Subject: Re: Next Step : postfix / sasl / tls - pkgsrc 2004Q4
To: Peter I. Hansen <pih@bsdmail.dk>
From: Asmodehn Shade <asmodehn@9online.fr>
List: netbsd-users
Date: 02/21/2005 23:51:31
Hello again,

continuing the story...

postfix (2.1.5) is set up (from pkgsrc-current) with sasl2 and 
cyrus-imap22 / sasl2 also.
everything is running on NetBSD 2.0.1
The next step is to use TLS encryption...

First I enable TLS in Postfix like this:

| main.cf |
=======
[...]
# SASL setup
#
broken_sasl_auth_client = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains

# TLS setup
#
#smtp_tls_cert_file = /etc/ssl/private/mycert.pem
#smtp_tls_key_file = /etc/ssl/private/mycert.pem
#smtp_tls_CAfile = /etc/ssl/private/mycert.pem
#smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_enforce_tls = yes
smtpd_tls_cert_file = /etc/ssl/private/mycert.pem
smtpd_tls_key_file = /etc/ssl/private/mycert.pem
smtpd_tls_CAfile = /etc/ssl/private/mycert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
#smtpd_tls_session_cache_database = sdbm:/var/run/smtpd_tls_session_cache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
================================

| master.cf |
========
[...]
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
#smtp      inet  n       -       n       -       -       smtpd
#submission inet n      -       n       -       -       smtpd
#       -o smtpd_etrn_restrictions=reject
smtp    inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission   inet    n       -       n       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr   fifo  -       -       n       300     1       tlsmgr
[...]
==============================

But TLS negotiation seems to time out...
When I try to connect to the server with Thunderbird or with telnet, the 
result is the same:

>  telnet localhost 25
> Trying ::1...
> telnet: connect to address ::1: Connection refused
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> EHLO test.net
> Connection closed by foreign host.


Here is the maillog:

Feb 21 23:34:19 Asmodehn postfix/master[600]: reload configuration
Feb 21 23:34:22 Asmodehn postfix/smtpd[946]: starting TLS engine
Feb 21 23:34:22 Asmodehn postfix/smtpd[946]: setting up TLS connection from localhost[127.0.0.1]
Feb 21 23:34:22 Asmodehn postfix/smtpd[946]: SSL_accept:before/accept initialization
Feb 21 23:34:22 Asmodehn postfix/smtpd[946]: read from 08094F40 [080B0000] (11 bytes => -1 (0xFFFFFFFF))
Feb 21 23:34:22 Asmodehn postfix/smtpd[946]: SSL_accept:error in SSLv2/v3 read client hello A
Feb 21 23:34:28 Asmodehn postfix/smtpd[946]: read from 08094F40 [080B0000] (11 bytes => 11 (0xB))
Feb 21 23:34:28 Asmodehn postfix/smtpd[946]: 0000 45 48 4c 4f 20 62 6f 75|68 2e 6e     EHLO bou h.n
Feb 21 23:34:28 Asmodehn postfix/smtpd[946]: SSL_accept:error in SSLv2/v3 read client hello A
Feb 21 23:34:28 Asmodehn postfix/smtpd[946]: SSL_accept error from localhost[127.0.0.1]: -1
Feb 21 23:34:28 Asmodehn postfix/smtpd[946]: 946:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:/usr/src/crypto/dist/openssl/ssl/s23_srvr.c:585:


Can anyone help me with any hint or clue?
I don't see what I'm missing... I suppose the handshake failed... but 
what am I missing?

Thank you,

--
Asmodehn

Peter I. Hansen wrote:

> Asmodehn Shade wrote:
>
>> OK I build postfix from pkgsrc current.
>>
>> But the setup is a bit hard... Do you know good howtos to do that on 
>> netbsd2 ?
>> Or can you give me any hints ?
>>
>> I promise I won't bother you anymore with this ;-)
>>
>> Thanks a lot !
>>
>> -- 
>> Asmodehn
>
>
> Setting up postfix is easy :)
>
> General howtos are the netbsd guide on alternative MTAs:
>
> http://netbsd.org/guide/en/chap-mail.html#chap-mail-sendmail-alternative-mta 
>
>
> and of course the howtos in the postfix documentation.
>
> http://www.postfix.org/documentation.html
>
> have fun with it
>
> -Peter
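The maillog in the post above already contains the answer in its hex dump: the 11 bytes that SSL_accept read where it expected a TLS ClientHello are `45 48 4c 4f 20 ...`, i.e. the ASCII text `EHLO ...`. That is what a plaintext SMTP client produces when it connects to a listener running with `smtpd_tls_wrappermode=yes` (implicit TLS, normally reserved for the smtps port), which is what the master.cf above configures on port 25, where clients expect STARTTLS instead. The script below is an added example, not part of this thread or of Postfix: it parses `smtpd_tls_loglevel = 3` output of the shape shown in the post and classifies each failed handshake by what the client actually sent first, so that a "wrong protocol on this port" mistake is separated from a real TLS negotiation failure. The log sample is constructed: the pid 946 session is the post's own lines re-joined, the pid 951 session, its peer `mail.example.net[192.0.2.10]` and its error line are made up to exercise the TLS-record branch.

```python
"""Classify failed Postfix smtpd TLS handshakes from maillog lines (added example)."""
import re
from dataclasses import dataclass

# Constructed sample input: pid 946 is the thread's own session re-joined onto
# single lines; pid 951 is a made-up session whose first bytes are a TLS record,
# so the classifier's other branch is exercised. Neither peer/error is real data.
SAMPLE_LOG = """\
Feb 21 23:34:22 Asmodehn postfix/smtpd[946]: setting up TLS connection from localhost[127.0.0.1]
Feb 21 23:34:22 Asmodehn postfix/smtpd[946]: SSL_accept:before/accept initialization
Feb 21 23:34:22 Asmodehn postfix/smtpd[946]: read from 08094F40 [080B0000] (11 bytes => -1 (0xFFFFFFFF))
Feb 21 23:34:22 Asmodehn postfix/smtpd[946]: SSL_accept:error in SSLv2/v3 read client hello A
Feb 21 23:34:28 Asmodehn postfix/smtpd[946]: read from 08094F40 [080B0000] (11 bytes => 11 (0xB))
Feb 21 23:34:28 Asmodehn postfix/smtpd[946]: 0000 45 48 4c 4f 20 62 6f 75|68 2e 6e     EHLO bou h.n
Feb 21 23:34:28 Asmodehn postfix/smtpd[946]: SSL_accept error from localhost[127.0.0.1]: -1
Feb 21 23:34:28 Asmodehn postfix/smtpd[946]: 946:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:/usr/src/crypto/dist/openssl/ssl/s23_srvr.c:585:
Feb 21 23:40:02 Asmodehn postfix/smtpd[951]: setting up TLS connection from mail.example.net[192.0.2.10]
Feb 21 23:40:02 Asmodehn postfix/smtpd[951]: 0000 16 03 01 00 8b 01 00 00|87 03 01 42     ........ ...B
Feb 21 23:40:02 Asmodehn postfix/smtpd[951]: 951:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:0:
"""

# Line shapes taken from the log above: peer announcement, hex dump row, OpenSSL error.
PEER_RE = re.compile(r"postfix/smtpd\[(\d+)\]: setting up TLS connection from (\S+)")
DUMP_RE = re.compile(r"postfix/smtpd\[(\d+)\]: [0-9a-f]{4} ([0-9a-f]{2}(?:[ |][0-9a-f]{2})*)(?:\s|$)")
ERR_RE = re.compile(r"postfix/smtpd\[(\d+)\]: \d+:error:[0-9A-Fa-f]+:SSL routines:([^:]+):([^:]+):")

# SMTP verbs a client may send first on a plaintext (STARTTLS-style) port.
SMTP_VERBS = (b"EHLO", b"HELO", b"STARTTLS", b"QUIT", b"NOOP", b"RSET")


@dataclass
class Session:
    pid: str
    peer: str
    first_bytes: bytes = b""   # first hex-dump row of the session, decoded
    ssl_error: str = ""        # "FUNCTION:reason" from the OpenSSL error line


@dataclass
class Finding:
    pid: str
    peer: str
    first_bytes: bytes
    ssl_error: str
    kind: str
    explanation: str


def classify(first_bytes: bytes) -> tuple[str, str]:
    """Say what kind of client sent these bytes right after connecting."""
    if not first_bytes:
        return "no-data", "client sent nothing before the handshake failed"
    if len(first_bytes) >= 2 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        # 0x16 = TLS handshake record, 0x03 = SSL3/TLS major version.
        return "tls-record", ("client sent a TLS record, so the port/protocol choice is right; "
                              "the OpenSSL error names the real cause (cipher, version, certificate)")
    if len(first_bytes) >= 3 and first_bytes[0] & 0x80 and first_bytes[2] == 0x01:
        # SSLv2-compatible ClientHello: 2-byte length with high bit set, then msg type 1.
        return "sslv2-hello", "client sent an SSLv2-compatible ClientHello"
    if first_bytes.upper().startswith(SMTP_VERBS):
        return "plaintext-smtp", ("client spoke plaintext SMTP where smtpd expected a TLS handshake; "
                                  "this is what smtpd_tls_wrappermode=yes on port 25 produces, since "
                                  "port 25 clients use STARTTLS and wrapper mode belongs on a separate smtps port")
    return "unknown", "first bytes are neither a TLS record nor an SMTP command"


def parse_sessions(log_text: str) -> list[Session]:
    """Group maillog lines by smtpd pid; keep only the first dump row per session."""
    sessions: dict[str, Session] = {}
    for line in log_text.splitlines():
        if m := PEER_RE.search(line):
            sessions[m.group(1)] = Session(pid=m.group(1), peer=m.group(2))
        elif (m := DUMP_RE.search(line)) and m.group(1) in sessions:
            s = sessions[m.group(1)]
            if not s.first_bytes:
                s.first_bytes = bytes.fromhex(re.sub(r"[ |]", "", m.group(2)))
        elif (m := ERR_RE.search(line)) and m.group(1) in sessions:
            sessions[m.group(1)].ssl_error = f"{m.group(2)}:{m.group(3)}"
    return list(sessions.values())


def diagnose(log_text: str) -> list[Finding]:
    """One Finding per TLS session seen in the log, in order of first appearance."""
    findings = []
    for s in parse_sessions(log_text):
        kind, why = classify(s.first_bytes)
        findings.append(Finding(s.pid, s.peer, s.first_bytes, s.ssl_error, kind, why))
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f"smtpd[{f.pid}] {f.peer}: {f.kind} ({f.ssl_error or 'no OpenSSL error line'})")
        print(f"  first bytes: {f.first_bytes!r}")
        print(f"  {f.explanation}")
```

Run on the sample, the pid 946 session comes out as `plaintext-smtp` with first bytes `b'EHLO bouh.n'` and the `SSL23_GET_CLIENT_HELLO:unknown protocol` error, while the constructed pid 951 session is classified as `tls-record`, where the OpenSSL reason string, not the listener mode, is what to look at. The hex-dump regex relies on the two or more spaces Postfix prints between the hex column and the ASCII column, as in the post's own line.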