I want to enable STARTTLS on port 25, but for unknown reasons it only works on port 465.
master.cf:
smtp      inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtp
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#smtp inet n - - - 1 postscreen
#smtpd pass - - - - - smtpd
#dnsblog unix - - - - 0 dnsblog
#tlsproxy unix - - - - 0 tlsproxy
#submission inet n - - - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - - - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=no
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
main.cf:
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_restrictions = permit_mynetworks, reject_unknown_client
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname
smtpd_recipient_limit = 25
smtpd_tls_CAfile = /root/chain.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /root/cert.pem
smtpd_tls_key_file = /root/key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_prng_update_period = 3600s
tls_random_source = dev:/dev/urandom
Now when I try to check the certificate with openssl s_client -connect hostname:25 I get this error:
CONNECTED(00000003)
write:errno=104
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 308 bytes
On port 465 everything works fine, so the certificate and CA chain are correct.
Log says:
postfix/smtp/smtpd[2623]: SSL_accept error
postfix/smtp/smtpd[2623]: warning: TLS library problem: 2623:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:649:
Help is highly appreciated!
SMTPS means SMTP over TLS, like with HTTPS. So first a TLS connection is established (without fallback), and then SMTP is started. Just as nobody expects HTTPS on the HTTP port 80, you should not expect that anybody who connects to your SMTP service sends TLS requests. Thus, all connections to your server on port 25 will likely fail if you enforce TLS!
STARTTLS makes encryption optional. First, a normal, unencrypted SMTP connection is established and then the server announces it can upgrade to STARTTLS (using a so-called SMTP extension). If the server also supports STARTTLS (and it is enabled for usage), the client requests the upgrade to TLS.
SMTPS (SMTP over TLS) is enabled in Postfix via smtpd_tls_wrappermode=yes; you set that for the smtp service, thus on port 25. As written above, this is not recommended. I want to cite parts of Bettercrypto's paper Applied Crypto Hardening on this issue for both master.cf and main.cf. You may also consult it, as you probably have some settings in your main.cf that are hindering proper setup of TLS usage.
main.cf:
master.cf:
We don't set anything new for TLS on port 25, as the defaults in main.cf are all we need.
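As an added check, not part of the question or the answer above, the following Python script probes the two ports the way the answer distinguishes them: clear-text ESMTP on port 25 with an upgrade only if the EHLO reply advertises STARTTLS, and TLS from the first byte on port 465. The host name is a placeholder; parse_ehlo is a helper written here that also accepts the raw 250- lines seen in an openssl s_client session.

```python
"""Added probe for this page (constructed; host name is a placeholder):
clear-text ESMTP + STARTTLS on 25, TLS-from-first-byte on 465."""
import re
import smtplib
import socket
import ssl

_CODE = re.compile(r"^\d{3}[ -]")  # strips a leading "250-" / "250 "


def parse_ehlo(reply: str) -> dict:
    """Map an EHLO reply to {EXTENSION: parameters}; the first line is the
    server's domain and is stored under '_domain'. Accepts the reply with or
    without the '250-' prefixes, so s_client output can be pasted in."""
    lines = [_CODE.sub("", ln) for ln in reply.splitlines() if ln.strip()]
    exts = {"_domain": lines[0].split()[0] if lines else ""}
    for ln in lines[1:]:
        keyword, _, params = ln.strip().partition(" ")
        exts[keyword.upper()] = params
    return exts


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Port 25 must answer in clear text; TLS is negotiated via STARTTLS."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, msg = smtp.ehlo("probe.example")
        exts = parse_ehlo(msg.decode("utf-8", "replace"))
        if code != 250 or "STARTTLS" not in exts:
            return {"port": port, "starttls_offered": False, "tls_ok": False}
        smtp.starttls(context=ctx)  # upgrade the existing connection
        subject = dict(rdn[0] for rdn in smtp.sock.getpeercert()["subject"])
        return {"port": port, "starttls_offered": True, "tls_ok": True,
                "subject": subject, "tls_version": smtp.sock.version()}


def probe_wrapper(host: str, port: int = 465, timeout: float = 10.0) -> dict:
    """Port 465 is TLS from the first byte (smtpd_tls_wrappermode=yes)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        banner = tls.recv(512).decode("utf-8", "replace").strip()
        return {"port": port, "tls_ok": True, "banner": banner,
                "tls_version": tls.version()}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.org"  # placeholder
    print(probe_starttls(host, 25))
    print(probe_wrapper(host, 465))
```

Against a port 25 that runs in wrapper mode, as in the question's master.cf, no clear-text banner ever arrives, so probe_starttls raises instead of returning, while probe_wrapper pointed at port 25 would succeed; that pairing confirms the misplaced smtpd_tls_wrappermode setting.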