Hallo,
ich versuche mir gerade einen Postfixserver aufzusetzen,
scheitere aber aus irgendwelchen Gründen. TLS bekomme ich einfach nicht ans laufen.
Postfix ist Version 2.2.1
Das ganze läuft zwar unter Netbsd sollte aber nicht ausschlaggebend sein... (Sollten nur die Verzeichnisse anders sein, die stimmen aber so...)
Postfix ist mit tls unterstützung gebaut:
ldd /usr/pkg/sbin/postfix
/usr/pkg/sbin/postfix:
-lcrypto.2 => /usr/lib/libcrypto.so.2
-lssl.3 => /usr/lib/libssl.so.3
-lcrypt.0 => /usr/lib/libcrypt.so.0
-lpcre.0 => /usr/pkg/lib/libpcre.so.0
-llber-2.2.7 => /usr/pkg/lib/liblber-2.2.so.7
-lresolv.1 => /usr/lib/libresolv.so.1
-lsasl2.2 => /usr/pkg/lib/libsasl2.so.2
-lldap-2.2.7 => /usr/pkg/lib/libldap-2.2.so.7
-lm.0 => /usr/lib/libm.so.0
-lz.0 => /usr/lib/libz.so.0
-lmysqlclient.14 => /usr/pkg/lib/mysql/libmysqlclient.so.14
-lc.12 => /usr/lib/libc.so.12
saslauth funktioniert ohne tls einwandfrei.
Auszug aus meinen Maillogs:
Apr 1 16:10:00 sun postfix/smtpd[25754]: warning: connect to private/tlsmgr:
Connection refused
Apr 1 16:10:00 sun postfix/smtpd[25754]: warning: problem talking to server
private/tlsmgr: Connection refused
Apr 1 16:10:01 sun postfix/smtpd[25754]: warning: connect to private/tlsmgr:
Connection refused
Apr 1 16:10:01 sun postfix/smtpd[25754]: warning: problem talking to server
private/tlsmgr: Connection refused
Apr 1 16:10:01 sun postfix/smtpd[25754]: warning: no entropy for TLS key
generation: disabling TLS support
Postconf gibt mir folgendes aus:
/usr/pkg/sbin/postconf -n
broken_sasl_auth_clients = yes
command_directory = /usr/pkg/sbin
config_directory = /usr/pkg/etc/postfix
daemon_directory = /usr/pkg/libexec/postfix
debug_peer_level = 2
default_rbl_reply = $rbl_code RBLTRAP: You can't send us a E-mail today!!!
header_checks = regexp:/usr/pkg/etc/postfix/header_checks.regexp
html_directory = no
mail_owner = postfix
mailq_path = /usr/pkg/bin/mailq
manpage_directory = /usr/pkg/man
mime_header_checks = pcre:/usr/pkg/etc/postfix/body_check
mydomain = mruether.de
myhostname = smtp.mruether.de
myorigin = $mydomain
newaliases_path = /usr/pkg/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/pkg/share/doc/postfix
relay_clientcerts = hash:/usr/pkg/etc/postfix/relay_clientcerts
sample_directory = /usr/pkg/share/examples/postfix
sendmail_path = /usr/pkg/sbin/sendmail
setgid_group = maildrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/usr/pkg/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous, noplaintext
smtp_tls_cert_file = /usr/pkg/etc/postfix/certs/smtp.cert
smtp_tls_key_file = /usr/pkg/etc/postfix/certs/smtp.key
smtp_tls_loglevel = 4
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks,
reject_unauth_destination, reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_unknown_recipient_domain,
reject_non_fqdn_hostname, reject_invalid_hostname,
reject_rhsbl_client rhsbl.sorbs.net, reject_rhsbl_sender rhsbl.sorbs.net,
reject_rbl_client opm.blitzed.org, reject_rbl_client cbl.abuseat.org,
reject_rbl_client relays.ordb.org, reject_rbl_client list.dsbl.org,
reject_rbl_client sbl.spamhaus.org, reject_rbl_client
unconfirmed.dsbl.org, reject_rbl_client list.dsbl.org,
reject_rbl_client dynablock.njabl.org, reject_rbl_client
dialup.blacklist.jippg.org, reject_rbl_clientopm.blitzed.org,
reject_rbl_client cbl.abuseat.org, reject_rbl_client multihop.dsbl.org,
reject_rbl_client dialup.rbl.kropka.net, reject_unauth_pipelining
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks, reject_invalid_hostname,
reject_non_fqdn_hostname, reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_unknown_sender_domain,
reject_unknown_recipient_domain, reject_unauth_pipelining,
reject_unauth_destination, reject_rbl_client zombie.dnsbl.sorbs.net,
reject_rbl_client relays.ordb.org, reject_rbl_client opm.blitzed.org,
reject_rbl_client list.dsbl.org, reject_rbl_client sbl.spamhaus.org,
reject_rbl_client blackholes.easynet.nl, reject_rbl_client
unconfirmed.dsbl.org, reject_rbl_client dynablock.njabl.org,
reject_rbl_client dialup.blacklist.jippg.org, reject_rbl_client
cbl.abuseat.org, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks,
reject_unauth_destination, reject_rhsbl_client rhsbl.sorbs.net,
reject_rhsbl_sender rhsbl.sorbs.net, reject_rbl_client relays.ordb.org,
reject_rbl_client list.dsbl.org, reject_rbl_client sbl.spamhaus.org,
reject_rbl_client unconfirmed.dsbl.org, reject_rbl_client list.dsbl.org,
reject_rbl_client dynablock.njabl.org, reject_rbl_client
dialup.blacklist.jippg.org, reject_rbl_client multihop.dsbl.org,
reject_rbl_client dialup.rbl.kropka.net, reject_rbl_client
opm.blitzed.org, reject_rbl_client cbl.abuseat.org,
reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_unknown_recipient_domain, reject_unauth_pipelining
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /usr/pkg/etc/postfix/certs/smtp.cert
smtpd_tls_key_file = /usr/pkg/etc/postfix/certs/smtp.key
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550
meine master.cf:
smtp inet n - n - - smtpd
# only used by postfix-tls
tlsmgr unix n - n 300 1 tlsmgr
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#587 inet n - n - - smtpd -o
smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#submission inet n - n - - smtpd
# -o smtpd_etrn_restrictions=reject
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
#qmgr fifo n - n 300 1 qmgr
qmgr fifo n - n 300 1 oqmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
#
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# See the pipe(8) man page for information about ${recipient} and
# other message envelope options.
#
# maildrop. See the Postfix MAILDROP_README file for details.
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix - n n - - pipe
flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus unix - n n - - pipe
user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
Hoffe, mit den Angaben kann mir jemand helfen...
Die ssl dateien sind für Postfix lesbar. Woran scheitere ich??
Gruß
Mirko
ich versuche mir gerade einen Postfixserver aufzusetzen,
scheitere aber aus irgendwelchen Gründen. TLS bekomme ich einfach nicht ans laufen.
Postfix ist Version 2.2.1
Das ganze läuft zwar unter Netbsd sollte aber nicht ausschlaggebend sein... (Sollten nur die Verzeichnisse anders sein, die stimmen aber so...)
Postfix ist mit tls unterstützung gebaut:
ldd /usr/pkg/sbin/postfix
/usr/pkg/sbin/postfix:
-lcrypto.2 => /usr/lib/libcrypto.so.2
-lssl.3 => /usr/lib/libssl.so.3
-lcrypt.0 => /usr/lib/libcrypt.so.0
-lpcre.0 => /usr/pkg/lib/libpcre.so.0
-llber-2.2.7 => /usr/pkg/lib/liblber-2.2.so.7
-lresolv.1 => /usr/lib/libresolv.so.1
-lsasl2.2 => /usr/pkg/lib/libsasl2.so.2
-lldap-2.2.7 => /usr/pkg/lib/libldap-2.2.so.7
-lm.0 => /usr/lib/libm.so.0
-lz.0 => /usr/lib/libz.so.0
-lmysqlclient.14 => /usr/pkg/lib/mysql/libmysqlclient.so.14
-lc.12 => /usr/lib/libc.so.12
saslauth funktioniert ohne tls einwandfrei.
Auszug aus meinen Maillogs:
Apr 1 16:10:00 sun postfix/smtpd[25754]: warning: connect to private/tlsmgr:
Connection refused
Apr 1 16:10:00 sun postfix/smtpd[25754]: warning: problem talking to server
private/tlsmgr: Connection refused
Apr 1 16:10:01 sun postfix/smtpd[25754]: warning: connect to private/tlsmgr:
Connection refused
Apr 1 16:10:01 sun postfix/smtpd[25754]: warning: problem talking to server
private/tlsmgr: Connection refused
Apr 1 16:10:01 sun postfix/smtpd[25754]: warning: no entropy for TLS key
generation: disabling TLS support
Postconf gibt mir folgendes aus:
/usr/pkg/sbin/postconf -n
broken_sasl_auth_clients = yes
command_directory = /usr/pkg/sbin
config_directory = /usr/pkg/etc/postfix
daemon_directory = /usr/pkg/libexec/postfix
debug_peer_level = 2
default_rbl_reply = $rbl_code RBLTRAP: You can't send us a E-mail today!!!
header_checks = regexp:/usr/pkg/etc/postfix/header_checks.regexp
html_directory = no
mail_owner = postfix
mailq_path = /usr/pkg/bin/mailq
manpage_directory = /usr/pkg/man
mime_header_checks = pcre:/usr/pkg/etc/postfix/body_check
mydomain = mruether.de
myhostname = smtp.mruether.de
myorigin = $mydomain
newaliases_path = /usr/pkg/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/pkg/share/doc/postfix
relay_clientcerts = hash:/usr/pkg/etc/postfix/relay_clientcerts
sample_directory = /usr/pkg/share/examples/postfix
sendmail_path = /usr/pkg/sbin/sendmail
setgid_group = maildrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/usr/pkg/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous, noplaintext
smtp_tls_cert_file = /usr/pkg/etc/postfix/certs/smtp.cert
smtp_tls_key_file = /usr/pkg/etc/postfix/certs/smtp.key
smtp_tls_loglevel = 4
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks,
reject_unauth_destination, reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_unknown_recipient_domain,
reject_non_fqdn_hostname, reject_invalid_hostname,
reject_rhsbl_client rhsbl.sorbs.net, reject_rhsbl_sender rhsbl.sorbs.net,
reject_rbl_client opm.blitzed.org, reject_rbl_client cbl.abuseat.org,
reject_rbl_client relays.ordb.org, reject_rbl_client list.dsbl.org,
reject_rbl_client sbl.spamhaus.org, reject_rbl_client
unconfirmed.dsbl.org, reject_rbl_client list.dsbl.org,
reject_rbl_client dynablock.njabl.org, reject_rbl_client
dialup.blacklist.jippg.org, reject_rbl_clientopm.blitzed.org,
reject_rbl_client cbl.abuseat.org, reject_rbl_client multihop.dsbl.org,
reject_rbl_client dialup.rbl.kropka.net, reject_unauth_pipelining
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks, reject_invalid_hostname,
reject_non_fqdn_hostname, reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_unknown_sender_domain,
reject_unknown_recipient_domain, reject_unauth_pipelining,
reject_unauth_destination, reject_rbl_client zombie.dnsbl.sorbs.net,
reject_rbl_client relays.ordb.org, reject_rbl_client opm.blitzed.org,
reject_rbl_client list.dsbl.org, reject_rbl_client sbl.spamhaus.org,
reject_rbl_client blackholes.easynet.nl, reject_rbl_client
unconfirmed.dsbl.org, reject_rbl_client dynablock.njabl.org,
reject_rbl_client dialup.blacklist.jippg.org, reject_rbl_client
cbl.abuseat.org, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks,
reject_unauth_destination, reject_rhsbl_client rhsbl.sorbs.net,
reject_rhsbl_sender rhsbl.sorbs.net, reject_rbl_client relays.ordb.org,
reject_rbl_client list.dsbl.org, reject_rbl_client sbl.spamhaus.org,
reject_rbl_client unconfirmed.dsbl.org, reject_rbl_client list.dsbl.org,
reject_rbl_client dynablock.njabl.org, reject_rbl_client
dialup.blacklist.jippg.org, reject_rbl_client multihop.dsbl.org,
reject_rbl_client dialup.rbl.kropka.net, reject_rbl_client
opm.blitzed.org, reject_rbl_client cbl.abuseat.org,
reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_unknown_recipient_domain, reject_unauth_pipelining
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /usr/pkg/etc/postfix/certs/smtp.cert
smtpd_tls_key_file = /usr/pkg/etc/postfix/certs/smtp.key
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550
meine master.cf:
smtp inet n - n - - smtpd
# only used by postfix-tls
tlsmgr unix n - n 300 1 tlsmgr
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#587 inet n - n - - smtpd -o
smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#submission inet n - n - - smtpd
# -o smtpd_etrn_restrictions=reject
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
#qmgr fifo n - n 300 1 qmgr
qmgr fifo n - n 300 1 oqmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
#
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# See the pipe(8) man page for information about ${recipient} and
# other message envelope options.
#
# maildrop. See the Postfix MAILDROP_README file for details.
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix - n n - - pipe
flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus unix - n n - - pipe
user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
Hoffe, mit den Angaben kann mir jemand helfen...
Die ssl dateien sind für Postfix lesbar. Woran scheitere ich??
Gruß
Mirko