Postfix for sending email on port 465 using SSL

Hello;

I need to use postfix to send email from openSUSE Leap 42.3. I configured it using YaST → Network Services → Mail Server; then, in the outgoing mail, I selected "use TLS" and I did the configuration under the Authentication option (so I placed the domain of the outgoing server, the username and the password of the email that I am going to use).

My questions are:
My email server provider is requesting me to use SSL and port 465, so do I have to do anything other than selecting TLS while configuring the outgoing mail server using YaST?
And to use port 465, where do I have to place it?

And how can I test sending email and confirm that postfix is able to send email from my configured address to other addresses?

Regards
Bilal

Hi
Can you not upgrade to a supported release? You are likely to face additional issues with outdated and unsupported versions of the likes of SSL…

I am using postfix to send mail using several relay hosts. None of them ever asked me to specify a port number. Currently I have relayhost = mail.mnet-online.de, smtp_use_tls = yes, smtp_enforce_tls = yes.

For testing mail transport I use e.g: “date | mail -s test -r address@nefkom.net address@mistelberger.net”. View the logs: journalctl -f -u postfix.service.

And I am using a recent version of postfix. :wink:
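The test above (send one message with mail, watch the journal) can be wrapped in a small script. This is an added example, my own and not from the thread or the Postfix project: it sends a test message, then reduces the postfix/smtp delivery lines from journalctl to one summary line per attempt and names the setting most likely at fault. It assumes mail(1) with -r, postqueue and journalctl as on the openSUSE system in this thread; the addresses are placeholders and the sample log lines are constructed in postfix's format (relay address in the 192.0.2.0/24 documentation range).

```sh
#!/bin/sh
# Added example, not code from the thread. Sends one test message and
# summarises what the postfix smtp client did with it.

# Reduce postfix/smtp delivery lines read on stdin to
#   "<queue-id> <status> <dsn> <relay> | <reason>"
# Lines from other daemons (pickup, cleanup, qmgr) carry no status= and are
# dropped, so the output is exactly one line per delivery attempt.
summarize_delivery_log() {
    sed -n 's/.*postfix\/smtp\[[0-9]*\]: \([0-9A-F]*\): to=<[^>]*>, relay=\([^,]*\), .*dsn=\([0-9.]*\), status=\([a-z]*\) (\(.*\))$/\1 \4 \3 \2 | \5/p'
}

# Constructed sample in the format postfix writes: a qmgr line that must be
# ignored, one deferral, one bounce and one successful handoff to the relay.
sample_log() {
    cat <<'EOF'
Apr 14 03:58:55 host postfix/qmgr[25074]: 533DB1049F34: from=<sender@example.org>, size=460, nrcpt=1 (queue active)
Apr 14 03:58:56 host postfix/smtp[26317]: 533DB1049F34: to=<user@example.net>, relay=smtp.testdomain.com[192.0.2.10]:465, delay=1.3, delays=0.01/0.01/1.3/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.testdomain.com[192.0.2.10]: no mechanism available)
Apr 14 04:50:42 host postfix/smtp[1804]: AF43C1049D26: to=<user@example.net>, relay=smtp.testdomain.com[192.0.2.10]:465, delay=1.5, delays=0.01/0.01/1.2/0.27, dsn=5.0.0, status=bounced (host smtp.testdomain.com[192.0.2.10] said: 550 No unauthenticated relaying permitted (in reply to MAIL FROM command))
Apr 14 05:01:10 host postfix/smtp[2201]: 7C0A11049F01: to=<user@example.net>, relay=smtp.testdomain.com[192.0.2.10]:465, delay=1.1, delays=0.01/0.01/0.8/0.3, dsn=2.0.0, status=sent (250 2.0.0 OK queued)
EOF
}

# Append a hint to each summary line. Covers the three outcomes you get from
# an authenticating relay; anything else is passed through unchanged.
triage() {
    while IFS= read -r line; do
        case "$line" in
            *" deferred 4.7.0 "*"SASL authentication failed"*)
                echo "$line -> SASL client plugins/credentials (smtp_sasl_* settings)" ;;
            *" bounced 5."*"No unauthenticated relaying permitted"*)
                echo "$line -> relay wants a login: smtp_sasl_auth_enable = yes" ;;
            *" sent 2."*)
                echo "$line -> delivered to relay" ;;
            *)  echo "$line" ;;
        esac
    done
}

# Send one test message and show what postfix did with it.
send_test_mail() {   # sender recipient
    date | mail -s "postfix relay test" -r "$1" "$2"
    sleep 3                        # let the smtp client make its first attempt
    postqueue -p                   # anything still listed here was deferred
    journalctl -u postfix.service --since '2 min ago' --no-pager \
        | summarize_delivery_log | triage
}

# Usage: sh mailtest.sh sender@example.org recipient@example.net
# Without arguments the constructed sample is summarised instead.
if [ "$#" -eq 2 ]; then
    send_test_mail "$1" "$2"
else
    sample_log | summarize_delivery_log | triage
fi
```

A deferred message stays in the queue and is retried, so `postqueue -p` is the quickest way to see whether the relay actually accepted it; `postqueue -f` forces a new attempt after you change the configuration.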

YaST configures postfix for explicit TLS using the STARTTLS command (it sets smtp_use_tls and smtp_enforce_tls; the exact values depend on the option selected in YaST). The STARTTLS extension normally uses the standard port 25.

And to use port 465, where do I have to place it?

Assuming that your provider wants you to use implicit SSL (which is what port 465 was originally intended for), this is enabled with the smtp_tls_wrappermode option, and you also need to configure the outgoing relay to use port 465. Example from the postfix documentation:

smtp_tls_wrappermode (default: no)
Request that the Postfix SMTP client connects using the legacy SMTPS protocol instead of using the STARTTLS command.


This mode requires "smtp_tls_security_level = encrypt" or stronger.


Example: deliver all remote mail via a provider's server "mail.example.com".


/etc/postfix/main.cf:
    # Client-side SMTPS requires "encrypt" or stronger.
    smtp_tls_security_level = encrypt
    smtp_tls_wrappermode = yes
    # The [] suppress MX lookups.
    relayhost = [mail.example.com]:465

Otherwise you really need to ask your provider what they want. A port number is just that - a port number; it does not say what protocol must be run over this port. It is possible that it is enough to set the relay host, which can be done via YaST as well.

What you never wanted to know, but what you might need on some occasion: SSL, TLS, and STARTTLS – Fastmail

You can quickly check whether the provider expects implicit TLS on port 465:

bor@bor-Latitude-E5450:~/src/qemu$ openssl s_client -quiet -no_ign_eof smtp.gmail.com:465 < /dev/null
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = smtp.gmail.com
verify return:1
DONE
bor@bor-Latitude-E5450:~/src/qemu$ openssl s_client -quiet -no_ign_eof smtp.gmail.com:25 < /dev/null
140518743758656:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
bor@bor-Latitude-E5450:~/src/qemu$ 
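The openssl s_client probe above can be scripted so that the result drives the configuration. This is an added example, my own and not from the thread or the Postfix project: it classifies what a port speaks ("wrong version number" means a plaintext banner answered a TLS handshake; "verify error" means the handshake completed but the chain did not validate), decides between implicit TLS (SMTPS, wrappermode) and STARTTLS, and prints the matching postconf commands without applying them. smtp.example.com is a placeholder; openssl and, for the live probe, coreutils timeout are assumed to be installed.

```sh
#!/bin/sh
# Added example, not code from the thread. Classify an SMTP relay port with
# openssl s_client and print the Postfix settings that match.

# Classify captured `openssl s_client -quiet -no_ign_eof` output read on
# stdin. Prints exactly one word.
classify_s_client_output() {
    out=$(cat)
    case "$out" in
        # A TLS ClientHello was sent but the peer answered with a plaintext
        # SMTP banner: plain SMTP (maybe with STARTTLS), not SMTPS.
        *"wrong version number"*)   echo not-tls ;;
        # Seen with -starttls smtp when the EHLO reply offers no STARTTLS.
        *"Didn't find STARTTLS"*)   echo no-starttls ;;
        *"Connection refused"*|*"connect:errno"*|*"Connection timed out"*)
                                    echo connect-failed ;;
        # Handshake completed but s_client reported a chain problem. Never
        # hand a password to a relay whose certificate did not validate.
        *"verify error:"*)          echo tls-untrusted ;;
        # "verify return:1" at every depth and no verify error: the local CA
        # store trusts the server certificate.
        *"verify return:1"*)        echo tls-ok ;;
        *)                          echo unknown ;;
    esac
}

# Combine the direct (SMTPS) probe result with the STARTTLS probe result.
# Prints: implicit-tls, implicit-tls-untrusted, starttls, starttls-untrusted,
# plaintext-only, connect-failed or unknown.
decide_relay_mode() {
    direct=$1; upgraded=$2
    case "$direct" in
        tls-ok)         echo implicit-tls ;;
        tls-untrusted)  echo implicit-tls-untrusted ;;
        connect-failed) echo connect-failed ;;
        not-tls)
            case "$upgraded" in
                tls-ok)        echo starttls ;;
                tls-untrusted) echo starttls-untrusted ;;
                *)             echo plaintext-only ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# Live probe of HOST PORT. The direct probe runs first: -starttls smtp
# against an SMTPS port would leave both sides waiting for the other.
probe_relay_mode() {
    host=$1; port=$2
    direct=$(timeout 15 openssl s_client -quiet -no_ign_eof -connect "$host:$port" </dev/null 2>&1 \
             | classify_s_client_output)
    upgraded=skipped
    if [ "$direct" = not-tls ]; then
        upgraded=$(timeout 15 openssl s_client -quiet -no_ign_eof -starttls smtp -connect "$host:$port" </dev/null 2>&1 \
                   | classify_s_client_output)
    fi
    decide_relay_mode "$direct" "$upgraded"
}

# Print (do not apply) the postconf commands for a relay mode. Only the two
# modes with a validated chain get a configuration.
render_relay_config() {
    host=$1; port=$2; mode=$3
    case "$mode" in
        implicit-tls) wrapper=yes ;;
        starttls)     wrapper=no ;;
        *) echo "no safe relay config for mode '$mode'" >&2; return 1 ;;
    esac
    printf "postconf -e 'relayhost = [%s]:%s'\n" "$host" "$port"   # [] = no MX lookup
    printf "postconf -e 'smtp_tls_wrappermode = %s'\n" "$wrapper"
    printf "postconf -e 'smtp_tls_security_level = encrypt'\n"    # wrappermode needs encrypt or stronger
}

# Usage: sh probe_relay.sh smtp.example.com 465
if [ "$#" -eq 2 ]; then
    mode=$(probe_relay_mode "$1" "$2")
    echo "$1:$2 -> $mode"
    render_relay_config "$1" "$2" "$mode"
fi
```

Two caveats worth keeping in mind. "encrypt" only guarantees an encrypted session; it does not check who is on the other end, so the SASL password goes to whatever answers on that port. Once the probe reports tls-ok, the relay's chain validates against the local CA store and you can raise smtp_tls_security_level to "secure" with smtp_tls_CApath (or smtp_tls_CAfile) pointing at that store, which makes Postfix refuse to send if the certificate ever stops matching the relay host name. And the client side needs no certificate of its own: smtp_tls_cert_file/smtp_tls_key_file are only for providers that demand client-certificate authentication.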

Thanks for all of you.

Please advise if I have to add the following:

smtp_tls_note_starttls_offer = yes
tls_random_source = dev:/dev/urandom

Also, do I have to generate certificates for SSL? What is the best way to generate these certificates?

On the other hand, regarding port 465, kindly find the output below:

vicibox81:/etc/postfix # openssl s_client -quiet -no_ign_eof -connect smtp.xyz.com:465 < /dev/null
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = COMODO SSL Wildcard, CN = *.xyz.com
verify return:1
DONE

About port 465, is there no need to change anything in master.cf? Because I read that I have to change the line below to use 465 instead of smtp, but really I am not convinced:

smtp inet n - n - - smtpd

Moreover:

I would like to know: is postfix an email client or a server, or both?

Regards
Bilal

During the last few years providers have asked users to switch to secure connections. But you can send unencrypted mail. From the postfix documentation:

What Postfix TLS support does for you

Transport Layer Security (TLS, formerly called SSL) provides certificate-based authentication and encrypted sessions. An encrypted session protects the information that is transmitted with SMTP mail or with SASL authentication.
NOTE: By turning on TLS support in Postfix, you not only get the ability to encrypt mail and to authenticate remote SMTP clients or servers. You also turn on hundreds of thousands of lines of OpenSSL library code. Assuming that OpenSSL is written as carefully as Wietse’s own code, every 1000 lines introduce one additional bug into Postfix.

https://de.postfix.org/httpmirror/TLS_README.html

Mail is complex: a mail server runs lots of software. Postfix is a mail transfer agent. mail and kmail are also called mail user agents.

Hello;

Below is my configuration related to smtp. Actually, I did not do any configuration for incoming mail because I only care about sending, so that is why I did not post the configuration related to smtpd; I only paste the configuration related to smtp:

smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_auth_enable = no
#smtpd_sasl_path = private/auth
#smtpd_sasl_type = dovecot
############################################################
# TLS stuff
############################################################
#tls_append_default_CA = no
relay_clientcerts =
#tls_random_source = dev:/dev/urandom
tls_random_source = dev:/dev/urandom


smtp_use_tls = yes
smtp_tls_wrappermode = yes
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
#smtp_tls_loglevel = 0
#smtp_enforce_tls = no
smtp_enforce_tls = yes
smtp_tls_CAfile =
#smtp_tls_CApath = /etc/postfix/ssl/cacerts
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_cert_file = /etc/ssl/smtp.cert
smtp_tls_key_file = /etc/ssl/smtp.key
#smtp_tls_session_cache_timeout = 3600s
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache

But I am facing the following errors when restarting the postfix service (service postfix restart) and when trying to send email, as follows:

When restarting the postfix service:

Apr 14 03:48:28 vicibox81 systemd[1]: Stopping Postfix Mail Transport Agent...
Apr 14 03:48:28 vicibox81 postfix/postfix-script[24957]: stopping the Postfix mail system
Apr 14 03:48:28 vicibox81 systemd[1]: Stopped Postfix Mail Transport Agent.
Apr 14 03:48:28 vicibox81 systemd[1]: Starting Postfix Mail Transport Agent...
Apr 14 03:48:28 vicibox81 echo[24974]: Starting mail service (Postfix)
Apr 14 03:48:29 vicibox81 postfix/master[25072]: daemon started -- version 3.2.0, configuration /etc/postfix
Apr 14 03:48:29 vicibox81 postfix/qmgr[25074]: F30361049DED: from=<bilal@testdomain.com>, size=460, nrcpt=1 (queue active)
Apr 14 03:48:29 vicibox81 postfix/qmgr[25074]: 23D6E1049EC8: from=<bilal@testdomain.com>, size=460, nrcpt=1 (queue active)
Apr 14 03:48:29 vicibox81 postfix/smtp[25077]: looking for plugins in '/usr/lib64/sasl2', failed to open directory, error: No such file or directory
Apr 14 03:48:29 vicibox81 postfix/smtp[25083]: looking for plugins in '/usr/lib64/sasl2', failed to open directory, error: No such file or directory
Apr 14 03:48:29 vicibox81 systemd[1]: Started Postfix Mail Transport Agent.
Apr 14 03:48:30 vicibox81 postfix/smtp[25077]: warning: SASL authentication failure: No worthy mechs found
Apr 14 03:48:30 vicibox81 postfix/smtp[25077]: F30361049DED: to=<bilmar_gh@yahoo.com>, relay=smtp.testdomain.com[XX.XX.XXX.XXX]:465, delay=2247, delays=2246/0.02/1.4/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.testdomain.com[XX.XX.XXX.XXX]: no mechanism available)
Apr 14 03:48:30 vicibox81 postfix/smtp[25083]: warning: SASL authentication failure: No worthy mechs found
Apr 14 03:48:30 vicibox81 postfix/smtp[25083]: 23D6E1049EC8: to=<bilmar_gh@yahoo.com>, relay=smtp.testdomain.com[XX.XX.XXX.XXX]:465, delay=356, delays=355/0.02/1.5/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.testdomain.com[XX.XX.XXX.XXX]: no mechanism available)

And below is the log when I am sending the email from the command line using: date | mail -s test -r bilal@testdomain.com bilmar_gh@yahoo.com:

Apr 14 03:58:55 vicibox81 postfix/pickup[25073]: 533DB1049F34: uid=0 from=<bilal@testdomain.com>
Apr 14 03:58:55 vicibox81 postfix/cleanup[26138]: 533DB1049F34: message-id=<5e94fcbf.Jc4zRjEJg78aylAc%bilal@testdomain.com>
Apr 14 03:58:55 vicibox81 postfix/qmgr[25074]: 533DB1049F34: from=<bilal@testdomain.com>, size=460, nrcpt=1 (queue active)
Apr 14 03:58:55 vicibox81 postfix/smtp[26317]: looking for plugins in '/usr/lib64/sasl2', failed to open directory, error: No such file or directory
Apr 14 03:58:56 vicibox81 postfix/smtp[26317]: warning: SASL authentication failure: No worthy mechs found
Apr 14 03:58:56 vicibox81 postfix/smtp[26317]: 533DB1049F34: to=<bilmar_gh@yahoo.com>, relay=smtp.testdomain.com[XX.XX.XXX.XXX]:465, delay=1.3, delays=0.01/0.01/1.3/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.testdomain.com[XX.XX.XXX.XXX]: no mechanism available)

I created the certificates using the command below under the directory /etc/ssl:

sudo openssl req -new -outform PEM -out smtp.cert -newkey rsa:2048 -nodes -keyout smtp.key -keyform PEM -days 365 -x509

So what am I missing?

Regards
Bilal

I need to add one point: I removed smtp_sasl_auth_enable = yes and I am depending on smtp_use_tls = yes.

Now I am getting

No unauthenticated relaying permitted (in reply to MAIL FROM command)

as in the log below:

Apr 14 04:50:40 vicibox81 postfix/cleanup[1802]: AF43C1049D26: message-id=<5e9508e0.yhkjw2z+qqTN7jeH%bilal@testdomain.com>
Apr 14 04:50:40 vicibox81 postfix/qmgr[471]: AF43C1049D26: from=<bilal@testdomain.com>, size=460, nrcpt=1 (queue active)
Apr 14 04:50:42 vicibox81 postfix/smtp[1804]: AF43C1049D26: to=<bilmar_gh@yahoo.com>, relay=smtp.testdomain.com[XX.XX.XXX.XXX]:465, delay=1.5, delays=0.01/0.01/1.2/0.27, dsn=5.0.0, status=bounced (host smtp.testdomain.com[XX.XX.XXX.XXX] said: 550 bosauthsmtp06: Host 145.255.73.135: No unauthenticated relaying permitted (in reply to MAIL FROM command))
Apr 14 04:50:42 vicibox81 postfix/cleanup[1802]: 341E01049DEC: message-id=<20200414005042.341E01049DEC@vicibox81.suse>
Apr 14 04:50:42 vicibox81 postfix/bounce[1806]: AF43C1049D26: sender non-delivery notification: 341E01049DEC
Apr 14 04:50:42 vicibox81 postfix/qmgr[471]: 341E01049DEC: from=<>, size=2604, nrcpt=1 (queue active)
Apr 14 04:50:42 vicibox81 postfix/qmgr[471]: AF43C1049D26: removed
Apr 14 04:50:43 vicibox81 postfix/smtp[1804]: 341E01049DEC: to=<bilal@testdomain.com>, relay=smtp.testdomain.com[XX.XX.XXX.XXX]:465, delay=1.4, delays=0/0/1.1/0.28, dsn=5.0.0, status=bounced (host smtp.testdomain.com[XX.XX.XXX.XXX] said: 550 bosauthsmtp06: Host 145.255.73.135: No unauthenticated relaying permitted (in reply to MAIL FROM command))
Apr 14 04:50:43 vicibox81 postfix/qmgr[471]: 341E01049DEC: removed

I need to mention something related to my email provider:
Normally, using Microsoft Outlook, if I select the encrypted connection to be SSL, sending (SMTP) works, but if I select TLS, it does not work.
So, I think here is the problem.
How can I overcome it?
I appreciate the kind help.
Regards
Bilal

I just contacted my email provider and they told me that they only support SSL and do not support TLS. But they told me that I can send without encryption using port 587 or port 25, but authentication should be enabled (it requires sending the username and password to the server), so because of the required authentication,

smtp_sasl_auth_enable = yes
is needed, and that is causing the error related to sasl, as follows:

Apr 14 06:19:47 vicibox81 postfix/pickup[15559]: B2ED91049EC3: uid=0 from=<bilal@testdomain.com>
Apr 14 06:19:47 vicibox81 postfix/cleanup[19643]: B2ED91049EC3: message-id=<5e951dc3.POITe4bG01jKFTiL%bilal@testdomain.com>
Apr 14 06:19:47 vicibox81 postfix/qmgr[15560]: B2ED91049EC3: from=<bilal@testdomain.com>, size=460, nrcpt=1 (queue active)
Apr 14 06:19:47 vicibox81 postfix/smtp[19645]: looking for plugins in '/usr/lib64/sasl2', failed to open directory, error: No such file or directory
Apr 14 06:19:48 vicibox81 postfix/smtp[19645]: warning: SASL authentication failure: No worthy mechs found
Apr 14 06:19:48 vicibox81 postfix/smtp[19645]: B2ED91049EC3: to=<bilmar_gh@yahoo.com>, relay=smtp.testdomain.com[XX.XX.XXX.XXX]:25, delay=1.3, delays=0.02/0/1.2/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.testdomain.com[XX.XX.XXX.XXX]: no mechanism available)

But I tried to search my machine for sasl and this is the result (there is libsasl2.so.3 but there is no sasl2 directory under /usr/lib64):

vicibox81:/ # find / -name "*sasl*"
/usr/lib64/libsasl2.so.3
/usr/lib64/esmtp-plugins/sasl-login.so
/usr/lib64/esmtp-plugins/sasl-plain.so
/usr/lib64/esmtp-plugins/sasl-ntlm.so
/usr/lib64/esmtp-plugins/sasl-cram-md5.so
/usr/lib64/libsasl2.so.3.0.0
/usr/share/nmap/nselib/sasl.lua
/usr/share/nmap/scripts/irc-sasl-brute.nse
/usr/share/YaST2/scrconf/mail_saslpasswd.scr
/etc/sasl2
/etc/postfix/sasl_passwd.db
/etc/postfix/sasl_passwd
/etc/postfix/sasl_passwd.YaST2.save

So, how can I overcome the problem of "SASL authentication failed", which results from not finding sasl2?
Again, I only need to send email and I do not need to receive email, so is it required to configure smtpd?
Please, I need help with this; thanks in advance.

Regards
Bilal
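The three errors in the posts above point at three concrete things: the log says Postfix's libsasl2 looks for its mechanism plugins in /usr/lib64/sasl2 and that directory does not exist (the sasl-*.so files under /usr/lib64/esmtp-plugins belong to esmtp, not to Cyrus SASL, so the find output does not help), "No unauthenticated relaying permitted" shows the relay insists on a login, and the password for that login lives in sasl_passwd, which Postfix looks up by the relayhost string exactly as written in main.cf. Here is an added diagnostic script, my own and not from the thread or the Postfix project, that checks all three. Paths, the relayhost and the credentials are placeholders.

```sh
#!/bin/sh
# Added example, not code from the thread. Checks the Cyrus SASL client
# plugins, the sasl_passwd key and the permissions on the password file.

# Cyrus SASL mechanisms are loadable plugins. Logging in to a provider with a
# username and password needs PLAIN and/or LOGIN, i.e. libplain.so or
# liblogin.so in the plugin directory. Returns 0 if at least one is present.
check_sasl_plugins() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "plugin dir $dir does not exist (the error the log above reports)"
        return 1
    fi
    found=0
    for mech in plain login; do
        for f in "$dir/lib$mech.so" "$dir/lib$mech.so".[0-9]*; do
            [ -e "$f" ] || continue
            echo "found $mech mechanism: $f"
            found=1
            break
        done
    done
    [ "$found" -eq 1 ] || { echo "no PLAIN/LOGIN plugin in $dir"; return 1; }
}

# Build one sasl_passwd line. The key must equal the relayhost value in
# main.cf character for character, brackets and port included.
sasl_passwd_line() {   # relayhost user password
    printf '%s %s:%s\n' "$1" "$2" "$3"
}

# Returns 0 if FILE has a credential line whose key equals RELAYHOST exactly.
check_sasl_passwd_key() {
    file=$1; relayhost=$2
    awk -v key="$relayhost" '$1 == key && NF >= 2 { ok = 1 } END { exit ok ? 0 : 1 }' "$file"
}

# The file (and the .db that postmap builds from it) holds a plaintext
# password, so nobody but root may read it. Returns 0 only if neither the
# group nor others have read permission.
check_sasl_passwd_perms() {
    file=$1
    [ -f "$file" ] || { echo "$file is missing"; return 1; }
    mode=$(ls -ld "$file" | cut -c1-10)      # e.g. -rw-------
    case "$mode" in
        ????r*|???????r*)
            echo "$file is readable by group or others ($mode)"; return 1 ;;
    esac
    return 0
}

# Usage: sh sasl_checks.sh /usr/lib64/sasl2 /etc/postfix/sasl_passwd '[smtp.example.com]:465'
if [ "$#" -eq 3 ]; then
    status=0
    check_sasl_plugins "$1" || status=1
    check_sasl_passwd_key "$2" "$3" || { echo "no key '$3' in $2"; status=1; }
    check_sasl_passwd_perms "$2" || status=1
    exit $status
fi
```

If the plugin check fails, install the Cyrus SASL PLAIN/LOGIN plugin package (on openSUSE I would expect it to be called cyrus-sasl-plain, with cyrus-sasl-login alongside; `zypper se cyrus-sasl` lists what is available) and confirm with `postconf -A` that Postfix was built with the cyrus client. After editing sasl_passwd run `postmap /etc/postfix/sasl_passwd`, `chmod 600 /etc/postfix/sasl_passwd*` and `postfix reload`; `postmap -q '[smtp.example.com]:465' hash:/etc/postfix/sasl_passwd` shows what Postfix will actually find. One more cause of the same "No worthy mechs found" message: smtp_sasl_security_options = noplaintext excludes PLAIN and LOGIN; the posted config uses only noanonymous, which is the right choice here because TLS is enforced on the connection.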

That is pretty much the same as with my current relay host: https://www.m-net.de/fileadmin/Service/Downloads/Anleitungen_E-Mail_Programme/Allgemeine_E-Mail_Einstellungen.pdf It says: mail.mnet-online.de, port 587, authenticate. I had some hiccups when they enforced that. I fixed the problem by deleting and reinstalling an up-to-date version of postfix, see: E-Mail auf dem openSUSE Desktop | Karl Mistelberger

Thus I recommend trying the above procedure.