Postfix - smtps port 465

no-no
2013-02-19
  • no-no

    no-no - 2013-02-19

    Hello,

    I've just set up my first postfix server on Ubuntu 8.04. I have a web application that'll be sending mail through it; the web app seems to only send using SSL or TLS.

    So, I've edited the master.cf file and postfix is open on 465. I can telnet into postfix and send OK from the box the app is running on. The web app's IP address is in the mynetworks list in main.cf.

    However when I run the app and try to send I get the following in maillog :

    Feb 18 17:48:10 green postfix/smtpd[31483]: connect from unknown[192.168.1.80]
    Feb 18 17:48:10 green postfix/smtpd[31483]: lost connection after UNKNOWN from unknown[192.168.1.80]
    Feb 18 17:48:10 green postfix/smtpd[31483]: disconnect from unknown[192.168.1.80]
    Feb 18 17:48:10 green postfix/smtpd[31483]: connect from unknown[192.168.1.80]
    Feb 18 17:48:10 green postfix/smtpd[31483]: lost connection after UNKNOWN from unknown[192.168.1.80]
    Feb 18 17:48:10 green postfix/smtpd[31483]: disconnect from unknown[192.168.1.80]
    Feb 18 17:48:10 green postfix/smtpd[31483]: connect from unknown[192.168.1.80]
    Feb 18 17:48:10 green postfix/smtpd[31483]: lost connection after UNKNOWN from unknown[192.168.1.80]

    My guess is that the app isn't adhering to smtp and the connection is being dropped.

    Are there any other log files where I can see the smtp exchange between the server and app?
    I noticed that when I telnet in on port 465 I don't need to authenticate. I haven't set up any certificates either, so perhaps I haven't set up smtps correctly in the first place. I'm surprised I can send at all, tbh.

    here's my main.cf :

    # See /usr/share/postfix/main.cf.dist for a commented, more complete version

    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname

    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no

    # appending .domain is the MUA's job.
    append_dot_mydomain = no

    # Uncomment the next line to generate "delayed mail" warnings
    delay_warning_time = 4h

    readme_directory = no

    # TLS parameters
    smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
    smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
    smtpd_use_tls=yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.

    myhostname = green
    mydomain = mail.hgluk.net
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination = green, localhost.localdomain, localhost
    mynetworks = 192.168.1.99,192.168.1.80
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    recipient_delimiter = +

    and my master.cf :

    # Postfix master process configuration file.  For details on the format
    # of the file, see the master(5) manual page (command: "man 5 master").
    #
    # Do not forget to execute "postfix reload" after editing this file.
    #
    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    # ==========================================================================
    smtp       inet  n       -       -       -       -       smtpd
    submission inet  n       -       -       -       -       smtpd
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING
    smtps      inet  n       -       -       -       -       smtpd
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING
    #628       inet  n       -       -       -       -       qmqpd
    pickup     fifo  n       -       -       60      1       pickup
    cleanup    unix  n       -       -       -       0       cleanup
    qmgr       fifo  n       -       n       300     1       qmgr
    #qmgr      fifo  n       -       -       300     1       oqmgr
    tlsmgr     unix  -       -       -       1000?   1       tlsmgr
    rewrite    unix  -       -       -       -       -       trivial-rewrite
    bounce     unix  -       -       -       -       0       bounce
    defer      unix  -       -       -       -       0       bounce
    trace      unix  -       -       -       -       0       bounce
    verify     unix  -       -       -       -       1       verify
    flush      unix  n       -       -       1000?   0       flush
    proxymap   unix  -       -       n       -       -       proxymap
    proxywrite unix  -       -       n       -       1       proxymap
    smtp       unix  -       -       -       -       -       smtp
    # When relaying mail as backup MX, disable fallback_relay to avoid MX loops
    relay      unix  -       -       -       -       -       smtp
      -o smtp_fallback_relay=
    #  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
    showq      unix  n       -       -       -       -       showq
    error      unix  -       -       -       -       -       error
    retry      unix  -       -       -       -       -       error
    discard    unix  -       -       -       -       -       discard
    local      unix  -       n       n       -       -       local
    virtual    unix  -       n       n       -       -       virtual
    lmtp       unix  -       -       -       -       -       lmtp
    anvil      unix  -       -       -       -       1       anvil
    scache     unix  -       -       -       -       1       scache
    #
    # ====================================================================
    # Interfaces to non-Postfix software. Be sure to examine the manual
    # pages of the non-Postfix software to find out what options it wants.
    #
    # Many of the following services use the Postfix pipe(8) delivery
    # agent.  See the pipe(8) man page for information about ${recipient}
    # and other message envelope options.
    # ====================================================================
    #
    # maildrop. See the Postfix MAILDROP_README file for details.
    # Also specify in main.cf: maildrop_destination_recipient_limit=1
    #
    maildrop   unix  -       n       n       -       -       pipe
      flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
    #
    # See the Postfix UUCP_README file for configuration details.
    #
    uucp       unix  -       n       n       -       -       pipe
      flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    #
    # Other external delivery methods.
    #
    ifmail     unix  -       n       n       -       -       pipe
      flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp      unix  -       n       n       -       -       pipe
      flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
    scalemail-backend unix - n       n       -       2       pipe
      flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
    mailman    unix  -       n       n       -       -       pipe
      flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
      ${nexthop} ${user}

     
    Last edit: no-no 2013-02-19
    • Simon Hobson

      Simon Hobson - 2013-02-19

      For debugging a connection, see the debug_peer_level and debug_peer_list options for main.cf. The higher the debug level, the more detail you'll get.

       
    • Charles

      Charles - 2013-02-19

      Hello,

      1. Please do NOT send HTML garbage to the list, it makes it HARDER to
        help you, not easier.

      2. Send only postconf -n output

      3. Send master.cf contents (if needed) without comments

      4. None of your questions have anything whatsoever to do with
        postfixadmin, they only have to do with postfix.

      There are certainly people here who can and are willing to help you with
      postfix questions, but the best place to get help with postfix is the
      postfix list... BUT... you will not get any help there unless/until you
      learn how to pose questions on email lists, and copy/paste required
      information for troubleshooting problems. They are very strict about how
      you ask your questions, and are not very forgiving when you fail.

      No offense, but your email was a total mess, and impossible to utilize
      for troubleshooting purposes...

      Now...

      On 2013-02-19 5:28 AM, no-no no-no@users.sf.net wrote:

      > I've just setup my first postfix server on ubuntu 8.04. I have a web
      > applications that'll be sending mail through it, the web app seems to
      > only send using ssl or tls.

      It will use what you (or whoever is responsible for configuring it) tell
      it to use.

      > So, I've edited the master.cf file and postfix is open on 465.

      Why port 465? It is long since deprecated. Use the submission port (587)
      unless you absolutely must support legacy clients that can't use port
      465 (are there still any in use?)...

      > I noticed that when I telnet in on port 465 I don't need to
      > authenticate, I haven't setup and certificates either so perhaps I
      > haven't setup smtps correctly in the first place.

      You need to go back to square one. Yes, encrypted connections require a
      working SSL and properly prepared certs.

      But you can use any port to do anything, so, it is very easy to shoot
      yourself in the foot.

      Like I said, go back to square one.

      > here's my main.cf :

      Like I said above, only output of postconf -n has any meaning.

      > and my master.cf :

      More totally broken/meaningless copy/paste.

      The comments are not showing as comments (where are the hashes?), and
      everything is jumbled. How is anyone supposed to read this?

      Sorry, I don't mean to be harsh, but you have a lot to learn before you
      are even going to be able to ask for help and get meaningful responses.
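
A small checker for the master.cf / main.cf mismatches discussed in this thread, written in Python. This is an added example, not code from the thread, from postfixadmin or from Postfix itself. It parses master.cf service entries (a service line followed by indented "-o key=value" continuations) and main.cf "key = value" lines, then flags: a 465 listener without smtpd_tls_wrappermode=yes (Postfix then reads the client's TLS ClientHello as an SMTP command and logs "lost connection after UNKNOWN"); TLS enabled on a listener with no cert/key in main.cf; the self-signed snakeoil placeholder certificate; and mynetworks hosts that a listener's restrictions reject unless they authenticate. The three sample configs inside it are constructed, modelled on the files posted above; the "broken" master.cf deliberately leaves wrapper mode off the smtps entry, which is an assumed explanation for the log lines in the original post, not something the thread confirms.

```python
"""Checker for the master.cf / main.cf mismatches discussed in the thread.
Added example, not from the thread or from Postfix; samples are constructed."""
import re
from dataclasses import dataclass, field


@dataclass
class Service:
    name: str                                     # first column (smtp, smtps, ...)
    kind: str                                     # inet / unix / fifo
    command: str                                  # smtpd, smtp, pipe, ...
    options: dict = field(default_factory=dict)   # from "-o key=value" lines


def parse_master_cf(text):
    """Parse service entries; indented '-o key=value' lines attach to the
    preceding service (several -o pairs may share one line)."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":                       # continuation line
            if services:
                for key, val in re.findall(r"-o\s+([^=\s]+)=(\S*)", raw):
                    services[-1].options[key] = val
            continue
        cols = raw.split()                        # name type priv unpriv chroot wakeup maxproc cmd
        if len(cols) >= 8:
            services.append(Service(cols[0], cols[1], cols[7]))
    return services


def parse_main_cf(text):
    """Parse 'key = value' lines; comments, blanks and continuations are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line and raw[0] not in " \t":
            key, _, val = line.partition("=")
            conf[key.strip()] = val.strip()
    return conf


def check(master_text, main_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    conf = parse_main_cf(main_text)
    cert = conf.get("smtpd_tls_cert_file", "")
    key = conf.get("smtpd_tls_key_file", "")
    if "snakeoil" in cert:
        findings.append("main.cf: smtpd_tls_cert_file is the self-signed snakeoil "
                        "placeholder; clients that verify the certificate will refuse it")
    nets = conf.get("mynetworks", "").replace(",", " ").split()
    for s in parse_master_cf(master_text):
        if s.kind != "inet" or s.command != "smtpd":
            continue                              # only inbound SMTP listeners matter here
        o = s.options
        wrapper = o.get("smtpd_tls_wrappermode") == "yes"
        starttls = o.get("smtpd_tls_security_level",
                         conf.get("smtpd_tls_security_level", "")) in ("may", "encrypt")
        if s.name in ("smtps", "465") and not wrapper:
            findings.append(f"{s.name}: listener on 465 without smtpd_tls_wrappermode=yes; "
                            "a client's TLS ClientHello is read as an SMTP command and "
                            "Postfix logs 'lost connection after UNKNOWN'")
        if (wrapper or starttls) and not (cert and key):
            findings.append(f"{s.name}: TLS enabled but smtpd_tls_cert_file/"
                            "smtpd_tls_key_file are not set in main.cf")
        restr = o.get("smtpd_client_restrictions", conf.get("smtpd_client_restrictions", ""))
        terms = [t.strip() for t in restr.split(",") if t.strip()]
        if nets and "reject" in terms and "permit_mynetworks" not in terms:
            findings.append(f"{s.name}: hosts in mynetworks ({', '.join(nets)}) are "
                            f"rejected by '{restr}' unless they authenticate")
    return findings


BROKEN_MASTER_CF = """\
# constructed sample (not the posted file): the smtps entry lacks wrapper mode
smtp       inet  n  -  -  -  -  smtpd
submission inet  n  -  -  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps      inet  n  -  -  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
relay      unix  -  -  -  -  -  smtp
  -o smtp_fallback_relay= -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
"""

FIXED_MASTER_CF = """\
# constructed sample: implicit TLS on 465, and mynetworks hosts allowed to relay
smtp       inet  n  -  -  -  -  smtpd
smtps      inet  n  -  -  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
"""

MAIN_CF = """\
# constructed sample; values copied from the main.cf posted in the thread
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
mynetworks = 192.168.1.99,192.168.1.80
"""

if __name__ == "__main__":
    for label, master in (("broken", BROKEN_MASTER_CF), ("fixed", FIXED_MASTER_CF)):
        print(f"--- {label} master.cf ---")
        for finding in check(master, MAIN_CF):
            print(" *", finding)
```

Run against the "broken" sample it reports four findings (the snakeoil certificate, the smtps listener without wrapper mode, and the two listeners whose permit_sasl_authenticated,reject restriction turns away the mynetworks hosts); against the "fixed" sample only the snakeoil certificate remains, which is the one item a config linter cannot repair for you. It deliberately does not try to reproduce postconf -n, which needs the compiled-in defaults and is the output Charles asks for above.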

       
  • Simon Hobson

    Simon Hobson - 2013-02-19

    Charles, while what you say is correct, I think you are being unnecessarily harsh.

    It would be more productive if, instead of just shouting about what's wrong, you also gave hints as to how the issues can be addressed. If no-no is new here, he probably hasn't figured out just how much these forums mangle text - and how to avoid that. It took me a while - and I see it's completely changed now (and not for the better IMO).

    no-no, the trick is to wrap your configs in the right incantations to avoid it getting interpreted. See the Formatting Help button above the text entry box - and look for the entries on Preformatted Text or Code.

     
    • Charles

      Charles - 2013-02-19

      On 2013-02-19 10:09 AM, Simon Hobson simonhobson@users.sf.net wrote:

      > Charles, while what you say is correct, I think you are being
      > unnecessarily harsh.
      >
      > It would be more productive if, instead of just shouting about what's
      > wrong, you also gave hints as to how the issues can be addressed. If
      > no-no is new here, he probably hasn't figured out just how much these
      > forums mangle text - and how to avoid that. It took me a while - and I
      > see it's completely changed now (and not for the better IMO).

      Sorry... I didn't even realize that the forums had switched to an email
      capable based list (it used to always have a link at the top to 'where
      to go to read/respond'...

      > no-no, the trick is to wrap your configs in the right incantations to
      > avoid it getting interpreted. See the Formatting Help button above the
      > text entry box - and look for the entries on Preformatted Text or Code.

      But he would still have all of the other serious problems... failure to
      use postconf -n output, failure to understand that he needs certs with
      encrypted connections, etc, all suggest someone who is in way over his
      head and has needs far beyond the scope of a support forum like this one...

       
