# Postfix telnet issue



## Understudy (Feb 24, 2013)

Hi I have been working on setting up a mail server with postfix, dovecot, apache, mysql, and php. I am trying to do the telnet test and it is not working. 


```
# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
HELO justtesting
Connection closed by foreign host.
```

I thought I would see something like this:


```
# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
220  ESMTP
Escape character is '^]'.
```


So I am missing whatever turns on the 220 ESMTP setup. Since I am new to this type of setup, where would I look?

Sincerely,

Brendhan


----------



## johnblue (Feb 24, 2013)

It seems like something is preventing your mail server from answering your telnet because, as you mentioned, you're missing the 220 status. Just for conversation, here is what it should look like:

```
# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 argus-array ESMTP Sendmail 8.14.5/8.14.5; Sat, 23 Feb 2013 23:15:59 -0600 (CST)
^]
telnet> quit
Connection closed.
```
Following that you can sockstat your box to see what is going on:

```
# sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
john.blue sshd      23116 3  tcp4   2.4.6.8:22            10.12.14.16:49876
root     sshd       23113 3  tcp4   2.4.6.8:22            10.12.14.16:49876
root     sendmail   1088  4  tcp4   127.0.0.1:25          *:*
root     sshd       1085  4  tcp4   *:22                  *:*
root     ntpd       1062  20 udp4   *:123                 *:*
root     ntpd       1062  22 udp4   2.4.6.8:123           *:*
root     ntpd       1062  25 udp4   127.0.0.1:123         *:*
root     syslogd    975   7  udp4   *:514                 *:*
?        ?          ?     ?  tcp4   127.0.0.1:16312       127.0.0.1:25
```

You should be able to see the connections established to port 25.  Do you have any firewall rules pass in/out that are missing or mangled?


----------



## johnblue (Feb 24, 2013)

*snap*

Forgot about /var/log/maillog:

```
Feb 23 23:16:14 argus-array sm-mta[23122]: r1O5Fxpi023122: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0
```

There should be some clues in there ..


----------



## Understudy (Feb 24, 2013)

Here are the results of the `sockstat -4`


```
postal# sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
bhorne   sshd       47839 3  tcp4   192.168.1.16:22       192.168.1.2:35230
root     sshd       47836 3  tcp4   192.168.1.16:22       192.168.1.2:35230
www      httpd      4565  4  tcp4   *:80                  *:*
www      httpd      4565  6  tcp4   *:443                 *:*
www      httpd      3896  4  tcp4   *:80                  *:*
www      httpd      3896  6  tcp4   *:443                 *:*
root     master     3892  12 tcp4   *:25                  *:*
www      httpd      3817  4  tcp4   *:80                  *:*
www      httpd      3817  6  tcp4   *:443                 *:*
www      httpd      3816  4  tcp4   *:80                  *:*
www      httpd      3816  6  tcp4   *:443                 *:*
www      httpd      3815  4  tcp4   *:80                  *:*
www      httpd      3815  6  tcp4   *:443                 *:*
www      httpd      3814  4  tcp4   *:80                  *:*
www      httpd      3814  6  tcp4   *:443                 *:*
www      httpd      3813  4  tcp4   *:80                  *:*
www      httpd      3813  6  tcp4   *:443                 *:*
dovecot  imap-login 99460 4  tcp4   *:143                 *:*
dovecot  imap-login 99460 5  tcp4   *:993                 *:*
dovecot  imap-login 99459 4  tcp4   *:143                 *:*
dovecot  imap-login 99459 5  tcp4   *:993                 *:*
dovecot  imap-login 99458 4  tcp4   *:143                 *:*
dovecot  imap-login 99458 5  tcp4   *:993                 *:*
dovecot  pop3-login 99457 4  tcp4   *:110                 *:*
dovecot  pop3-login 99457 5  tcp4   *:995                 *:*
dovecot  pop3-login 99456 4  tcp4   *:110                 *:*
dovecot  pop3-login 99456 5  tcp4   *:995                 *:*
dovecot  pop3-login 99455 4  tcp4   *:110                 *:*
dovecot  pop3-login 99455 5  tcp4   *:995                 *:*
root     dovecot    99451 6  tcp4   *:143                 *:*
root     dovecot    99451 7  tcp4   *:993                 *:*
root     dovecot    99451 8  tcp4   *:110                 *:*
root     dovecot    99451 9  tcp4   *:995                 *:*
root     httpd      96192 4  tcp4   *:80                  *:*
root     httpd      96192 6  tcp4   *:443                 *:*
mysql    mysqld     88536 11 tcp4   *:3306                *:*
root     sshd       1465  4  tcp4   *:22                  *:*
root     ntpd       1426  20 udp4   *:123                 *:*
root     ntpd       1426  22 udp4   192.168.1.16:123      *:*
root     ntpd       1426  25 udp4   127.0.0.1:123         *:*
root     syslogd    1224  7  udp4   *:514                 *:*
```


Here are the results of `less /var/log/maillog`


```
Feb 24 09:21:45 postal postfix/smtpd[50008]: error: open database /etc/aliases.db: No such file or directory
Feb 24 09:21:45 postal postfix/proxymap[50009]: error: open /usr/local/etc/postfix
/mysql_virtual_mailbox_maps.cf: No such file or directory
Feb 24 09:21:45 postal postfix/smtpd[50008]: connect from localhost[127.0.0.1]
Feb 24 09:21:53 postal postfix/smtpd[50008]: SSL_accept error from localhost[127.0.0.1]: lost 
connection
Feb 24 09:21:53 postal postfix/smtpd[50008]: lost connection after CONNECT from localhost[127.0.0.1]
Feb 24 09:21:53 postal postfix/smtpd[50008]: disconnect from localhost[127.0.0.1]
```

From what I am reading it says there is no aliases.db. However there is. It is just located at:


```
postal# locate aliases.db
/etc/mail/aliases.db
```

It also says it is looking for mysql_virtual_mailbox_maps.cf  however that cannot be found. 

I have been working with the instructions on http://www.purplehat.org/?page_id=4. 

Sincerely,

Brendhan


----------



## Understudy (Feb 24, 2013)

```
postal# cd /usr/local/etc/postfix/
postal# ls -a
.                                       master.cf
..                                      mysql_relay_domains_maps.cf
LICENSE                                 mysql_virtual_alias_maps.cf
TLS_LICENSE                             mysql_virtual_domains_maps.cf
bounce.cf.default                       mysql_virtual_mailbox_limit_maps.cf
main.cf                                 transport
main.cf.default                         transport.db
makedefs.out
```


----------



## johnblue (Feb 24, 2013)

I see where the mail daemon is listening on port 25, so that is a good thing.

I think that once you get those two postfix errors resolved it might light up and start working on its own.  I have just enough time to post this, but I remember reading the purplehat guide sometime back and thought that it was, generally speaking, well done.  Technology may have obsoleted some sections of it so be advised of that.  Isn't there a howto in the forums here that is loosely based on the purplehat guide?

Postfix aliases.db must be generated with the command "newaliases", usually run as root.  Did you do that?


----------



## Understudy (Feb 24, 2013)

Okay, I have gone through and fixed a couple of the errors. 

Now it just looks like the aliases.db is the issue. It currently is in /etc/mail/aliases.db and it is trying to find it in /etc/aliases.db. 

I could create a sym link to it but I would prefer to not do that. So what is the best way to deal with this?


```
Feb 24 13:58:44 postal postfix/smtpd[50715]: error: open database /etc/aliases.db: No such file or directory
Feb 24 13:58:44 postal postfix/smtpd[50715]: connect from localhost[127.0.0.1]
Feb 24 13:58:52 postal postfix/smtpd[50715]: SSL_accept error from localhost[127.0.0.1]: lost connection
Feb 24 13:58:52 postal postfix/smtpd[50715]: lost connection after CONNECT from localhost[127.0.0.1]
Feb 24 13:58:52 postal postfix/smtpd[50715]: disconnect from localhost[127.0.0.1]
```

And yes, I did run `newaliases`. 

Sincerely,

Brendhan


----------



## johnblue (Feb 25, 2013)

Understudy said:

> Okay, I have gone through and fixed a couple of the errors.


Out of curiosity, what did you fix?



> Now it just looks like the aliases.db is the issue. It currently is in /etc/mail/aliases.db and it is trying to find it in /etc/aliases.db.


What does /etc/postfix/main.cf say it is pointing "alias database" to?


----------



## DutchDaemon (Feb 25, 2013)

The rest of the discussion aside: are you sure that Postfix does not introduce a 'connection sleep' to catch out trojans? Sendmail has a GreetPause directive for this, Postfix may have something similar. The 220 prompt showing only after x seconds is how that setting manifests itself, as does breaking the connection when responding too soon. Have you tried waiting for 30 seconds before typing EHLO, to see if the 220 prompt shows up first?


----------



## Understudy (Feb 25, 2013)

johnblue said:

> Out of curiosity, what did you fix?
> 
> What does /etc/postfix/main.cf say it is pointing "alias database" to?



I fixed an issue with this:


```
Feb 24 09:21:45 postal postfix/proxymap[50009]: error: open /usr/local/etc/postfix
/mysql_virtual_mailbox_maps.cf: No such file or directory
```

I had forgotten to create it. I did and then I restarted dovecot, postfix and apache. Now I just get the error about the aliases.db. 

I am not sure if that would fix the problem with the 220 ESMTP not showing up on a telnet or not. 

Sincerely,

Brendhan


----------



## Understudy (Feb 25, 2013)

DutchDaemon said:

> The rest of the discussion aside: are you sure that Postfix does not introduce a 'connection sleep' to catch out trojans? Sendmail has a GreetPause directive for this, Postfix may have something similar. The 220 prompt showing only after x seconds is how that setting manifests itself, as does breaking the connection when responding too soon. Have you tried waiting for 30 seconds before typing EHLO, to see if the 220 prompt shows up first?



If it does I am not sure where the setting is. However I have tried your point and it did not change. 



```
postal# date
Mon Feb 25 08:26:39 EST 2013
postal# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.
postal# date
Mon Feb 25 08:31:50 EST 2013
```

I just waited for five minutes. Never showed up. 

Sincerely,

Brendhan


----------



## johnblue (Feb 25, 2013)

What does /etc/postfix/main.cf say it is pointing "alias database" to?


----------



## xtaz (Feb 25, 2013)

Understudy said:

> Feb 24 13:58:44 postal postfix/smtpd[50715]: connect from localhost[127.0.0.1]
> Feb 24 13:58:52 postal postfix/smtpd[50715]: SSL_accept error from localhost[127.0.0.1]: lost connection
> Feb 24 13:58:52 postal postfix/smtpd[50715]: lost connection after CONNECT from localhost[127.0.0.1]
> Feb 24 13:58:52 postal postfix/smtpd[50715]: disconnect from localhost[127.0.0.1]



The "SSL_accept error" looks interesting to me. Why is it mentioning SSL? I'm thinking for some reason port 25 is expecting an SSL negotiation before it outputs anything. Try this:

`# openssl s_client -connect localhost:25`

and see if it negotiates SSL and then outputs the ESMTP message you are expecting. If it does then your configuration is weird. Although usually to enable SSL you would have had to configure a certificate and key and it seems unlikely it would allow SSL if you hadn't done so.


----------



## Understudy (Feb 25, 2013)

johnblue said:

> What does /etc/postfix/main.cf say it is pointing "alias database" to?




```
postal# grep aliases main.cf                                                   
# a domain-wide alias database that aliases each user to
# and /etc/aliases or their equivalent.
#   /etc/passwd, /etc/aliases, or the $virtual_alias_maps files.
# database, then the NIS alias database. See aliases(5) for syntax
# If you change the alias database, run "postalias /etc/aliases" (or
# "newaliases" to build the necessary DBM or DB file.
#alias_maps = dbm:/etc/aliases
#alias_maps = hash:/etc/aliases
#alias_maps = hash:/etc/aliases, nis:mail.aliases
#alias_maps = netinfo:/aliases
# are built with "newaliases" or "sendmail -bi".  This is a separate
#alias_database = dbm:/etc/aliases
#alias_database = hash:/etc/aliases
#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases
# aliases, canonical, virtual, relocated and .forward file lookups.
# to use after processing aliases and .forward files. This parameter
# newaliases_path: The full pathname of the Postfix newaliases command.
newaliases_path = /usr/local/bin/newaliases
```


----------



## Understudy (Feb 25, 2013)

xtaz said:

> The "SSL_accept error" looks interesting to me. Why is it mentioning SSL? I'm thinking for some reason port 25 is expecting an SSL negotiation before it outputs anything. Try this:
> 
> `# openssl s_client -connect localhost:25`
> 
> and see if it negotiates SSL and then outputs the ESMTP message you are expecting. If it does then your configuration is weird. Although usually to enable SSL you would have had to configure a certificate and key and it seems unlikely it would allow SSL if you hadn't done so.




Here is the result, certain parts abbreviated for security and length. 


```
postal# openssl s_client -connect localhost:25
CONNECTED(00000003)
depth=0 /C=US/ST=Florida/L=West Palm Beach/O=Bee Barf Apiaries/CN=Brendhan /emailAddress=admin@xxxxxxxxxxxx.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=Florida/L=West Palm Beach/O=Bee Barf Apiaries/CN=Brendhan /emailAddress=admin@xxxxxxxxxxxx.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Florida/L=West Palm Beach/O=Bee Barf Apiaries/CN=Brendhan /emailAddress=admin@xxxxxxx.com
   i:/C=US/ST=Florida/L=West Palm Beach/O=Bee Barf Apiaries/CN=Brendhan /emailAddress=admin@xxxxxxxxx.com
---
Server certificate
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
subject=/C=US/ST=Florida/L=West Palm Beach/O=Bee Barf Apiaries/CN=Brendhan /emailAddress=admin@xxxxxxxxxxxx.com
issuer=/C=US/ST=Florida/L=West Palm Beach/O=Bee Barf Apiaries/CN=Brendhan /emailAddress=admin@xxxxxxxxxxxx.com
---
No client certificate CA names sent
---
SSL handshake has read 1521 bytes and written 337 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Session-ID-ctx: 
    Master-Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Key-Arg   : None
    Start Time: 1361825476
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
220 mail.xxxxxxxxxxxxxxx.com ESMTP Postfix
```


So it is there. Now what? I think my brain may melt. 

Sincerely,

Brendhan


----------



## johnblue (Feb 25, 2013)

Understudy said:

> ```
> postal# grep aliases main.cf
> # a domain-wide alias database that aliases each user to
> # and /etc/aliases or their equivalent.
> ...


Unless I am missing something, the reason why you are getting this error:

```
error: open database /etc/aliases.db: No such file or directory
```

is because main.cf is telling Postfix to look for the alias_map at /etc/aliases.  Why there is an alias file at /etc/mail/aliases.db is anybody's guess.


----------



## wblock@ (Feb 25, 2013)

johnblue said:

> Unless I am missing something, the reason why you are getting this error:
> 
> 
> 
> ...



/etc/mail/aliases.db is where Sendmail puts it.  In other words, that is Where It Is Supposed To Be. 

On my 9-STABLE system, /etc/aliases is a link to /etc/mail/aliases.  There is no link for /etc/aliases.db, though.


----------



## Understudy (Feb 25, 2013)

wblock@ said:

> /etc/mail/aliases.db is where Sendmail puts it.  In other words, that is Where It Is Supposed To Be.
> 
> On my 9-STABLE system, /etc/aliases is a link to /etc/mail/aliases.  There is no link for /etc/aliases.db, though.



If I delete the current /etc/mail/aliases.db and run `newaliases` would that fix it? or do I need to edit a file and tell it where to look?

Sincerely,

Brendhan


----------



## johnblue (Feb 25, 2013)

wblock@ said:

> /etc/mail/aliases.db is where Sendmail puts it.  In other words, that is Where It Is Supposed To Be.


*smacks forehead*

Ya know, when I was typing that I thought .. this doesn't feel right.


----------



## kpa (Feb 25, 2013)

You could make a separate aliases file in /usr/local/etc for postfix to avoid any confusion of which one is for which MTA.


----------



## wblock@ (Feb 25, 2013)

Understudy said:

> If I delete the current /etc/mail/aliases.db and run `newaliases` would that fix it? or do I need to edit a file and tell it where to look?



For Sendmail, both files are really in /etc/mail/.  For Postfix... I don't know.  Deleting aliases.db should not be necessary, rebuilding with newaliases(1) will overwrite it.


----------



## kpa (Feb 25, 2013)

Running newaliases(1) when the MTA is set to postfix in mailer.conf(5) does not work because you're supposed to run postalias(1) to create/update the aliases database for postfix.


----------



## Understudy (Feb 26, 2013)

Okay, we have made some progress but still have the issue. 

In order to get the aliases.db recognized, I had to rerun it from /usr/local/etc/postfix. Now I have this:


```
postal# find / -name aliases.db
/etc/mail/aliases.db
/etc/aliases.db
```

So now when I do the telnet I still get the same thing:


```
postal# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
HELO justtesting
Connection closed by foreign host.
```

However on the positive when I look at /var/log/maillog I get this:


```
Feb 25 19:02:22 postal postfix/smtpd[2565]: connect from localhost[127.0.0.1]
Feb 25 19:02:29 postal postfix/smtpd[2565]: SSL_accept error from localhost[127.0.0.1]: -1
Feb 25 19:02:29 postal postfix/smtpd[2565]: warning: TLS library problem: 2565:error:140760FC:SSL 
routines:SSL23_GET_CLIENT_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl
/ssl/s23_srvr.c:578:
Feb 25 19:02:29 postal postfix/smtpd[2565]: lost connection after CONNECT from localhost[127.0.0.1]
Feb 25 19:02:29 postal postfix/smtpd[2565]: disconnect from localhost[127.0.0.1]
```

So it now appears that it doesn't like the SSL. 

Sincerely,

Brendhan


----------



## johnblue (Feb 26, 2013)

Understudy said:

> Okay, we have made some progress but still have the issue.


As I said before, the purplehat guide was good, but I have a nagging feeling that there were/are holes in the guide that may be tripping this install up, especially if it has not been updated recently.  Just say'n ..


----------



## Understudy (Feb 26, 2013)

johnblue said:

> As I said before, the purplehat guide was good, but I have a nagging feeling that there were/are holes in the guide that may be tripping this install up, especially if it has not been updated recently.  Just say'n ..




I can agree but it is still the best tutorial I have found and what it probably needs are some minor updates. So I guess I am finding out what some of those are. 

The creation of the smtp ssl is done like this:


```
# mkdir -p /etc/ssl/postfix
# cd /etc/ssl/postfix
# openssl req -new -x509 -nodes -out smtpd.pem -keyout smtpd.pem -days 3650
# chmod 640 /etc/ssl/postfix/smtpd.pem
# chgrp -R postfix /etc/ssl/postfix
```

The apache ssl is done like this:


```
# mkdir -p /etc/ssl/apache
# cd /etc/ssl/apache
# openssl genrsa -des3 -out server.key 1024
# openssl req -new -key server.key -out server.csr
# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
```

The dovecot ssl is done like this:


```
# mkdir -p /etc/ssl/dovecot
# cd /etc/ssl/dovecot
# openssl req -new -x509 -nodes -out cert.pem -keyout key.pem -days 365
```


So which ssl is causing the problem?

Sincerely,

Brendhan


----------



## xtaz (Feb 26, 2013)

The problem is that you seem to have some configuration somewhere that has enabled SSL **ONLY** on port 25. So when you try a normal telnet postfix is waiting for it to negotiate SSL and the telnet isn't doing that so it's just hanging. Everything works fine when you actually use SSL via the openssl command.

The question is why is port 25 configured in that way? Usually SSL is configured on a different port which is 465 I believe. When running on port 25 the usual practice is to run it in standard plain text and allow a command called STARTTLS which changes a plain text connection into an encrypted one later in the SMTP conversation.

I'm not entirely sure what configuration would have been changed to give this behaviour, but I would suspect something in master.cf on the line that starts smtp. Guessing there might be a -o option on it that forces SSL or something along those lines.

Looking at that purplehat guide you were following it says to edit master.cf and change the lines that begin with smtps. Did you by any chance change the line that starts smtp rather than smtps?
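
To see why the uncommented `-o` lines under a commented-out `smtps` line end up on port 25, here is an added example (not code from the thread and not part of Postfix) that parses master.cf fragments with the rules master(5) applies (blank lines and lines whose first non-blank character is `#` are ignored; a line starting with whitespace continues the most recent logical line) and then audits which `inet` smtpd listeners run in TLS wrapper mode. The three fragments are constructed from the configurations posted in this thread; the service-name to port mapping is an assumption matching what /etc/services provides.

```python
"""Audit Postfix master.cf listener definitions for misplaced "-o" options.

Added example, not code from the thread and not part of Postfix.  It applies
the master(5) parsing rules: blank lines and lines whose first non-blank
character is '#' are ignored, and a line that starts with whitespace
continues the most recent logical line.  That rule is what silently moved
the smtps "-o smtpd_tls_wrappermode=yes" override onto the smtp service.
"""
import shlex

# Assumed service-name to port mapping (what /etc/services provides).
SERVICE_PORTS = {"smtp": 25, "smtps": 465, "submission": 587}

# Constructed fragments modelled on the three master.cf versions in the thread.
FIRST_ATTEMPT = """\
smtp      inet  n       -       n       -       -       smtpd
#smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""
SECOND_ATTEMPT = """\
#smtp      inet  n       -       n       -       -       smtpd
smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""
WORKING = """\
smtp      inet  n       -       n       -       -       smtpd
smtps     inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""


def parse_master_cf(text):
    """Return the logical service entries of a master.cf fragment in file order."""
    services = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # blank or comment line: ignored
        if line[0] in " \t":
            # Continuation line: it belongs to the last *active* service line,
            # whatever commented-out lines sit in between.
            if not services:
                raise ValueError("continuation line before any service line")
            services[-1]["args"].extend(shlex.split(stripped))
            continue
        fields = shlex.split(stripped)
        if len(fields) < 8:
            raise ValueError("malformed service line: %r" % line)
        services.append({"name": fields[0], "type": fields[1],
                         "command": fields[7], "args": fields[8:]})
    return services


def service_options(svc):
    """Collect the '-o key=value' overrides of one service into a dict."""
    opts, args, i = {}, svc["args"], 0
    while i < len(args):
        if args[i] == "-o" and i + 1 < len(args) and "=" in args[i + 1]:
            key, _, value = args[i + 1].partition("=")
            opts[key.strip()] = value.strip()
            i += 2
        else:
            i += 1
    return opts


def audit_master_cf(text):
    """Return (code, message) findings about the inet smtpd listeners."""
    findings, listeners = [], {}
    for svc in parse_master_cf(text):
        if svc["type"] != "inet" or svc["command"] != "smtpd":
            continue
        port = SERVICE_PORTS.get(svc["name"], svc["name"])
        wrapper = service_options(svc).get("smtpd_tls_wrappermode", "no") == "yes"
        listeners[port] = wrapper
        if port == 25 and wrapper:
            findings.append(("port25-wrapper-mode",
                             "port 25 expects a TLS handshake first; plain SMTP "
                             "clients and other MTAs are dropped before the 220 banner"))
        if port == 465 and not wrapper:
            findings.append(("port465-no-wrapper",
                             "smtps listener lacks smtpd_tls_wrappermode=yes"))
    if 25 not in listeners:
        findings.append(("no-port25-listener", "nothing accepts inbound mail on port 25"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("first attempt", FIRST_ATTEMPT),
                       ("second attempt", SECOND_ATTEMPT), ("working", WORKING)):
        print(label, audit_master_cf(cfg) or "ok")
```

The parser deliberately does not treat a comment line as a break between a service line and its continuation lines, because Postfix does not either; that is the whole failure mode in this thread.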


----------



## Understudy (Feb 26, 2013)

xtaz said:

> The problem is that you seem to have some configuration somewhere that has enabled SSL **ONLY** on port 25. So when you try a normal telnet postfix is waiting for it to negotiate SSL and the telnet isn't doing that so it's just hanging. Everything works fine when you actually use SSL via the openssl command.
> 
> The question is why is port 25 configured in that way? Usually SSL is configured on a different port which is 465 I believe. When running on port 25 the usual practice is to run it in standard plain text and allow a command called STARTTLS which changes a plain text connection into an encrypted one later in the SMTP conversation.
> 
> ...




I think you may be absolutely correct. 

Here is (in part) my current master.cf


```
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
#submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
```

Here is what it should look like (I think):


```
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
#smtp      inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
#submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
```

That basically makes changes on lines 11 and 22. I will do a restart on postfix, apache, mysql and see what happens. 

That actually made things worse:


```
postal# telnet localhost 25
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
Trying ::1...
telnet: connect to address ::1: Connection refused
telnet: Unable to connect to remote host
```

Nothing in maillog


```
Feb 26 08:25:45 postal postfix/postfix-script[2208]: starting the Postfix mail system
Feb 26 08:25:45 postal postfix/master[2209]: daemon started -- version 2.9.5, configuration /usr/local/etc/postfix
```

Here is the sockstat, it looks like we lost port 25


```
postal# sockstat -4 
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
bhorne   sshd       2348  3  tcp4   192.168.1.16:22       192.168.1.2:15025
root     sshd       2344  3  tcp4   192.168.1.16:22       192.168.1.2:15025
www      httpd      2343  4  tcp4   *:80                  *:*
www      httpd      2343  6  tcp4   *:443                 *:*
www      httpd      2342  4  tcp4   *:80                  *:*
www      httpd      2342  6  tcp4   *:443                 *:*
www      httpd      2341  4  tcp4   *:80                  *:*
www      httpd      2341  6  tcp4   *:443                 *:*
www      httpd      2340  4  tcp4   *:80                  *:*
www      httpd      2340  6  tcp4   *:443                 *:*
www      httpd      2339  4  tcp4   *:80                  *:*
www      httpd      2339  6  tcp4   *:443                 *:*
root     sshd       2247  4  tcp4   *:22                  *:*
root     httpd      2224  4  tcp4   *:80                  *:*
root     httpd      2224  6  tcp4   *:443                 *:*
root     master     2209  12 tcp4   *:465                 *:*
dovecot  imap-login 2177  4  tcp4   *:143                 *:*
dovecot  imap-login 2177  5  tcp4   *:993                 *:*
dovecot  imap-login 2176  4  tcp4   *:143                 *:*
dovecot  imap-login 2176  5  tcp4   *:993                 *:*
dovecot  imap-login 2175  4  tcp4   *:143                 *:*
dovecot  imap-login 2175  5  tcp4   *:993                 *:*
dovecot  pop3-login 2174  4  tcp4   *:110                 *:*
dovecot  pop3-login 2174  5  tcp4   *:995                 *:*
dovecot  pop3-login 2173  4  tcp4   *:110                 *:*
dovecot  pop3-login 2173  5  tcp4   *:995                 *:*
dovecot  pop3-login 2172  4  tcp4   *:110                 *:*
dovecot  pop3-login 2172  5  tcp4   *:995                 *:*
root     dovecot    2127  6  tcp4   *:143                 *:*
root     dovecot    2127  7  tcp4   *:993                 *:*
root     dovecot    2127  8  tcp4   *:110                 *:*
root     dovecot    2127  9  tcp4   *:995                 *:*
mysql    mysqld     2106  11 tcp4   *:3306                *:*
root     ntpd       1394  20 udp4   *:123                 *:*
root     ntpd       1394  22 udp4   192.168.1.16:123      *:*
root     ntpd       1394  25 udp4   127.0.0.1:123         *:*
root     syslogd    1225  7  udp4   *:514                 *:*
```

Sincerely,

Brendhan


----------



## xtaz (Feb 26, 2013)

Now you've commented out the smtp line completely. Each of the lines corresponds to a service that is started up. The smtp service is for port 25, and the smtps service is for port 465. What you have done on your first attempt is joined together the option (-o) config lines for smtps with the initial smtp service line, thus why you had SSL on port 25. On your second attempt you have commented out the smtp service completely so now nothing is listening on port 25.

Uncomment the smtp line again and leave all the other lines alone. Then you should have port 25 cleartext SMTP and port 465 as SSL.


----------



## Understudy (Feb 27, 2013)

xtaz said:

> Now you've commented out the smtp line completely. Each of the lines corresponds to a service that is started up. The smtp service is for port 25, and the smtps service is for port 465. What you have done on your first attempt is joined together the option (-o) config lines for smtps with the initial smtp service line, thus why you had SSL on port 25. On your second attempt you have commented out the smtp service completely so now nothing is listening on port 25.
> 
> Uncomment the smtp line again and leave all the other lines alone. Then you should have port 25 cleartext SMTP and port 465 as SSL.




And we have a winner!


```
postal# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.beebarfapiaries.com ESMTP Postfix
EHLO beebarfapiaries.com                                                
250-mail.beebarfapiaries.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
STARTTLS
220 2.0.0 Ready to start TLS
quit
quit
Connection closed by foreign host.
postal#
```

This is the result of this :


```
postal# ee /usr/local/etc/postfix/master.cf

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
#submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
```

Please note this is not the entire master.cf file. Just the relevant parts. See lines 11 and 22. 

and just for some more information:


```
postal# sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
root     master     4173  12 tcp4   *:25                  *:*
root     master     4173  16 tcp4   *:465                 *:*
bhorne   sshd       2348  3  tcp4   192.168.1.16:22       192.168.1.2:15025
root     sshd       2344  3  tcp4   192.168.1.16:22       192.168.1.2:15025
www      httpd      2343  4  tcp4   *:80                  *:*
www      httpd      2343  6  tcp4   *:443                 *:*
www      httpd      2342  4  tcp4   *:80                  *:*
www      httpd      2342  6  tcp4   *:443                 *:*
www      httpd      2341  4  tcp4   *:80                  *:*
www      httpd      2341  6  tcp4   *:443                 *:*
www      httpd      2340  4  tcp4   *:80                  *:*
www      httpd      2340  6  tcp4   *:443                 *:*
www      httpd      2339  4  tcp4   *:80                  *:*
www      httpd      2339  6  tcp4   *:443                 *:*
root     sshd       2247  4  tcp4   *:22                  *:*
root     httpd      2224  4  tcp4   *:80                  *:*
root     httpd      2224  6  tcp4   *:443                 *:*
dovecot  imap-login 2177  4  tcp4   *:143                 *:*
dovecot  imap-login 2177  5  tcp4   *:993                 *:*
dovecot  imap-login 2176  4  tcp4   *:143                 *:*
dovecot  imap-login 2176  5  tcp4   *:993                 *:*
dovecot  imap-login 2175  4  tcp4   *:143                 *:*
dovecot  imap-login 2175  5  tcp4   *:993                 *:*
dovecot  pop3-login 2174  4  tcp4   *:110                 *:*
dovecot  pop3-login 2174  5  tcp4   *:995                 *:*
dovecot  pop3-login 2173  4  tcp4   *:110                 *:*
dovecot  pop3-login 2173  5  tcp4   *:995                 *:*
dovecot  pop3-login 2172  4  tcp4   *:110                 *:*
dovecot  pop3-login 2172  5  tcp4   *:995                 *:*
root     dovecot    2127  6  tcp4   *:143                 *:*
root     dovecot    2127  7  tcp4   *:993                 *:*
root     dovecot    2127  8  tcp4   *:110                 *:*
root     dovecot    2127  9  tcp4   *:995                 *:*
mysql    mysqld     2106  11 tcp4   *:3306                *:*
root     ntpd       1394  20 udp4   *:123                 *:*
root     ntpd       1394  22 udp4   192.168.1.16:123      *:*
root     ntpd       1394  25 udp4   127.0.0.1:123         *:*
root     syslogd    1225  7  udp4   *:514                 *:*
```

So this one will get marked solved and thanks will be passed along. 

Awesome job everyone. 

Sincerely,

Brendhan


----------



## wmoreno3 (Nov 8, 2013)

xtaz said:

> The "SSL_accept error" looks interesting to me. Why is it mentioning SSL? I'm thinking for some reason port 25 is expecting an SSL negotiation before it outputs anything. Try this:
> 
> `# openssl s_client -connect localhost:25`
> 
> and see if it negotiates SSL and then outputs the ESMTP message you are expecting. If it does then your configuration is weird. Although usually to enable SSL you would have had to configure a certificate and key and it seems unlikely it would allow SSL if you hadn't done so.




```
/usr/local/bin/openssl s_client -connect localhost:25
CONNECTED(00000003)
57771:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:607:
```


----------



## Anonymous (Nov 8, 2013)

Try the following command:

`# openssl s_client -connect localhost:25 -starttls smtp`

At the beginning of a session SMTP servers expect plain contacts and they would talk TLS only after they received the STARTTLS command from the client. The above command reproduces this behaviour (connecting plain, continuing TLS). It is expected behaviour that a direct TLS connection to an smtpd errors out.
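
As an added example (not from the thread and not Postfix code), the following parses the multi-line 250 reply to EHLO, the kind shown in the solved transcript earlier in this thread, and reports what a cleartext listener advertises: whether STARTTLS is offered at all (the precondition for `openssl s_client -starttls smtp` to work), whether AUTH mechanisms are advertised before TLS is negotiated, and whether VRFY is enabled. The sample reply is constructed from that transcript; the Postfix parameter names in the comments are real ones, but their values on the poster's server are not known from the thread.

```python
"""Parse an SMTP EHLO reply and report security-relevant extensions.

Added example; not code from the thread or from Postfix.  The reply below is
constructed from the EHLO exchange posted in the thread (port 25, cleartext).
"""

EHLO_REPLY = """\
250-mail.beebarfapiaries.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""


def parse_ehlo_reply(reply):
    """Return (greeting, {KEYWORD: [params]}) from a multi-line 250 reply.

    RFC 5321 shape: every line is "250-text" except the last, "250 text".
    The first line is the greeting; later lines are EHLO keywords with
    optional parameters.  Raises ValueError on a malformed reply.
    """
    lines = [l.rstrip("\r") for l in reply.strip().splitlines()]
    if not lines:
        raise ValueError("empty reply")
    greeting, extensions = None, {}
    for index, line in enumerate(lines):
        if not line.startswith("250") or len(line) < 4 or line[3] not in "- ":
            raise ValueError("not a 250 reply line: %r" % line)
        is_last = line[3] == " "
        if is_last != (index == len(lines) - 1):
            raise ValueError("250 continuation marker wrong on %r" % line)
        text = line[4:].strip()
        if index == 0:
            greeting = text
            continue
        keyword, _, params = text.partition(" ")
        # "AUTH=PLAIN LOGIN" is a legacy spelling kept for old clients; fold it.
        if keyword.startswith("AUTH="):
            params = keyword[5:] + (" " + params if params else "")
            keyword = "AUTH"
        bucket = extensions.setdefault(keyword.upper(), [])
        for param in params.split():
            if param not in bucket:
                bucket.append(param)
    return greeting, extensions


def assess_plaintext_listener(reply):
    """Findings for an EHLO reply received over an unencrypted connection."""
    _, ext = parse_ehlo_reply(reply)
    findings = []
    if "STARTTLS" not in ext:
        findings.append("no-starttls")          # -starttls smtp would fail here
    if "AUTH" in ext:
        # Mechanisms offered before STARTTLS let a client send credentials in
        # the clear; Postfix withholds AUTH pre-TLS when smtpd_tls_auth_only = yes.
        findings.append("auth-before-tls:" + ",".join(ext["AUTH"]))
    if "VRFY" in ext:
        # VRFY lets anyone test which mailboxes exist (disable_vrfy_command = yes).
        findings.append("vrfy-enabled")
    return findings


if __name__ == "__main__":
    greeting, ext = parse_ehlo_reply(EHLO_REPLY)
    print(greeting, sorted(ext))
    print(assess_plaintext_listener(EHLO_REPLY))
```

Run against the transcript's reply it confirms STARTTLS is offered, which is why the `-starttls smtp` form of `openssl s_client` succeeds on port 25 while a bare `s_client` fails, and it also shows AUTH PLAIN LOGIN advertised before TLS on that cleartext port.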


----------

