
I want to enable STARTTLS on port 25, but for unknown reasons it only works on port 465.

master.cf:

smtp      inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtp
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
#submission inet n       -       -       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=no
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

main.cf:

smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_restrictions = permit_mynetworks, reject_unknown_client
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname
smtpd_recipient_limit = 25
smtpd_tls_CAfile = /root/chain.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /root/cert.pem
smtpd_tls_key_file = /root/key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_prng_update_period = 3600s
tls_random_source = dev:/dev/urandom

Now when I try to check the certificate with openssl s_client -connect hostname:25 I get this error:

CONNECTED(00000003)
write:errno=104
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 308 bytes

On port 465 everything works fine, so the certificate and CA chain is correct.

Log says:

postfix/smtp/smtpd[2623]: SSL_accept error
postfix/smtp/smtpd[2623]: warning: TLS library problem: 2623:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:649:

Help is highly appreciated!

JohnnyFromBF
  • In your master.cf, the `smtps` line (a.k.a. port 465) is commented out. How can Postfix be listening on port 465? – masegaloeh Mar 19 '15 at 16:24
  • I tried the same config on port 465 and it worked perfectly, thus I know it can't be the cert or CA chain. – JohnnyFromBF Mar 19 '15 at 17:51
  • Ah, I see... Actually with `smtpd_tls_wrappermode=yes` you don't enable STARTTLS, but SMTPS instead. Anyway, what's the output of openssl and the postfix log entries when you connect to port 465? – masegaloeh Mar 19 '15 at 19:04
  • Turns out this is perfectly normal and the config seems okay since I get this openssl error message with every TLS supporting MX listening on port 25. Guess I misunderstood how STARTTLS works. – JohnnyFromBF Mar 20 '15 at 15:57
  • SMTPS (typically over port 465, deprecated) is not STARTTLS (typically over port 587), these are two different things. SMTPS requires a dedicated port, STARTTLS could be used on port 25 as an option. – basic6 Sep 02 '15 at 16:13

1 Answer


SMTPS means SMTP over TLS, like with HTTPS. So first a TLS connection is established (without fallback), and then SMTP is started. Just as nobody expects HTTPS on the HTTP-Port 80, you should not expect that anybody who connects to your SMTP-service sends TLS requests. Thus, all connections to your server on port 25 will likely fail, if you enforce TLS!

STARTTLS makes encryption optional. First, a normal, unencrypted SMTP connection is established and then the server announces that it can upgrade to TLS (using a so-called SMTP extension, STARTTLS). If the client also supports STARTTLS (and it is enabled for usage), then the client requests the upgrade to TLS.

SMTPS (SMTP over TLS) is enabled in Postfix via smtpd_tls_wrappermode=yes, you set that for the smtp service, thus on port 25. As written above, this is not recommended.

I want to cite parts of Bettercrypto's paper Applied Crypto Hardening on this issue for both master.cf and main.cf. You may also consult it, as you probably have some settings in your main.cf that are hindering proper setup of TLS usage.

main.cf:

# enable opportunistic TLS support in the SMTP server and client
smtpd_tls_security_level = may
smtp_tls_security_level = may
# if you have authentication enabled, only offer it after STARTTLS
smtpd_tls_auth_only = yes

master.cf:

smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt

We don't set anything new for TLS on port 25, as the defaults in main.cf are all we need.

anastrophe
sebix
  • Yeah but why does a professional hoster like hosteurope.de have an MX that receives mail only on port 25, but supports TLS as you can check [here](https://www.checktls.com/TestReceiver) when typing in anybody@hosteurope.de? I guess because it relays mails to some postfix server behind it but all that happens only on port 25, you can nmap the MX, there's only port 25 open. – JohnnyFromBF Mar 21 '15 at 17:43
  • mx0.hosteurope.de doesn't use SMTPS, but STARTTLS. You can test it by using `openssl s_client -connect mx0.hosteurope.de:25`, this fails, but `telnet mx0.hosteurope.de 25` succeeds. – sebix Mar 21 '15 at 19:24
  • Yes and that's exactly what I want. – JohnnyFromBF Mar 22 '15 at 11:37
  • And that's exactly what my answer does. If you have problems or questions, please **describe** them, including expected and observed behavior. Or give the hostname, so we can look into it and see what's supported currently. (It's facing the public internet anyway.) – sebix Mar 22 '15 at 11:58
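The exchange the answer and sebix's comment describe (plain 220 banner, EHLO reply advertising STARTTLS, then the TLS upgrade) as an added example; this is not code from the question, the answer, or Postfix. The `SmtpConversation` class and the `probe_canned`/`probe_live` helpers are names chosen here, and the three server transcripts are constructed, not captured from any real host. The class drives the pre-TLS part of the session over any pair of file-like objects, so the same logic classifies canned output offline and, in `probe_live`, a real port (the equivalent of `openssl s_client -starttls smtp -connect host:25`, which is how a STARTTLS port should be inspected; a bare `-connect` sends a TLS ClientHello where the server expects an SMTP command, which is the failure seen in the question).

```python
"""Tell a STARTTLS port from an SMTPS (wrapper-mode) port, from the client side.

Added example; not code from the question, the answer, or Postfix. On a
STARTTLS port the server speaks plain SMTP first: a '220' banner, then an
EHLO reply that lists STARTTLS, and TLS begins only after the client sends
STARTTLS. On a wrapper-mode port (smtpd_tls_wrappermode=yes) the server
expects a TLS ClientHello as the very first bytes and sends no banner.
"""
import io
import socket
import ssl


class SmtpConversation:
    """Drive the pre-TLS part of an SMTP session over file-like transports.

    rfile/wfile only need readline()/write() on bytes, so the same logic
    runs against canned server output (offline) or a real socket.
    """

    def __init__(self, rfile, wfile, ehlo_name="probe.example"):
        self.rfile, self.wfile, self.ehlo_name = rfile, wfile, ehlo_name
        self.extensions = []

    def _read_reply(self):
        """Read one SMTP reply; '250-...' lines continue it, '250 ...' ends it."""
        lines = []
        while True:
            raw = self.rfile.readline()
            if not raw:
                raise ConnectionError("no SMTP reply (server silent or closed)")
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            if len(line) < 3 or not line[:3].isdigit():
                raise ValueError(f"not an SMTP reply line: {line!r}")
            lines.append(line[4:])
            if len(line) == 3 or line[3] == " ":
                return int(line[:3]), lines

    def _send(self, cmd):
        self.wfile.write((cmd + "\r\n").encode("ascii"))

    def offers_starttls(self):
        """True when the banner is plain SMTP and the EHLO reply advertises STARTTLS."""
        code, _ = self._read_reply()            # expect '220 host ESMTP ...'
        if code != 220:
            return False
        self._send(f"EHLO {self.ehlo_name}")
        code, lines = self._read_reply()        # '250-host', '250-STARTTLS', ...
        if code != 250:
            return False
        # first line is the server name; the remaining lines are extension keywords
        self.extensions = [l.split()[0].upper() for l in lines[1:] if l.strip()]
        return "STARTTLS" in self.extensions

    def request_starttls(self):
        """Send STARTTLS; True when the server answers 220 (ready for TLS)."""
        self._send("STARTTLS")
        code, _ = self._read_reply()
        return code == 220


# Constructed server transcripts (not captured from any real host).
STARTTLS_SERVER = (b"220 mx.example ESMTP Postfix\r\n"
                   b"250-mx.example\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
                   b"250-STARTTLS\r\n250 8BITMIME\r\n"
                   b"220 2.0.0 Ready to start TLS\r\n")
PLAIN_SERVER = b"220 mx.example ESMTP\r\n250-mx.example\r\n250 8BITMIME\r\n"
WRAPPER_SERVER = b""   # wrapper mode: no banner, the server waits for a ClientHello


def probe_canned(server_bytes):
    """Run the client logic against canned server output and summarise the result."""
    rfile, wfile = io.BytesIO(server_bytes), io.BytesIO()
    conv = SmtpConversation(rfile, wfile)
    try:
        if not conv.offers_starttls():
            verdict = "plain-only"          # SMTP, but no STARTTLS extension
        elif conv.request_starttls():
            verdict = "starttls"            # client may now start the TLS handshake
        else:
            verdict = "starttls-refused"
    except ConnectionError:
        verdict = "no-banner"               # implicit TLS (SMTPS) or nothing listening
    except ValueError:
        verdict = "not-smtp"
    return {"verdict": verdict, "extensions": conv.extensions,
            "sent": wfile.getvalue().decode("ascii")}


def probe_live(host, port=25, timeout=10):
    """Network version: negotiate STARTTLS and return the peer certificate's subject."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        conv = SmtpConversation(sock.makefile("rb"), sock.makefile("wb", buffering=0))
        if not (conv.offers_starttls() and conv.request_starttls()):
            return None
        ctx = ssl.create_default_context()  # verifies the chain against system CAs
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert().get("subject")


if __name__ == "__main__":
    for name, script in [("starttls", STARTTLS_SERVER), ("plain", PLAIN_SERVER),
                         ("wrapper", WRAPPER_SERVER)]:
        print(name, probe_canned(script))
```

The canned run shows the three client-side views: a STARTTLS port yields a banner, an extension list containing STARTTLS and a 220 reply to the STARTTLS command; a port without the extension yields a banner but no upgrade; a wrapper-mode port yields nothing at all, because Postfix is waiting for a ClientHello rather than sending a banner. `probe_live` is only for a real host and is not exercised offline.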