LMTPS : TLS over LMTP not working
Hello, I tried to activate SSL on LMTP service, to secure connections between Postfix and Dovecot on my LAN, but Dovecot is not negociating a TLS session with Postfix. If I enforce TLS for LMTP at Postfix's side, communication between Postfix and Dovecot is not working.
I put ssl = yes ssl_cert = </dovecot/ssl/ssl-LMTP.pem ssl_key = </dovecot/ssl/ssl-LMTP.key in section protocol LMTP within 20-lmtp.conf
and service lmtp { inet_listener lmtp { name = dovecot_lmtp address = xx.xx.xx.xx port = 26 ssl = yes } process_min_avail = 5 } within 10-master.conf
Did I miss something ?
Thank you for your help.
Regards, Stan
Am 17.11.2014 um 10:58 schrieb Stanislas SABATIER:
Hello, I tried to activate SSL on LMTP service, to secure connections between Postfix and Dovecot on my LAN, but Dovecot is not negociating a TLS session with Postfix. If I enforce TLS for LMTP at Postfix's side, communication between Postfix and Dovecot is not working.
I put ssl = yes ssl_cert = </dovecot/ssl/ssl-LMTP.pem ssl_key = </dovecot/ssl/ssl-LMTP.key in section protocol LMTP within 20-lmtp.conf
and service lmtp { inet_listener lmtp { name = dovecot_lmtp address = xx.xx.xx.xx port = 26 ssl = yes } process_min_avail = 5 } within 10-master.conf
Did I miss something?
did you configure postfix? postconf -d | grep tls
not sure if postfix prefers STARTTLS only (likely since the smtop-client also don't support wrapper mode and lmtp is more or less the same as smtp)
lmtp_enforce_tls = no lmtp_sasl_tls_security_options = $lmtp_sasl_security_options lmtp_sasl_tls_verified_security_options = $lmtp_sasl_tls_security_options lmtp_starttls_timeout = 300s lmtp_tls_CAfile = lmtp_tls_CApath = lmtp_tls_block_early_mail_reply = no lmtp_tls_cert_file = lmtp_tls_ciphers = export lmtp_tls_dcert_file = lmtp_tls_dkey_file = $lmtp_tls_dcert_file lmtp_tls_eccert_file = lmtp_tls_eckey_file = $lmtp_tls_eccert_file lmtp_tls_enforce_peername = yes lmtp_tls_exclude_ciphers = lmtp_tls_fingerprint_cert_match = lmtp_tls_fingerprint_digest = md5 lmtp_tls_force_insecure_host_tlsa_lookup = no lmtp_tls_key_file = $lmtp_tls_cert_file lmtp_tls_loglevel = 0 lmtp_tls_mandatory_ciphers = medium lmtp_tls_mandatory_exclude_ciphers = lmtp_tls_mandatory_protocols = !SSLv2 lmtp_tls_note_starttls_offer = no lmtp_tls_per_site = lmtp_tls_policy_maps = lmtp_tls_protocols = !SSLv2 lmtp_tls_scert_verifydepth = 9 lmtp_tls_secure_cert_match = nexthop lmtp_tls_security_level = lmtp_tls_session_cache_database = lmtp_tls_session_cache_timeout = 3600s lmtp_tls_trust_anchor_file = lmtp_tls_verify_cert_match = hostname
I setup a service in master.conf like this :
dovecotsandbox unix - - n - 10 lmtp -o lmtp_send_xforward_command=yes -o lmtp_tls_security_level=encrypt
Then I tried to add starttls option : -o lmtp_tls_note_starttls_offer=yes
But Postfix still can't deliver the email. Postfix log : (…) status=deferred (TLS is required, but was not offered by host xx.xx.xx.xx[xx.xx.xx.xx])
Le 17 nov. 2014 à 11:03, Reindl Harald <h.reindl@thelounge.net> a écrit :
Am 17.11.2014 um 10:58 schrieb Stanislas SABATIER:
Hello, I tried to activate SSL on LMTP service, to secure connections between Postfix and Dovecot on my LAN, but Dovecot is not negociating a TLS session with Postfix. If I enforce TLS for LMTP at Postfix's side, communication between Postfix and Dovecot is not working.
I put ssl = yes ssl_cert = </dovecot/ssl/ssl-LMTP.pem ssl_key = </dovecot/ssl/ssl-LMTP.key in section protocol LMTP within 20-lmtp.conf
and service lmtp { inet_listener lmtp { name = dovecot_lmtp address = xx.xx.xx.xx port = 26 ssl = yes } process_min_avail = 5 } within 10-master.conf
Did I miss something?
did you configure postfix? postconf -d | grep tls
not sure if postfix prefers STARTTLS only (likely since the smtop-client also don't support wrapper mode and lmtp is more or less the same as smtp)
lmtp_enforce_tls = no lmtp_sasl_tls_security_options = $lmtp_sasl_security_options lmtp_sasl_tls_verified_security_options = $lmtp_sasl_tls_security_options lmtp_starttls_timeout = 300s lmtp_tls_CAfile = lmtp_tls_CApath = lmtp_tls_block_early_mail_reply = no lmtp_tls_cert_file = lmtp_tls_ciphers = export lmtp_tls_dcert_file = lmtp_tls_dkey_file = $lmtp_tls_dcert_file lmtp_tls_eccert_file = lmtp_tls_eckey_file = $lmtp_tls_eccert_file lmtp_tls_enforce_peername = yes lmtp_tls_exclude_ciphers = lmtp_tls_fingerprint_cert_match = lmtp_tls_fingerprint_digest = md5 lmtp_tls_force_insecure_host_tlsa_lookup = no lmtp_tls_key_file = $lmtp_tls_cert_file lmtp_tls_loglevel = 0 lmtp_tls_mandatory_ciphers = medium lmtp_tls_mandatory_exclude_ciphers = lmtp_tls_mandatory_protocols = !SSLv2 lmtp_tls_note_starttls_offer = no lmtp_tls_per_site = lmtp_tls_policy_maps = lmtp_tls_protocols = !SSLv2 lmtp_tls_scert_verifydepth = 9 lmtp_tls_secure_cert_match = nexthop lmtp_tls_security_level = lmtp_tls_session_cache_database = lmtp_tls_session_cache_timeout = 3600s lmtp_tls_trust_anchor_file = lmtp_tls_verify_cert_match = hostname
Am 17.11.2014 um 11:24 schrieb Stanislas SABATIER:
I setup a service in master.conf like this :
dovecotsandbox unix - - n - 10 lmtp -o lmtp_send_xforward_command=yes -o lmtp_tls_security_level=encrypt
Then I tried to add starttls option : -o lmtp_tls_note_starttls_offer=yes
But Postfix still can't deliver the email. Postfix log : (…) status=deferred (TLS is required, but was not offered by host xx.xx.xx.xx[xx.xx.xx.xx])
that you should have included in your first post as somebody else said: seems not to be supported now
just setup a SSH tunnel and let postfix deliver to 127.0.0.1:port
Le 17 nov. 2014 à 11:03, Reindl Harald <h.reindl@thelounge.net> a écrit :
Am 17.11.2014 um 10:58 schrieb Stanislas SABATIER:
Hello, I tried to activate SSL on LMTP service, to secure connections between Postfix and Dovecot on my LAN, but Dovecot is not negociating a TLS session with Postfix. If I enforce TLS for LMTP at Postfix's side, communication between Postfix and Dovecot is not working.
I put ssl = yes ssl_cert = </dovecot/ssl/ssl-LMTP.pem ssl_key = </dovecot/ssl/ssl-LMTP.key in section protocol LMTP within 20-lmtp.conf
and service lmtp { inet_listener lmtp { name = dovecot_lmtp address = xx.xx.xx.xx port = 26 ssl = yes } process_min_avail = 5 } within 10-master.conf
Did I miss something?
did you configure postfix? postconf -d | grep tls
not sure if postfix prefers STARTTLS only (likely since the smtop-client also don't support wrapper mode and lmtp is more or less the same as smtp)
On 17 Nov 2014, at 02:27, Reindl Harald <h.reindl@thelounge.net> wrote:
Am 17.11.2014 um 11:24 schrieb Stanislas SABATIER:
I setup a service in master.conf like this :
dovecotsandbox unix - - n - 10 lmtp -o lmtp_send_xforward_command=yes -o lmtp_tls_security_level=encrypt
Then I tried to add starttls option : -o lmtp_tls_note_starttls_offer=yes
But Postfix still can't deliver the email. Postfix log : (…) status=deferred (TLS is required, but was not offered by host xx.xx.xx.xx[xx.xx.xx.xx])
that you should have included in your first post as somebody else said: seems not to be supported now
just setup a SSH tunnel and let postfix deliver to 127.0.0.1:port
I thought the problem was with the new LMTP STARTTLS command that was added after v2.2.15 release. But if not, try the latest hg version and see if it works.
It did not work with 2.2.13 nor with 2.2.15
Le 17 nov. 2014 à 11:34, Timo Sirainen <tss@iki.fi> a écrit :
On 17 Nov 2014, at 02:27, Reindl Harald <h.reindl@thelounge.net> wrote:
Am 17.11.2014 um 11:24 schrieb Stanislas SABATIER:
I setup a service in master.conf like this :
dovecotsandbox unix - - n - 10 lmtp -o lmtp_send_xforward_command=yes -o lmtp_tls_security_level=encrypt
Then I tried to add starttls option : -o lmtp_tls_note_starttls_offer=yes
But Postfix still can't deliver the email. Postfix log : (…) status=deferred (TLS is required, but was not offered by host xx.xx.xx.xx[xx.xx.xx.xx])
that you should have included in your first post as somebody else said: seems not to be supported now
just setup a SSH tunnel and let postfix deliver to 127.0.0.1:port
I thought the problem was with the new LMTP STARTTLS command that was added after v2.2.15 release. But if not, try the latest hg version and see if it works.
It was implemented AFTER 2.2.15 release. Requires a recent hg version / recent nightly snapshot. See http://hg.dovecot.org/dovecot-2.2 or http://dovecot.org/nightly/
On 17 Nov 2014, at 02:38, Stanislas SABATIER <s.sabatier@pobox.com> wrote:
It did not work with 2.2.13 nor with 2.2.15
Le 17 nov. 2014 à 11:34, Timo Sirainen <tss@iki.fi> a écrit :
On 17 Nov 2014, at 02:27, Reindl Harald <h.reindl@thelounge.net> wrote:
Am 17.11.2014 um 11:24 schrieb Stanislas SABATIER:
I setup a service in master.conf like this :
dovecotsandbox unix - - n - 10 lmtp -o lmtp_send_xforward_command=yes -o lmtp_tls_security_level=encrypt
Then I tried to add starttls option : -o lmtp_tls_note_starttls_offer=yes
But Postfix still can't deliver the email. Postfix log : (…) status=deferred (TLS is required, but was not offered by host xx.xx.xx.xx[xx.xx.xx.xx])
that you should have included in your first post as somebody else said: seems not to be supported now
just setup a SSH tunnel and let postfix deliver to 127.0.0.1:port
I thought the problem was with the new LMTP STARTTLS command that was added after v2.2.15 release. But if not, try the latest hg version and see if it works.
Thanks. I'll install latest release on my sandbox to test LMTPS with Postfix. As soon as I tested, I'll report in this forum.
Regards, Stan. Le 17 nov. 2014 à 11:46, Timo Sirainen <tss@iki.fi> a écrit :
It was implemented AFTER 2.2.15 release. Requires a recent hg version / recent nightly snapshot. See http://hg.dovecot.org/dovecot-2.2 or http://dovecot.org/nightly/
On 17 Nov 2014, at 02:38, Stanislas SABATIER <s.sabatier@pobox.com> wrote:
It did not work with 2.2.13 nor with 2.2.15
Le 17 nov. 2014 à 11:34, Timo Sirainen <tss@iki.fi> a écrit :
On 17 Nov 2014, at 02:27, Reindl Harald <h.reindl@thelounge.net> wrote:
Am 17.11.2014 um 11:24 schrieb Stanislas SABATIER:
I setup a service in master.conf like this :
dovecotsandbox unix - - n - 10 lmtp -o lmtp_send_xforward_command=yes -o lmtp_tls_security_level=encrypt
Then I tried to add starttls option : -o lmtp_tls_note_starttls_offer=yes
But Postfix still can't deliver the email. Postfix log : (…) status=deferred (TLS is required, but was not offered by host xx.xx.xx.xx[xx.xx.xx.xx])
that you should have included in your first post as somebody else said: seems not to be supported now
just setup a SSH tunnel and let postfix deliver to 127.0.0.1:port
I thought the problem was with the new LMTP STARTTLS command that was added after v2.2.15 release. But if not, try the latest hg version and see if it works.
I build the 20141115 nigthly release and succeeded to enforce TLS over LMTP between Postfix and Dovecot. But, I see the following error in maillog after each incoming message :
Nov 17 14:12:20 lmtp(291): Info: Connect from xx.xx.xx.xx Nov 17 14:12:20 lmtp(xxxx@yyyyy.zzz): Info: bdlxGjT0aVQjAQAAd7W7Aw: msgid=<B8D97FA0-E0AC-412F-A182-52B6ADF29ADC@xxxx.zz>: saved mail to INBOX Nov 17 14:12:20 lmtp(291): Info: Disconnect from xx.xx.xx.xx: Successful quit Nov 17 14:12:20 lmtp(291): Error: kevent(EV_DELETE, 12) failed: Bad file descriptor
Le 17 nov. 2014 à 12:18, Stanislas SABATIER <s.sabatier@pobox.com> a écrit :
Thanks. I'll install latest release on my sandbox to test LMTPS with Postfix. As soon as I tested, I'll report in this forum.
Regards, Stan. Le 17 nov. 2014 à 11:46, Timo Sirainen <tss@iki.fi> a écrit :
It was implemented AFTER 2.2.15 release. Requires a recent hg version / recent nightly snapshot. See http://hg.dovecot.org/dovecot-2.2 or http://dovecot.org/nightly/
On 17 Nov 2014, at 02:38, Stanislas SABATIER <s.sabatier@pobox.com> wrote:
It did not work with 2.2.13 nor with 2.2.15
Le 17 nov. 2014 à 11:34, Timo Sirainen <tss@iki.fi> a écrit :
On 17 Nov 2014, at 02:27, Reindl Harald <h.reindl@thelounge.net> wrote:
Am 17.11.2014 um 11:24 schrieb Stanislas SABATIER:
I setup a service in master.conf like this :
dovecotsandbox unix - - n - 10 lmtp -o lmtp_send_xforward_command=yes -o lmtp_tls_security_level=encrypt
Then I tried to add starttls option : -o lmtp_tls_note_starttls_offer=yes
But Postfix still can't deliver the email. Postfix log : (…) status=deferred (TLS is required, but was not offered by host xx.xx.xx.xx[xx.xx.xx.xx])
that you should have included in your first post as somebody else said: seems not to be supported now
just setup a SSH tunnel and let postfix deliver to 127.0.0.1:port
I thought the problem was with the new LMTP STARTTLS command that was added after v2.2.15 release. But if not, try the latest hg version and see if it works.
Am 17.11.2014 um 14:30 schrieb Stanislas SABATIER:
I build the 20141115 nigthly release and succeeded to enforce TLS over LMTP between Postfix and Dovecot. But, I see the following error in maillog after each incoming message :
Nov 17 14:12:20 lmtp(291): Info: Connect from xx.xx.xx.xx Nov 17 14:12:20 lmtp(xxxx@yyyyy.zzz): Info: bdlxGjT0aVQjAQAAd7W7Aw: msgid=<B8D97FA0-E0AC-412F-A182-52B6ADF29ADC@xxxx.zz>: saved mail to INBOX Nov 17 14:12:20 lmtp(291): Info: Disconnect from xx.xx.xx.xx: Successful quit Nov 17 14:12:20 lmtp(291): Error: kevent(EV_DELETE, 12) failed: Bad file descriptor
works here too, dont have any errors for small testings but looks like i need to reread all lmtp tls stuff now *g
2014-11-17T15:58:19.516398+01:00 mail dovecot: lmtp(19281): Connect from 127.0.0.1 2014-11-17T15:58:19.516798+01:00 mail dovecot: lmtp(19281): Debug: SSL: where=0x10, ret=1: before/accept initialization 2014-11-17T15:58:19.516808+01:00 mail dovecot: lmtp(19281): Debug: SSL: where=0x2001, ret=1: before/accept initialization 2014-11-17T15:58:19.516817+01:00 mail dovecot: lmtp(19281): Debug: SSL: where=0x2002, ret=-1: unknown state 2014-11-17T15:58:19.517092+01:00 mail dovecot: lmtp(19281): Debug: SSL: where=0x2002, ret=-1: unknown state 2014-11-17T15:58:19.517119+01:00 mail dovecot: lmtp(19281): Debug: SSL_get_servername() failed 2014-11-17T15:58:19.517134+01:00 mail dovecot: lmtp(19281): Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A 2014-11-17T15:58:19.517147+01:00 mail dovecot: lmtp(19281): Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A 2014-11-17T15:58:19.517251+01:00 mail dovecot: lmtp(19281): Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A 2014-11-17T15:58:19.522535+01:00 mail dovecot: lmtp(19281): Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A 2014-11-17T15:58:19.522553+01:00 mail dovecot: lmtp(19281): Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A 2014-11-17T15:58:19.522562+01:00 mail dovecot: lmtp(19281): Debug: SSL: where=0x2001, ret=1: SSLv3 flush data 2014-11-17T15:58:19.522579+01:00 mail dovecot: lmtp(19281): Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A 2014-11-17T15:58:19.525910+01:00 mail dovecot: message repeated 2 times: [ lmtp(19281): Debug: SSL: where=0x2002, ret=-1: SSLv3 read client certificate A] 2014-11-17T15:58:19.527497+01:00 mail dovecot: lmtp(19281): Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A 2014-11-17T15:58:19.527572+01:00 mail dovecot: lmtp(19281): Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A 2014-11-17T15:58:19.527596+01:00 mail dovecot: lmtp(19281): Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A 2014-11-17T15:58:19.527614+01:00 mail dovecot: lmtp(19281): Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A 2014-11-17T15:58:19.527625+01:00 mail dovecot: lmtp(19281): Debug: SSL: where=0x2001, ret=1: SSLv3 flush data 2014-11-17T15:58:19.527631+01:00 mail dovecot: lmtp(19281): Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully 2014-11-17T15:58:19.527648+01:00 mail dovecot: lmtp(19281): Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully
Le 17 nov. 2014 à 12:18, Stanislas SABATIER <s.sabatier@pobox.com> a écrit :
Thanks. I'll install latest release on my sandbox to test LMTPS with Postfix. As soon as I tested, I'll report in this forum.
Regards, Stan. Le 17 nov. 2014 à 11:46, Timo Sirainen <tss@iki.fi> a écrit :
It was implemented AFTER 2.2.15 release. Requires a recent hg version / recent nightly snapshot. See http://hg.dovecot.org/dovecot-2.2 or http://dovecot.org/nightly/
On 17 Nov 2014, at 02:38, Stanislas SABATIER <s.sabatier@pobox.com> wrote:
It did not work with 2.2.13 nor with 2.2.15
Le 17 nov. 2014 à 11:34, Timo Sirainen <tss@iki.fi> a écrit :
On 17 Nov 2014, at 02:27, Reindl Harald <h.reindl@thelounge.net> wrote:
Am 17.11.2014 um 11:24 schrieb Stanislas SABATIER: > I setup a service in master.conf like this : > > dovecotsandbox unix - - n - 10 lmtp > -o lmtp_send_xforward_command=yes > -o lmtp_tls_security_level=encrypt > > Then I tried to add starttls option : > -o lmtp_tls_note_starttls_offer=yes > > But Postfix still can't deliver the email. Postfix log : > (…) status=deferred (TLS is required, but was not offered by host xx.xx.xx.xx[xx.xx.xx.xx])
that you should have included in your first post as somebody else said: seems not to be supported now
just setup a SSH tunnel and let postfix deliver to 127.0.0.1:port
I thought the problem was with the new LMTP STARTTLS command that was added after v2.2.15 release. But if not, try the latest hg version and see if it works.
Best Regards MfG Robert Schetterer
-- [*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
Am 17.11.2014 um 10:58 schrieb Stanislas SABATIER:
Hello, I tried to activate SSL on LMTP service, to secure connections between Postfix and Dovecot on my LAN, but Dovecot is not negociating a TLS session with Postfix. If I enforce TLS for LMTP at Postfix's side, communication between Postfix and Dovecot is not working.
I put ssl = yes ssl_cert = </dovecot/ssl/ssl-LMTP.pem ssl_key = </dovecot/ssl/ssl-LMTP.key in section protocol LMTP within 20-lmtp.conf
and service lmtp { inet_listener lmtp { name = dovecot_lmtp address = xx.xx.xx.xx port = 26 ssl = yes } process_min_avail = 5 } within 10-master.conf
Did I miss something ?
Thank you for your help.
Regards, Stan
as far in know this isnt implemented in dovecot yet, but will come
Best Regards MfG Robert Schetterer
-- [*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
participants (4)
-
Reindl Harald
-
Robert Schetterer
-
Stanislas SABATIER
-
Timo Sirainen