used that as my servercert.pem file.
2. granted cyrus read access to the private key (as well as root).
Thanks to Mihira, David, Per, Sandy and Dominique for the good help. Jim F
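The two recap steps above, as an added example that is not part of the original thread: a small Python script that (1) assembles the server certificate file in the order the recap describes (signed cert first, then the intermediate, then the CA) while refusing inputs that do not hold exactly one certificate each, and (2) audits a private key's permissions for the pattern that answers Jim's "two readers" question: owned by root, mode 0440, group set to the daemon's group (here assumed to be `cyrus`), never world-readable. File paths and the sample PEM bodies are constructed for the example; nothing here is taken from the thread's server.

```python
"""Assemble a TLS chain file and audit private-key permissions.

Added example; not code from the original thread. Paths such as
/etc/ssl/servercerts/server.pem are only defaults borrowed from the thread,
and the daemon account (`cyrus`) is an assumption the caller can override.
"""
import os
import re
import stat

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed placeholder certificates (bodies are not real DER data).
SAMPLE_LEAF = "-----BEGIN CERTIFICATE-----\nLEAFBODY\n-----END CERTIFICATE-----"
SAMPLE_INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nSUBCABODY\n-----END CERTIFICATE-----"
SAMPLE_ROOT = "-----BEGIN CERTIFICATE-----\nROOTBODY\n-----END CERTIFICATE-----"


def pem_blocks(text):
    """Return every PEM certificate block found in text, in order."""
    return PEM_CERT.findall(text)


def build_chain(leaf_pem, *issuer_pems):
    """Concatenate leaf certificate, then issuers nearest-first (what the recap did).

    Each argument must contain exactly one certificate block, so passing the
    combined CA bundle where the leaf belongs is rejected instead of producing
    a chain that servers load but clients cannot verify.
    """
    chain = []
    for idx, pem in enumerate((leaf_pem,) + issuer_pems):
        blocks = pem_blocks(pem)
        if len(blocks) != 1:
            raise ValueError(f"input {idx} holds {len(blocks)} certificates, expected 1")
        chain.append(blocks[0])
    return "\n".join(chain) + "\n"


def audit_private_key(path, owner_uid=0, allowed_gid=None):
    """Return a list of findings for a private key file; an empty list means OK.

    Accepted pattern: owned by owner_uid (root in production), no bits for
    'other' (so 0444 is flagged), not group-writable, and group-readable only
    when the file's group is the one deliberately granted (allowed_gid),
    i.e. `chgrp cyrus serverkey.pem; chmod 0440 serverkey.pem`.
    """
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_uid != owner_uid:
        findings.append(f"owner uid is {st.st_uid}, expected {owner_uid}")
    if mode & stat.S_IRWXO:
        findings.append(f"mode {mode:04o} grants access to 'other'")
    if mode & stat.S_IWGRP:
        findings.append(f"mode {mode:04o} is group-writable")
    if mode & stat.S_IRGRP and st.st_gid != allowed_gid:
        findings.append(f"group-readable by gid {st.st_gid}, not the daemon's group")
    return findings


def demo():
    """Build the sample chain and report how many certificates it carries."""
    chain = build_chain(SAMPLE_LEAF, SAMPLE_INTERMEDIATE, SAMPLE_ROOT)
    return len(pem_blocks(chain))


if __name__ == "__main__":
    print(f"chain holds {demo()} certificates")
    key = "/etc/ssl/servercerts/serverkey.pem"  # assumed path from the thread
    if os.path.exists(key):
        for f in audit_private_key(key, owner_uid=0, allowed_gid=os.stat(key).st_gid):
            print("finding:", f)
```

On the real box the equivalent shell is `chgrp cyrus /etc/ssl/servercerts/serverkey.pem && chmod 0440 /etc/ssl/servercerts/serverkey.pem`; root still reads it as owner, the Cyrus daemon reads it through its group, and nobody else can. Run the audit after any package update that rewrites the file.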
On Thu, 2011-04-21 at 17:39 -0500, Jim Flanagan wrote:
Hi Guys,
I really could use some help here, I'm kind of stuck. Trying to get my SSL certs to work right with postfix/cyrus imap. I think I'm very close, but something is still not quite right.
I've got a signed SSL cert, but my email client does not recognize it as being signed by a trusted authority. There is a CA cert in my mail client from StartSSL so it should recognize the signed one on my server. Also, I'm getting ssl errors saying the ssl rx record too long. I've googled all over and find references to that, but nothing that helped my case.
I'm starting to think SSL is not set up or working properly here. Sending email via TLS works ok (except for not recognizing the cert as signed by trusted authority), but checking email via SSL does not work properly, and presents both errors as described above. I've mainly been using Thunderbird, but tried setting up Kmail to try another program. It auto-detected TLS as being offered by the server, but did not detect SSL as being offered. (Specifically, no security and TLS, with plain text passwords, but not SSL).
Perhaps I don't need SSL and can use TLS?? This defaults to port 143. Previously I used my firewall to limit plain text access to port 143, but I suppose I can force TLS on both smtp and imap?
I'd be happy to supply any setup info you might need, but I've done so much I don't want to clog up this email with everything.
I did question the StartSSL guys who advised to combine 2 files, their main CA and a Sub-CA, into one file. I did that but it didn't resolve anything. The CA and Sub-CA certs are in the same dir as my signed cert and private key. Private key is set to chmod 400 and everything else is 644.
Localhost is reporting as follows:

user@jimmee:~> telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 jjfiii.com ESMTP Postfix
ehlo localhost
250-jjfiii.com
250-PIPELINING
250-SIZE
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
The EHLO answer of your postfix looks ok with this respect. What you need to be aware of is that there are two different ways of having ssl encrypted traffic to your mail server.

For SMTP (sending mails):
There is either SMTP (port 25), which is plain text and what you normally do. Then there is SMTP/TLS, still listening on port 25. The server (postfix) knows the command STARTTLS, which will then go through the cert exchange if the client requests that.
SMTP/SSL => port 465 (IIRC). The entire traffic is encrypted and key negotiation is the first thing to happen.

Now, having MX records for the server more or less forces you to have port 25 open, as that is what most other SMTP servers will try to send a mail to you.

To get the config slightly easier, here is what I have configured on my postfix:
for 'incoming' mail to my mailbox: smtp on port 25. TLS optional (not every sending server knows about it and you probably do not want to enforce it). Relaying, of course, is not allowed.
for me sending mail, I use the same postfix, still on port 25. In order to relay, I need to login to the SMTP server (auth). The server OTOH refuses any kind of login if the channel is not encrypted. Thus my mail client (evolution) is configured to use SMTP/TLS with authentication for sending mail, ensuring that all passwords sent to the server are encrypted.

If it helps, I can try to extract the interesting bits from my postfix config (the entire auth goes against ldap).

For IMAP, it's about the same:
IMAP on port 143 (plain text.. password is minimally encrypted on IMAP, unlike POP3 for example..)
IMAP/TLS, on port 143. Initiates a connection in plain text, but before logging in initiates a TLS handshake and starts encrypting from there on.
IMAP/SSL, on port 993. SSL handshake as first action.

Also, here, I use courier-imap using IMAP/TLS. The most interesting part from my imapd config is:

IMAPDSTART=YES
IMAPDSTARTTLS=YES
TLS_STARTTLS_PROTOCOL=SSL3
TLS_CERTFILE=/usr/share/courier-imap/imapd.pem
TLS_VERIFYPEER=NONE
TLS_CACHEFILE=/var/run/couriersslcache
TLS_CACHESIZE=524288
IMAP_TLS_REQUIRED=1
IMAP_TLS=1

Hope this gets you on the right track, Dominique
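The STARTTLS-versus-implicit-TLS distinction Dominique draws above is also where the "ssl rx record too long" message in the original post usually comes from. A client configured for SSL/TLS (implicit TLS, the port 993/465 style) expects the server's very first bytes to be a TLS record; if the port actually speaks plaintext first (143 or 25, where the greeting comes before STARTTLS), the client parses the banner text as a five-byte TLS record header, and the two bytes it reads as the record length come out far larger than any legal TLS record (2^14 + 2048 bytes, RFC 5246 section 6.2.3). The script below, an added example and not part of the thread, makes that arithmetic visible on constructed sample greetings and tells you which client mode matches what the server sent; the greetings are made up and are not captures from the thread's server, and the exact text of each client's error message is not claimed here.

```python
"""Tell a TLS record apart from a plaintext mail-server greeting.

Added example, not from the original thread. Sample greetings are
constructed. The TLS record limit comes from RFC 5246 section 6.2.3.
"""

MAX_TLS_RECORD = 2 ** 14 + 2048  # largest TLSCiphertext.length a client accepts
TLS_CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}

# Constructed samples: the first bytes a client would read on each kind of port.
SAMPLES = {
    "imap_plain_143": b"* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] server ready\r\n",
    "smtp_plain_25": b"220 jjfiii.com ESMTP Postfix\r\n",
    # Start of a handshake record (TLS 1.0 framing, 74-byte body) as sent on
    # an implicit-TLS port such as 993 or 465.
    "imaps_993": bytes([0x16, 0x03, 0x01, 0x00, 0x4A]) + b"\x02\x00\x00\x46\x03\x01",
}


def parse_record_header(first_bytes):
    """Read the first five bytes as a TLS record header: (type, (major, minor), length)."""
    if len(first_bytes) < 5:
        raise ValueError("need at least 5 bytes")
    ctype = first_bytes[0]
    version = (first_bytes[1], first_bytes[2])
    length = (first_bytes[3] << 8) | first_bytes[4]
    return ctype, version, length


def classify(first_bytes):
    """Return ("tls", detail) for a plausible TLS record, else ("plaintext", detail).

    For plaintext the detail includes what a TLS client would have made of the
    bytes: either an impossible record length ("record too long") or a header
    whose content type / version are simply not TLS.
    """
    ctype, version, length = parse_record_header(first_bytes)
    if ctype in TLS_CONTENT_TYPES and version[0] == 3 and length <= MAX_TLS_RECORD:
        return "tls", f"{TLS_CONTENT_TYPES[ctype]} record, version 3.{version[1]}, {length} bytes"
    banner = first_bytes.split(b"\r\n", 1)[0].decode("ascii", "replace")
    if length > MAX_TLS_RECORD:
        why = f"parsed length {length} > {MAX_TLS_RECORD}: client reports 'record too long'"
    else:
        why = f"content type {ctype} / version {version} is not TLS: client rejects the record"
    return "plaintext", f"banner {banner!r}; {why}"


def client_mode_for(first_bytes):
    """Which client security setting matches what the server sent first."""
    kind, _ = classify(first_bytes)
    if kind == "tls":
        return "SSL/TLS (implicit TLS, e.g. port 993 or 465)"
    if first_bytes.startswith(b"* OK") or first_bytes.startswith(b"220"):
        return "STARTTLS (plaintext greeting first, then upgrade, e.g. port 143 or 25)"
    return "unknown"


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        kind, detail = classify(data)
        print(f"{name}: {kind}; {detail}; use {client_mode_for(data)}")
```

To see which of the two a live server actually speaks, `openssl s_client -connect host:993` should print a certificate chain immediately, while `openssl s_client -starttls imap -connect host:143` (or `-starttls smtp` on port 25) shows the plaintext greeting and then upgrades; if the first command prints the greeting as garbage or errors out, the port is plaintext and the client must be set to STARTTLS. The "refuses any kind of login if the channel is not encrypted" behaviour Dominique describes is, in Postfix, `smtpd_tls_auth_only = yes`.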
On 04/21/2011 05:39 PM, Jim Flanagan wrote:
As I said I think I'm very close to having this set up right. Something I'm missing. Not sure what.
Jim, if you get to the point that cyrus isn't working ... just load dovecot. It is simple to configure and setup for imaps. IIRC, the suse dovecot package contains a script to generate the ssl certs (mkcert.sh). Just edit the dovecot-openssl.cnf file in /usr/share/doc/packages/dovecot to fit your needs and run the mkcert.sh script to install the dovecot.pem certs in /etc/ssl/{certs,private} dirs and you're done.

The entire dovecot.conf for imaps (dovecot-2) will look something similar to this:

mail_location = mbox:~/Mail:INBOX=/var/spool/mail/%u
passdb {
  driver = pam
}
protocols = imap
service auth {
  user = root
}
service imap-login {
  inet_listener imap {
    port = 0
  }
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
  driver = passwd
}
protocol lda {
  postmaster_address = postmaster@3111skyline.com
}

-- David C. Rankin, J.D.,P.E.
On 04/25/2011 09:37 PM, David C. Rankin wrote:
On 04/21/2011 05:39 PM, Jim Flanagan wrote:
As I said I think I'm very close to having this set up right. Something I'm missing. Not sure what.
Jim,
If you get to the point that cyrus isn't working ... just load dovecot. It is simple to configure and setup for imaps. IIRC, the suse dovecot package contains a script to generate the ssl certs (mkcert.sh). Just edit the dovecot-openssl.cnf file in /usr/share/doc/packages/dovecot to fit your needs and run the mkcert.sh script to install the dovecot.pem certs in /etc/ssl/{certs,private} dirs and you're done.
The entire dovecot.conf for imaps (dovecot-2) will look something similar to this:

mail_location = mbox:~/Mail:INBOX=/var/spool/mail/%u
passdb {
  driver = pam
}
protocols = imap
service auth {
  user = root
}
service imap-login {
  inet_listener imap {
    port = 0
  }
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
  driver = passwd
}
protocol lda {
  postmaster_address = postmaster@3111skyline.com
}
Thanks David. This has been giving me fits, and I may switch over, but I'm not ready to do that just yet. I do have Cyrus imap running on my old server and it has been rock solid. I have a cert on that but it's not even signed by me. What I'm trying to do this time is to have a cert that is signed by an authority that is recognized by most browsers so the cert errors don't flag up on new clients. And one that's free, as in beer. Which I need at this point! :) Sounds simple, but apparently not for me. Still working it. Will try to document all this if and when I get it done. Many thanks, Jim F
participants (6): David C. Rankin, Dimstar / Dominique Leuenberger, Jim Flanagan, Mihira Fernando, Per Jessen, Sandy Drobic