Certificate on port 25 when trying to secure SMTP with POSTFIX

Solution 1

Well, it looks like you are confusing smtpd with smtp. These two beasts have different purposes in Postfix terms. smtpd is the SMTP server used for receiving email; it binds to a specific port (for example 25, 587, 465). smtp is the SMTP client used for sending email; it connects to an SMTP server's port.

Another confusion here is about STARTTLS, SMTPS and unencrypted email. By default Postfix will send and receive email without encryption. For encryption, SMTP has two schemes: STARTTLS and SMTPS. With STARTTLS, the client initiates the connection in unencrypted form and upgrades it to an encrypted one later. SMTPS for SMTP is like HTTPS for HTTP: unlike STARTTLS, the client initiates the connection with a TLS negotiation and then starts the SMTP chit-chat on top of TLS. Usually smtpd with STARTTLS capability listens on port 587, and SMTPS on port 465. For another reference, see this SO question: What is the difference between ports 465 and 587?

Now, we will talk about Postfix. By default, each process in Postfix gets its configuration from main.cf (you can view the changes via postconf -n as above). Of course you can override this per Postfix service via master.cf, as you do for the three smtpd processes on different ports. In this case you want to override the options so that

  • port 25 (smtp) shouldn't give you a certificate warning and shouldn't offer STARTTLS
  • port 587 (submission) should offer STARTTLS and give you a certificate warning
  • port 465 (smtps) should talk SMTPS and give you a certificate warning

To turn off the certificate warning on port 25, just specify smtpd_tls_security_level = none like

smtp      inet  n       -       -       -       -       smtpd
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=no
  -o smtpd_tls_security_level=none

You can notice that I replaced the smtp_ parameters with smtpd_. See the official documentation about smtpd_tls_security_level.

To enable SMTPS on port 465, use the parameter smtpd_tls_wrappermode = yes. Your config above looks OK.

Now, because we need STARTTLS (not SMTPS) on port 587, you don't need to specify smtpd_tls_wrappermode = yes in the submission service. Remove it.

The error that you get when connecting to port 587 is caused by this smtpd_tls_wrappermode parameter. Postfix expects you to talk encrypted traffic and you send the command in plain text.
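As an added illustration (not part of either answer, and not Postfix code), the script below does mechanically what this answer does by eye: it parses the poster's master.cf, resolves each smtpd service's effective TLS settings against the main.cf values from postconf -n (a per-service `-o` override wins, otherwise main.cf applies, and an unset `smtpd_tls_wrappermode` falls back to the Postfix default `no`), and reports the three problems discussed here: `smtp_` client parameters on an smtpd listener, wrapper mode on the submission service, and port 25 still inheriting `may` and therefore still offering STARTTLS. Both master.cf fragments are constructed from the question and the answers, trimmed to the parameters that matter. One caveat a practitioner should weigh before copying the port-25 fix: `smtpd_tls_security_level=none` on port 25 also stops other mail servers from using STARTTLS when they deliver to you; keeping `may` there and pointing the mail client at 587 or 465 avoids that, at the cost of the warning the poster asked about.

```python
"""Audit per-service TLS/SASL overrides in a Postfix master.cf (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed from the question: the poster's master.cf before the fix.
BROKEN_MASTER_CF = """\
smtp      inet  n       -       -       -       -       smtpd
  -o smtpd_tls_auth_only=yes
  -o smtp_sasl_auth_enable=no
  -o smtp_tls_security_level=none
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
"""

# Constructed from the answers: the same three services with the fixes applied.
FIXED_MASTER_CF = """\
smtp      inet  n       -       -       -       -       smtpd
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=no
  -o smtpd_tls_security_level=none
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
"""

# main.cf values (from the postconf -n output) that an unoverridden service
# inherits. smtpd_tls_wrappermode is not set there, so the Postfix default
# 'no' applies.
MAIN_CF = {
    "smtpd_tls_security_level": "may",
    "smtpd_tls_wrappermode": "no",
    "smtpd_sasl_auth_enable": "yes",
}

Service = Tuple[str, Dict[str, str]]  # (command, {param: value} from -o lines)


def parse_master_cf(text: str) -> Dict[str, Service]:
    """Map service name -> (command, overrides). A line starting with whitespace
    continues the previous service; '-o name=value' overrides main.cf for it."""
    services: Dict[str, Service] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            m = re.match(r"\s*-o\s+([A-Za-z0-9_]+)=(.*)$", line)
            if m and current is not None:
                services[current][1][m.group(1)] = m.group(2).strip()
            continue
        fields = line.split()
        current = fields[0]
        services[current] = (fields[7], {})  # 8th column is the command
    return services


def effective(overrides: Dict[str, str], param: str) -> str:
    """Per-service -o override wins; otherwise the main.cf value."""
    return overrides.get(param, MAIN_CF.get(param, ""))


def audit(master_cf: str) -> List[str]:
    findings: List[str] = []
    for name, (command, overrides) in parse_master_cf(master_cf).items():
        if command != "smtpd":
            continue
        for param in overrides:
            if param.startswith("smtp_"):  # client parameter on a server process
                findings.append(f"{name}: {param} is an smtp (client) parameter and "
                                f"is ignored by an smtpd listener; use smtpd_{param[5:]}")
        wrapper = effective(overrides, "smtpd_tls_wrappermode") == "yes"
        level = effective(overrides, "smtpd_tls_security_level")
        if name == "smtp" and level != "none":
            findings.append(f"smtp: effective smtpd_tls_security_level is '{level}' "
                            "(from main.cf), so port 25 still offers STARTTLS")
        if name == "submission" and wrapper:
            findings.append("submission: smtpd_tls_wrappermode=yes makes port 587 expect "
                            "a TLS handshake before any SMTP command; plaintext EHLO is dropped")
        if name == "submission" and not wrapper and level != "encrypt":
            findings.append("submission: set smtpd_tls_security_level=encrypt so "
                            "STARTTLS is required before AUTH")
        if name == "smtps" and not wrapper:
            findings.append("smtps: port 465 needs smtpd_tls_wrappermode=yes")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BROKEN_MASTER_CF), ("after", FIXED_MASTER_CF)):
        print(f"== {label} ==")
        for finding in audit(cfg) or ["no findings"]:
            print(" -", finding)
```

Run it against your own files with `postconf -M` style output pasted into the string, or read master.cf from disk; the "after" configuration produces no findings.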

Solution 2

The parameter -o smtpd_tls_wrappermode=yes was causing the mail server to not respond to the submission protocol. As soon as I removed that parameter in master.cf, the EHLO got a response to the telnet on port 587 and the Thunderbird mail client successfully sent the mail on port 587 instead of 25. So here is my master.cf snippet for the submission (TLS) protocol:

submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_enforce_tls=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
  -o smtpd_sasl_tls_security_options=noanonymous
  -o smtpd_sasl_security_options=noanonymous,noplaintext
#  -o smtpd_tls_wrappermode=yes # This one was the issue*****

I'm wondering if I'm just blind in seeing where this causes an issue. I didn't see any reference in the postfix documentation or in any search through serverfault.com, Google, etc.

Hopefully this helps some poor unfortunate soul in the future. :-)
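The telnet transcript in the question ("Connected ... ehlo testing ... Connection closed by foreign host", with no 220 banner in between) is the fingerprint of wrapper mode: the server is waiting for a TLS ClientHello and treats the plaintext EHLO as a failed SSL_accept. As an added example (not part of either answer; the tiny fake SMTP server is constructed here and stands in for Postfix, modelling only the banner/EHLO round-trip), this script reproduces both behaviours over a socketpair so it runs offline, and `probe_host()` runs the same check against a real listener, which is what the poster did by hand.

```python
"""Distinguish a STARTTLS listener from a wrapper-mode (SMTPS) listener by
sending a plaintext EHLO, the way the telnet test in the thread does.
Added example; the fake server below is constructed and is not Postfix."""
import socket
import threading

BANNER = b"220 mail.example.com ESMTP Postfix\r\n"
EHLO_REPLY = b"250-mail.example.com\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
TLS_HANDSHAKE_RECORD = 0x16  # first byte of a TLS ClientHello record


def fake_smtpd(conn: socket.socket, wrappermode: bool) -> None:
    """Server side. With wrappermode=True nothing is sent first: the server
    waits for a TLS ClientHello and drops anything else (the 'SSL_accept
    error ... lost connection after CONNECT' lines in the poster's log).
    With wrappermode=False it greets and answers EHLO with STARTTLS."""
    try:
        if wrappermode:
            first = conn.recv(1024)
            # A real server would now run the TLS handshake; not modelled here.
            return  # plaintext EHLO or a ClientHello: either way we stop here
        conn.sendall(BANNER)
        data = conn.recv(1024)
        if data.upper().startswith(b"EHLO"):
            conn.sendall(EHLO_REPLY)
    finally:
        conn.close()


def probe(conn: socket.socket, timeout: float = 0.5) -> str:
    """Client side: wait briefly for a banner, send a plaintext EHLO, classify."""
    conn.settimeout(timeout)
    try:
        banner = conn.recv(1024)
    except socket.timeout:
        banner = b""  # wrapper mode never sends a 220 before TLS
    try:
        conn.sendall(b"ehlo testing\r\n")
        reply = conn.recv(4096)
    except (socket.timeout, ConnectionError):
        reply = b""
    if not banner and not reply:
        return "wrapper-mode"  # no banner, dropped after plaintext EHLO (SMTPS behaviour)
    if b"STARTTLS" in reply.upper():
        return "starttls"
    if reply.startswith(b"250"):
        return "plaintext-only"  # EHLO accepted but no STARTTLS offered
    return "unknown"


def probe_fake(wrappermode: bool) -> str:
    """Run server and client over a socketpair so the example works offline."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=fake_smtpd, args=(server, wrappermode))
    worker.start()
    try:
        return probe(client)
    finally:
        client.close()
        worker.join()


def probe_host(host: str, port: int) -> str:
    """Same probe against a real listener, e.g. probe_host('mail.example.com', 587)."""
    with socket.create_connection((host, port), timeout=5) as conn:
        return probe(conn)


if __name__ == "__main__":
    print("587 with smtpd_tls_wrappermode=yes :", probe_fake(True))
    print("587 with STARTTLS                  :", probe_fake(False))
```

Against a correctly configured server, `probe_host(host, 587)` should return "starttls", `probe_host(host, 465)` "wrapper-mode" (that is the expected result there), and `probe_host(host, 25)` "starttls" or "plaintext-only" depending on the port-25 security level chosen.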

Author: mminnie

Updated on September 18, 2022

Comments

  • mminnie
    mminnie over 1 year

    Background

    I think I am close to getting my POSTFIX setup to my liking. I've run some SMTP online checks and my SMTP passes all the basic security tests.

    I get a certificate warning in Thunderbird. I am using a temporary self-signed certificate, so I know why the certificate exception comes up. That isn't my issue.

    Goal

    I want to disable any unencrypted and unauthenticated mail sending on the SMTP server. I want to use only TLS.

    Issue

    I am not sure I have a problem, but when I connect with Thunderbird I get a warning about the certificate on port 25. I get this warning regardless of which connection security or port I use. I've tried SSL/TLS on port 465, STARTTLS on 587, and none on port 25. I would expect the certificate to be on port 465 or 587.

    Another puzzler for me is why I can still set Thunderbird to use port 25 with no security and this security exception still shows up upon sending.

    Is sending of this email still encrypted?
    Do I have a problem I don't know about? How can I get my server to respond on port 465 instead?

    postfix/master.cf

    smtp      inet  n       -       -       -       -       smtpd
      -o smtpd_tls_auth_only=yes
      -o smtp_sasl_auth_enable=no
      -o smtp_tls_security_level=none
    
    # SMTP with TLS on port 587. Currently commented.
    submission inet n       -       -       -       -       smtpd
      -o smtpd_tls_wrappermode=yes
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_enforce_tls=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
      -o smtpd_sasl_tls_security_options=noanonymous
      -o smtpd_sasl_security_options=noanonymous,noplaintext
    
    # SMTP over SSL on port 465.
    smtps     inet  n       -       -       -       -       smtpd
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_tls_auth_only=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
      -o smtpd_sasl_security_options=noanonymous,noplaintext
      -o smtpd_sasl_tls_security_options=noanonymous
    

    postconf -n

    append_dot_mydomain = no
    biff = no
    broken_sasl_auth_clients = yes
    config_directory = /etc/postfix
    content_filter = amavis:[127.0.0.1]:10024
    disable_vrfy_command = yes
    dovecot_destination_recipient_limit = 1
    enable_original_recipient = no
    header_checks = regexp:/etc/postfix/header_checks
    inet_interfaces = all
    mailbox_size_limit = 0
    maximal_backoff_time = 8000s
    maximal_queue_lifetime = 7d
    minimal_backoff_time = 1000s
    mydestination =
    myhostname = localbark.info
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    mynetworks_style = host
    myorigin = /etc/hostname
    queue_directory = /var/spool/postfix
    readme_directory = no
    recipient_delimiter = +
    smtp_helo_timeout = 60s
    smtp_sasl_security_options = noplaintext, noanonymous
    smtp_tls_note_starttls_offer = yes
    smtp_tls_security_level = may
    smtpd_banner = $myhostname ESMTP $mail_name
    smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org
    smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_delay_reject = yes
    smtpd_hard_error_limit = 12
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
    smtpd_recipient_limit = 16
    smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, permit
    smtpd_relay_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, permit
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_sasl_path = private/auth
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_type = dovecot
    smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
    smtpd_soft_error_limit = 3
    smtpd_tls_CAfile = /rootCA.pem
    smtpd_tls_cert_file = /device.crt
    smtpd_tls_key_file = /device.key
    smtpd_tls_loglevel = 3
    smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
    smtpd_tls_received_header = yes
    smtpd_tls_security_level = may
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    unknown_local_recipient_reject_code = 450
    virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf, mysql:/etc/postfix/mysql_virtual_alias_domainaliases_maps.cf
    virtual_gid_maps = static:8
    virtual_mailbox_base = /var/vmail
    virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
    virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf, mysql:/etc/postfix/mysql_virtual_mailbox_domainaliases_maps.cf
    virtual_transport = dovecot
    virtual_uid_maps = static:150
    

    Update Jan 27, 2015

    My mail server is using STARTTLS but only on port 25. And mail is sent successfully on port 25. When I try to use STARTTLS on 587, my mail client (Thunderbird) times out. Here is what is in the mail.log file

    Jan 27 11:55:21 mail2 postfix/submission/smtpd[2229]: initializing the server-side TLS engine
    Jan 27 11:55:22 mail2 postfix/submission/smtpd[2229]: warning: hostname XXXXXXX.com does not resolve to address XX.XX.XX.XX: Name or service not known
    Jan 27 11:55:22 mail2 postfix/submission/smtpd[2229]: connect from unknown[XX.XXX.XX.XX]
    Jan 27 11:55:22 mail2 postfix/submission/smtpd[2229]: setting up TLS connection from unknown[XX.XXX.XX.XX]
    Jan 27 11:55:22 mail2 postfix/submission/smtpd[2229]: unknown[XX.XXX.XX.XX]: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
    Jan 27 11:55:22 mail2 postfix/submission/smtpd[2229]: SSL_accept:before/accept initialization
    Jan 27 11:55:22 mail2 postfix/submission/smtpd[2229]: read from 7F3F40B73C60 [7F3F40B86E70] (11 bytes => -1 (0xFFFFFFFFFFFFFFFF))
    Jan 27 11:57:11 mail2 postfix/submission/smtpd[2229]: read from 7F3F40B73C60 [7F3F40B86E70] (11 bytes => 0 (0x0))
    Jan 27 11:57:11 mail2 postfix/submission/smtpd[2229]: SSL_accept error from unknown[XX.XXX.XX.XX]: lost connection
    Jan 27 11:57:11 mail2 postfix/submission/smtpd[2229]: lost connection after CONNECT from unknown[XX.XXX.XX.XX]
    Jan 27 11:57:11 mail2 postfix/submission/smtpd[2229]: disconnect from unknown[XX.XXX.XX.XX]
    

    And here is what a remote computer gets for telnet to 587

    telnet mail.example.com 587
    Trying xxx.xxx.xxx.xx...
    Connected to mail.example.com.
    Escape character is '^]'.
    ehlo testing
    Connection closed by foreign host.
    
    • masegaloeh
      masegaloeh over 9 years
      What do you mean by this question: "How can I get my server to respond on port 465 instead?" Also, it would be helpful if you provided the output of postconf -n
    • mminnie
      mminnie over 9 years
      I updated my post to include the postconf -n output. What I mean by my question about port 465 is: other mail servers I have used with a certificate problem give me the same prompt, but they ask for the certificate on port 465. Mine is asking on port 25 even though I specified STARTTLS on port 465 in the mail client. Is this bad? I would think the mail client switches to port 25 in the prompt for a reason. It makes me feel like the mail server is not set up correctly.
  • mminnie
    mminnie over 9 years
    I marked this as the answer, because although I stumbled upon the answer by... well, 10% skill and 90% luck, this explanation was great. Thanks for the great detail and explanation. I understand the problem a lot better now.