Gentoo Forums
First Postfix Install: Certificate Troubles
Networking & Security

CoderMan
Apprentice
Joined: 10 Aug 2009
Posts: 173

PostPosted: Wed Sep 22, 2010 5:17 am    Post subject: First Postfix Install: Certificate Troubles

Hi. I'm trying to set up my first e-mail server, using postfix. I have been trying to follow the Gentoo documentation I found for postfix, but things are not going as smoothly as in the tutorial. :cry:

The document I found is here:

http://www.gentoo.org/doc/en/virt-mail-howto.xml

First of all, I followed the "Postfix Basics" section fairly closely, except I hard-coded in the domain name instead of using the variable.

Where I started having trouble was in section 5, "SSL Certs for Postfix and Apache". When running the commands to create the Postfix certificates, everything seemed to be going fine; but at the end of the "./CA.pl -sign" program, instead of creating the final, signed server certificate, the program died with "could not update database".

Since I could not figure out how to get the CA.pl program to work correctly, I instead created my own certificates using the instructions that I found here:

http://www.tc.umn.edu/~brams006/selfsign.html

I copied them in, and adjusted postfix's main.cf to use them instead.

However, when I run the telnet test, I get

Code:
EHLO <my domain here>
250-<my hostname>.localdomain
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN


(I replaced my actual domain/host names in the above text for security reasons.) As you can see, the text

Code:
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN


is missing, which is what the tutorial says I am looking for specifically.

So, anyway, I don't want to finish the rest of the tutorial instructions until I have some idea here of what is going wrong. Could anyone provide me with any helpful insight into this whole situation?

cach0rr0
Bodhisattva
Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

PostPosted: Wed Sep 22, 2010 5:28 am

the missing auth lines == correct behaviour

they should only appear if you connect via ssl

try this:

Code:

openssl s_client -connect x.x.x.x:25 -starttls smtp


replacing x.x.x.x with your IP obviously

see if the auth banners appear

those auth mechanisms are cleartext, and as such should not be sent over an unencrypted connection
simply connecting via telnet isn't giving you an encrypted connection

telnet:
Code:

 telnet renee.whitehathouston.com 25
Trying 75.148.243.92...
Connected to renee.whitehathouston.com.
Escape character is '^]'.
220 renee.whitehathouston.com ESMTP Postfix (2.6.5)
ehlo mate
250-renee.whitehathouston.com
250-PIPELINING
250-SIZE 100000000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit


openssl s_client

Code:

 # openssl s_client -connect renee.whitehathouston.com:25 -starttls smtp
CONNECTED(00000003)
<snip>
SSL handshake has read 5278 bytes and written 378 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
<snip>
---
250 DSN
ehlo mate
250-renee.whitehathouston.com
250-PIPELINING
250-SIZE 100000000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN


The other possibility is auth isn't enabled in your main.cf

Two secs and I'll post again with the relevant snippets from my main.cf.
Last edited by cach0rr0 on Wed Sep 22, 2010 6:00 am; edited 1 time in total

cach0rr0
Bodhisattva

PostPosted: Wed Sep 22, 2010 5:32 am

relevant sections from my main.cf

Code:

smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_CAfile = /etc/ssl/postfix/root.crt
smtpd_tls_ask_ccert = no
smtpd_tls_loglevel = 1
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination
smtpd_use_tls = yes
smtpd_enforce_tls = no
smtpd_tls_auth_only = yes
tls_random_source = dev:/dev/urandom
smtp_tls_note_starttls_offer = yes


if you want to allow cleartext logins over unencrypted connections, we can do that, but I don't recommend it.

Whether or not you allow such logins is dictated by smtpd_tls_auth_only

http://www.postfix.org/TLS_README.html wrote:

Supporting AUTH over TLS only

Sending AUTH data over an unencrypted channel poses a security risk. When TLS layer encryption is required ("smtpd_tls_security_level = encrypt" or the obsolete "smtpd_enforce_tls = yes"), the Postfix SMTP server will announce and accept AUTH only after the TLS layer has been activated with STARTTLS. When TLS layer encryption is optional ("smtpd_tls_security_level = may" or the obsolete "smtpd_enforce_tls = no"), it may however still be useful to only offer AUTH when TLS is active. To maintain compatibility with non-TLS clients, the default is to accept AUTH without encryption. In order to change this behavior, set "smtpd_tls_auth_only = yes".

Example:

/etc/postfix/main.cf:
smtpd_tls_auth_only = no


The default for this is no, but if you have set this to yes then the auth banner will not be shown unless you've first negotiated ssl/tls.

CoderMan
Apprentice

PostPosted: Thu Sep 23, 2010 5:48 am

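As an added example that is not from the thread or from Postfix itself, the Python check below parses EHLO capability listings like the ones posted above, one captured over the plain connection and one after STARTTLS (as openssl s_client -starttls smtp shows), and reports whether AUTH is exposed in cleartext, offered only after TLS, or not enabled at all; the sample replies are constructed after the thread's transcripts.

```python
import re

# Constructed samples modelled on the thread's transcripts: the EHLO reply on
# a plain connection, and the same server after STARTTLS (what
# openssl s_client -starttls smtp shows).
PLAIN_EHLO = (
    "250-mail.example.test\n250-PIPELINING\n250-SIZE 10240000\n250-VRFY\n"
    "250-ETRN\n250-STARTTLS\n250-ENHANCEDSTATUSCODES\n250-8BITMIME\n250 DSN"
)
TLS_EHLO = (
    "250-mail.example.test\n250-PIPELINING\n250-SIZE 10240000\n250-VRFY\n"
    "250-ETRN\n250-AUTH LOGIN PLAIN\n250-AUTH=LOGIN PLAIN\n"
    "250-ENHANCEDSTATUSCODES\n250-8BITMIME\n250 DSN"
)
CAP_LINE = re.compile(r"^250[- ](\S+)(?:\s+(.*))?$")

def ehlo_capabilities(response):
    """Parse a 250 EHLO reply into {KEYWORD: [params]}, skipping the server
    name on the first line and folding the non-standard 'AUTH=LOGIN PLAIN'
    form (broken_sasl_auth_clients = yes) into AUTH."""
    caps = {}
    for line in response.splitlines()[1:]:
        match = CAP_LINE.match(line.strip())
        if not match:
            continue
        keyword = match.group(1).upper()
        params = (match.group(2) or "").split()
        if keyword.startswith("AUTH="):
            params, keyword = [keyword[5:]] + params, "AUTH"
        entry = caps.setdefault(keyword, [])
        for param in params:
            if param not in entry:
                entry.append(param)
    return caps

def assess_auth_exposure(plain_response, tls_response):
    """Classify how SASL AUTH is offered, given both EHLO replies:
    cleartext-auth: AUTH before STARTTLS (smtpd_tls_auth_only = no);
    no-starttls: STARTTLS not advertised; auth-after-tls: the thread's case;
    auth-disabled: no AUTH even over TLS (check smtpd_sasl_auth_enable)."""
    plain = ehlo_capabilities(plain_response)
    if "AUTH" in plain:
        return "cleartext-auth"
    if "STARTTLS" not in plain:
        return "no-starttls"
    if "AUTH" in ehlo_capabilities(tls_response):
        return "auth-after-tls"
    return "auth-disabled"
```

Feed it the two EHLO replies you capture with telnet and with openssl s_client; "auth-after-tls" is the state the thread describes as correct.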
cach0rr0 wrote:
the missing auth lines == correct behaviour

they should only appear if you connect via ssl

try this:

Code:

openssl s_client -connect x.x.x.x:25 -starttls smtp


replacing x.x.x.x with your IP obviously


At this point I keep getting

Code:
CONNECTED(00000003)
24033:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:607:


Google searching indicated that this error would show up if I was using a pass-phrase-protected secret key. I think I do remember giving the secret key a pass-phrase.
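The hypothesis in the post above can be checked offline: Postfix loads its TLS key unattended and cannot prompt for a passphrase, so the file named by smtpd_tls_key_file must hold an unencrypted key. This added Python helper (not from the thread or from Postfix) inspects the PEM markers that a passphrase-protected key carries; the sample keys are constructed with placeholder bodies, not real key material.

```python
import re

# A PEM block is a BEGIN/END label pair around a body of optional
# "Header: value" lines, a blank line, and base64. Legacy OpenSSL encrypted
# keys carry Proc-Type/DEK-Info headers; PKCS#8 encrypted keys instead use
# a distinct BEGIN label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)
PROC_TYPE_ENCRYPTED = re.compile(r"^Proc-Type: 4,ENCRYPTED\s*$", re.M)

# Constructed samples with placeholder bodies, not real key material.
PLAIN_KEY = "-----BEGIN RSA PRIVATE KEY-----\nQUJDREVG\n-----END RSA PRIVATE KEY-----\n"
LEGACY_ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nQUJDREVG\n"
    "-----END RSA PRIVATE KEY-----\n"
)
PKCS8_ENCRYPTED_KEY = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nQUJDREVG\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n"
)

def pem_key_status(pem_text):
    """Return [(label, encrypted)] for every PEM block found in pem_text."""
    status = []
    for label, body in PEM_BLOCK.findall(pem_text):
        encrypted = (label == "ENCRYPTED PRIVATE KEY"
                     or PROC_TYPE_ENCRYPTED.search(body) is not None)
        status.append((label, encrypted))
    return status

def postfix_key_usable(pem_text):
    """True only if the text holds at least one private key and none of them
    is passphrase-protected, which is what an unattended Postfix needs."""
    keys = [(label, enc) for label, enc in pem_key_status(pem_text)
            if label.endswith("PRIVATE KEY")]
    return bool(keys) and not any(enc for _, enc in keys)
```

Run postfix_key_usable() on the contents of your smtpd_tls_key_file; a False result with an encrypted label points at the passphrase as the cause.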