Postfix not starting STARTTLS automatically



Hello,

I had a problem a little earlier regarding a Postfix configuration problem regarding securing SMTP services. I have done a little work since then and believe I have the problem nailed down. It seems as though STARTTLS isn't automatically being run.

For example, if I just try using openssl to connect to port 465 on my machine:

cemcmac02:~ jdunnett$ openssl s_client -connect cemc.math.uwaterloo.ca:465
CONNECTED(00000003)
3810:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:


cemcmac02:~ jdunnett$ openssl s_client -starttls smtp -connect cemc.math.uwaterloo.ca:465
CONNECTED(00000003)
depth=1 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=email@hidden
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=CA/ST=Ontario/L=Waterloo Region/O=The University of Waterloo/CN=cemc.math.uwaterloo.ca
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=email@hidden
1 s:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=email@hidden
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=email@hidden
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/C=CA/ST=Ontario/L=Waterloo Region/O=The University of Waterloo/CN=cemc.math.uwaterloo.ca
issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=email@hidden
---
No client certificate CA names sent
---
SSL handshake has read 2346 bytes and written 332 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: BF897797677F7AFF942BA23ED89BF0156E397724BA9CAE6F57C081EB58187EE7
Session-ID-ctx:
Master-Key: 251AF373A7FB99918C79965BA09CA1704ACDAE2944D1162E1C9C62076B3299401DBCE0A5E7C1BE6D5DC9008079185752
Key-Arg : None
Start Time: 1175179428
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
220 cemc.math.uwaterloo.ca ESMTP Postfix (2.1.5)


The configuration file looks like this:

smtpd_tls_key_file = /etc/certificates/cemc.math.uwaterloo.ca.key
myhostname = cemc.math.uwaterloo.ca
mailbox_transport = cyrus
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
luser_relay =
enable_server_options = yes
smtpd_tls_common_name = cemc.math.uwaterloo.ca
smtpd_enforce_tls = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_sasl_auth_enable = yes
smtpd_use_pw_server = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit
smtpd_pw_server_security_options = cram-md5
smtpd_tls_cert_file = /etc/certificates/cemc.math.uwaterloo.ca.crt
message_size_limit = 20971520
mydomain = math.uwaterloo.ca
content_filter = smtp-amavis:[127.0.0.1]:10024
mynetworks = 127.0.0.1/32,129.97.140.1/24
mydestination = $myhostname,localhost.$mydomain,localhost,cemc.math.uwaterloo.ca,cemc.uwaterloo.ca
smtpd_tls_CAfile = /etc/certificates/cemc.math.uwaterloo.ca.chcrt
smtpd_client_restrictions = hash:/etc/postfix/smtpdreject
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
virus_db_last_update = 2005-03-20 18:28:14 -0600
server_enabled = 1



I can't see where my configuration might be wrong. Can anyone see anything?


Regards,
Jeff
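Editor's note with an added example (not part of the original mail or of Apple's or Postfix's own code). The two openssl runs above already localise the problem: a plain `s_client -connect` to port 465 fails with "unknown protocol" because the server volunteers a plaintext `220` banner where a TLS ServerHello was expected, while `-starttls smtp` succeeds. That is the behaviour of an ordinary `smtpd` service offering STARTTLS, not of an implicit-TLS (SMTPS) listener. In Postfix, implicit TLS on 465 is not controlled by any of the quoted main.cf settings (`smtpd_use_tls`, `smtpd_enforce_tls`, `smtpd_tls_auth_only`); it is a per-service override, `-o smtpd_tls_wrappermode=yes`, on the `smtps` entry in master.cf. The poster's master.cf is not shown, so the excerpts below are constructed assumptions. The script parses a master.cf excerpt, flags any smtpd service on the SMTPS port whose effective `smtpd_tls_wrappermode` is not `yes`, and classifies a listener's unsolicited greeting the way the openssl error does:

```python
import re

# Constructed master.cf excerpt (an ASSUMPTION about what the poster's file
# might contain; the mail quotes only main.cf).  The smtps service exists but
# lacks the wrapper-mode override, so port 465 greets in plaintext and offers
# STARTTLS, exactly what the openssl output in the mail shows.
MASTER_CF_BEFORE = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
submission inet n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes
"""

# Same excerpt with the standard Postfix override that makes the smtps
# service speak TLS from the first byte (implicit TLS / SMTPS on 465).
MASTER_CF_AFTER = """\
smtp      inet  n       -       n       -       -       smtpd
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
submission inet n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes
"""

# TLS-related lines copied from the main.cf quoted in the mail; none of them
# sets smtpd_tls_wrappermode, so main.cf alone cannot explain the symptom.
MAIN_CF = """\
smtpd_use_tls = yes
smtpd_enforce_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 0
"""

OPT_RE = re.compile(r"-o\s+([A-Za-z0-9_]+)=(\S*)")


def parse_master_cf(text):
    """Parse master.cf into dicts with name, type, command and '-o' overrides.
    A line starting with whitespace continues the previous service entry;
    blank lines and '#' comment lines are ignored."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if not services:
                raise ValueError("continuation line before any service entry")
            for key, value in OPT_RE.findall(raw):
                services[-1]["options"][key] = value
            continue
        fields = raw.split()
        if len(fields) < 8:
            raise ValueError(f"malformed service line: {raw!r}")
        svc = {"name": fields[0], "type": fields[1], "command": fields[7], "options": {}}
        # '-o key=value' overrides may also follow the command on the same line
        for key, value in OPT_RE.findall(" ".join(fields[8:])):
            svc["options"][key] = value
        services.append(svc)
    return services


def main_cf_value(text, key, default=""):
    """Return the value of a main.cf parameter (first match), or default."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        k, v = line.split("=", 1)
        if k.strip() == key:
            return v.strip()
    return default


def smtps_services_without_wrappermode(master_text, main_text=""):
    """Names of inet smtpd services bound to the SMTPS port (service name
    'smtps' or port 465, optionally host-qualified) whose effective
    smtpd_tls_wrappermode is not 'yes'.  A service inherits the main.cf
    value unless it carries its own '-o smtpd_tls_wrappermode=' override."""
    global_mode = main_cf_value(main_text, "smtpd_tls_wrappermode", "no")
    flagged = []
    for svc in parse_master_cf(master_text):
        if svc["type"] != "inet" or svc["command"] != "smtpd":
            continue
        port = svc["name"].rsplit(":", 1)[-1]
        if port not in ("smtps", "465"):
            continue
        mode = svc["options"].get("smtpd_tls_wrappermode", global_mode)
        if mode.lower() != "yes":
            flagged.append(svc["name"])
    return flagged


def classify_server_greeting(first_bytes):
    """Classify a listener from the bytes it sends before the client speaks.
    A wrapper-mode listener is silent until it gets a ClientHello; a plaintext
    SMTP listener volunteers a '220 ' banner, which is what openssl s_client
    reports as 'unknown protocol' when it expected a TLS ServerHello."""
    if not first_bytes:
        return "silent (consistent with implicit TLS / wrapper mode)"
    if first_bytes.startswith(b"220"):
        return "plaintext SMTP banner (STARTTLS-style listener, not implicit TLS)"
    return "unknown"


if __name__ == "__main__":
    print("before:", smtps_services_without_wrappermode(MASTER_CF_BEFORE, MAIN_CF))
    print("after: ", smtps_services_without_wrappermode(MASTER_CF_AFTER, MAIN_CF))
    print(classify_server_greeting(b"220 cemc.math.uwaterloo.ca ESMTP Postfix (2.1.5)\r\n"))
```

Run it against a real master.cf by passing the file contents to `smtps_services_without_wrappermode`; an empty result means every SMTPS listener has wrapper mode on. Two caveats worth keeping separate from the wrapper-mode question: `smtpd_tls_auth_only = yes` together with `smtpd_enforce_tls = yes` already forces clients to negotiate TLS before AUTH on the STARTTLS ports, so plaintext credentials are not the exposure here, and the `verify error:num=19` in the transcript only says that openssl s_client was run without a trust store containing the Thawte root (`-CAfile`), not that the server certificate itself is wrong.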



Macos-x-server mailing list      (email@hidden)