1

Topic: After Update SMTPS blocked

Hi there,

I'm using iRedMail 0.7.4 with Debian Squeeze and a MySQL backend. I've updated this installation from 0.7.4.rc3 to this version.

The upgrade went well and receiving is fine, even through IMAPS (port 993).

But sending through port 465 SSL is not possible anymore, because the port is not open.

I'm using the standard config files with my own certificate links. (which are working fine)

Is there anybody with the same problem? Is there any option I've forgotten to enable?


2

Re: After Update SMTPS blocked

Did you change some Postfix settings?
According to the upgrade tutorial for 0.7.4-rc3, we didn't touch Postfix settings at all, so it cannot be caused by upgrading.

3

Re: After Update SMTPS blocked

ZhangHuangbin wrote:

Did you change some Postfix settings?
According to the upgrade tutorial for 0.7.4-rc3, we didn't touch Postfix settings at all, so it cannot be caused by upgrading.


I've just changed the linked certs to my own, that's all. I will post my config in a few minutes.

4

Re: After Update SMTPS blocked

Tallaril wrote:

I've just changed the linked certs to my own

I think there may be something wrong with file permission on your own certs. Could you please show us the output of command "ls -l" of your certs? For example, default iRedMail certs:

# ls -l /etc/ssl/certs/iRedMail_CA.pem
# ls -l /etc/ssl/private/iRedMail.key

To make things easy, you can fix it with read permission:

# chmod +r /etc/ssl/certs/iRedMail_CA.pem /etc/ssl/private/iRedMail.key

If you prefer advanced file permission control, use file system ACL instead. Refer to command 'setfacl' and 'getfacl' for more details.

5

Re: After Update SMTPS blocked

ZhangHuangbin wrote:
Tallaril wrote:

I've just changed the linked certs to my own

I think there may be something wrong with file permission on your own certs. Could you please show us the output of command "ls -l" of your certs? For example, default iRedMail certs:

# ls -l /etc/ssl/certs/iRedMail_CA.pem
# ls -l /etc/ssl/private/iRedMail.key

To make things easy, you can fix it with read permission:

# chmod +r /etc/ssl/certs/iRedMail_CA.pem /etc/ssl/private/iRedMail.key

If you prefer advanced file permission control, use file system ACL instead. Refer to command 'setfacl' and 'getfacl' for more details.


I see, but the permissions are set correctly. Read permissions are given for all. Dovecot is also able to read them, and I've changed the certs in dovecot.conf too.

The main problem is that port 465 is not open, and all requests to this service are blocked by this issue.

I will post my main.cf:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname
relayhost =
mynetworks = 127.0.0.0/8
inet_interfaces = all
recipient_delimiter = +

virtual_alias_domains =
myhostname = mail.t4hosting.de
myorigin = mail.t4hosting.de
mydomain = t4hosting.de
inet_protocols = ipv4
mynetworks_style = subnet
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_reject_unlisted_recipient = yes
smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated
delay_warning_time = 0h
policy_time_limit = 3600
maximal_queue_lifetime = 1d
bounce_queue_lifetime = 1d
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domai$
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,permit_sasl_authenticated, check_helo_access pcre:/etc/postfix/helo_access.pcre
queue_run_delay = 300s
minimal_backoff_time = 300s
maximal_backoff_time = 4000s
enable_original_recipient = no
disable_vrfy_command = yes
home_mailbox = Maildir/
allow_min_user = no
message_size_limit = 15728640
virtual_minimum_uid = 1000
virtual_uid_maps = static:1000
virtual_gid_maps = static:1000
virtual_mailbox_base = /var/vmail
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf, proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/c$
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf, proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf, proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf
relay_domains = $mydestination, proxy:mysql:/etc/postfix/mysql/relay_domains.cf
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_authenticated_header = no
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted$
smtpd_tls_security_level = may
smtpd_enforce_tls = no
smtpd_tls_loglevel = 0
smtpd_tls_key_file = /etc/ssl/mail_t4hosting_de.key
smtpd_tls_cert_file = /etc/ssl/mail_t4hosting_de.crt
smtpd_tls_CAfile = /etc/ssl/mail_t4hosting_de.ca
tls_random_source = dev:/dev/urandom
tls_daemon_random_source = dev:/dev/urandom
#
# Uncomment the following line to enable policyd sender throttle.
#
#smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10032
mailbox_command = /usr/lib/dovecot/deliver
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = ./dovecot-auth
content_filter = smtp-amavis:[127.0.0.1]:10024
smtp-amavis_destination_recipient_limit = 1


The only lines I've changed are:


smtpd_tls_key_file = /etc/ssl/mail_t4hosting_de.key
smtpd_tls_cert_file = /etc/ssl/mail_t4hosting_de.crt
smtpd_tls_CAfile = /etc/ssl/mail_t4hosting_de.ca

6

Re: After Update SMTPS blocked

Tallaril wrote:

smtpd_tls_key_file = /etc/ssl/mail_t4hosting_de.key
smtpd_tls_cert_file = /etc/ssl/mail_t4hosting_de.crt
smtpd_tls_CAfile = /etc/ssl/mail_t4hosting_de.ca

Please check the Postfix log file; is there any cert-related log when you restarted the Postfix service? There should be some.

7

Re: After Update SMTPS blocked

ZhangHuangbin wrote:
Tallaril wrote:

smtpd_tls_key_file = /etc/ssl/mail_t4hosting_de.key
smtpd_tls_cert_file = /etc/ssl/mail_t4hosting_de.crt
smtpd_tls_CAfile = /etc/ssl/mail_t4hosting_de.ca

Please check the Postfix log file; is there any cert-related log when you restarted the Postfix service? There should be some.


Unfortunately ... not

The only log I've got on restart is:

Feb  2 10:17:56 mail postfix/master[15432]: terminating on signal 15
Feb  2 10:17:56 mail postfix/master[15632]: daemon started -- version 2.7.1, configuration /etc/postfix

/var/log/syslog and /var/log/mail.log

There is no specific logfile for postfix in my system.

8

Re: After Update SMTPS blocked

Is there any error log when a client connects to port 465?
Can you see this port in the output of the command below:

# netstat -ntlp

9 (edited by Tallaril 2012-02-02 19:27:46)

Re: After Update SMTPS blocked

ZhangHuangbin wrote:

Is there any error log when a client connects to port 465?
Can you see this port in the output of the command below:

# netstat -ntlp

There is no error log at all; the client can't reach port 465, that's why the mail server doesn't recognise any error:

netstat -tulpen

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      0          115727025   313/apache2     
tcp        0      0 127.0.0.1:4190          0.0.0.0:*               LISTEN      0          115798418   2307/dovecot   
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      0          115798415   2307/dovecot   
tcp        0      0 127.0.0.1:7777          0.0.0.0:*               LISTEN      0          115727714   745/python     
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      0          115798417   2307/dovecot   
tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN      106        115798639   2339/amavisd (maste
tcp        0      0 127.0.0.1:10025         0.0.0.0:*               LISTEN      0          116374572   15632/master   
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      103        115727826   880/mysqld     
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      0          116374557   15632/master   
tcp        0      0 127.0.0.1:9998          0.0.0.0:*               LISTEN      106        115798640   2339/amavisd (maste
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      0          115798416   2307/dovecot   
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      0          115798414   2307/dovecot   
tcp        0      0 127.0.0.1:10031         0.0.0.0:*               LISTEN      0          115728520   1074/postfix-policy
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      0          115726891   216/portmap     
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          115727023   313/apache2     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          115728530   1075/sshd       
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      0          116374438   15632/master   
tcp6       0      0 :::22                   :::*                    LISTEN      0          115728532   1075/sshd       
udp        0      0 0.0.0.0:111             0.0.0.0:*                           0          115726890   216/portmap

Apache SSL is working fine, even Dovecot SSL...

Like I said before, port 465 is not open and will not be opened, and I don't know why. :(
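As an added example (not code from iRedMail, Postfix or any poster in this thread), here is a small POSIX shell script that turns the manual "look for the port in netstat" check from the posts above into a repeatable one: it parses `netstat -ntlp` / `netstat -tulpen` style output, lists the expected submission ports that have no listener, and names the program behind a listening port. The embedded listing is a constructed excerpt of the output posted above, trimmed to a few lines; the `--live` switch and the port list 25/465/587 are assumptions for illustration.

```shell
#!/bin/sh
# Added example for this thread: report which expected mail ports have no
# TCP listener, based on netstat output. SAMPLE_NETSTAT is a constructed
# excerpt of the listing posted in the thread (PIDs/inodes not meaningful).

SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      0          115798415   2307/dovecot
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      0          116374557   15632/master
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      0          116374438   15632/master
tcp6       0      0 :::22                   :::*                    LISTEN      0          115728532   1075/sshd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           0          115726890   216/portmap
EOF
)

# Print every TCP port in LISTEN state, one per line, deduplicated.
# The port is the last colon-separated part of "Local Address", which also
# copes with IPv6 wildcards such as ":::22". UDP lines are ignored.
listening_ports() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")
            print a[n]
        }' | sort -un
}

# Usage: missing_ports "<netstat text>" port [port ...]
# Prints, space separated, the expected ports that have no listener;
# empty output means everything expected is listening.
missing_ports() {
    text=$1
    shift
    have=$(listening_ports "$text")
    missing=""
    for p in "$@"; do
        if ! printf '%s\n' "$have" | grep -qx "$p"; then
            missing="$missing $p"
        fi
    done
    printf '%s\n' "${missing# }"
}

# Usage: listener_program "<netstat text>" port
# Prints the PID/Program column (e.g. "15632/master") of the first TCP
# listener on that port, or nothing when the port is not listening.
listener_program() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == port) { print $NF; exit }
        }'
}

# Against the constructed sample, 465 is the only expected port missing
# (25 and 587 are served by the Postfix master process).
echo "Missing submission ports: $(missing_ports "$SAMPLE_NETSTAT" 25 465 587)"
echo "Port 587 is served by: $(listener_program "$SAMPLE_NETSTAT" 587)"

# Assumed convenience switch: with --live, run the same check on this host.
if [ "${1:-}" = "--live" ] && command -v netstat >/dev/null 2>&1; then
    echo "Missing on this host: $(missing_ports "$(netstat -ntlp 2>/dev/null)" 25 465 587)"
fi
```

Run it as `sh check_ports.sh` to see the sample result, or `sh check_ports.sh --live` on the mail server itself (as root, so netstat can show program names). An empty "Missing" line for 25/587 together with 465 reported as missing is exactly the situation in this thread: Postfix is up, but nothing is bound to the SMTPS port.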

10

Re: After Update SMTPS blocked

Tallaril wrote:

tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      0          116374557   15632/master   

Port 587 is secured submission; you should use this one instead of 465.