Like Dovecot, Sentora does not enable SSL for Postfix by default either. How do you know whether SSL is enabled? Run the command “netstat -antp | grep master” (master is the Postfix daemon). You will see that Postfix listens only on port 25, which carries data unencrypted. I followed this guide to set up Postfix with SSL support.
```
#smtp_use_tls = no
#smtpd_use_tls = no

# Things Philip Changed for SSL
# Raise log level as default doesn't give much information
smtpd_tls_loglevel = 1

# path to the certificate file, should be root:root and 0444
smtpd_tls_cert_file=/path/to/fullchain.pem
# path to the private key file, should be root:root and 0400
smtpd_tls_key_file=/path/to/privkey.pem

# Allow use of TLS but make it optional
smtpd_use_tls=yes

# Cache sessions for speed improvement
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# Disable SSLv2/3 as they are vulnerable
smtpd_tls_protocols = !SSLv2, !SSLv3

# Insist on stronger ciphers
smtpd_tls_ciphers = high

# SASL parameters
# Don't forget permit_sasl_authenticated in smtpd_relay_restrictions
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
```
The configuration parameters above are appended to /etc/postfix/main.cf. However, these settings are not enough for my Outlook Express client. I want to use SMTPS from Outlook Express, which uses port 587 to submit emails, but after applying the configuration above the master daemon still listens only on port 25. You also need to change the master daemon's configuration file, /etc/postfix/master.cf.
```
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
```
The second line is the newly added configuration entry, which makes the daemon also listen on port 587. You can refer to this post. Unfortunately, even with both Postfix configuration files modified, my Outlook Express still could not send email through the server; it reported error 0x800CCC0B when sending. To debug the problem, you must know where the Postfix log is. Its location is given in neither /etc/postfix/main.cf nor /etc/postfix/master.cf; the Postfix log file is /var/log/maillog. The error messages in /var/log/maillog were:
```
Dec 20 09:59:20 panel postfix/smtpd[4875]: warning: valid_hostname: misplaced delimiter: .
Dec 20 09:59:20 panel postfix/smtpd[4875]: connect from unknown[xx.xx.xx.xx]
Dec 20 09:59:21 panel postfix/smtpd[4875]: SSL_accept error from unknown[xx.xx.xx.xx]: -1
Dec 20 09:59:21 panel postfix/smtpd[4875]: warning: TLS library problem: 4875:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1435:
Dec 20 09:59:21 panel postfix/smtpd[4875]: lost connection after STARTTLS from unknown[xx.xx.xx.xx]
Dec 20 09:59:21 panel postfix/smtpd[4875]: disconnect from unknown[xx.xx.xx.xx]
Dec 20 09:59:22 panel postfix/smtpd[4875]: warning: valid_hostname: misplaced delimiter: .
Dec 20 09:59:22 panel postfix/smtpd[4875]: connect from unknown[xx.xx.xx.xx]
Dec 20 09:59:23 panel postfix/smtpd[4875]: lost connection after MAIL from unknown[xx.xx.xx.xx]
Dec 20 09:59:23 panel postfix/smtpd[4875]: disconnect from unknown[xx.xx.xx.xx]
```
It looks like an SSL-related issue. I commented out the line “smtpd_tls_protocols = !SSLv2, !SSLv3” in /etc/postfix/main.cf but got the same result. Then I commented out the line “smtpd_tls_ciphers = high”, and this time the email was sent successfully. It turns out my Outlook Express uses SSLv2 to communicate with the Postfix server, while Postfix has determined that SSLv2 and SSLv3 are not safe: if you set smtpd_tls_ciphers to high, it rejects the connection (even without “smtpd_tls_protocols = !SSLv2, !SSLv3”), and if you comment out the line “smtpd_tls_ciphers = high”, it falls back to SSLv2, even with “smtpd_tls_protocols = !SSLv2, !SSLv3”. Let us see what a successful transaction looks like.
```
Dec 20 09:31:47 panel postfix/smtpd[1767]: warning: valid_hostname: misplaced delimiter: .
Dec 20 09:31:47 panel postfix/smtpd[1767]: connect from unknown[xx.xx.xx.xx]
Dec 20 09:31:48 panel postfix/smtpd[1767]: Anonymous TLS connection established from unknown[xx.xx.xx.xx]: TLSv1 with cipher RC4-MD5 (112/128 bits)
Dec 20 09:31:50 panel postfix/smtpd[1767]: 1F9205748: client=unknown[xx.xx.xx.xx], sasl_method=LOGIN, sasl_username=admin@xx.com
Dec 20 09:31:50 panel postfix/cleanup[1890]: 1F9205748: message-id=<DA633FE114D145FC47E9BA9411D001E@ABCD4932886261D>
Dec 20 09:31:50 panel postfix/qmgr[1646]: 1F9205748: from=<admin@xx.com>, size=1464, nrcpt=1 (queue active)
Dec 20 09:31:51 panel postfix/smtpd[1767]: disconnect from unknown[xx.xx.xx.xx]
Dec 20 09:31:56 panel postfix/smtp[1893]: 1F9205748: to=<admin@yy.com>, relay=yy.com[yy.yy.yy.yy]:25, delay=7, delays=1.1/0.01/5.6/0.27, dsn=2.0.0, status=sent (250 OK id=1yya-002mNw-Uw)
Dec 20 09:31:56 panel postfix/qmgr[1646]: 1F9205748: removed
```
Note that authentication is done with the SASL LOGIN method, so you need to configure the SMTP user name and password in Outlook Express. If you try to send email anonymously, it will be rejected with server code 454, and Outlook Express will report error code 0x800CCC79. The following is what Postfix logs in that case:
```
Dec 20 10:28:38 panel postfix/smtpd[8219]: warning: valid_hostname: misplaced delimiter: .
Dec 20 10:28:38 panel postfix/smtpd[8219]: connect from unknown[xx.xx.xx.xx]
Dec 20 10:28:39 panel postfix/smtpd[8219]: Anonymous TLS connection established from unknown[xx.xx.xx.xx]: TLSv1 with cipher RC4-MD5 (112/128 bits)
Dec 20 10:28:39 panel postfix/smtpd[8219]: NOQUEUE: reject: RCPT from unknown[xx.xx.xx.xx]: 454 4.7.1 <admin@yy.com>: Relay access denied; from=<admin@xx.com> to=<admin@yy.com> proto=ESMTP helo=<ABCD499888261D>
Dec 20 10:28:40 panel postfix/smtpd[8219]: disconnect from unknown[xx.xx.xx.xx]
```