
I am having a lot of trouble setting up Postfix to do STARTTLS. It seems I can successfully send outgoing mail with Thunderbird, but I can't get the Postman SMTP plugin for WordPress to work with STARTTLS and PLAIN AUTH.

I configured my firewall so that, for mail, only port 25 is open:

    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:memcache
REJECT     tcp  --  anywhere             anywhere             tcp dpts:netbios-ns:netbios-ssn reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere             udp dpts:netbios-ns:netbios-ssn reject-with icmp-port-unreachable
LOG        all  --  anywhere             anywhere             LOG level warning
DROP       all  --  anywhere             anywhere 

main.cf:

    #http://www.postfix.org/TLS_README.html#server_tls
# Postfix main.cf as posted. The comment lines are reviewer notes; the
# settings themselves are unchanged.
myhostname = host.com
# NOTE(review): myorigin is a filesystem path here. Postfix uses myorigin as
# the domain appended to locally submitted mail; /home/mail is also the
# mail_location in dovecot.conf further down, which looks like a copy/paste
# slip -- confirm the intended value (typically $myhostname or $mydomain).
myorigin = /home/mail
# "host..com" (double dot) appears here and in the maillog below; it may be
# a redaction artifact rather than the configured value.
mydomain = host..com
mydestination = $myhostname, localhost, localhost.$mydomain, localhost.localdomain
relayhost =
# Only loopback is trusted. With permit_mynetworks in smtpd_relay_restrictions
# below, a client on this host relays without SASL; every other client must
# authenticate.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
alias_maps = hash:/home/etc/postfix/aliases
alias_database = hash:/home/etc/postfix/aliases
# Older spellings; the *_tls_security_level settings below take precedence
# in Postfix 2.3 and later.
smtpd_use_tls=yes
smtp_use_tls=yes
smtpd_tls_received_header = yes
# AUTH is advertised only after STARTTLS. This matches the plaintext EHLO
# reply in the telnet transcript below, which lists no AUTH line: a client
# that does not (or cannot) STARTTLS is never offered PLAIN.
smtpd_tls_auth_only = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
# The file name suggests a self-signed certificate. A client that verifies
# the server certificate will refuse it unless it is configured to trust
# this cert/CA -- TODO confirm how Postman behaves on verification failure.
smtpd_tls_cert_file=/home/keys/postfix/certs/certificate-self.crt
smtpd_tls_key_file=/home/keys/postfix/private/private-key.key
smtpd_tls_CAfile = /home/keys/postfix/certs/cacert.pem
# Opportunistic TLS on port 25: STARTTLS is offered, not enforced. The
# submission service in master.cf overrides this with "encrypt".
smtpd_tls_security_level=may
smtp_tls_security_level=may
# Mixes the exclusion form (!SSLv2, !SSLv3) with the inclusion form (TLSv1);
# if the inclusion form is what takes effect, the server is pinned to
# TLS 1.0 only. NOTE(review): confirm the effective protocol list with
# "postconf -n" and prefer the exclusion-only form.
smtpd_tls_protocols = !SSLv2, !SSLv3, TLSv1
# NOTE(review): in OpenSSL syntax "RSA+AES" matches every AES suite that is
# authenticated with the RSA certificate (ECDHE-RSA-AES-* included), and
# DSS/ECDSA are excluded as well, so very few suites remain usable with an
# RSA cert. The expanded list is visible in the maillog below -- confirm
# which suites an openssl s_client test actually negotiates.
smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL
# Level 4 is the full debugging level and writes hex/ASCII dumps of the
# handshake to the maillog (see the "read from ... 0000 65 68 6c 6f" lines
# below). Lower it once the problem is found.
smtpd_tls_loglevel = 4
tls_preempt_cipherlist      = yes
smtpd_tls_mandatory_ciphers = high
smtpd_tls_ciphers           = high
smtp_tls_mandatory_ciphers  = $smtpd_tls_mandatory_ciphers
smtp_tls_ciphers            = $smtpd_tls_ciphers
lmtp_tls_mandatory_ciphers  = $smtpd_tls_mandatory_ciphers
lmtp_tls_ciphers            = $smtpd_tls_ciphers
# Dovecot SASL over the unix socket that dovecot.conf below creates at
# /var/spool/postfix/private/auth (the path here is relative to the Postfix
# queue directory).
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
# Relay only for loopback clients and SASL-authenticated users; anything
# else is rejected unless it is for a local destination.
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject
smtpd_sasl_security_options = noanonymous
# Milter on localhost:12301 (not shown on this page). With
# milter_default_action = accept, mail is still accepted if the milter is
# unreachable.
milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301

master.cf:

# master.cf entries as posted (reviewer notes added as comments only).
# Port-25 smtpd started with -v (verbose). Together with
# smtpd_tls_loglevel = 4 in main.cf this is what makes the maillog below so
# noisy; drop -v once debugging is done.
smtp      inet  n       -       n       -       -       smtpd -v
# Submission (port 587) service: STARTTLS (wrappermode=no), TLS mandatory
# (security_level=encrypt), SASL via the same Dovecot socket as main.cf.
# NOTE(review): the iptables listing above accepts dpt:smtp only and has no
# rule for submission, so external clients such as Postman cannot reach
# this service and end up on port 25 instead.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_wrappermode=no
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth

dovecot.conf:

# dovecot.conf as posted (reviewer notes added as comments only).
# NOTE(review): allows PLAIN/LOGIN without TLS. ssl=required below already
# forces TLS for the IMAP listener, and on the Postfix side
# smtpd_tls_auth_only = yes withholds AUTH until STARTTLS -- confirm this
# still needs to be "no".
disable_plaintext_auth = no
mail_privileged_group = mail
# Same path that main.cf above assigns to myorigin.
mail_location = maildir:/home/mail
# Users are looked up in the system passwd database and passwords are
# checked through PAM, i.e. SMTP AUTH is against system accounts.
userdb {
  driver = passwd
}

passdb {
  driver = pam
}

# Only IMAP is served; Postfix reaches Dovecot's authentication through the
# socket defined below.
protocols = imap

# Auth socket for Postfix: matches smtpd_sasl_path = private/auth relative
# to the Postfix queue directory. mode 0660 with owner/group postfix keeps
# it accessible only to Postfix and root.
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
        user=postfix
        group=postfix
  }
 }
# TLS is mandatory for IMAP; same self-signed certificate as Postfix.
ssl=required
ssl_cert = </home/keys/postfix/certs/certificate-self.crt
ssl_key = </home/keys/postfix/private/private-key.key

maillog:

host..com[74.2.3.193]: 220 2.0.0 Ready to start TLS
Feb 19 13:44:58 li86-193 postfix/smtpd[16864]: setting up TLS connection from host..com[74.2.3.193]
Feb 19 13:44:58 li86-193 postfix/smtpd[16864]: host..com[74.2.3.193]: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH:!aNULL:!LOW:!EXP:!MEDIUM:!ADH:!AECDH:!MD5:!DSS:!ECDSA:!CAMELLIA128:!3DES:!CAMELLIA256:!RSA+AES:!eNULL"
Feb 19 13:44:58 li86-193 postfix/smtpd[16864]: send attr request = seed
Feb 19 13:44:58 li86-193 postfix/smtpd[16864]: send attr size = 32
Feb 19 13:44:58 li86-193 postfix/smtpd[16864]: private/tlsmgr: wanted attribute: status
Feb 19 13:44:58 li86-193 postfix/smtpd[16864]: input attribute name: status
Feb 19 13:44:58 li86-193 postfix/smtpd[16864]: input attribute value: 0
Feb 19 13:44:58 li86-193 postfix/smtpd[16864]: private/tlsmgr: wanted attribute: seed
Feb 19 13:44:58 li86-193 postfix/smtpd[16864]: input attribute name: seed
Feb 19 13:44:58 li86-193 postfix/smtpd[16864]: input attribute value: dgCi5kk5Jn2+7TS3B8+s9oB3mfQL426CwogdB8AWoxE=
Feb 19 13:44:58 li86-193 postfix/smtpd[16864]: private/tlsmgr: wanted attribute: (list terminator)
Feb 19 13:44:58 li86-193 postfix/smtpd[16864]: input attribute name: (end)
Feb 19 13:44:58 li86-193 postfix/smtpd[16864]: SSL_accept:before/accept initialization
Feb 19 13:44:58 li86-193 postfix/smtpd[16864]: read from 56442DA22B30 [56442DA28110] (11 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Feb 19 13:45:01 li86-193 postfix/smtpd[16864]: read from 56442DA22B30 [56442DA28110] (11 bytes => 11 (0xB))
Feb 19 13:45:01 li86-193 postfix/smtpd[16864]: 0000 65 68 6c 6f 20 6c 6f 63|61 6c 68                 ehlo loc alh
Feb 19 13:45:01 li86-193 postfix/smtpd[16864]: SSL_accept:error in SSLv2/v3 read client hello A
Feb 19 13:45:01 li86-193 postfix/smtpd[16864]: SSL_accept error from host..com[74.2.3.193]: -1
Feb 19 13:45:01 li86-193 postfix/smtpd[16864]: warning: TLS library problem: 16864:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:647:

telnet host.com 25:

ehlo localhost
250-host.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
starttls
220 2.0.0 Ready to start TLS
ehlo localhost
Connection closed by foreign host.

I can connect to port 25 with `openssl s_client -starttls smtp` fine.

I have been reading and reading and it's not going anywhere. Please help me find my error. Your help is greatly appreciated.

cs378
    If it works using `openssl s_client -starttls smtp` then it's probably not Postfix's fault. In your telnet example you would have to negotiate encryption yourself after `220 2.0.0 Ready to start TLS`, which the regular telnet program can't do. I suggest looking at Postman's configuration and log to see what it's doing. – DerfK Feb 19 '16 at 21:42
  • Thank you for clearing that up for me. I will check the Postman plugin and see whether there is another way to do STARTTLS – cs378 Feb 26 '16 at 00:10
