Relayhosts over both submission and smtps

To: postfix-users%postfix.org@localhost, netbsd-users%NetBSD.org@localhost
Subject: Relayhosts over both submission and smtps
From: Frédéric Fauberteau <triaxx%NetBSD.org@localhost>
Date: Mon, 05 Aug 2019 18:10:59 +0200

My mail server runs postfix 3.4.6 on NetBSD 8.0. I use several senderdependent relayhosts that need authentication:

| sender_dependent_relayhost_maps =  hash:$config_directory/relayhosts
| smtp_sasl_auth_enable =            yes
| smtp_sasl_password_maps =          hash:$config_directory/passwords

Some of these relayhosts use smtps while the others use submission(e.g.):

| triaxx%foobar.org@localhost [smtp.foobar.org]:587
| triaxx%foobar.xyz@localhost [smtp.foobar.xyz]:587
| triaxx%legacy.com@localhost [mail.legacy.com]:465

I use certificate generated by Let's Encrypt. The TLS configuration isas follows:

| smtp_enforce_tls =                 yes
| smtp_tls_CApath =                  /etc/openssl/certs
| smtp_tls_cert_file =               /etc/openssl/certs/$mydomain.pem
| smtp_tls_key_file =                /etc/openssl/private/$mydomain.pem
| smtp_tls_mandatory_ciphers =       high
| smtp_tls_note_starttls_offer =     yes
| smtp_tls_note_starttls_offer =     yes
| smtp_tls_security_level =          may

According to this configuration, if I try to send a mail through a smtpsrelay, I get a message in log:[ postfix/smtp 9055 - - SMTPS wrappermode (TCP port 465) requiressetting "smtp_tls_wrappermode = yes", and "smtp_tls_security_level =encrypt" (or stronger)

Now, if I try to respect these requirements, I get the followingmessages (with smtp_tls_loglevel = 3) when I send a mail through asubmission relay:

[ postfix/smtp 13746 - - initializing the client-side TLS engine

[ postfix/smtp 13746 - - setting up TLS connection tosmtp.gmail.com[64.233.167.109]:587[ postfix/smtp 13746 - - smtp.gmail.com[64.233.167.109]:587: TLS cipherlist "aNULL:-aNULL:HIGH:@STRENGTH:!eNULL"

[ postfix/smtp 13746 - - SSL_connect:before/connect initialization

[ postfix/smtp 13746 - - write to 75D542187400 [75D5421B6000] (517 bytes=> 517 (0x205))[ postfix/smtp 13746 - - 0000 16 03 01 02 00 01 00 01|fc 03 03 37 24 0695 1a ........ ...7$...[ postfix/smtp 13746 - - 0010 2d 4b 7f 33 c3 e9 a2 5c|0e ca b3 a4 30 146c 30 -K.3...\ ....0.l0[ postfix/smtp 13746 - - 0020 44 92 71 c7 d8 ec a1 86|93 91 ce 00 00 96c0 19 D.q..... ........[ postfix/smtp 13746 - - 0030 00 a7 00 6d 00 3a 00 89|c0 30 c0 2c c0 28c0 24 ...m.:.. .0.,.(.$[ postfix/smtp 13746 - - 0040 c0 14 c0 0a 00 a5 00 a3|00 a1 00 9f 00 6b00 6a ........ .....k.j[ postfix/smtp 13746 - - 0050 00 69 00 68 00 39 00 38|00 37 00 36 00 8800 87 .i.h.9.8 .7.6....[ postfix/smtp 13746 - - 0060 00 86 00 85 c0 32 c0 2e|c0 2a c0 26 c0 0fc0 05 .....2.. .*.&....[ postfix/smtp 13746 - - 0070 00 9d 00 3d 00 35 00 84|c0 18 00 a6 00 6c00 34 ...=.5.. .....l.4[ postfix/smtp 13746 - - 0080 00 46 c0 2f c0 2b c0 27|c0 23 c0 13 c0 0900 a4 .F./.+.' .#......[ postfix/smtp 13746 - - 0090 00 a2 00 a0 00 9e 00 67|00 40 00 3f 00 3e00 33 .......g .@.?.>.3[ postfix/smtp 13746 - - 00a0 00 32 00 31 00 30 00 45|00 44 00 43 00 42c0 31 .2.1.0.E .D.C.B.1[ postfix/smtp 13746 - - 00b0 c0 2d c0 29 c0 25 c0 0e|c0 04 00 9c 00 3c00 2f .-.).%.. .....<./[ postfix/smtp 13746 - - 00c0 00 41 00 ff 01 00 01 3d|00 0b 00 04 03 0001 02 .A.....= ........[ postfix/smtp 13746 - - 00d0 00 0a 00 08 00 06 00 17|00 19 00 18 00 2300 00 ........ .....#..[ postfix/smtp 13746 - - 00e0 00 0d 00 20 00 1e 06 01|06 02 06 03 05 0105 02 ... .... ........[ postfix/smtp 13746 - - 00f0 05 03 04 01 04 02 04 03|03 01 03 02 03 0302 01 ........ ........[ postfix/smtp 13746 - - 0100 02 02 02 03 00 0f 00 01|01 00 15 00 f8........ .....

[ postfix/smtp 13746 - - 010d - <SPACES/NULLS>
[ postfix/smtp 13746 - - SSL_connect:SSLv2/v3 write client hello A

[ postfix/smtp 13746 - - read from 75D542187400 [75D5421BC000] (7 bytes=> -1 (0xFFFFFFFFFFFFFFFF))[ postfix/smtp 13746 - - read from 75D542187400 [75D5421BC000] (7 bytes=> 7 (0x7))[ postfix/smtp 13746 - - 0000 32 32 30 20 73 6d 74220 smt[ postfix/smtp 13746 - - SSL_connect:error in SSLv2/v3 read server helloA[ postfix/smtp 13746 - - SSL_connect error tosmtp.gmail.com[64.233.167.109]:587: -1[ postfix/smtp 13746 - - warning: TLS library problem:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknownprotocol:/usr/src/crypto/external/bsd/openssl/dist/ssl/s23_clnt.c:794:

[ postfix/smtp 13746 - - 370FC270D7: Cannot start TLS: handshake failure

If I understand correctly, smtp cannot read the HELO sent bysmtp.gmail.com because submission is configured to use STARTTLS andexchange messages in clear before instantiating a TLS communication.


My question is:
Is it possible to manage this use case with postfix only?

I thought to smtp_tls_policy_maps but it remains smtp_tls_wrappermodethat does not seem to be selectable according to a dedicatedrelayhost...

Prev by Date: Re: log-structured filesystem in netbsd : still there?
Next by Date: 9.0_BETA suffers from lib/53675 (ldaps won't work)
Previous by Thread: log-structured filesystem in netbsd : still there?
Next by Thread: 9.0_BETA suffers from lib/53675 (ldaps won't work)
Indexes:

Home | Main Index | Thread Index | Old Index