# Getting smtps to work in postfix



## BeastieBoy (Sep 4, 2010)

Hi,

I have a working mail server for imap+smtp that uses dovecot and postfix.

I want to add imaps+smtps support. Connection through imaps works, but smtps fails.

Here is what I currently have in my /var/log/maillog file:


```
SSL_accept error
```

From within Mail.app I ran the connection doctor and saw:


```
WROTE Sep 04 22:16:39.962 [kCFStreamSocketSecurityLevelNegotiatedSSL]  -- host: xxx.xxx.xxx.xxx -- port:993 -- socket:0x795f380 -- 
thread:0x61d7040
3.15 LOGOUT

CONNECTED Sep 04 22:17:09.567 [kCFStreamSocketSecurityLevelNone]  -- host: xxx.xxx.xxx.xxx -- port:2465 -- socket:0x7d1a370 -- 
thread:0x7d1cb70
```

Which proves imaps works. By the way, don't pay attention to the 2465 port; it's to bypass my ISP lock.

To test manual access to smtps I issued:

```
$ openssl s_client -connect my.server.ip.Address:2465
```

And I get the following message:

```
CONNECTED(00000003)
depth=0 C = AU, ST = Some-State, O = Blabla, CN = mail.mysite.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = Some-State, O = Blabla, CN = mail.mysite.com
verify return:1
---
Certificate chain
 0 s:/C=AU/ST=Some-State/O=Blabla/CN=mail.mysite.com
   i:/C=AU/ST=Some-State/O=Blabla/CN=mail.mysite.com
---
Server certificate
-----BEGIN CERTIFICATE-----
blablabla
-----END CERTIFICATE-----
subject=/C=AU/ST=Some-State/O=Blabla/CN=mail.mysite.com
issuer=/C=AU/ST=Some-State/O=Blabla/CN=mail.mysite.com
---
No client certificate CA names sent
---
SSL handshake has read 1432 bytes and written 409 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 1C9E2D01DDAEF3B49B4DEBA04F6B9BC45714B17DB75AA
    Session-ID-ctx: 
    Master-Key: D5549E87AEA778AF74162A6C7C08FDDA6FDC0C8CBA78692DC0EB50D2B87B0771862708CB
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:
    0000 - 38 11 b6 1d 73 8b 0a 48-25 3a 7c c7 de ef 21 3a   8...s..H%:|...!:

    Start Time: 1283631128
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
220 mysite.com ESMTP Postfix
EHLO dude
250-mysite.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
```

So it seems to work.

Any idea what could prevent smtps from working? Could it be the ssl certificate of postfix which I generated myself?

I'm sure there are millions of reasons, but I have a simple setup so it should be an easy issue to fix.


Thanks in advance for your support.
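The `openssl s_client` transcript in the post carries most of what a mail admin needs to judge the listener: whether an SMTP banner arrives after the handshake (so the port really is wrapper-mode SMTPS rather than STARTTLS), the verify return code, the key size, the protocol version, and which SASL mechanisms are offered. The script below is an added example, not code from the thread; it parses a constructed, abbreviated transcript shaped like the poster's output (names such as `mail.mysite.com` and the `Blabla` organisation are the post's placeholders) and turns the facts into findings. The thresholds it applies (2048-bit keys, TLS 1.2 or later) are my own choice of present-day checks, not something the page states.

```python
"""Read `openssl s_client -connect host:port` output and list TLS findings.

Added example; it is not code from the thread. The transcript below is a
constructed abbreviation shaped like the poster's output, and the thresholds
(2048-bit keys, TLS 1.2+) are the checks I would apply today, not the page's.
"""
import re

# Constructed sample transcript (abbreviated; identifiers are placeholders).
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=0 C = AU, ST = Some-State, O = Blabla, CN = mail.mysite.com
verify error:num=18:self signed certificate
verify return:1
---
Certificate chain
 0 s:/C=AU/ST=Some-State/O=Blabla/CN=mail.mysite.com
   i:/C=AU/ST=Some-State/O=Blabla/CN=mail.mysite.com
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 18 (self signed certificate)
---
220 mysite.com ESMTP Postfix
EHLO dude
250-mysite.com
250-PIPELINING
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 DSN
"""


def parse_s_client(text):
    """Extract the handshake facts a mail admin cares about from s_client output."""
    info = {"connected": "CONNECTED(" in text, "verify_code": None,
            "verify_reason": None, "protocol": None, "cipher": None,
            "key_bits": None, "secure_renegotiation": None, "greeting": None,
            "auth_mechs": [], "self_signed": False}
    m = re.search(r"Verify return code: (\d+) \((.*?)\)", text)
    if m:
        info["verify_code"], info["verify_reason"] = int(m.group(1)), m.group(2)
    m = re.search(r"^\s*Protocol\s*:\s*(\S+)", text, re.M)
    if m:
        info["protocol"] = m.group(1)
    m = re.search(r"^\s*Cipher\s*:\s*(\S+)", text, re.M)
    if m:
        info["cipher"] = m.group(1)
    m = re.search(r"Server public key is (\d+) bit", text)
    if m:
        info["key_bits"] = int(m.group(1))
    m = re.search(r"Secure Renegotiation IS (NOT )?supported", text)
    if m:
        info["secure_renegotiation"] = m.group(1) is None
    # A 220 banner after the handshake shows the port is wrapper-mode SMTPS.
    m = re.search(r"^220 (.*)$", text, re.M)
    if m:
        info["greeting"] = m.group(1)
    m = re.search(r"^250[- ]AUTH ([A-Z0-9 ]+)$", text, re.M)
    if m:
        info["auth_mechs"] = m.group(1).split()
    # Chain entry 0 whose subject equals its issuer is a self-signed certificate.
    m = re.search(r"^ 0 s:(.*)\n\s+i:(.*)$", text, re.M)
    if m:
        info["self_signed"] = m.group(1).strip() == m.group(2).strip()
    return info


def assess(info):
    """Turn parsed facts into findings; an empty list means nothing to fix."""
    findings = []
    if not info["connected"]:
        return ["no TCP connection established"]
    if info["greeting"] is None:
        findings.append("no SMTP banner after the TLS handshake")
    if info["verify_code"] != 0:
        findings.append("certificate not verifiable: %s (code %s)"
                        % (info["verify_reason"], info["verify_code"]))
    if info["self_signed"]:
        findings.append("self-signed server certificate; clients will warn "
                        "unless they explicitly trust it")
    if info["key_bits"] is not None and info["key_bits"] < 2048:
        findings.append("RSA key is %d bits; 2048 is the minimum" % info["key_bits"])
    if info["protocol"] in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"):
        findings.append("negotiated %s; TLS 1.2 or later expected" % info["protocol"])
    if info["secure_renegotiation"] is False:
        findings.append("secure renegotiation (RFC 5746) not supported")
    if info["auth_mechs"]:
        findings.append("plaintext SASL mechanisms offered (%s); acceptable only "
                        "inside TLS" % ", ".join(info["auth_mechs"]))
    return findings


if __name__ == "__main__":
    for line in assess(parse_s_client(SAMPLE_S_CLIENT_OUTPUT)):
        print("-", line)
```

Run it against real output by piping: `openssl s_client -connect host:465 < /dev/null | python3 check.py` after swapping the constant for `sys.stdin.read()`. The point of the banner check is the one that matters for this thread: on a wrapper-mode port the 220 greeting only appears inside TLS, so a client configured for plain or STARTTLS on that port never sees it, while the server side logs a failed `SSL_accept`.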


----------



## BeastieBoy (Sep 4, 2010)

I added port 587 by uncommenting the submission line for postfix, and now there is more activity in Mail.app doctor, but still no completed connection.


----------



## BeastieBoy (Sep 4, 2010)

Where is CA.pl on FreeBSD 8?


----------



## graudeejs (Sep 5, 2010)

BeastieBoy said:

> Where is CA.pl on FreeBSD 8?



/usr/src/crypto/openssl/apps/CA.pl


----------



## AlexJ (Sep 12, 2010)

master.cf:

```
# smtps listener (port 465): wrapper mode negotiates TLS before any SMTP
# command, so the SASL mechanisms below are only ever offered inside TLS
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

main.cf:


```
smtpd_tls_security_level = may
smtp_tls_security_level = may

smtp_tls_ciphers = export
smtp_tls_protocols = !SSLv2

smtp_tls_note_starttls_offer = yes


# private key
smtp_tls_key_file = /etc/ssl/YourDomain.com/key/YourDomain.com.key
# Signed by CA public key
smtp_tls_cert_file = /etc/ssl/YourDomain.com/crt/YourDomain.com.crt
# CA
smtp_tls_CAfile = /etc/ssl/cert.pem


# private key
smtpd_tls_key_file = /etc/ssl/YourDomain.com/key/YourDomain.com.key
# Signed by CA public key
smtpd_tls_cert_file = /etc/ssl/YourDomain.com/crt/YourDomain.com.crt
# CA
smtpd_tls_CAfile = /etc/ssl/cert.pem

smtp_tls_session_cache_database = btree:/var/db/postfix/smtp_scache
smtpd_tls_session_cache_database = btree:/var/db/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s

smtp_tls_scert_verifydepth = 5

smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes

tls_random_source = dev:/dev/urandom
```

Install /usr/ports/security/nss, and create a symlink to /etc/ssl/cert.pem from /usr/local/share/certs/ca-root-nss.crt.
By doing this you will have a fresh CA bundle from Mozilla.
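The master.cf/main.cf pair above is where the implicit-TLS versus STARTTLS decision is made: `-o` lines on a service override main.cf for that listener only, and `smtpd_tls_wrappermode=yes` is what makes `smtps` expect TLS before the first SMTP command. The following audit script is an added example, not code from the thread or from Postfix; it parses both file formats, merges each listener's overrides over main.cf, and reports the TLS mode per inet `smtpd` listener plus whether SASL authentication would be reachable over plaintext. The sample configs are constructed after the posted ones (a plain `smtp` listener and a `submission` listener with `smtpd_tls_security_level=encrypt` are added so all three modes show up), and the service-name-to-port mapping is the conventional one from /etc/services, which I am assuming rather than reading.

```python
"""Audit which Postfix listeners use implicit TLS (wrapper mode) vs STARTTLS.

Added example, not code from the thread or from Postfix itself. It reads the
two file formats (service lines with "-o key=value" continuations in
master.cf, "key = value" in main.cf), merges the per-service overrides over
main.cf, and reports each smtpd listener's TLS mode plus whether SASL
authentication is reachable over plaintext. The sample configs are
constructed after the ones posted above, with smtp and submission added.
"""
import re

# Constructed sample master.cf; smtp and submission are added so all modes appear.
MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
pickup    fifo  n       -       n       60      1       pickup
"""

# Constructed sample main.cf (paths are the placeholders from the posted config).
MAIN_CF = """\
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/ssl/YourDomain.com/key/YourDomain.com.key
smtpd_tls_cert_file = /etc/ssl/YourDomain.com/crt/YourDomain.com.crt
smtpd_tls_CAfile = /etc/ssl/cert.pem
smtpd_tls_loglevel = 1
"""

# Assumed conventional ports for the service names; a numeric name is a port.
DEFAULT_PORTS = {"smtp": 25, "submission": 587, "smtps": 465}


def parse_main_cf(text):
    """Return main.cf as a dict of parameter -> value."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params


def parse_master_cf(text):
    """Return one dict per service: name, type, command and its -o overrides."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            # Indented "-o key=value" lines belong to the preceding service.
            m = re.match(r"\s*-o\s+([^=\s]+)=(\S*)", raw)
            if m and services:
                services[-1]["overrides"][m.group(1)] = m.group(2)
            continue
        fields = raw.split()
        if len(fields) >= 8:
            services.append({"name": fields[0], "type": fields[1],
                             "command": fields[7], "overrides": {}})
    return services


def audit(master_text, main_text):
    """Map each inet smtpd listener to its TLS mode and any plaintext-auth issue."""
    params = parse_main_cf(main_text)
    report = {}
    for svc in parse_master_cf(master_text):
        if svc["type"] != "inet" or svc["command"] != "smtpd":
            continue  # pickup, qmgr, local delivery etc. do not listen for clients
        eff = dict(params)
        eff.update(svc["overrides"])  # -o overrides win over main.cf
        wrapper = eff.get("smtpd_tls_wrappermode", "no") == "yes"
        level = eff.get("smtpd_tls_security_level", "none")
        sasl = eff.get("smtpd_sasl_auth_enable", "no") == "yes"
        auth_only = eff.get("smtpd_tls_auth_only", "no") == "yes"
        if wrapper:
            mode = "implicit TLS (wrapper mode): TLS first, then SMTP"
        elif level == "none":
            mode = "no TLS"
        elif level == "may":
            mode = "STARTTLS offered, plaintext still accepted"
        else:
            mode = "STARTTLS required (%s)" % level
        tls_guaranteed = wrapper or level not in ("none", "may")
        issues = []
        if (wrapper or level != "none") and not (
                eff.get("smtpd_tls_cert_file") and eff.get("smtpd_tls_key_file")):
            issues.append("TLS enabled but smtpd_tls_cert_file/key_file not set")
        if sasl and not tls_guaranteed and not auth_only:
            issues.append("SASL auth reachable over plaintext; set "
                          "smtpd_tls_auth_only=yes or require TLS")
        name = svc["name"]
        port = int(name) if name.isdigit() else DEFAULT_PORTS.get(name)
        report[name] = {"port": port, "mode": mode, "sasl": sasl, "issues": issues}
    return report


if __name__ == "__main__":
    for name, r in audit(MASTER_CF, MAIN_CF).items():
        print(name, r["port"], r["mode"], r["issues"])
```

Point it at a live system with `audit(open("/usr/local/etc/postfix/master.cf").read(), open("/usr/local/etc/postfix/main.cf").read())` (FreeBSD port paths; adjust for other layouts). The report makes the client-side mismatch obvious: a listener reported as wrapper mode needs the mail client set to SSL/TLS on connect, while a `may` or `encrypt` listener needs STARTTLS, and the plaintext-auth check catches the common case of enabling SASL on a `may` listener without `smtpd_tls_auth_only`.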


----------

