OS13.2 - Postfix configuration - Postfix talk on port 25 but expected to talk to port 465 (SMTP+SSL)

Hello.
I am restarting an old project of mine.
Mail administration on a small local network: 5 Linux users.
A Linux user may have up to 3 different mail addresses from different providers.
Linux users read and write their mail from the local network:
http://paste.opensuse.org/18134681

Working conditions:

  1. No owned domain name
  2. No fixed IP address behind the isp dsl modem
  3. The server on the local network runs as DHCP server and DNS server using dnsmasq. Postfix is configured and running
  4. Self signed cert has been generated for postfix and dovecot
  5. FW is configured
  6. For the moment, just testing postfix with an isp test account.
  7. Test mail with the command “telnet” and “mail” on a test user on the mail server machine.

When testing postfix, I started by sending a mail via telnet. I had to modify **/etc/postfix/master.cf** and /etc/postfix/main.cf because I did not see the STARTTLS message.

Now postfix tries to send mail but connects to my ISP on port 25, which is not allowed. Here is the info from the ISP site:

Your login “my_user_name” is already authorized to make SMTP authenticated on “smtp.free.fr”.
Only encrypted password authentication methods are accepted. For example the use of SSL (on port 465) or of the ’ MD5 Challenge-Response’ (on port 587).


Here is the test session:

  • Postfix start

hostname-1:~ # systemctl restart postfix.service
hostname-1:~ # systemctl -l status postfix.service
postfix.service - Postfix Mail Transport Agent
Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled)
Active: active (running) since Wed 2015-04-22 17:22:19 CEST; 3s ago
Process: 9350 ExecStopPost=/etc/postfix/system/cond_slp deregister (code=exited, status=0/SUCCESS)
Process: 9340 ExecStop=/usr/sbin/postfix stop (code=exited, status=0/SUCCESS)
Process: 9454 ExecStartPost=/etc/postfix/system/cond_slp register (code=exited, status=0/SUCCESS)
Process: 9450 ExecStartPost=/etc/postfix/system/wait_qmgr 60 (code=exited, status=0/SUCCESS)
Process: 9373 ExecStart=/usr/sbin/postfix start (code=exited, status=0/SUCCESS)
Process: 9370 ExecStartPre=/etc/postfix/system/update_postmaps (code=exited, status=0/SUCCESS)
Process: 9367 ExecStartPre=/etc/postfix/system/update_chroot (code=exited, status=0/SUCCESS)
Process: 9363 ExecStartPre=/etc/postfix/system/config_postfix (code=exited, status=0/SUCCESS)
Process: 9361 ExecStartPre=/bin/echo Starting mail service (Postfix) (code=exited, status=0/SUCCESS)
Main PID: 9447 (master)
CGroup: /system.slice/postfix.service
├─9447 /usr/lib/postfix/master -w
├─9448 pickup -l -t fifo -u
└─9449 qmgr -l -t fifo -u

Apr 22 17:22:18 hostname-1 echo[9361]: Starting mail service (Postfix)
Apr 22 17:22:19 hostname-1 postfix/master[9447]: daemon started – version 2.11.3, configuration /etc/postfix
hostname-1:~ #

  • telnet

hostname-1:~ # telnet hostname-1.my-dom-test.nwk 25
Trying 192.168.130.123…
Connected to hostname-1.my-dom-test.nwk.
Escape character is ‘^]’.
220 hostname-1.localdomain ESMTP
ehlo hostname-1.my-dom-test.nwk
250-hostname-1.localdomain
250-PIPELINING
250-SIZE
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM:xxxxxxxxx@free.fr
250 2.1.0 Ok
RCPT TO:xxxxxxxxxx@free.fr
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
subject : Test
This is a test
.
250 2.0.0 Ok: queued as 24699E01A8
quit
221 2.0.0 Bye
Connection closed by foreign host.
hostname-1:~ #

  • systemd journal

Apr 22 17:22:18 hostname-1 echo[9361]: Starting mail service (Postfix)
Apr 22 17:22:19 hostname-1 postfix/master[9447]: daemon started – version 2.11.3, configuration /etc/postfix
Apr 22 17:22:47 hostname-1 postfix/smtpd[9470]: initializing the server-side TLS engine
Apr 22 17:22:47 hostname-1 postfix/tlsmgr[9472]: open smtp TLS cache btree:/var/lib/postfix/smtpd_tls_session_cache
Apr 22 17:22:47 hostname-1 postfix/tlsmgr[9472]: tlsmgr_cache_run_event: start TLS smtp session cache cleanup
Apr 22 17:22:47 hostname-1 postfix/smtpd[9470]: connect from hostname-1.my-dom-test.nwk[192.168.130.123]
Apr 22 17:23:37 hostname-1 postfix/smtpd[9470]: 24699E01A8: client=hostname-1.my-dom-test.nwk[192.168.130.123]
Apr 22 17:23:58 hostname-1 postfix/cleanup[9474]: 24699E01A8: message-id=20150422152337.24699E01A8@hostname-1.localdomain
Apr 22 17:23:58 hostname-1 postfix/qmgr[9449]: 24699E01A8: from=xxxxxxxxxxxxx@free.fr, size=409, nrcpt=1 (queue active)
Apr 22 17:23:58 hostname-1 postfix/smtp[9476]: initializing the client-side TLS engine
Apr 22 17:24:02 hostname-1 postfix/smtpd[9470]: disconnect from hostname-1.my-dom-test.nwk[192.168.130.123]
Apr 22 17:24:28 hostname-1 postfix/smtp[9476]: connect to smtp.free.fr[212.27.48.4]:25: Connection timed out
Apr 22 17:24:28 hostname-1 postfix/smtp[9476]: 24699E01A8: to=xxxxxxxxxxxx@free.fr, relay=none, delay=73, delays=43/0.02/30/0, dsn=4.4.1, status=deferred (connect to smtp.free.fr[212.27.48.4]:25: Connection timed out)



**Config :**

Self signed cert (postfix example):

openssl req -new -x509 -days 3650 -nodes -out /etc/ssl/certs/postfix.pem -keyout /etc/ssl/private/postfix.pem



Firewall :
http://paste.opensuse.org/97458654
http://paste.opensuse.org/98962735

Have modified /etc/services because port was not open ( Not sure this was necessary )

smtps 465/tcp # Secure SMTP
smtps 465/udp # Secure SMTP



/etc/postfix/main.cf
http://paste.opensuse.org/46566243


/etc/postfix/master.cf
http://paste.opensuse.org/99236676

Any help is welcome.

On 2015-04-22 19:36, jcdole wrote:

>
> Working conditions:

Do you intend your postfix to send directly to the destination, or do
you intend to use your ISP as relay?

Please clarify.

Assuming the first one, ie, a /real/ mail server.

> - No owned domain name
> - No fixed IP address behind the isp dsl modem

Well, this is a huge problem.
Many destinations will simply refuse to talk to you because of any of
those two conditions.

So… no need to continue reading…

> - Test mail with the command “telnet” and “mail” on a test user on the
> mail server machine.

Why telnet? What do you want to test/prove?

> Now postfix try to send mail but connect to my ISP on port 25 which is
> not allowed. Here info from ISP site :

You want to create a mail server while using an ISP that blocks port 25?
Impossible.

> Have modified /etc/services because port was not open ( Not sure this
> was necessary )

No.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

As relay via SMTP using ssl/tls on port 465

Testing connection and logging

Yes . See ISP recommendation :

Your login “my_user_name” is already authorized to make SMTP authenticated on “smtp.free.fr”.
Only encrypted password authentication methods are accepted. For example the use of SSL (on port 465) or of the ’ MD5 Challenge-Response’ (on port 587).

As master.cf is telling postfix to use port 465, I don’t understand why postfix is using port 25.

I did that because nmap show that port 465 was closed.

Test using swaks :

swaks --from username@free.fr --to username@free.fr --auth-user username@free.fr --auth-pass password --body "This is a test mailing with swaks" -tls -apt --server smtp.free.fr -p 587

=== Trying smtp.free.fr:587...
=== Connected to smtp.free.fr.
<-  220 smtp4-g21.free.fr ESMTP Postfix
 -> EHLO hostname-1.my-dom-test.nwk
<-  250-smtp4-g21.free.fr
<-  250-PIPELINING
<-  250-SIZE 35000000
<-  250-VRFY
<-  250-ETRN
<-  250-STARTTLS
<-  250-AUTH CRAM-MD5 DIGEST-MD5
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250 DSN
 -> STARTTLS
<-  220 2.0.0 Ready to start TLS
=== TLS started w/ cipher ECDHE-RSA-AES256-GCM-SHA384
 ~> EHLO hostname-1.my-dom-test.nwk
<~  250-smtp4-g21.free.fr
<~  250-PIPELINING
<~  250-SIZE 35000000
<~  250-VRFY
<~  250-ETRN
<~  250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
<~  250-ENHANCEDSTATUSCODES
<~  250-8BITMIME
<~  250 DSN
 ~> AUTH CRAM-MD5
<~  334 <3134385094.3750030@smtp4-g21.free.fr>
 ~> iusername@free.fr 026193443d325f39283f1d0e967874e2
<~* 535 5.7.8 Error: authentication failed: authentication failure
 ~> AUTH LOGIN
<~  334 Username:
 ~> username@free.fr
<~  334 Password:
 ~> password
<~* 535 5.7.8 Error: authentication failed: authentication failure
 ~> AUTH PLAIN \0username@free.fr\0password
<~* 535 5.7.8 Error: authentication failed: authentication failure
*** No authentication type succeeded
 ~> QUIT
<~  221 2.0.0 Bye
=== Connection closed with remote host.
hostname-1:~ #



Similar test, but the user name does not contain the domain name "free.fr":

swaks --from username@free.fr --to username@free.fr --auth-user username --auth-pass password --body "This is a test mailing with swaks" -tls -apt --server smtp.free.fr -p 587

=== Trying smtp.free.fr:587...
=== Connected to smtp.free.fr.
<-  220 smtp4-g21.free.fr ESMTP Postfix
 -> EHLO hostname-1.my-dom-test.nwk
<-  250-smtp4-g21.free.fr
<-  250-PIPELINING
<-  250-SIZE 35000000
<-  250-VRFY
<-  250-ETRN
<-  250-STARTTLS
<-  250-AUTH CRAM-MD5 DIGEST-MD5
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250 DSN
 -> STARTTLS
<-  220 2.0.0 Ready to start TLS
=== TLS started w/ cipher ECDHE-RSA-AES256-GCM-SHA384
 ~> EHLO hostname-1.my-dom-test.nwk
<~  250-smtp4-g21.free.fr
<~  250-PIPELINING
<~  250-SIZE 35000000
<~  250-VRFY
<~  250-ETRN
<~  250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
<~  250-ENHANCEDSTATUSCODES
<~  250-8BITMIME
<~  250 DSN
 ~> AUTH CRAM-MD5
<~  334 <3134385094.3750030@smtp4-g21.free.fr>
 ~> iusername@free.fr 026193443d325f39283f1d0e967874e2
<~* 535 5.7.8 Error: authentication failed: authentication failure
 ~> AUTH LOGIN
<~  334 Username:
 ~> username
<~  334 Password:
 ~> password
<~* 535 5.7.8 Error: authentication failed: authentication failure
 ~> AUTH PLAIN \0username\0password
<~* 535 5.7.8 Error: authentication failed: authentication failure
*** No authentication type succeeded
 ~> QUIT
<~  221 2.0.0 Bye
=== Connection closed with remote host.
hostname-1:~ # 

On 2015-04-23 20:36, jcdole wrote:
>
> robin_listas;2706340 Wrote:
>> On 2015-04-22 19:36, jcdole wrote:
>> Do you intend your postfix to send directly to the destination, or do
>> you intend to use your ISP as relay?
>>
>> Please clarify.
>
> As relay via SMTP using ssl/tls on port 465

Ok.

> robin_listas;2706340 Wrote:
>>
>>> Now postfix try to send mail but connect to my ISP on port 25 which is
>>> not allowed. Here info from ISP site :
>> You want to create a mail server while using an ISP that blocks port 25?
>> Impossible.
>
> Yes . See ISP recommendation :

No. You can not set up a real mail server if the ISP blocks port 25. A
real mail server sends on its own to the entire world, does not use your
ISP as relay host.

You are doing something else, simply using postfix as intermediary to
your ISP relay.

> As master.cf is telling postfix to use port 465, i don’t understand why
> postfix is using port 25.

I don’t see why you say that you tell it to use 465. :-?
I only see there that there is an entry defining what to do with smtps.

> robin_listas;2706340 Wrote:
>> Have modified /etc/services because port was not open ( Not sure this
>> was necessary )
>
> robin_listas;2706340 Wrote:
>> No.
>
> I did that because nmap show that port 465 was closed.

Incoming. You have it closed incoming to your machine. That’s irrelevant
for sending.

By the way, I prefer the text entries from the firewall config with
comments removed, not photos from yast…


cat /etc/sysconfig/SuSEfirewall2 | egrep -v "^[[:space:]]*$|^#"

And the only thing important is postfix mail log. Daemons started,
telnet… no.

I think (unsure) that you have to play with the transport file.
Perhaps smtp_enforce_tls.

My ISP doesn’t block port 25. My postfix uses whatever it automatically
decides to, which apparently is port 25, looking at the logs.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))
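
A check for the point raised in the reply above: an `smtps` entry in master.cf defines a listener, while the port the Postfix smtp client sends to comes from `relayhost` (or a transport/relayhost map). This is an added example, not code from the thread; the main.cf fragments are constructed, and it assumes a single `relayhost` setting rather than a sender-dependent map.

```python
import re

# Constructed main.cf fragments; the poster's real files are only linked, not shown.
NO_PORT = """
relayhost = smtp.free.fr
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
"""
SUBMISSION = """
# relay through the ISP with STARTTLS enforced
relayhost = [smtp.free.fr]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_security_level = encrypt
"""
SMTPS = SUBMISSION.replace(":587", ":465")   # same, but implicit TLS on port 465

def parse_main_cf(text):
    """Return {parameter: value}; skips comments and joins continuation lines."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:          # continuation of the previous value
            params[last] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params

def audit_relay(text, postfix_version=(2, 11)):   # the thread's journal shows 2.11.3
    """List settings that make the smtp client miss the ISP relay or skip TLS."""
    p, issues = parse_main_cf(text), []
    m = re.fullmatch(r"(\[?)([^\]:\s]+)\]?(?::(\w+))?", p.get("relayhost", ""))
    if not m:
        return ["relayhost unset: without another route, mail goes to the recipient's MX on port 25"]
    bracket, host, port = m.groups()
    if not bracket:
        issues.append(f"{host} is not in [brackets]: Postfix does an MX lookup on it")
    if port in (None, "25", "smtp"):
        issues.append("no submission port given: the client connects to port 25")
    if port in ("465", "smtps"):
        if postfix_version < (3, 0):
            issues.append("port 465 needs smtp_tls_wrappermode, added in Postfix 3.0")
        elif p.get("smtp_tls_wrappermode") != "yes":
            issues.append("port 465 needs smtp_tls_wrappermode = yes")
    if p.get("smtp_sasl_auth_enable") != "yes" or "smtp_sasl_password_maps" not in p:
        issues.append("SASL client authentication is not configured")
    if p.get("smtp_tls_security_level") not in ("encrypt", "verify", "secure"):
        issues.append("TLS is not mandatory: the AUTH exchange can happen in cleartext")
    return issues

if __name__ == "__main__":
    for name, cfg in (("NO_PORT", NO_PORT), ("SUBMISSION", SUBMISSION), ("SMTPS", SMTPS)):
        print(name, audit_relay(cfg))
```
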

Hello.
You can forget the beginning of this thread: I completely forgot to configure the permission to use “authenticated smtp” on each ISP test account. This oversight prohibited access to ISP smtp port 465 and 587. Having corrected this mistake, from the server, I can send mails via “swaks” or “thunderbird” on each ISP test account.

hostname-1:~ # swaks --from user1@free.fr --to user2@free.fr --auth-user user1 --auth-pass pass-user1  --body "This is a test mailing with swaks" -tlsc --server smtp.free.fr -p 465                       
=== Trying smtp.free.fr:465...
=== Connected to smtp.free.fr.
=== TLS started w/ cipher ECDHE-RSA-AES256-GCM-SHA384
<~  220 smtp4-g21.free.fr ESMTP Postfix
 ~> EHLO hostname-1.my-dom-test.nwk
<~  250-smtp4-g21.free.fr
<~  250-PIPELINING
<~  250-SIZE 35000000
<~  250-VRFY
<~  250-ETRN
<~  250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
<~  250-ENHANCEDSTATUSCODES
<~  250-8BITMIME
<~  250 DSN
 ~> AUTH CRAM-MD5
<~  334 PDM4OTQ0MjE5MjQuMzgyODU2OUBzbXRwNC1nMjEuZnJlZS5mcj4=
 ~> amNkb2xlIGI1ZTI3NTA4NGNkZjAzNjVlNDM3YTBlNDg4NjYwN2Fl
<~  235 2.7.0 Authentication successful
 ~> MAIL FROM:<user1@free.fr>
<~  250 2.1.0 Ok
 ~> RCPT TO:<user2@free.fr>
<~  250 2.1.5 Ok
 ~> DATA
<~  354 End data with <CR><LF>.<CR><LF>
 ~> Date: Fri, 24 Apr 2015 18:13:15 +0200
 ~> To:user2@free.fr
 ~> From: user1@free.fr
 ~> Subject: test Fri, 24 Apr 2015 18:13:15 +0200
 ~> X-Mailer: swaks v20061116.0 jetmore.org/john/code/#swaks
 ~> 
 ~> This is a test mailing with swaks
 ~> 
 ~> .
<~  250 2.0.0 Ok: queued as 196AC4C8097
 ~> QUIT
<~  221 2.0.0 Bye
=== Connection closed with remote host.
hostname-1:~ # 


> Working conditions:
>
>   1. No owned domain name
>   2. No fixed IP address behind the isp dsl modem
>   3. The server on the local network run as DHCP server and dns server using dnsmasq. Postfix is configured and running
>   4. Self signed cert has been generated for postfix and dovecot
>   5. FW is configured
>   6. For the moment, just testing postfix with an isp test account.
>   7. Test mail with the command “telnet” and “mail” on a test user on the mail server machine.

  1. That’s OK. Not necessary for setting up an SMTP Smart Relay. Only required if you’re setting up a mailserver for client apps, then you’ll need a Mail Domain (which isn’t always entirely consistent with a publicly registered FQDN) and support for a client app mail protocol, usually some variation of POP or IMAP (there are others like MS Outlook connections).

  2. That’s OK. All depends on what you intend your SMTP Smart Relay to do. SMTP is used for outgoing mail and inter-mail server connections, so you need some kind of location resolution for whatever connects to your Smart Relay. But, a fixed IP is not critical although usually desirable.

  3. OK. I assume you’re saying those additional network services are running on the same machine as your Smart Relay.

  4. OK.

  5. OK.

  6. OK.

  7. OK.

You don’t provide enough info about your Postfix configuration (you’d probably need to post your config file somewhere for inspection with possibly sanitized info) but before you do that, have you done the easy thing and simply installed the YAST mail applet and used it to configure your secure connection? Install with the following command and you’ll find it in YAST Network Services

zypper in yast2-mail

HTH,
TSU

On 2015-04-24 19:06, tsu2 wrote:
> You don’t provide enough info about your Postfix configuration (you’d
> probably need to post your config file somewhere for inspection with

He did post main and master.cf, in links.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

Ah, my eyes missed.
But still, a quick search of those files doesn’t find any uncommented lines that specify addresses and ports.
So, before even considering whether security is set up properly, I don’t see that the network address(es) is specified.

In any case, as I described using YAST to configure would probably be the fastest and easiest way to implement and with a higher degree of certainty without bugs.

TSU

After reading a lot of things I have built my postfix config from robin_listas’s thread :
https://forums.opensuse.org/showthread.php/473991-Setting-up-postfix-to-send-local-mail-to-an-internet-email-address-OpenSUSE-12-1
In the following, user1a, user1b, user1c are user accounts @ ISP, and user_1a, user_1b, user_1c are Linux user accounts @ my local network.

I must have missed something, because my test mail sent from the Linux local network server by user_1a is delivered to the mailbox user_1a @my_local_network. The test was done under the user account and not under the root account.

aliases : http://paste.opensuse.org/46868116
generic : http://paste.opensuse.org/70647934
main.cf : http://paste.opensuse.org/30964508
master.cf : http://paste.opensuse.org/82676013
sasl_passwd : http://paste.opensuse.org/49225605
sender_canonical : http://paste.opensuse.org/36874958
sender_relayhost : http://paste.opensuse.org/36154735
virtual : http://paste.opensuse.org/54742290

The command (from user_1a linux session) :

echo "This is the message body and contains the message from mailx -USING MAILX " | mailx -s "Test with mailx - port 587" -r "user1a@free.fr"  user1b@free.fr

journalctl:

May 02 20:15:27 hostname-1 postfix/pickup[4056]: 1C709E01D5: uid=1001 from=<user1a@free.fr>
May 02 20:15:27 hostname-1 postfix/cleanup[4614]: 1C709E01D5: message-id=<5545143f.36RlPVkO6OaL1B2f%user1a@free.fr>
May 02 20:15:27 hostname-1 postfix/qmgr[4057]: 1C709E01D5: from=<user1a@free.fr>, size=541, nrcpt=1 (queue active)
May 02 20:15:27 hostname-1 postfix/local[4616]: 1C709E01D5: to=<user_1b@hostname-1.my-dom-test.nwk>, orig_to=<user1b@free.fr>, relay=local, delay=0.14, delays=0.1/0/0/0.04, dsn=2.0.0, status=sent (delivered to mailbox)
May 02 20:15:27 hostname-1 postfix/qmgr[4057]: 1C709E01D5: removed

It seems that user1b@free.fr (good destination) is rewritten to user_1b@hostname-1.my-dom-test.nwk, which is a local Linux user.

The delivered mail:

From user1a@free.fr  Sat May  2 20:15:27 2015
Return-Path: <user1a@free.fr>
X-Original-To: user2a@free.fr
Delivered-To: user_2a@hostname-1.my-dom-test.nwk
Received: by hostname-1.my-dom-test.nwk (Postfix, from userid 1001)
    id 1C709E01D5; Sat,  2 May 2015 20:15:27 +0200 (CEST)
Date: Sat, 02 May 2015 20:15:27 +0200
From: user1a@free.fr
To: user2a@free.fr
Subject: Test with mailx - port 587
Message-ID: <5545143f.36RlPVkO6OaL1B2f%user1a@free.fr>
User-Agent: Heirloom mailx 12.5 7/5/10
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

This is the message body and contains the message from mailx -USING MAILX 

Any help is welcome.

I have modified sasl_passwd and sender_relayhost but the address of the recipient of the mail is still incorrect.

sasl_passwd : http://paste.opensuse.org/13332412
sender_relayhost : http://paste.opensuse.org/65860146
Test Command : http://paste.opensuse.org/78556842
journalctl : http://paste.opensuse.org/35223866
sender : user_1a.mailbox : http://paste.opensuse.org/53734161
recipient : user_1b.mailbox : http://paste.opensuse.org/80866384

Any help is welcome
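
The two failures seen in this thread's journal (delivery attempted on port 25, and a recipient rewritten to a local mailbox) can both be picked out of Postfix delivery lines by comparing `to=`, `orig_to=` and `relay=`. This is an added example, not code from the thread: the sample lines are constructed in the format of the quoted journal, and the relay host and allowed ports are parameters assumed from the ISP notice.

```python
import re

# Constructed sample lines in the format of the journal excerpts quoted in the thread.
SAMPLE_LOG = """\
Apr 22 17:24:28 hostname-1 postfix/smtp[9476]: 24699E01A8: to=<user2@free.fr>, relay=none, delay=73, delays=43/0.02/30/0, dsn=4.4.1, status=deferred (connect to smtp.free.fr[212.27.48.4]:25: Connection timed out)
May 02 20:15:27 hostname-1 postfix/local[4616]: 1C709E01D5: to=<user_1b@hostname-1.my-dom-test.nwk>, orig_to=<user1b@free.fr>, relay=local, delay=0.14, delays=0.1/0/0/0.04, dsn=2.0.0, status=sent (delivered to mailbox)
May 03 09:00:01 hostname-1 postfix/smtp[5001]: 2A11BE0200: to=<user1b@free.fr>, relay=smtp.free.fr[212.27.48.4]:587, delay=1.2, delays=0.1/0/0.6/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0000000000)
"""

DELIVERY = re.compile(
    r"postfix/(?P<agent>\w+)\[\d+\]: (?P<qid>\w+): to=<(?P<to>[^>]*)>, "
    r"(?:orig_to=<(?P<orig_to>[^>]*)>, )?relay=(?P<relay>[^,]+), .*?"
    r"dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<detail>.*)\)$")

def triage(log_text, relay_host="smtp.free.fr", allowed_ports=(465, 587)):
    """Return (queue_id, finding) pairs for deliveries that did not take the relay path."""
    findings = []
    for line in log_text.splitlines():
        m = DELIVERY.search(line)
        if not m:
            continue
        d = m.groupdict()
        # Port from relay=host[ip]:port, or from the error text when relay=none.
        port = re.search(r"\]:(\d+)", d["relay"] + " " + d["detail"])
        port = int(port.group(1)) if port else None
        to_dom = d["to"].rpartition("@")[2]
        orig_dom = (d["orig_to"] or d["to"]).rpartition("@")[2]
        if d["agent"] in ("local", "virtual") and orig_dom != to_dom:
            findings.append((d["qid"], f"{d['orig_to']} rewritten to {d['to']} and delivered "
                             "locally: check virtual_alias_maps and canonical maps"))
        elif d["agent"] == "smtp" and port is not None and port not in allowed_ports:
            findings.append((d["qid"], f"{d['status']} on port {port}, expected "
                             f"{relay_host} on {'/'.join(map(str, allowed_ports))}"))
        elif d["agent"] == "smtp" and relay_host not in d["relay"] + d["detail"]:
            findings.append((d["qid"], f"delivery bypassed {relay_host}: relay={d['relay']}"))
    return findings

if __name__ == "__main__":
    for qid, finding in triage(SAMPLE_LOG):
        print(qid, finding)
```
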