I ran into a problem which I just cannot solve by googling it - I need some expert help. My company runs its own mailserver (postfix with zarafa groupware). We're an insurance company, so we often receive mails with personal information which should not be read by others. So one of our partners only wants to send them encrypted, which is totally reasonable. But it just doesn't seem to work for external users. I really don't know how to explain that, but I'll try:
They did a check on our mailserver via:
openssl s_client -host mx01.cevo.de -port 25 -starttls smtp -debug
Which fails with this output:
CONNECTED(00000003)
read from 0xec56b0 [0xec57e0] (4096 bytes => 38 (0x26))
0000 - 32 32 30 20 6d 78 30 31-2e 63 65 76 6f 2e 64 65 220 mx01.cevo.de
0010 - 20 45 53 4d 54 50 20 53-65 72 76 69 63 65 20 72 ESMTP Service r
0020 - 65 61 64 79 0d 0a eady..
write to 0xec56b0 [0xec67f0] (25 bytes => 25 (0x19))
0000 - 45 48 4c 4f 20 6f 70 65-6e 73 73 6c 2e 63 6c 69 EHLO openssl.cli
0010 - 65 6e 74 2e 6e 65 74 0d-0a ent.net..
read from 0xec56b0 [0xec57e0] (4096 bytes => 94 (0x5E))
0000 - 32 35 30 2d 52 65 71 75-65 73 74 65 64 20 6d 61 250-Requested ma
0010 - 69 6c 20 61 63 74 69 6f-6e 20 6f 6b 61 79 2c 20 il action okay,
0020 - 63 6f 6d 70 6c 65 74 65-64 0d 0a 32 35 30 2d 53 completed..250-S
0030 - 49 5a 45 20 32 30 34 38-30 30 30 30 0d 0a 32 35 IZE 20480000..25
0040 - 30 2d 45 54 52 4e 0d 0a-32 35 30 2d 38 42 49 54 0-ETRN..250-8BIT
0050 - 4d 49 4d 45 0d 0a 32 35-30 20 4f 4b 0d 0a MIME..250 OK..
didn't found starttls in server response, try anyway...
write to 0xec56b0 [0x7fffd07d4ae0] (10 bytes => 10 (0xA))
0000 - 53 54 41 52 54 54 4c 53-0d 0a STARTTLS..
read from 0xec56b0 [0xeb79b0] (8192 bytes => 30 (0x1E))
0000 - 35 30 33 20 42 61 64 20-73 65 71 75 65 6e 63 65 503 Bad sequence
0010 - 20 6f 66 20 63 6f 6d 6d-61 6e 64 73 0d 0a of commands..
write to 0xec56b0 [0xec5730] (317 bytes => 317 (0x13D))
0000 - 16 03 01 01 38 01 00 01-34 03 03 94 e2 69 f3 8f ....8...4....i..
0010 - cb a4 fd 61 49 3f 15 c4-5d a2 3f ca 4e f0 a9 eb ...aI?..].?.N...
0020 - 71 72 6b ce 65 00 b9 0c-e1 ee 9f 00 00 9e c0 30 qrk.e..........0
0030 - c0 2c c0 28 c0 24 c0 14-c0 0a c0 22 c0 21 00 a3 .,.(.$.....".!..
0040 - 00 9f 00 6b 00 6a 00 39-00 38 00 88 00 87 c0 32 ...k.j.9.8.....2
0050 - c0 2e c0 2a c0 26 c0 0f-c0 05 00 9d 00 3d 00 35 ...*.&.......=.5
0060 - 00 84 c0 12 c0 08 c0 1c-c0 1b 00 16 00 13 c0 0d ................
0070 - c0 03 00 0a c0 2f c0 2b-c0 27 c0 23 c0 13 c0 09 ...../.+.'.#....
0080 - c0 1f c0 1e 00 a2 00 9e-00 67 00 40 00 33 00 32 .........g.@.3.2
0090 - 00 9a 00 99 00 45 00 44-c0 31 c0 2d c0 29 c0 25 .....E.D.1.-.).%
00a0 - c0 0e c0 04 00 9c 00 3c-00 2f 00 96 00 41 c0 11 .......<./...A..
00b0 - c0 07 c0 0c c0 02 00 05-00 04 00 15 00 12 00 09 ................
00c0 - 00 14 00 11 00 08 00 06-00 03 00 ff 01 00 00 6d ...............m
00d0 - 00 0b 00 04 03 00 01 02-00 0a 00 34 00 32 00 0e ...........4.2..
00e0 - 00 0d 00 19 00 0b 00 0c-00 18 00 09 00 0a 00 16 ................
00f0 - 00 17 00 08 00 06 00 07-00 14 00 15 00 04 00 05 ................
0100 - 00 12 00 13 00 01 00 02-00 03 00 0f 00 10 00 11 ................
0110 - 00 23 00 00 00 0d 00 20-00 1e 06 01 06 02 06 03 .#..... ........
0120 - 05 01 05 02 05 03 04 01-04 02 04 03 03 01 03 02 ................
0130 - 03 03 02 01 02 02 02 03-00 0f 00 01 01 .............
^Tread from 0xec56b0 [0xecac90] (7 bytes => 7 (0x7))
0000 - 34 32 31 20 53 4d 54 421 SMT
139855938602656:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:787:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 169 bytes and written 352 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
Here's the log entry from mail.log for that request:
Jan 21 15:09:58 mx01 postfix/smtpd[1401]: connect from ec2-52-31-143-162.eu-west-1.compute.amazonaws.com[52.31.143.162]
Jan 21 15:10:10 mx01 postfix/smtpd[1401]: lost connection after EHLO from ec2-52-31-143-162.eu-west-1.compute.amazonaws.com[52.31.143.162]
Jan 21 15:10:10 mx01 postfix/smtpd[1401]: disconnect from ec2-52-31-143-162.eu-west-1.compute.amazonaws.com[52.31.143.162]
So I tried it from my laptop at work with the same command and it worked without any problem:
CONNECTED(00000003)
read from 0xbdef20 [0xbdf020] (4096 bytes => 32 (0x20))
0000 - 32 32 30 20 6d 78 30 31-2e 63 65 76 6f 2e 64 65 220 mx01.cevo.de
0010 - 20 45 53 4d 54 50 20 50-6f 73 74 66 69 78 0d 0a ESMTP Postfix..
write to 0xbdef20 [0xbe0030] (25 bytes => 25 (0x19))
0000 - 45 48 4c 4f 20 6f 70 65-6e 73 73 6c 2e 63 6c 69 EHLO openssl.cli
0010 - 65 6e 74 2e 6e 65 74 0d-0a ent.net..
read from 0xbdef20 [0xbdf020] (4096 bytes => 138 (0x8A))
0000 - 32 35 30 2d 6d 78 30 31-2e 63 65 76 6f 2e 6c 6f 250-mx01.cevo.lo
0010 - 63 61 6c 0d 0a 32 35 30-2d 50 49 50 45 4c 49 4e cal..250-PIPELIN
0020 - 49 4e 47 0d 0a 32 35 30-2d 53 49 5a 45 20 32 30 ING..250-SIZE 20
0030 - 39 37 31 35 32 30 0d 0a-32 35 30 2d 56 52 46 59 971520..250-VRFY
0040 - 0d 0a 32 35 30 2d 45 54-52 4e 0d 0a 32 35 30 2d ..250-ETRN..250-
0050 - 53 54 41 52 54 54 4c 53-0d 0a 32 35 30 2d 45 4e STARTTLS..250-EN
0060 - 48 41 4e 43 45 44 53 54-41 54 55 53 43 4f 44 45 HANCEDSTATUSCODE
0070 - 53 0d 0a 32 35 30 2d 38-42 49 54 4d 49 4d 45 0d S..250-8BITMIME.
0080 - 0a 32 35 30 20 44 53 4e-0d 0a .250 DSN..
write to 0xbdef20 [0x7ffdc4723d90] (10 bytes => 10 (0xA))
0000 - 53 54 41 52 54 54 4c 53-0d 0a STARTTLS..
read from 0xbdef20 [0xad1c10] (8192 bytes => 30 (0x1E))
0000 - 32 32 30 20 32 2e 30 2e-30 20 52 65 61 64 79 20 220 2.0.0 Ready
0010 - 74 6f 20 73 74 61 72 74-20 54 4c 53 0d 0a to start TLS..
write to 0xbdef20 [0xbdefa0] (318 bytes => 318 (0x13E))
...
subject=/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.cevo.de
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5189 bytes and written 488 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 244534A357837835FF9B28366E16DAA71E7D71C53AA9C0C5BBA8A2CFE065AA5A
Session-ID-ctx:
Master-Key: 9E8041FD2EC1DD4D3F9FDCEC2D920FA35EA403356DC7498767A43CC650314B0378D73BC7E786C29881BAB7EEE123DF6B
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 3600 (seconds)
TLS session ticket:
0000 - 12 89 a5 2e e9 2a 80 e0-29 9a e8 71 41 96 27 ef .....*..)..qA.'.
0010 - 58 29 f0 f7 c1 56 66 9a-9e 9e 7b 0f 47 8f 97 06 X)...Vf...{.G...
0020 - 47 bd 53 50 75 dd 8e 41-4f ea 52 f9 21 fc 30 1a G.SPu..AO.R.!.0.
0030 - 68 55 29 29 3c 33 80 f7-b4 af d6 32 21 80 78 24 hU))<3.....2!.x$
0040 - e7 37 e9 24 77 71 72 58-0e c9 fb 23 2f b8 3c 4d .7.$wqrX...#/.<M
0050 - 31 1b bb 8d bf ca b5 cd-ec 24 81 be e4 4f 00 d4 1........$...O..
0060 - 14 3f e5 68 5b 58 6c 19-b4 a2 03 a7 71 9e f7 58 .?.h[Xl.....q..X
0070 - 7a 0d b8 dc a6 0e 2c b5-24 5f 8e 33 2c 64 c2 82 z.....,.$_.3,d..
0080 - d2 25 ed bd e0 17 90 4a-29 a6 b1 4e f7 19 be d6 .%.....J)..N....
0090 - b0 4d 3f c3 83 29 ec c4-24 e9 5e e0 48 b2 b7 12 .M?..)..$.^.H...
00a0 - 8a 64 02 71 fe c3 42 e0-2b d7 99 da d3 04 7e 60 .d.q..B.+.....~`
Compression: 1 (zlib compression)
Start Time: 1453385327
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
250 DSN
And the log entry for the request:
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: connect from unknown[172.19.5.135]
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: setting up TLS connection from unknown[172.19.5.135]
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: unknown[172.19.5.135]: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:before/accept initialization
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 read client hello A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write server hello A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write certificate A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write key exchange A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write server done A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 flush data
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 read client key exchange A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 read finished A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write session ticket A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write change cipher spec A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write finished A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 flush data
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: Anonymous TLS connection established from unknown[172.19.5.135]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Here's the main.cfg (I removed all comments and unnecessary blank lines):
message_size_limit = 20971520
# mailbox_size_limit = 51200000
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
myhostname = mx01.cevo.local
myorigin = mx01.cevo.local
smtp_helo_name = mx01.cevo.de
append_dot_mydomain = no
inet_interfaces = all
inet_protocols = ipv4
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 127.0.0.0/8 172.19.3.29 172.19.3.36 172.19.3.41 172.19.3.50 172.19.3.123 192.168.100.28 172.19.3.18
masquerade_domains = $mydomain
masquerade_exceptions = root
transport_maps = hash:/etc/postfix/transport
disable_vrfy_command = no
smtpd_banner = mx01.cevo.de ESMTP $mail_name
local_header_rewrite_clients =
virtual_alias_domains =
virtual_alias_maps = hash:/etc/postfix/virtual,
    ldap:/etc/postfix/ldap.groups,
    ldap:/etc/postfix/ldap.distlist,
    ldap:/etc/postfix/ldap.sharedfolderremote,
    ldap:/etc/postfix/ldap.sharedfolderlocal,
    ldap:/etc/postfix/ldap.virtual
virtual_mailbox_domains = ldap:/etc/postfix/ldap.virtualdomains
virtual_mailbox_maps = hash:/etc/postfix/virtual,
    ldap:/etc/postfix/ldap.groups,
    ldap:/etc/postfix/ldap.distlist,
    ldap:/etc/postfix/ldap.sharedfolderremote,
    ldap:/etc/postfix/ldap.sharedfolderlocal,
    ldap:/etc/postfix/ldap.virtual
virtual_transport = lmtp:127.0.0.1:2003
canonical_maps = hash:/etc/postfix/canonical
relocated_maps = hash:/etc/postfix/relocated
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unlisted_recipient
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_starttls_timeout = 300s
smtpd_timeout = 300s
smtpd_tls_cert_file = /etc/ssl/certs/star_cevo_de.pem
smtpd_tls_key_file = /etc/ssl/private/star_cevo_de.key
smtpd_tls_CAfile = /etc/ssl/certs/star_cevo_de.cabundle
smtpd_tls_received_header = no
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtp_tls_security_level = may
broken_sasl_auth_clients = yes
smtp_tls_loglevel = 2
smtpd_tls_loglevel = 2
smtpd_tls_dh1024_param_file = /etc/postfix/dh_2048.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
tls_preempt_cipherlist = yes
smtpd_tls_eecdh_grade = strong
master.cfg:
# ==========================================================================
# service   type  private unpriv  chroot  wakeup  maxproc command + args
#                 (yes)   (yes)   (yes)   (never) (50)
# ==========================================================================
25        inet  n       -       n       -       -       smtpd
465       inet  n       -       n       -       -       smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       nqmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
smtp      unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
local     unix  -       n       n       -       -       local
#virtual  unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
#587      inet  n       -       n       -       -       smtpd -v -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
relay     unix  -       -       n       -       -       smtp
trace     unix  -       -       n       -       0       bounce
proxymap  unix  -       -       n       -       -       proxymap
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       -       -       1       scache
discard   unix  -       -       n       -       -       discard
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
So, as you can see, I can use SSL from my machine (like from the 'inside') but from outside it doesn't work. I'm at the end of my knowledge, which is pretty low when it comes to postfix and mail tbh. I already googled like hell but I didn't find a solution which fixes my problem.
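Added example, not part of the question above and not the poster's own code: a small Python checker that parses the server side of an SMTP session (banner, EHLO reply, reply to STARTTLS) and compares what an outside client saw with what an inside client saw. The two transcripts are the server lines decoded from the two hex dumps above and are embedded as constructed input; the file name, function names and the `probe.example` HELO name are assumptions. Note what the two dumps already show: the outside session gets the banner `ESMTP Service ready` while the inside session gets `ESMTP Postfix` (the configured `smtpd_banner`), the outside EHLO reply advertises `SIZE 20480000` while Postfix advertises its configured `20971520`, STARTTLS is missing from the outside keyword list, and mail.log for the outside session records only "lost connection after EHLO" with no STARTTLS at all. The checker turns exactly those differences into findings, so you can see whether both vantage points are talking to the same software. The `probe` helper is a live variant built on Python's standard `smtplib` (it needs network access and is not exercised offline).

```python
"""Compare the SMTP banner and EHLO reply seen from two vantage points
to spot a path on which STARTTLS is not being offered."""
import re
import smtplib
import sys

# Constructed sample input: the server lines decoded from the two hex dumps
# in the question (banner, EHLO reply, then the reply to STARTTLS).
OUTSIDE_SESSION = [
    "220 mx01.cevo.de ESMTP Service ready",
    "250-Requested mail action okay, completed",
    "250-SIZE 20480000",
    "250-ETRN",
    "250-8BITMIME",
    "250 OK",
    "503 Bad sequence of commands",
]
INSIDE_SESSION = [
    "220 mx01.cevo.de ESMTP Postfix",
    "250-mx01.cevo.local",
    "250-PIPELINING",
    "250-SIZE 20971520",
    "250-VRFY",
    "250-ETRN",
    "250-STARTTLS",
    "250-ENHANCEDSTATUSCODES",
    "250-8BITMIME",
    "250 DSN",
    "220 2.0.0 Ready to start TLS",
]

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def split_replies(lines):
    """Group raw server lines into replies: 'NNN-' continues a reply and
    'NNN ' (space) ends it (RFC 5321 section 4.2.1)."""
    replies, current = [], []
    for line in lines:
        m = REPLY_LINE.match(line.rstrip("\r\n"))
        if not m:
            raise ValueError(f"not an SMTP reply line: {line!r}")
        current.append((m.group(1), m.group(3)))
        if m.group(2) == " ":
            replies.append(current)
            current = []
    if current:
        raise ValueError("transcript ends inside a multi-line reply")
    return replies


def analyse(lines):
    """Return the banner, the EHLO keywords with their parameters and the
    reply code the server gave to STARTTLS (None if the transcript stops earlier)."""
    replies = split_replies(lines)
    if len(replies) < 2:
        raise ValueError("need at least the banner and the EHLO reply")
    banner_code, banner = replies[0][0]
    ehlo = replies[1]
    features = {}
    for _code, text in ehlo[1:]:  # ehlo[0] is the server's own greeting line
        words = text.split()
        if words:
            features[words[0].upper()] = words[1:]
    return {
        "banner": banner,
        "banner_code": banner_code,
        "ehlo_greeting": ehlo[0][1],
        "features": features,
        "starttls_advertised": "STARTTLS" in features,
        "starttls_reply": replies[2][0][0] if len(replies) > 2 else None,
    }


def compare(outside_lines, inside_lines):
    """List the differences between two transcripts that matter for TLS."""
    out, ins = analyse(outside_lines), analyse(inside_lines)
    findings = []
    if out["banner"] != ins["banner"]:
        findings.append(f"banner differs: outside {out['banner']!r}, inside {ins['banner']!r}")
    if out["ehlo_greeting"] != ins["ehlo_greeting"]:
        findings.append(f"EHLO greeting differs: outside {out['ehlo_greeting']!r}, inside {ins['ehlo_greeting']!r}")
    missing = sorted(set(ins["features"]) - set(out["features"]))
    if missing:
        findings.append("EHLO keywords seen inside but not outside: " + ", ".join(missing))
    for key in sorted(set(ins["features"]) & set(out["features"])):
        if ins["features"][key] != out["features"][key]:
            findings.append(f"{key} parameters differ: outside {out['features'][key]}, inside {ins['features'][key]}")
    if out["starttls_reply"] and out["starttls_reply"] != "220":
        findings.append(f"STARTTLS rejected outside with {out['starttls_reply']}")
    return findings


def probe(host, port=25, helo="probe.example"):
    """Live variant (needs network; assumed helper name): same fields as
    analyse() as far as smtplib exposes them."""
    conn = smtplib.SMTP(timeout=15)
    code, banner = conn.connect(host, port)
    conn.ehlo(helo)
    result = {
        "banner": banner.decode(errors="replace"),
        "banner_code": str(code),
        "features": {k.upper(): v.split() for k, v in conn.esmtp_features.items()},
        "starttls_advertised": conn.has_extn("starttls"),
    }
    conn.quit()
    return result


if __name__ == "__main__":
    for finding in compare(OUTSIDE_SESSION, INSIDE_SESSION):
        print("-", finding)
    if len(sys.argv) > 1:  # e.g. python check_starttls.py mx01.cevo.de
        print(probe(sys.argv[1]))
```

Run without arguments it reports the differences between the two pasted sessions; with a hostname it additionally performs a live EHLO from wherever it is run, so the same script can be executed from the partner's side and from inside and the two `probe` results compared with the same logic.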