
Re: Can postfix work with a TLS, authenticated smtp relay server?


Richard Chapman

Sep 10, 2010, 5:41:14 AM
OK. I'm making some progress here:

After attempting a sasl/tls connection to smtp.gmail.com I get the following in the logs:

Sep 10 17:12:32 C5 postfix/postfix-script: starting the Postfix mail system
Sep 10 17:12:32 C5 postfix/master[20209]: daemon started -- version 2.3.3, configuration /etc/postfix
Sep 10 17:13:07 C5 postfix/smtpd[20273]: connect from unknown[192.168.0.166]
Sep 10 17:13:07 C5 postfix/smtpd[20273]: 9975E34E0002: client=unknown[192.168.0.166], sasl_method=PLAIN, sasl_username=richard
Sep 10 17:13:07 C5 postfix/cleanup[20277]: 9975E34E0002: message-id=<4C89F6A0...@aardvark.com.au>
Sep 10 17:13:07 C5 postfix/qmgr[20211]: 9975E34E0002: from=<rcha...@aardvark.com.au>, size=621, nrcpt=1 (queue active)
Sep 10 17:13:07 C5 postfix/smtpd[20273]: disconnect from unknown[192.168.0.166]
Sep 10 17:13:10 C5 postfix/smtp[20278]: certificate verification failed for smtp.gmail.com: num=20:unable to get local issuer certificate
Sep 10 17:13:10 C5 postfix/smtp[20278]: certificate verification failed for smtp.gmail.com: num=27:certificate not trusted
Sep 10 17:13:10 C5 postfix/smtp[20278]: warning: SASL authentication failure: No worthy mechs found
Sep 10 17:13:11 C5 postfix/smtp[20278]: 9975E34E0002: to=<chapman...@gmail.com>, relay=smtp.gmail.com[72.14.213.109]:587, delay=3.4, delays=0.02/0.05/3.3/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.gmail.com[72.14.213.109]: no mechanism available)


Can anyone advise me on the best way to enable trust for the google certificates which (I think) use an equifax CA. I am running a fairly standard Centos 5.5 system - which probably doesn't have root certificates installed by default.

Thanks

Richard.


Patrick Ben Koetter

Sep 10, 2010, 6:17:52 AM
* Richard Chapman <ric...@aardvark.com.au>:

> OK. I'm making some progress here:
>
> After attempting a sasl/tls connection to smtp.gmail.com I get the
> following in the logs:
>
> Sep 10 17:12:32 C5 postfix/postfix-script: starting the Postfix mail system
> Sep 10 17:12:32 C5 postfix/master[20209]: daemon started -- version 2.3.3, configuration /etc/postfix
> Sep 10 17:13:07 C5 postfix/smtpd[20273]: connect from unknown[192.168.0.166]
> Sep 10 17:13:07 C5 postfix/smtpd[20273]: 9975E34E0002: client=unknown[192.168.0.166], sasl_method=PLAIN, sasl_username=richard
> Sep 10 17:13:07 C5 postfix/cleanup[20277]: 9975E34E0002: message-id=<4C89F6A0...@aardvark.com.au>
> Sep 10 17:13:07 C5 postfix/qmgr[20211]: 9975E34E0002: from=<rcha...@aardvark.com.au>, size=621, nrcpt=1 (queue active)
> Sep 10 17:13:07 C5 postfix/smtpd[20273]: disconnect from unknown[192.168.0.166]
> Sep 10 17:13:10 C5 postfix/smtp[20278]: certificate verification failed for smtp.gmail.com: num=20:unable to get local issuer certificate
> Sep 10 17:13:10 C5 postfix/smtp[20278]: certificate verification failed for smtp.gmail.com: num=27:certificate not trusted
> Sep 10 17:13:10 C5 postfix/smtp[20278]: warning: SASL authentication failure: No worthy mechs found

Please read SASL_README for that error message.

p@rick

> Sep 10 17:13:11 C5 postfix/smtp[20278]: 9975E34E0002: to=<chapman...@gmail.com>, relay=smtp.gmail.com[72.14.213.109]:587, delay=3.4, delays=0.02/0.05/3.3/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.gmail.com[72.14.213.109]: no mechanism available)
>
>
> Can anyone advise me on the best way to enable trust for the google certificates which (I think) use an equifax CA. I am running a fairly standard Centos 5.5 system - which probably doesn't have root certificates installed by default.
>
>
> Thanks
>
> Richard.
>
>

--
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>

Richard Chapman

Sep 11, 2010, 1:01:19 AM
Thanks to everyone who has helped with this. There are several of you
and your help is much appreciated.
My recent posting on the "trust" issue with the google certificates is
not sorted - but is a red herring as far as this issue is concerned.
I think I have it sorted - or at least working so far.

Here's the relevant main.cf section:

# 8/9/2010 Here is a block I am adding to try to get the postfix server to
# relay through smtp.gmail.com to keep the google apps sent email consistent.
#
smtp_tls_security_level = may
smtp_sender_dependent_authentication = yes
# sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
relayhost = smtp.gmail.com:submission

#
# end of 8/9/2010 block


Richard.

Victor Duchovni

Sep 13, 2010, 10:02:54 AM

That should probably be:

relayhost = [smtp.gmail.com]:submission

I don't think that "smtp.gmail.com" is intended to be an MX RRset.

--
Viktor.

Richard Chapman

Sep 13, 2010, 11:54:36 AM

Hi Victor

I'm afraid I don't understand the distinction between the syntax
"smtp.gmail.com" and "[smtp.gmail.com]" and I'm not familiar with the
term "MX RRset" either.
Can you point me to a document discussing these issues? Strangely
(perhaps) - the above relayhost directive appears to be doing what I
intended it to...

Richard.

--
Richard Chapman

Victor Duchovni

Sep 13, 2010, 12:35:26 PM
On Mon, Sep 13, 2010 at 11:54:36PM +0800, Richard Chapman wrote:

>>> relayhost = smtp.gmail.com:submission
>>
>> That should probably be:
>>
>> relayhost = [smtp.gmail.com]:submission
>>
>> I don't think that "smtp.gmail.com" is intended to be an MX RRset.
>
> I'm afraid I don't understand the distinction between the syntax

> "smtp.gmail.com" and "[smtp.gmail.com]" and I'm not familiar with the term
> "MX RRset" either.

Read the "SMTP DESTINATION SYNTAX" portion of:

http://www.postfix.org/smtp.8.html

Without "[]" the domainname specified is first subjected to DNS MX
lookups. This is required when sending mail to a domain, but is
typically wrong when resolving the address of a submission host.

> Can you point me to a document discussing these issues? Strangely (perhaps)
> - the above relayhost directive appears to be doing what I intended it
> to...

Any book that covers the DNS background for operating a mail server.
The Sendmail and Postfix books cover this.

While leaving out the "[]" often works, it can break when MX records
are introduced for the submission host (perhaps via a wildcard in
the parent domain).

--
Viktor.
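As an added example (not from the thread and not Postfix code), the following Python script models the two smtp(8) client decisions discussed above: how the relayhost nexthop is resolved with and without the square brackets Viktor points out, and which AUTH mechanisms survive smtp_sasl_security_options, which is what lies behind the "No worthy mechs found" line in Richard's first log and behind his later smtp_sasl_tls_security_options = noanonymous setting. The SERVICES map, the PLAINTEXT_MECHS and ANONYMOUS_MECHS sets and the offered AUTH list (PLAIN and LOGIN) are assumptions standing in for getservbyname(3), the Cyrus SASL plugins and a real EHLO response; the main.cf text embedded at the bottom is the block Richard posted, re-typed here as constructed input.

```python
"""Model two Postfix smtp(8) client decisions from this thread: relayhost
resolution (MX lookup or not) and SASL mechanism selection.  Added example,
not Postfix code; SERVICES and the mechanism sets are assumptions."""
import re

SERVICES = {"smtp": 25, "submission": 587, "smtps": 465}
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}   # password crosses the wire in the clear
ANONYMOUS_MECHS = {"ANONYMOUS"}

def parse_destination(spec):
    """Parse 'host', 'host:port', '[host]' or '[host]:port' per the SMTP
    DESTINATION SYNTAX section of smtp(8).  Brackets suppress the MX lookup,
    so the name is resolved directly as a host (A/AAAA record)."""
    spec = spec.strip()
    m = re.match(r"^\[(?P<host>[^\]]+)\](?::(?P<port>[^:]+))?$", spec)
    if m:
        host, port, mx_lookup = m.group("host"), m.group("port"), False
    else:
        host, sep, port = spec.partition(":")
        port, mx_lookup = (port if sep else None), True
    if port is None:
        portnum = SERVICES["smtp"]
    elif port.isdigit():
        portnum = int(port)
    elif port.lower() in SERVICES:
        portnum = SERVICES[port.lower()]
    else:
        raise ValueError("unknown service name: %r" % port)
    return {"host": host, "port": portnum, "mx_lookup": mx_lookup}

def usable_mechs(offered, security_options):
    """Drop the mechanisms Cyrus SASL rejects under the given
    smtp_sasl_security_options.  An empty list is what Postfix reports as
    'SASL authentication failure: No worthy mechs found'."""
    opts = {o.strip().lower() for o in security_options.split(",") if o.strip()}
    keep = []
    for mech in (m.upper() for m in offered):
        if "noplaintext" in opts and mech in PLAINTEXT_MECHS:
            continue
        if "noanonymous" in opts and mech in ANONYMOUS_MECHS:
            continue
        keep.append(mech)
    return keep

def parse_main_cf(text):
    """Minimal main.cf reader: a line whose first non-blank character is '#'
    is a comment; a line starting with whitespace continues the previous one."""
    cfg, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:
            cfg[last] += " " + line.strip()
            continue
        key, _, value = line.partition("=")
        last = key.strip()
        cfg[last] = value.strip()
    return cfg

def audit(cfg, offered_mechs):
    """Findings a reviewer of the posted main.cf block would raise."""
    findings = []
    if cfg.get("relayhost"):
        dest = parse_destination(cfg["relayhost"])
        if dest["mx_lookup"]:
            findings.append("relayhost lacks []: MX lookup on %s comes first; use "
                            "[%s]:%d for a submission host"
                            % (dest["host"], dest["host"], dest["port"]))
    level = cfg.get("smtp_tls_security_level", "none")
    if level in ("none", "may"):
        findings.append("smtp_tls_security_level=%s: TLS is off or opportunistic "
                        "(plaintext fallback) and the server certificate is never "
                        "enforced; 'encrypt' forbids the fallback, 'secure' also "
                        "requires a trusted, name-matching certificate" % level)
    # Once TLS is up Postfix applies smtp_sasl_tls_security_options, whose
    # default is $smtp_sasl_security_options (itself "noplaintext, noanonymous").
    opts = cfg.get("smtp_sasl_security_options", "noplaintext, noanonymous")
    if level != "none":
        opts = cfg.get("smtp_sasl_tls_security_options", opts)
    if cfg.get("smtp_sasl_auth_enable") == "yes" and not usable_mechs(offered_mechs, opts):
        findings.append("no mechanism in %s survives '%s' -> No worthy mechs found"
                        % (", ".join(offered_mechs), opts))
    return findings

# Constructed input: the block Richard posted, plus an assumed AUTH list
# (PLAIN and LOGIN) such as a submission server advertises after STARTTLS.
THREAD_MAIN_CF = """\
smtp_tls_security_level = may
smtp_sender_dependent_authentication = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
relayhost = smtp.gmail.com:submission
"""
OFFERED = ["PLAIN", "LOGIN"]

if __name__ == "__main__":
    for finding in audit(parse_main_cf(THREAD_MAIN_CF), OFFERED):
        print("-", finding)
```

Run as-is it reports two findings on the posted block: the missing [] and the opportunistic smtp_tls_security_level = may, under which the "certificate verification failed" lines in the first log are only advisory and the relay still delivers. Changing relayhost to [smtp.gmail.com]:submission clears the first; the second is where smtp_tls_CAfile (or smtp_tls_CApath) together with a level of secure would turn the CA trust question from a red herring into an enforced check. Feeding the same audit a configuration that leaves smtp_sasl_tls_security_options at its default reproduces the "No worthy mechs found" condition, because noplaintext then excludes PLAIN and LOGIN even inside the TLS session.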

Richard Chapman

Sep 14, 2010, 1:28:15 AM
Many thanks Victor. I am learning all the time...:-)

Richard.

--
Richard Chapman
