
Sending error in smtps (587)(465)


Alain Dralain

Oct 6, 2023, 6:32:51 AM10/6/23
Hello everyone,

I can't send any message over SSL/TLS on either port 587 or port 465.

To understand what I've done, here's my main.cf file.

# Postfix main.cf settings as posted. The alphabetical order suggests this is
# `postconf -n` output rather than the file itself (assumption).
# Prefix guide: smtpd_* = inbound server side, smtp_* = outbound client side.
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 3.6
# Verbose logging is raised only for sessions with 127.0.0.1. The telnet test
# on this page connected over ::1, which this entry does not match.
debug_peer_list = 127.0.0.1
dovecot_destination_recipient_limit = 1
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
maillog_file = /var/log/postfix.log
message_size_limit = 20480000
# NOTE(review): the doubled comma leaves an empty list element; probably a
# typo. If domain.uk is also returned by virtual_mailbox_domains (MySQL lookup,
# not visible here), the domain would be in two address classes -- verify.
mydestination = $myhostname,, localhost.domain.uk, localhost
myhostname = domain.uk
# Only loopback addresses are trusted; every other client must authenticate
# before it is allowed to relay (see smtpd_relay_restrictions).
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = $myhostname
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relayhost =
smtp_tls_CApath = /etc/ssl/certs
# Client-side certificate for outbound deliveries. Postfix documentation
# advises leaving these unset unless a remote server requires a client cert.
smtp_tls_cert_file = /etc/letsencrypt/live/domain.uk/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/domain.uk/privkey.pem
# Outbound: everything older than TLSv1.2 is refused.
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# Legacy switch; smtp_tls_security_level = may is the current equivalent.
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks
# Relay is allowed for mynetworks and for SASL-authenticated clients; other
# clients are deferred unless the destination is handled by this server.
# NOTE(review): permit_sasl_authenticated can only match when SASL is enabled
# for the service, and no smtpd_sasl_* setting appears in this listing.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_tls_cert_file = /etc/letsencrypt/live/domain.uk/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/domain.uk/privkey.pem
# Inbound: everything older than TLSv1.2 is refused.
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
# Opportunistic TLS by default; the submission service in master.cf overrides
# this with encrypt.
smtpd_tls_security_level = may
# Legacy switch, redundant now that smtpd_tls_security_level is set.
smtpd_use_tls = yes
virtual_alias_maps = mysql:/etc/postfix/mysql/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:8
virtual_mailbox_base = /var/mail/
virtual_mailbox_domains = mysql:/etc/postfix/mysql/mysql_virtual_domain_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql/mysql_virtual_mailbox_maps.cf
# Virtual-domain mail is handed to Dovecot over its LMTP socket.
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:5000

And here is the master.cf file:

# Postfix master.cf service table as posted: port 25, submission (587),
# submissions (465) and a Dovecot pipe transport.
# NOTE(review): the `-o` and `flags=` lines below sit at column 0 in this
# paste. In master.cf a line continues the preceding service entry only when
# it begins with whitespace; confirm that the real file indents them.
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - y - - smtpd
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
# Choose one: enable submission for loopback clients only, or for any client.

#port 587
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
# encrypt: the client must complete STARTTLS before MAIL FROM; a plaintext
# session is refused with "530 5.7.0 Must issue a STARTTLS command first".
-o smtpd_tls_security_level=encrypt
# NOTE(review): SASL is left disabled on this service and is not enabled in
# the posted main.cf either, so clients cannot authenticate here and only
# mynetworks (loopback) can relay through this port.
# -o smtpd_sasl_auth_enable=yes
# Offers AUTH only once TLS is active; it has no effect while SASL is disabled.
-o smtpd_tls_auth_only=yes

# port 465
# wrappermode: TLS starts immediately on connect and there is no STARTTLS
# step, so a plaintext client cannot talk to this port at all.
# NOTE(review): no SASL option is set for this service either.
submissions inet n - y - - smtpd
-o syslog_name=postfix/submissions
-o smtpd_tls_wrappermode=yes
# ============================DOVECOT=========================
# Pipe-based delivery through Dovecot's deliver binary. main.cf sets
# virtual_transport to LMTP, so this service is presumably unused -- confirm.
dovecot unix - n n - - pipe
flags=DRhu user=mail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}

I did a test with telnet

root:/etc/postfix# telnet localhost 587
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 mondomain.uk ESMTP Postfix
ehlo mondomain.uk
250-mondomain.uk
250-PIPELINING
250-SIZE 20480000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
MAIL FROM: A
530 5.7.0 Must issue a STARTTLS command first

Jonathan N. Little

Oct 18, 2023, 8:15:37 PM10/18/23
Alain Dralain wrote:
> #port 587
> submission inet n - y - - smtpd
> -o syslog_name=postfix/submission
> -o smtpd_tls_security_level=encrypt
> # -o smtpd_sasl_auth_enable=yes
> -o smtpd_tls_auth_only=yes

<snip>

> 530 5.7.0 Must issue a STARTTLS command first

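telnet cannot perform the STARTTLS handshake, so the 530 reply is exactly
what smtpd_tls_security_level=encrypt is meant to give a plaintext session.
telnet is the wrong tool for this test; use openssl: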

openssl s_client -connect localhost:587 -starttls smtp

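I believe that is what you want for port 587. Port 465 runs with
smtpd_tls_wrappermode=yes, where TLS starts on connect, so there the same
command is pointed at localhost:465 without "-starttls smtp".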

--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com