# Postfix:  sasl_auth works, TLS doesn't. [Some Progress]

## jhboricua

Hello,

I've been trying to fix this all day and have just hit a wall.  I have a Postfix server running that, until probably the last emerge update, was working fine doing SASL_AUTH and TLS.  However, that is not the case anymore, and I can't understand what is going on.  Troubleshooting I've done:

1. Re-emerged postfix, cyrus_sasl, with the right flags, according to the Postfix guide at:  https://forums.gentoo.org/viewtopic.php?t=56633&highlight=postfix

2. Re-checked configs, which never changed before it stopped working.

3. Re-emerged OpenSSL, just in case, and re-did my Postfix certificates.

4. Disabled TLS and SASL_AUTH completely in the postfix main.cf file and tried to send mail through my server from inside the network.  Didn't work.

5. Enabled SASL_AUTH only and tried again.  Works.

6. Enabled SASL_AUTH and TLS.  Didn't work.  Same error.

7. Downgraded to the previous version of Postfix, 2.1.3, to see if maybe the new 2.1.5 is having issues with TLS.  No change.

As soon as I enable TLS on the config and on my client, it gives me an error stating: "Unable to connect to smtp.<myserver>.com.  The server may be down or incorrectly configured."

I've done my certificates again, and the problem won't go away.  The logs also don't provide any useful info, only:

```
Nov 14 15:31:07 [postfix/smtpd] starting TLS engine
Nov 14 15:31:07 [postfix/smtpd] connect from casper.zerochill.com[192.168.4.101]
Nov 14 15:31:08 [postfix/smtpd] disconnect from casper.zerochill.com[192.168.4.101]
```

That's all it shows when I try and fail to use TLS.  I tried changing the "smtpd_tls_loglevel" to a higher value than the default 3, and it still doesn't output anything extra.

Any ideas on what else to look at are appreciated.  Here are my relevant configs.

```
root@smtp / # cat /etc/conf.d/saslauthd
# $Header: /var/cvsroot/gentoo-x86/dev-libs/cyrus-sasl/files/saslauthd-2.1.19.conf,v 1.1 2004/07/16 23:53:38 langthang Exp $
# Config file for /etc/init.d/saslauthd

SASL_AUTHMECH=shadow
SASL_RIMAP_HOSTNAME=""
SASL_TIME_OF_DAY_LOGIN_RESTRICTIONS=yes
SASLAUTHD_OPTS="-a ${SASL_AUTHMECH}"
```

```
root@smtp / # cat /etc/sasl2/smtpd.conf
# $Header: /var/cvsroot/gentoo-x86/mail-mta/postfix/files/smtp.sasl,v 1.1 2004/05/30 09:38:32 robbat2 Exp $
pwcheck_method: saslauthd
mech_list: plain login
```

```
root@smtp / # cat /usr/lib/sasl2/smtpd.conf
# $Header: /var/cvsroot/gentoo-x86/mail-mta/postfix/files/smtp.sasl,v 1.1 2004/05/30 09:38:32 robbat2 Exp $
pwcheck_method: saslauthd
mech_list: plain login
```

```
root@smtp / # cat /etc/postfix/main.cf
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
myorigin = $myhostname
mydestination = $myhostname, localhost.$mydomain $mydomain
unknown_local_recipient_reject_code = 450
mynetworks_style = subnet
mynetworks = 192.168.4.0/24 127.0.0.0/8
mailbox_command = /usr/bin/procmail
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
manpage_directory = /usr/share/man
readme_directory = /usr/share/doc/postfix-2.1.3/readme
default_destination_concurrency_limit = 2
alias_database = hash:/etc/mail/aliases
local_destination_concurrency_limit = 2
alias_maps = hash:/etc/mail/aliases
home_mailbox = .maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
         permit_sasl_authenticated,
         permit_mynetworks,
         reject_unauth_destination,
         reject_rbl_client bl.spamcop.net,
         reject_rbl_client relays.ordb.org,
         reject_rbl_client sbl.spamhaus.org,
         reject_rbl_client cbl.abuseat.org
smtpd_client_restrictions =
         permit_sasl_authenticated,
         reject_unauth_destination
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/postfix/newreq.pem
smtpd_tls_cert_file = /etc/ssl/postfix/newcert.pem
smtpd_tls_CAfile = /etc/ssl/postfix/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
```

Last edited by jhboricua on Thu May 05, 2005 7:34 pm; edited 1 time in total
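The main.cf above has no `mydomain =` line, yet `postconf mydomain` later in the thread prints `zerochill.com`, and the second verbose log shows an EHLO reply with `STARTTLS` but no `AUTH` line. Both follow from how Postfix reads main.cf, and the added example below (editor's code, not from the thread or from Postfix) makes that reading explicit: it parses the main.cf syntax shown here (comment and blank lines, whitespace-indented continuation lines, `$name` and `${name}` references), fills in the defaults for `myhostname` and `mydomain`, and predicts which TLS and AUTH capabilities smtpd announces to an unencrypted EHLO. The only assumption is that the machine's hostname is `smtp.zerochill.com`, taken from the `220 smtp.zerochill.com ESMTP Postfix` banner in the logs below; the sample main.cf text is a constructed excerpt of the one posted.

```python
"""Read a Postfix main.cf and predict what a plaintext EHLO will advertise.

Added example, not code from the thread or from Postfix. Two Postfix rules are
applied: mydomain defaults to myhostname minus its first label, and with
smtpd_tls_auth_only = yes the AUTH capability is withheld until after STARTTLS.
"""
import re

# Constructed excerpt of the main.cf posted in the thread.
SAMPLE_MAIN_CF = """\
# comment lines and blank lines are ignored
myorigin = $myhostname
mydestination = $myhostname, localhost.$mydomain $mydomain
mynetworks = 192.168.4.0/24 127.0.0.0/8
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
         permit_sasl_authenticated,
         permit_mynetworks,
         reject_unauth_destination
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/postfix/newreq.pem
smtpd_tls_cert_file = /etc/ssl/postfix/newcert.pem
"""

# Assumption: gethostname() on the server returns smtp.zerochill.com (the name
# in the 220 banner of the logs); Postfix uses it as the default for myhostname.
ASSUMED_HOSTNAME = "smtp.zerochill.com"

_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def parse_main_cf(text):
    """Return {parameter: raw value}. A line that starts with whitespace
    continues the previous logical line; '#' lines and blank lines are skipped."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + line.strip()).strip()
            continue
        name, _, value = line.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def with_defaults(params, hostname=ASSUMED_HOSTNAME):
    """Fill in myhostname (system hostname) and mydomain (myhostname without
    its first label) when main.cf does not set them. This is why
    'postconf mydomain' prints zerochill.com with no 'mydomain =' line present."""
    out = dict(params)
    out.setdefault("myhostname", hostname)
    if not out.get("mydomain"):
        host = out["myhostname"]
        out["mydomain"] = host.split(".", 1)[1] if "." in host else host
    return out


def expand(params, name, depth=0):
    """Expand $name and ${name} references in a parameter value (bounded recursion)."""
    value = params.get(name, "")
    if depth > 10:
        return value
    return _REF.sub(lambda m: expand(params, m.group(1), depth + 1), value)


def is_yes(params, name):
    return params.get(name, "no").strip().lower() == "yes"


def plaintext_ehlo_capabilities(params):
    """Predict the TLS/AUTH capability lines smtpd announces to an unencrypted
    EHLO. With smtpd_use_tls and smtpd_tls_auth_only both 'yes' the client sees
    STARTTLS but no AUTH line, so a client that never issues STARTTLS cannot
    authenticate at all; this is the pattern in the thread's second verbose log."""
    caps = []
    tls = is_yes(params, "smtpd_use_tls")
    if tls:
        caps.append("STARTTLS")
    if is_yes(params, "smtpd_sasl_auth_enable") and not (tls and is_yes(params, "smtpd_tls_auth_only")):
        caps.append("AUTH")
        if is_yes(params, "broken_sasl_auth_clients"):
            caps.append("AUTH=")  # the non-standard spelling some old clients need
    return caps


def missing_tls_files(params):
    """Names of TLS file parameters left unset while smtpd_use_tls = yes."""
    if not is_yes(params, "smtpd_use_tls"):
        return []
    return [p for p in ("smtpd_tls_key_file", "smtpd_tls_cert_file") if not params.get(p)]


if __name__ == "__main__":
    cfg = with_defaults(parse_main_cf(SAMPLE_MAIN_CF))
    print("mydomain      =", cfg["mydomain"])
    print("mydestination =", expand(cfg, "mydestination"))
    print("plaintext EHLO advertises:", plaintext_ehlo_capabilities(cfg))
    print("with TLS off it advertises:", plaintext_ehlo_capabilities(dict(cfg, smtpd_use_tls="no")))
```

Run against the posted settings it reports `STARTTLS` only; flipping `smtpd_use_tls` to `no` yields `AUTH` and `AUTH=`, which is exactly the difference between the two verbose logs later in the thread. Keeping `smtpd_tls_auth_only = yes` is the right call: it is what stops a client from sending LOGIN or PLAIN credentials over an unencrypted connection.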

----------

## jhboricua

bump

----------

## Weejoker

Let's see what flags you compiled postfix with. This will be helpful, as we can see what was used as flags for compiling, telling us if SSL was there on the last compile:

```
equery uses postfix
```

Also, you may have to revoke some certs in your email client - Gentoo puts down some default postfix SSL certs pointing to localhost if I recall correctly. Your email client may not like this change in hostname and therefore think you are connecting to a different host.

John

----------

## jhboricua

*Weejoker wrote:*

> Let's see what flags you compiled postfix with. This will be helpful, as we can see what was used as flags for compiling, telling us if SSL was there on the last compile:
> 
> ```
> equery uses postfix
> ```
> ...

Ok, here it is:

```
root@smtp jhboricua # equery uses postfix
[ Colour Code : set unset ]
[ Legend    : (U) Col 1 - Current USE flags        ]
[           : (I) Col 2 - Installed With USE flags ]

 U I [ Found these USE variables in : mail-mta/postfix-2.1.3 ]
 - - ipv6        : Adds support for IP version 6
 + + pam         : unknown
 - - ldap        : Adds LDAP support (Lightweight Directory Access Protocol)
 + - mysql       : Adds mySQL support
 - - postgres    : Adds support for the postgresql database
 + + ssl         : Adds support for Secure Socket Layer connections
 + + sasl        : Adds support for the Simple Authentication and Security Layer
 - - vda         : Adds support for virtual delivery agent quota enforcing
 - - mailwrapper : Adds mailwrapper support to allow multiple MTAs to be installed
 - - mbox        : Adds support for mbox (/var/spool/mail) style mail spools
root@smtp jhboricua #
```

*Weejoker wrote:*

> Also, you may have to revoke some certs in your email client - Gentoo puts down some default postfix SSL certs pointing to localhost if I recall correctly. Your email client may not like this change in hostname and therefore think you are connecting to a different host.
> 
> John

I did that already, but the thing is that TLS is not even starting, despite what the postfix log says.  I know this because I should get a certificate prompt on my email client when I try the connection the first time, since I no longer have the certificate saved, but nothing pops up.  And I know it's not my Thunderbird client, since I did get a certificate popup when connecting to the IMAP server running on the server via SSL.

The frustrating thing is that I have no meaningful logs to work with.

----------

## Weejoker

Looks like we shall need more logging for postfix then. Stick a '-v' on the end of the smtpd line in the master.cf:

/etc/postfix/master.cf

```
smtp      inet  n       -       n       -       -       smtpd -v -o smtpd_sasl_auth_enable=yes
```

Now the logs in /var/log/mail shall be more meaningful, especially for debugging.  :Rolling Eyes: 

John

----------

## jhboricua

Cool, thanks for the tip on getting a more detailed log.  Here's the log after doing what you said and trying to email with TLS enabled:

```
Nov 17 00:12:57 [postfix/postfix-script] stopping the Postfix mail system
Nov 17 00:12:57 [postfix/master] terminating on signal 15
Nov 17 00:12:58 [postfix/postfix-script] starting the Postfix mail system
Nov 17 00:12:59 [postfix/master] daemon started -- version 2.1.3
Nov 17 00:13:37 [postfix/smtpd] match_string: mynetworks ~? debug_peer_list
Nov 17 00:13:37 [postfix/smtpd] match_string: mynetworks ~? fast_flush_domains
Nov 17 00:13:37 [postfix/smtpd] match_string: mynetworks ~? mynetworks
Nov 17 00:13:37 [postfix/smtpd] match_string: relay_domains ~? debug_peer_list
Nov 17 00:13:37 [postfix/smtpd] match_string: relay_domains ~? fast_flush_domains
Nov 17 00:13:37 [postfix/smtpd] match_string: relay_domains ~? mynetworks
Nov 17 00:13:37 [postfix/smtpd] match_string: relay_domains ~? permit_mx_backup_networks
Nov 17 00:13:37 [postfix/smtpd] match_string: relay_domains ~? qmqpd_authorized_clients
Nov 17 00:13:37 [postfix/smtpd] match_string: relay_domains ~? relay_domains
Nov 17 00:13:37 [postfix/smtpd] match_string: permit_mx_backup_networks ~? debug_peer_list
Nov 17 00:13:37 [postfix/smtpd] match_string: permit_mx_backup_networks ~? fast_flush_domains
Nov 17 00:13:37 [postfix/smtpd] match_string: permit_mx_backup_networks ~? mynetworks
Nov 17 00:13:37 [postfix/smtpd] match_string: permit_mx_backup_networks ~? permit_mx_backup_networks
Nov 17 00:13:37 [postfix/smtpd] connect to subsystem private/proxymap
Nov 17 00:13:37 [postfix/smtpd] send attr request = open
Nov 17 00:13:37 [postfix/smtpd] send attr table = unix:passwd.byname
Nov 17 00:13:37 [postfix/smtpd] send attr flags = 64
Nov 17 00:13:37 [postfix/smtpd] private/proxymap socket: wanted attribute: status
Nov 17 00:13:37 [postfix/smtpd] input attribute name: status
Nov 17 00:13:37 [postfix/smtpd] input attribute value: 0
Nov 17 00:13:37 [postfix/smtpd] private/proxymap socket: wanted attribute: flags
Nov 17 00:13:37 [postfix/smtpd] input attribute name: flags
Nov 17 00:13:37 [postfix/smtpd] input attribute value: 80
Nov 17 00:13:37 [postfix/smtpd] private/proxymap socket: wanted attribute: (list terminator)
Nov 17 00:13:37 [postfix/smtpd] input attribute name: (end)
Nov 17 00:13:37 [postfix/smtpd] dict_proxy_open: connect to map=unix:passwd.byname status=0 server_flags=0120
Nov 17 00:13:37 [postfix/smtpd] dict_open: proxy:unix:passwd.byname
Nov 17 00:13:37 [postfix/smtpd] dict_open: hash:/etc/mail/aliases
Nov 17 00:13:37 [postfix/smtpd] match_string: smtpd_access_maps ~? debug_peer_list
Nov 17 00:13:37 [postfix/smtpd] match_string: smtpd_access_maps ~? fast_flush_domains
Nov 17 00:13:37 [postfix/smtpd] match_string: smtpd_access_maps ~? mynetworks
Nov 17 00:13:37 [postfix/smtpd] match_string: smtpd_access_maps ~? permit_mx_backup_networks
Nov 17 00:13:37 [postfix/smtpd] match_string: smtpd_access_maps ~? qmqpd_authorized_clients
Nov 17 00:13:37 [postfix/smtpd] match_string: smtpd_access_maps ~? relay_domains
Nov 17 00:13:37 [postfix/smtpd] match_string: smtpd_access_maps ~? smtpd_access_maps
Nov 17 00:13:37 [postfix/smtpd] smtpd_sasl_initialize: SASL config file is smtpd.conf
Nov 17 00:13:37 [postfix/smtpd] match_string: fast_flush_domains ~? debug_peer_list
Nov 17 00:13:37 [postfix/smtpd] match_string: fast_flush_domains ~? fast_flush_domains
Nov 17 00:13:37 [postfix/smtpd] watchdog_create: 0x8092670 18000
Nov 17 00:13:37 [postfix/smtpd] watchdog_stop: 0x8092670
Nov 17 00:13:37 [postfix/smtpd] watchdog_start: 0x8092670
Nov 17 00:13:37 [postfix/smtpd] connection established
Nov 17 00:13:37 [postfix/smtpd] master_notify: status 0
Nov 17 00:13:37 [postfix/smtpd] name_mask: resource
Nov 17 00:13:37 [postfix/smtpd] name_mask: software
Nov 17 00:13:37 [postfix/smtpd] name_mask: noanonymous
Nov 17 00:13:37 [postfix/smtpd] connect from casper.zerochill.com[192.168.4.101]
Nov 17 00:13:37 [postfix/smtpd] match_list_match: casper.zerochill.com: no match
Nov 17 00:13:37 [postfix/smtpd] match_list_match: 192.168.4.101: no match
Nov 17 00:13:37 [postfix/smtpd] match_list_match: casper.zerochill.com: no match
Nov 17 00:13:37 [postfix/smtpd] match_list_match: 192.168.4.101: no match
Nov 17 00:13:37 [postfix/smtpd] > casper.zerochill.com[192.168.4.101]: 220 smtp.zerochill.com ESMTP Postfix
Nov 17 00:13:37 [postfix/smtpd] watchdog_pat: 0x8092670
Nov 17 00:13:37 [postfix/smtpd] < casper.zerochill.com[192.168.4.101]: EHLO [127.0.0.1]
Nov 17 00:13:37 [postfix/smtpd] > casper.zerochill.com[192.168.4.101]: 250-smtp.zerochill.com
Nov 17 00:13:37 [postfix/smtpd] > casper.zerochill.com[192.168.4.101]: 250-PIPELINING
Nov 17 00:13:37 [postfix/smtpd] > casper.zerochill.com[192.168.4.101]: 250-SIZE 10240000
Nov 17 00:13:37 [postfix/smtpd] > casper.zerochill.com[192.168.4.101]: 250-VRFY
Nov 17 00:13:37 [postfix/smtpd] > casper.zerochill.com[192.168.4.101]: 250-ETRN
Nov 17 00:13:37 [postfix/smtpd] > casper.zerochill.com[192.168.4.101]: 250-AUTH LOGIN PLAIN
Nov 17 00:13:37 [postfix/smtpd] > casper.zerochill.com[192.168.4.101]: 250-AUTH=LOGIN PLAIN
Nov 17 00:13:37 [postfix/smtpd] match_list_match: casper.zerochill.com: no match
Nov 17 00:13:37 [postfix/smtpd] match_list_match: 192.168.4.101: no match
Nov 17 00:13:37 [postfix/smtpd] > casper.zerochill.com[192.168.4.101]: 250 8BITMIME
Nov 17 00:13:37 [postfix/smtpd] watchdog_pat: 0x8092670
Nov 17 00:13:41 [postfix/smtpd] < casper.zerochill.com[192.168.4.101]: QUIT
Nov 17 00:13:41 [postfix/smtpd] > casper.zerochill.com[192.168.4.101]: 221 Bye
Nov 17 00:13:41 [postfix/smtpd] disconnect from casper.zerochill.com[192.168.4.101]
Nov 17 00:13:41 [postfix/smtpd] master_notify: status 1
Nov 17 00:13:41 [postfix/smtpd] connection closed
Nov 17 00:13:41 [postfix/smtpd] watchdog_stop: 0x8092670
Nov 17 00:13:41 [postfix/smtpd] watchdog_start: 0x8092670
Nov 17 00:15:17 [postfix/smtpd] proxymap stream disconnect
Nov 17 00:15:17 [postfix/smtpd] watchdog_stop: 0x8092670
Nov 17 00:15:17 [postfix/smtpd] watchdog_start: 0x8092670
Nov 17 00:15:21 [postfix/smtpd] idle timeout -- exiting
```

Also, this is what the master.cf file looks like, which, btw, I never had to edit at all before.

```
root@smtp jhboricua # cat /etc/postfix/master.cf
#
# Postfix master process configuration file.  Each logical line
# describes how a Postfix daemon program should be run.
#
# A logical line starts with non-whitespace, non-comment text.
# Empty lines and whitespace-only lines are ignored, as are comment
# lines whose first non-whitespace character is a `#'.
# A line that starts with whitespace continues a logical line.
#
# The fields that make up each line are described below. A "-" field
# value requests that a default value be used for that field.
#
# Service: any name that is valid for the specified transport type
# (the next field).  With INET transports, a service is specified as
# host:port.  The host part (and colon) may be omitted. Either host
# or port may be given in symbolic form or in numeric form. Examples
# for the SMTP server:  localhost:smtp receives mail via the loopback
# interface only; 10025 receives mail on port 10025.
#
# Transport type: "inet" for Internet sockets, "unix" for UNIX-domain
# sockets, "fifo" for named pipes.
#
# Private: whether or not access is restricted to the mail system.
# Default is private service.  Internet (inet) sockets can't be private.
#
# Unprivileged: whether the service runs with root privileges or as
# the owner of the Postfix system (the owner name is controlled by the
# mail_owner configuration variable in the main.cf file). Only the
# pipe, virtual and local delivery daemons require privileges.
#
# Chroot: whether or not the service runs chrooted to the mail queue
# directory (pathname is controlled by the queue_directory configuration
# variable in the main.cf file). Presently, all Postfix daemons can run
# chrooted, except for the pipe, virtual and local delivery daemons.
# The proxymap server can run chrooted, but doing so defeats most of
# the purpose of having that service in the first place.
# The files in the examples/chroot-setup subdirectory describe how
# to set up a Postfix chroot environment for your type of machine.
#
# Wakeup time: automatically wake up the named service after the
# specified number of seconds. A ? at the end of the wakeup time
# field requests that wake up events be sent only to services that
# are actually being used.  Specify 0 for no wakeup. Presently, only
# the pickup, queue manager and flush daemons need a wakeup timer.
#
# Max procs: the maximum number of processes that may execute this
# service simultaneously. Default is to use a globally configurable
# limit (the default_process_limit configuration parameter in main.cf).
# Specify 0 for no process count limit.
#
# Command + args: the command to be executed. The command name is
# relative to the Postfix program directory (pathname is controlled by
# the daemon_directory configuration variable). Adding one or more
# -v options turns on verbose logging for that service; adding a -D
# option enables symbolic debugging (see the debugger_command variable
# in the main.cf configuration file). See individual command man pages
# for specific command-line options, if any.
#
# General main.cf options can be overridden for specific services.
# To override one or more main.cf options, specify them as arguments
# below, preceding each option by "-o".  There must be no whitespace
# in the option itself (separate multiple values for an option by
# commas).
#
# In order to use the "uucp" message tranport below, set up entries
# in the transport table.
#
# In order to use the "cyrus" message transport below, configure it
# in main.cf as the mailbox_transport.
#
# SPECIFY ONLY PROGRAMS THAT ARE WRITTEN TO RUN AS POSTFIX DAEMONS.
# ALL DAEMONS SPECIFIED HERE MUST SPEAK A POSTFIX-INTERNAL PROTOCOL.
#
# DO NOT SHARE THE POSTFIX QUEUE BETWEEN MULTIPLE POSTFIX INSTANCES.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd -v
#submission inet n      -       n       -       -       smtpd
#       -o smtpd_etrn_restrictions=reject
#smtps    inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission   inet    n       -       n       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
#tlsmgr   fifo  -       -       n       300     1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
#
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# maildrop. See the Postfix MAILDROP_README file for details.
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
root@smtp jhboricua #
```

----------

## Weejoker

This looks like the issue:

```
Nov 17 00:13:37 [postfix/smtpd] match_list_match: casper.zerochill.com: no match
Nov 17 00:13:37 [postfix/smtpd] match_list_match: 192.168.4.101: no match
```

The lack of $mydomain in /etc/postfix/main.cf may be the probable cause or you haven't defined your domains correctly in the likes of /etc/networks, /etc/resolv.conf, etc. I also set masquerade_domains and relay_domains in main.cf, FYI. 

John

----------

## jhboricua

But $mydomain IS in the main.cf file (check the first post).  Remember, if this wasn't correctly defined, it wouldn't work with or without TLS.  The problem is that as soon as TLS enters the picture, it bombs out.  Also note that even though the log is more verbose now, there is still no TLS-related output.

----------

## Weejoker

Sorry, I should have made this clearer: you have not defined $mydomain (i.e. there is no 'mydomain =' line).  The lack of this, and the mismatch of the connecting hostname, makes me certain that this is the issue.

Also, the lack of TLS stuff is rather worrying, but I'll compare this to my logs later.

John

----------

## jhboricua

It seems it is parsing the domain correctly even though the 'mydomain' entry is not present.  If I do:

```
root@smtp jhboricua # postconf mydomain
mydomain = zerochill.com
root@smtp jhboricua #
```

I'll add the entry anyway and see if that does anything.

Also, on the previous log, I forgot to re-enable TLS; when I do, this is what I get when trying to use TLS:

```
Nov 17 21:15:04 [postfix/smtpd] match_string: mynetworks ~? debug_peer_list
Nov 17 21:15:04 [postfix/smtpd] match_string: mynetworks ~? fast_flush_domains
Nov 17 21:15:04 [postfix/smtpd] match_string: mynetworks ~? mynetworks
Nov 17 21:15:04 [postfix/smtpd] match_string: relay_domains ~? debug_peer_list
Nov 17 21:15:04 [postfix/smtpd] match_string: relay_domains ~? fast_flush_domains
Nov 17 21:15:04 [postfix/smtpd] match_string: relay_domains ~? mynetworks
Nov 17 21:15:04 [postfix/smtpd] match_string: relay_domains ~? permit_mx_backup_networks
Nov 17 21:15:04 [postfix/smtpd] match_string: relay_domains ~? qmqpd_authorized_clients
Nov 17 21:15:04 [postfix/smtpd] match_string: relay_domains ~? relay_domains
Nov 17 21:15:04 [postfix/smtpd] match_string: permit_mx_backup_networks ~? debug_peer_list
Nov 17 21:15:04 [postfix/smtpd] match_string: permit_mx_backup_networks ~? fast_flush_domains
Nov 17 21:15:04 [postfix/smtpd] match_string: permit_mx_backup_networks ~? mynetworks
Nov 17 21:15:04 [postfix/smtpd] match_string: permit_mx_backup_networks ~? permit_mx_backup_networks
Nov 17 21:15:04 [postfix/smtpd] connect to subsystem private/proxymap
Nov 17 21:15:04 [postfix/smtpd] send attr request = open
Nov 17 21:15:04 [postfix/smtpd] send attr table = unix:passwd.byname
Nov 17 21:15:04 [postfix/smtpd] send attr flags = 64
Nov 17 21:15:04 [postfix/smtpd] private/proxymap socket: wanted attribute: status
Nov 17 21:15:04 [postfix/smtpd] input attribute name: status
Nov 17 21:15:04 [postfix/smtpd] input attribute value: 0
Nov 17 21:15:04 [postfix/smtpd] private/proxymap socket: wanted attribute: flags
Nov 17 21:15:04 [postfix/smtpd] input attribute name: flags
Nov 17 21:15:04 [postfix/smtpd] input attribute value: 80
Nov 17 21:15:04 [postfix/smtpd] private/proxymap socket: wanted attribute: (list terminator)
Nov 17 21:15:04 [postfix/smtpd] input attribute name: (end)
Nov 17 21:15:04 [postfix/smtpd] dict_proxy_open: connect to map=unix:passwd.byname status=0 server_flags=0120
Nov 17 21:15:04 [postfix/smtpd] dict_open: proxy:unix:passwd.byname
Nov 17 21:15:04 [postfix/smtpd] dict_open: hash:/etc/mail/aliases
Nov 17 21:15:04 [postfix/smtpd] match_string: smtpd_access_maps ~? debug_peer_list
Nov 17 21:15:04 [postfix/smtpd] match_string: smtpd_access_maps ~? fast_flush_domains
Nov 17 21:15:04 [postfix/smtpd] match_string: smtpd_access_maps ~? mynetworks
Nov 17 21:15:04 [postfix/smtpd] match_string: smtpd_access_maps ~? permit_mx_backup_networks
Nov 17 21:15:04 [postfix/smtpd] match_string: smtpd_access_maps ~? qmqpd_authorized_clients
Nov 17 21:15:04 [postfix/smtpd] match_string: smtpd_access_maps ~? relay_domains
Nov 17 21:15:04 [postfix/smtpd] match_string: smtpd_access_maps ~? smtpd_access_maps
Nov 17 21:15:04 [postfix/smtpd] smtpd_sasl_initialize: SASL config file is smtpd.conf
Nov 17 21:15:04 [postfix/smtpd] starting TLS engine
Nov 17 21:15:04 [postfix/smtpd] match_string: fast_flush_domains ~? debug_peer_list
Nov 17 21:15:04 [postfix/smtpd] match_string: fast_flush_domains ~? fast_flush_domains
Nov 17 21:15:04 [postfix/smtpd] watchdog_create: 0x809dcf8 18000
Nov 17 21:15:04 [postfix/smtpd] watchdog_stop: 0x809dcf8
Nov 17 21:15:04 [postfix/smtpd] watchdog_start: 0x809dcf8
Nov 17 21:15:04 [postfix/smtpd] connection established
Nov 17 21:15:04 [postfix/smtpd] master_notify: status 0
Nov 17 21:15:04 [postfix/smtpd] name_mask: resource
Nov 17 21:15:04 [postfix/smtpd] name_mask: software
Nov 17 21:15:04 [postfix/smtpd] name_mask: noanonymous
Nov 17 21:15:04 [postfix/smtpd] connect from unknown[192.168.4.101]
Nov 17 21:15:04 [postfix/smtpd] match_list_match: unknown: no match
Nov 17 21:15:04 [postfix/smtpd] match_list_match: 192.168.4.101: no match
Nov 17 21:15:04 [postfix/smtpd] match_list_match: unknown: no match
Nov 17 21:15:04 [postfix/smtpd] match_list_match: 192.168.4.101: no match
Nov 17 21:15:04 [postfix/smtpd] > unknown[192.168.4.101]: 220 smtp.zerochill.com ESMTP Postfix
Nov 17 21:15:04 [postfix/smtpd] watchdog_pat: 0x809dcf8
Nov 17 21:15:04 [postfix/smtpd] < unknown[192.168.4.101]: EHLO [127.0.0.1]
Nov 17 21:15:04 [postfix/smtpd] > unknown[192.168.4.101]: 250-smtp.zerochill.com
Nov 17 21:15:04 [postfix/smtpd] > unknown[192.168.4.101]: 250-PIPELINING
Nov 17 21:15:04 [postfix/smtpd] > unknown[192.168.4.101]: 250-SIZE 10240000
Nov 17 21:15:04 [postfix/smtpd] > unknown[192.168.4.101]: 250-VRFY
Nov 17 21:15:04 [postfix/smtpd] > unknown[192.168.4.101]: 250-ETRN
Nov 17 21:15:04 [postfix/smtpd] > unknown[192.168.4.101]: 250-STARTTLS
Nov 17 21:15:04 [postfix/smtpd] match_list_match: unknown: no match
Nov 17 21:15:04 [postfix/smtpd] match_list_match: 192.168.4.101: no match
Nov 17 21:15:04 [postfix/smtpd] > unknown[192.168.4.101]: 250 8BITMIME
Nov 17 21:15:04 [postfix/smtpd] watchdog_pat: 0x809dcf8
Nov 17 21:15:06 [postfix/smtpd] < unknown[192.168.4.101]: QUIT
Nov 17 21:15:06 [postfix/smtpd] > unknown[192.168.4.101]: 221 Bye
Nov 17 21:15:06 [postfix/smtpd] disconnect from unknown[192.168.4.101]
Nov 17 21:15:06 [postfix/smtpd] master_notify: status 1
Nov 17 21:15:06 [postfix/smtpd] connection closed
```

So you can see that it has two TLS entries in it:

```
Nov 17 21:15:04 [postfix/smtpd] starting TLS engine
```

and

```
Nov 17 21:15:04 [postfix/smtpd] > unknown[192.168.4.101]: 250-STARTTLS
```

Now, when TLS was working and I sent an email, there was a lot of TLS-related output in the mail logs.
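The two verbose logs in this thread differ in one telling way: with TLS off the EHLO reply advertises `AUTH LOGIN PLAIN`, and with TLS on it advertises `STARTTLS` but no `AUTH`, after which the client simply sends `QUIT`. No `STARTTLS` command ever arrives, so there is nothing for the TLS engine to log. The added example below (editor's code, not from the thread or from Postfix) turns that reading into a small classifier for `smtpd -v` output: it splits the log into connect/disconnect sessions, records what the server advertised, whether the client issued `STARTTLS`, whether Postfix logged `TLS connection established`, and whether a `235` authentication reply followed, and gives each session a one-word verdict. Two of the sample logs are trimmed from the logs posted above; the third, showing a healthy session, is constructed (the pid, the cipher string and the timestamps are made up) and uses the classic syslog layout so both log formats are exercised.

```python
"""Classify smtpd -v sessions by what happened around STARTTLS and AUTH.

Added example, not code from the thread or from Postfix. It reads the verbose
smtpd log lines ('> peer: reply' and '< peer: command') and decides whether a
TLS session was offered, started, established, and followed by a successful AUTH.
"""
import re
from dataclasses import dataclass

# Accepts the metalog layout used in the thread ("[postfix/smtpd] ...") and
# the classic syslog layout ("host postfix/smtpd[pid]: ...").
_LINE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (?:\S+ )?\[?postfix/smtpd(?:\[\d+\])?\]?:? (?P<body>.*)$")
_PEER = r"(?P<peer>\S+\[[0-9a-fA-F.:]+\])"
_CONNECT = re.compile(r"^connect from " + _PEER)
_DISCONNECT = re.compile(r"^disconnect from " + _PEER)
_TLS_UP = re.compile(r"^TLS connection established from " + _PEER)
_SERVER = re.compile(r"^> " + _PEER + r": (?P<text>.*)$")
_CLIENT = re.compile(r"^< " + _PEER + r": (?P<text>.*)$")


@dataclass
class Session:
    peer: str
    advertised_starttls: bool = False
    advertised_auth_cleartext: bool = False  # AUTH offered before any TLS was up
    client_sent_starttls: bool = False
    tls_established: bool = False
    auth_succeeded: bool = False


def parse_sessions(lines):
    """Split smtpd -v output into one Session per connect/disconnect pair."""
    sessions, cur = [], None
    for raw in lines:
        m = _LINE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        if (c := _CONNECT.match(body)):
            cur = Session(peer=c.group("peer"))
            sessions.append(cur)
        elif cur is None:
            continue  # startup noise outside any client session
        elif _DISCONNECT.match(body):
            cur = None
        elif _TLS_UP.match(body):
            cur.tls_established = True
        elif (s := _SERVER.match(body)):
            text = s.group("text")
            if re.match(r"250[- ]STARTTLS$", text):
                cur.advertised_starttls = True
            elif re.match(r"250[- ]AUTH[ =]", text) and not cur.tls_established:
                cur.advertised_auth_cleartext = True
            elif text.startswith("235 "):
                cur.auth_succeeded = True
        elif (k := _CLIENT.match(body)) and k.group("text").upper().startswith("STARTTLS"):
            cur.client_sent_starttls = True
    return sessions


def diagnose(s):
    """One-word verdict per session; most specific condition first."""
    if s.client_sent_starttls and not s.tls_established:
        return "tls-handshake-failed"       # server side: check smtpd_tls_loglevel output
    if s.advertised_starttls and not s.client_sent_starttls:
        return "client-never-started-tls"   # the client saw STARTTLS and quit anyway
    if s.advertised_auth_cleartext:
        return "auth-offered-in-cleartext"  # smtpd_tls_auth_only = yes would prevent this
    if s.tls_established and s.auth_succeeded:
        return "auth-over-tls-ok"
    return "inconclusive"


def diagnose_log(text):
    return [(s.peer, diagnose(s)) for s in parse_sessions(text.splitlines())]


# Trimmed from the thread's first verbose log (TLS disabled).
LOG_TLS_OFF = """\
Nov 17 00:13:37 [postfix/smtpd] connect from casper.zerochill.com[192.168.4.101]
Nov 17 00:13:37 [postfix/smtpd] < casper.zerochill.com[192.168.4.101]: EHLO [127.0.0.1]
Nov 17 00:13:37 [postfix/smtpd] > casper.zerochill.com[192.168.4.101]: 250-AUTH LOGIN PLAIN
Nov 17 00:13:37 [postfix/smtpd] > casper.zerochill.com[192.168.4.101]: 250-AUTH=LOGIN PLAIN
Nov 17 00:13:41 [postfix/smtpd] < casper.zerochill.com[192.168.4.101]: QUIT
Nov 17 00:13:41 [postfix/smtpd] disconnect from casper.zerochill.com[192.168.4.101]
"""
# Trimmed from the thread's second verbose log (TLS enabled, client gives up).
LOG_TLS_ON_CLIENT_QUIT = """\
Nov 17 21:15:04 [postfix/smtpd] connect from unknown[192.168.4.101]
Nov 17 21:15:04 [postfix/smtpd] < unknown[192.168.4.101]: EHLO [127.0.0.1]
Nov 17 21:15:04 [postfix/smtpd] > unknown[192.168.4.101]: 250-STARTTLS
Nov 17 21:15:06 [postfix/smtpd] < unknown[192.168.4.101]: QUIT
Nov 17 21:15:06 [postfix/smtpd] disconnect from unknown[192.168.4.101]
"""
# Constructed: what a healthy STARTTLS + AUTH session looks like (syslog layout).
LOG_TLS_OK = """\
Nov 17 22:01:10 smtp postfix/smtpd[4242]: connect from unknown[192.168.4.101]
Nov 17 22:01:10 smtp postfix/smtpd[4242]: > unknown[192.168.4.101]: 250-STARTTLS
Nov 17 22:01:10 smtp postfix/smtpd[4242]: < unknown[192.168.4.101]: STARTTLS
Nov 17 22:01:11 smtp postfix/smtpd[4242]: TLS connection established from unknown[192.168.4.101]: TLSv1 with cipher AES256-SHA (256/256 bits)
Nov 17 22:01:11 smtp postfix/smtpd[4242]: > unknown[192.168.4.101]: 250-AUTH LOGIN PLAIN
Nov 17 22:01:11 smtp postfix/smtpd[4242]: < unknown[192.168.4.101]: AUTH LOGIN
Nov 17 22:01:12 smtp postfix/smtpd[4242]: > unknown[192.168.4.101]: 235 Authentication successful
Nov 17 22:01:12 smtp postfix/smtpd[4242]: < unknown[192.168.4.101]: QUIT
Nov 17 22:01:12 smtp postfix/smtpd[4242]: disconnect from unknown[192.168.4.101]
"""

if __name__ == "__main__":
    for name, log in (("tls off", LOG_TLS_OFF), ("tls on", LOG_TLS_ON_CLIENT_QUIT), ("ok", LOG_TLS_OK)):
        print(name, diagnose_log(log))
```

The verdict for the second log is `client-never-started-tls`, which points away from the server and towards the client, the conclusion the thread eventually reaches. The `tls-handshake-failed` branch is the one you would expect to see if the certificate or key were the problem: the client does send `STARTTLS`, and the missing `TLS connection established` line is where the `smtpd_tls_loglevel` output becomes relevant.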

----------

## jhboricua

Hmmmmm, ooooooooook,

I tried to do this from work and TLS works.  So it seems that this is a local issue: when I try to email from inside my home network, TLS does not work.  It used to, though.

----------

## jhboricua

I'm still at a loss on this and it is irritating to some degree.

I still cannot do SMTP-AUTH via TLS from inside my LAN, but it works just fine outside of it.  Has someone run into this problem too?  It is strictly a TLS issue at this point: it's not working from inside the LAN in which the server resides.

Anyone?

----------

## jhboricua

I've run into an interesting discovery on this.  I hope someone can duplicate it.

All this time, using Thunderbird, I'm not able to do TLS SMTP-AUTH with Postfix from inside the same subnet as my home server.  The TLS portion just hangs.  I've reinstalled TBird and wiped my profile but still no dice.  I never get a prompt to accept the self-signed certificate at all. So...

I installed Thunderbird on my work laptop and tried again to send a test msg from inside my home LAN, same behavior.  Logs show the TLS portion starting when I try to do the SMTP-AUTH, but it just hangs and TBird complains with an error message that it cannot send the test email.  This is a new TBird install on this laptop too, and I never get a certificate prompt.  So it's not working, right???

HOWEVER,

Once at work, I try and, true enough, I fire up TBird and when I press 'send' I get the certificate prompt, and after accepting it the test email goes out just fine.

The Kicker????

Once I get back home, I try again with the laptop from inside the LAN and now it authenticates just fine using SMTP-AUTH with TLS.  The difference from my home computer being that when I took my laptop to work I was able to install the certificate because I got prompted to.

But on my home computer I never get prompted by TBird to install the cert.  I suspect if I take my HUNK of Desktop PC outside my LAN and try to do it from the WAN, I'll get prompted to install the certificate.

So the bottom line with Thunderbird is that something is preventing the certificate prompt from showing up when trying to do SMTP-AUTH TLS from inside the same LAN as the server.

I wonder if anyone can replicate this behaviour.

----------

## computx

If you think Thunderbird is blocking the prompt to accept the cert, then moving your .thunderbird directory elsewhere temporarily and retrying might be helpful. Perhaps an extension or a misconfiguration in your prefs is the culprit.

Edit: didn't see that it worked from a different location. Now it looks possibly like a firewall issue to me.

----------

## jhboricua

To clarify, I don't get the prompt to accept the certificate from inside my home network, which is the same network where my Gentoo mail server is, so it is unlikely to be a firewall issue; I'm already inside the firewall.

I do get the cert prompt outside of my home network, and once it is installed, I can do SMTP-AUTH with TLS from inside my home network.

I'm trying to figure out why I don't get the cert install prompt from inside my home network on a fresh install of TBird. I will try another mail client to see if I get the cert install prompt from inside my network; that way I'll be able to narrow it down to a client issue or not.

----------

## digimonkey

*jhboricua wrote:*

> To clarify, I don't get the prompt to accept the certificate from inside my home network, which is the same network where my Gentoo mail server is, so it is unlikely to be a firewall issue; I'm already inside the firewall.
> 
> I do get the cert prompt outside of my home network, and once it is installed, I can do SMTP-AUTH with TLS from inside my home network.
> 
> I'm trying to figure out why I don't get the cert install prompt from inside my home network on a fresh install of TBird. I will try another mail client to see if I get the cert install prompt from inside my network; that way I'll be able to narrow it down to a client issue or not.

Unfortunately I don't have any solution or ideas on this at the moment, but I wanted to let you know that I am having the exact same issue.  I thought it might be something with TBird at first, but my certs for IMAP go through and I tried manually installing a cert for the mail server and had no luck.  Tomorrow I'll see if I can get it to go from work and let you know the results.

----------

## phoe

I've been trying to get this running and having the exact same issues.

I noticed today a small line in messages:

```
Oct 18 15:17:52 bigbox postfix/smtpd[6329]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
```

Not sure what this is a part of, but probably part of the TLS disappearing act I'm getting.

----------

## eNTi

having similar problems. any progress on this?

update: have a look here, maybe that helps.

----------

