zini2001
31.12.04, 00:47
Everything ran smoothly ..... until the day I got the idea of adding TLS/SSL to my system.
http://www.linuxforen.de/forums/showthread.php?t=166035
- created key and certificate
- configured Postfix for TLS support
smtpd_use_tls = yes
smtpd_cert_file = /etc/postfix/ssl/smtpd.cert
smtpd_key_file = /etc/postfix/ssl/smtpd.key
smtpd_enforce_tls = yes
smtpd_tls_loglevel = 4 // otherwise I have this set to 0
smtpd_auth_only = yes
- mail client (KMail) set to use TLS/PLAIN
- wrote and sent a mail ..... and waited .... nothing happened!!!
- /var/log/mail
23:01:57 mail postfix/smtp[19576]: 37B4FE8B2: to=<steven@tld.de>, relay=mail.isp.de[ip-isp], delay=7, status=sent (250 Ok: queued as CE716BD62A)
- at first glance the mail seems to have gone out: far from it.
If I comment amavis out of the Postfix config files and restart, the mail is sent as always.
By now I have found out from the logs that the exchange between client and Postfix works. Postfix dutifully hands the mail over to amavis. When the mail is handed back from amavis to Postfix it fails in a way I can't explain, because I don't know whether amavis or Postfix is causing the problem. It looks as if an attempt is made to start a new TLS session when the mail goes from amavis back into Postfix. Have a look at the logs.
Mail sent with amavis:
Jan 1 20:08:41 mail postfix/smtpd[15089]: connect from unknown[192.168.2.26]
Jan 1 20:08:41 mail postfix/smtpd[15089]: 4B63F9EEA: client=unknown[192.168.2.26], sasl_method=PLAIN, sasl_username=warnekes
Jan 1 20:08:41 mail postfix/cleanup[15092]: 4B63F9EEA: message-id=<200412302159.28150.steven@ewart.de>
Jan 1 20:08:41 mail postfix/qmgr[15086]: 4B63F9EEA: from=<steven@ewart.de>, size=508, nrcpt=1 (queue active)
Jan 1 20:08:41 mail postfix/smtpd[15089]: disconnect from unknown[192.168.2.26]
Jan 1 20:08:41 mail amavis[1900]: (01900-04) ESMTP::10024 /var/spool/amavis/amavis-20050101T190732-01900: <steven@ewart.de> -> <zini2001@web.de> Received:SIZE=508 from mail.ewart.netz ([127.0.0.1]) by localhost (mail [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 01900-04 for <zini2001@web.de>; Sat, 1Jan 2005 20:08:41 +0100 (CET)
Jan 1 20:08:41 mail amavis[1900]: (01900-04) Checking: <steven@ewart.de> -> <zini2001@web.de>
Jan 1 20:08:41 mail amavis[1900]: (01900-04) FWD via SMTP: [127.0.0.1]:10025 <steven@ewart.de> -> <zini2001@web.de>
Jan 1 20:08:41 mail postfix/smtpd[15096]: connect from localhost[127.0.0.1]
Jan 1 20:08:42 mail postfix/smtpd[15096]: disconnect from localhost[127.0.0.1]
Jan 1 20:08:42 mail amavis[1900]: (01900-04) mail_via_smtp: 530 5.5.0 Rejected by MTA: 530 Must issue a STARTTLS command first, id=01900-04
Jan 1 20:08:42 mail amavis[1900]: (01900-04) Not-Delivered, <steven@ewart.de> -> <zini2001@web.de>, Message-ID: <200412302159.28150.steven@ewart.de>, Hits: -
Jan 1 20:08:42 mail amavis[1900]: (01900-04) TIMING [total 1173 ms] - SMTP EHLO: 4 (0%), SMTP pre-MAIL: 1 (0%), SMTP pre-DATA-flush: 6 (1%), SMTP DATA: 36(3%), body hash: 1 (0%), mime_decode: 28 (2%), get-file-type: 16 (1%), decompose_part: 2 (0%), parts: 0 (0%), fwd-connect: 62 (5%), fwd-rundown: 1007 (86%), unlink-1-files: 9 (1%), rundown: 1 (0%)
Jan 1 20:08:42 mail postfix/smtp[15094]: 4B63F9EEA: to=<zini2001@web.de>, relay=127.0.0.1[127.0.0.1], delay=1, status=bounced (host 127.0.0.1[127.0.0.1] said: 530 5.5.0 Rejected by MTA: 530 Must issue a STARTTLS command first, id=01900-04 (in reply to end of DATA command))
Jan 1 20:08:42 mail postfix/cleanup[15092]: D91E8E229: message-id=<20050101190842.D91E8E229@mail.ewart.netz>
Jan 1 20:08:42 mail postfix/qmgr[15086]: D91E8E229: from=<>, size=2365, nrcpt=1 (queue active)
Jan 1 20:08:42 mail postfix/qmgr[15086]: 4B63F9EEA: removed
Jan 1 20:08:48 mail postfix/smtp[15099]: D91E8E229: to=<steven@ewart.de>, relay=mail.isp.de[ip-adresse-isp], delay=6, status=sent (250 Ok: queued as 73498BD4EC)
Jan 1 20:08:48 mail postfix/qmgr[15086]: D91E8E229: removed
Mail sent without amavis:
Jan 1 23:42:09 mail postfix/smtpd[20051]: connect from unknown[192.168.2.26]
Jan 1 23:42:10 mail postfix/smtpd[20051]: 4C0B9E8A8: client=unknown[192.168.2.26], sasl_method=PLAIN, sasl_username=warnekes
Jan 1 23:42:10 mail postfix/cleanup[20054]: 4C0B9E8A8: message-id=<200412310132.57336.steven@ewart.de>
Jan 1 23:42:10 mail postfix/qmgr[20040]: 4C0B9E8A8: from=<steven@ewart.de>, size=597, nrcpt=1 (queue active)
Jan 1 23:42:10 mail postfix/smtpd[20051]: disconnect from unknown[192.168.2.26]
Jan 1 23:42:16 mail postfix/smtp[20056]: verify error:num=19:self signed certificate in certificate chain
Jan 1 23:42:16 mail postfix/smtp[20056]: Peer certficate could not be verified
Jan 1 23:42:17 mail postfix/smtp[20056]: 4C0B9E8A8: to=<zini2001@web.de>, relay=mail.isp.de[ip-adresse-isp], delay=7, status=sent (250 Ok: queued as E72F5BD655)
Jan 1 23:42:17 mail postfix/qmgr[20040]: 4C0B9E8A8: removed
Here is my main.cf
mail:/etc/postfix # postconf -n
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
defer_transports =
disable_dns_lookups = no
inet_interfaces = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport = lmtp:unix:public/lmtp
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
message_size_limit = 10240000
mydestination = $myhostname, localhost.$mydomain, $mydomain
mydomain = ewart.netz
myhostname = mail.ewart.netz
mynetworks = 127.0.0.0/8, 192.168.2.0/24
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix/README_FILES
relayhost = mail.terralink.de
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_use_tls = yes
smtpd_client_restrictions =
smtpd_enforce_tls = yes
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
strict_rfc821_envelopes = no
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 450
and my master.cf
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - n - - smtpd
smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes
# -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission inet n - n - - smtpd
# -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
#localhost:10025 inet n - n - - smtpd -o content_filter=
smtp-amavis unix - - n - 2 smtp -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes -o disable_dns_lookups=yes
127.0.0.1:10025 inet n - n - - smtpd -o content_filter= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# maildrop. See the Postfix MAILDROP_README file for details.
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
cyrus unix - n n - - pipe
flags=R user=cyrus argv=/usr/lib/cyrus/bin/deliver -e -m ${extension} ${user}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#vscan unix - n n - 10 pipe
# user=vscan argv=/usr/sbin/amavis ${sender} ${recipient}
procmail unix - n n - - pipe
flags=R user=nobody argv=/usr/bin/procmail -t -m /etc/procmailrc ${sender} ${recipient}
I'd be glad if someone
1. understood what I mean.....
2. had an idea or some approaches to a solution.
Regards, zini
EDIT: the t of reject in master.cf is displayed wrongly here... it is correct in the file
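The decisive line in the first log is "530 5.5.0 Rejected by MTA: 530 Must issue a STARTTLS command first", and it is produced by the smtpd listening on 127.0.0.1:10025, not by amavis. Every smtpd instance in master.cf inherits main.cf, so "smtpd_enforce_tls = yes" also applies to the re-injection listener, while amavisd-new delivers the scanned mail back over plain SMTP. The 10025 entry therefore needs its own -o overrides that switch TLS enforcement (and TLS-only authentication) off for that loopback service. The script below is an added example, not code from the post or from the Postfix project: it layers master.cf "-o" options on top of postconf -n output exactly the way Postfix does, and flags re-injection listeners that still enforce TLS. The main.cf and master.cf texts inside it are constructed excerpts of the post's configuration; the parameter names smtpd_use_tls, smtpd_enforce_tls and smtpd_tls_auth_only are the ones this post's Postfix uses (newer releases express the same thing as smtpd_tls_security_level=none), and "-o smtpd_sasl_auth_enable=no" is an additional override taken from Postfix's FILTER_README, not something the post mentions.

```python
"""Compute the effective smtpd settings of each Postfix listener by layering
master.cf "-o" overrides on top of main.cf, and flag content-filter
re-injection listeners that still enforce TLS.  Added example; the sample
configuration below is constructed from the post's main.cf/master.cf."""

# Constructed excerpt of the post's main.cf (postconf -n output).
MAIN_CF = """\
content_filter = smtp-amavis:[127.0.0.1]:10024
mynetworks = 127.0.0.0/8, 192.168.2.0/24
smtpd_enforce_tls = yes
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
smtpd_use_tls = yes
"""

# Constructed excerpt of the post's master.cf: the public listener, the
# amavis hand-off transport and the 127.0.0.1:10025 re-injection listener.
MASTER_CF_AS_POSTED = """\
smtp            inet  n  -  n  -  -  smtpd
smtp-amavis     unix  -  -  n  -  2  smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet  n  -  n  -  -  smtpd
    -o content_filter=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
"""

# The same file with the overrides the 10025 listener needs so that mail
# coming back from amavis (plain SMTP on the loopback interface) is not
# rejected with "530 Must issue a STARTTLS command first".
# smtpd_sasl_auth_enable=no is assumed from FILTER_README, not from the post.
MASTER_CF_FIXED = MASTER_CF_AS_POSTED + """\
    -o smtpd_use_tls=no
    -o smtpd_enforce_tls=no
    -o smtpd_tls_auth_only=no
    -o smtpd_sasl_auth_enable=no
"""


def parse_main_cf(text):
    """Turn 'key = value' lines (postconf -n style) into a dict."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def parse_master_cf(text):
    """Return a list of services; indented lines continue the previous one."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and services:
            services[-1]["args"].extend(raw.split())
            continue
        fields = raw.split()
        services.append({"name": fields[0], "type": fields[1],
                         "command": fields[7], "args": fields[8:]})
    return services


def service_overrides(service):
    """Collect the '-o key=value' pairs of one master.cf entry."""
    overrides = {}
    args = service["args"]
    for i, token in enumerate(args):
        if token == "-o" and i + 1 < len(args):
            key, _, value = args[i + 1].partition("=")
            overrides[key] = value
    return overrides


def effective_settings(main_params, service):
    """main.cf values with this service's -o overrides layered on top."""
    merged = dict(main_params)
    merged.update(service_overrides(service))
    return merged


def tls_enforcing_reinjection_listeners(main_cf_text, master_cf_text):
    """List (service name, offending settings) for every smtpd listener that
    clears content_filter (i.e. takes filtered mail back) yet still demands
    TLS or TLS-only authentication from its loopback client."""
    main_params = parse_main_cf(main_cf_text)
    flagged = []
    for svc in parse_master_cf(master_cf_text):
        if svc["command"] != "smtpd":
            continue
        if service_overrides(svc).get("content_filter") != "":
            continue  # not a re-injection listener
        eff = effective_settings(main_params, svc)
        reasons = [f"{p}=yes" for p in ("smtpd_enforce_tls", "smtpd_tls_auth_only")
                   if eff.get(p) == "yes"]
        if reasons:
            flagged.append((svc["name"], reasons))
    return flagged


if __name__ == "__main__":
    for label, master in (("as posted", MASTER_CF_AS_POSTED), ("fixed", MASTER_CF_FIXED)):
        print(label, tls_enforcing_reinjection_listeners(MAIN_CF, master))
```

Run as-is, the "as posted" variant reports the 127.0.0.1:10025 listener with smtpd_enforce_tls=yes and smtpd_tls_auth_only=yes inherited from main.cf, and the "fixed" variant reports nothing. The public smtp listener is deliberately left untouched, so clients on the LAN still have to use STARTTLS before authenticating; only the loopback hop from amavis back into Postfix is exempted.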