[Postfixbuch-users] Fwd: TLS problem with Postfix and NetBSD
Mirko Rüther
mail at mruether.de
Thu Apr 7 18:00:21 CEST 2005
Hello,
I am currently trying to set up a Postfix server on NetBSD, but I am failing at TLS. I simply cannot get it to work.
The NetBSD version is 2.0; pkgsrc is current via cvs.
Postfix is built with TLS support:
ldd /usr/pkg/sbin/postfix
/usr/pkg/sbin/postfix:
-lcrypto.2 => /usr/lib/libcrypto.so.2
-lssl.3 => /usr/lib/libssl.so.3
-lcrypt.0 => /usr/lib/libcrypt.so.0
-lpcre.0 => /usr/pkg/lib/libpcre.so.0
-llber-2.2.7 => /usr/pkg/lib/liblber-2.2.so.7
-lresolv.1 => /usr/lib/libresolv.so.1
-lsasl2.2 => /usr/pkg/lib/libsasl2.so.2
-lldap-2.2.7 => /usr/pkg/lib/libldap-2.2.so.7
-lm.0 => /usr/lib/libm.so.0
-lz.0 => /usr/lib/libz.so.0
-lmysqlclient.14 => /usr/pkg/lib/mysql/libmysqlclient.so.14
-lc.12 => /usr/lib/libc.so.12
saslauth works fine without TLS.
Excerpt from my mail logs:
Apr 1 16:10:00 sun postfix/smtpd[25754]: warning: connect to private/tlsmgr: Connection refused
Apr 1 16:10:00 sun postfix/smtpd[25754]: warning: problem talking to server private/tlsmgr: Connection refused
Apr 1 16:10:01 sun postfix/smtpd[25754]: warning: connect to private/tlsmgr: Connection refused
Apr 1 16:10:01 sun postfix/smtpd[25754]: warning: problem talking to server private/tlsmgr: Connection refused
Apr 1 16:10:01 sun postfix/smtpd[25754]: warning: no entropy for TLS key generation: disabling TLS support
postconf gives me the following output:
/usr/pkg/sbin/postconf -n
broken_sasl_auth_clients = yes
command_directory = /usr/pkg/sbin
config_directory = /usr/pkg/etc/postfix
daemon_directory = /usr/pkg/libexec/postfix
debug_peer_level = 2
default_rbl_reply = $rbl_code RBLTRAP: You can't send us a E-mail today!!!
header_checks = regexp:/usr/pkg/etc/postfix/header_checks.regexp
html_directory = no
mail_owner = postfix
mailq_path = /usr/pkg/bin/mailq
manpage_directory = /usr/pkg/man
mime_header_checks = pcre:/usr/pkg/etc/postfix/body_check
mydomain = mruether.de
myhostname = smtp.mruether.de
myorigin = $mydomain
newaliases_path = /usr/pkg/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/pkg/share/doc/postfix
relay_clientcerts = hash:/usr/pkg/etc/postfix/relay_clientcerts
sample_directory = /usr/pkg/share/examples/postfix
sendmail_path = /usr/pkg/sbin/sendmail
setgid_group = maildrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/usr/pkg/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous, noplaintext
smtp_tls_cert_file = /usr/pkg/etc/postfix/certs/smtp.cert
smtp_tls_key_file = /usr/pkg/etc/postfix/certs/smtp.key
smtp_tls_loglevel = 4
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks,
reject_unauth_destination, reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_unknown_recipient_domain,
reject_non_fqdn_hostname, reject_invalid_hostname,
reject_rhsbl_client rhsbl.sorbs.net, reject_rhsbl_sender rhsbl.sorbs.net,
reject_rbl_client opm.blitzed.org, reject_rbl_client cbl.abuseat.org,
reject_rbl_client relays.ordb.org, reject_rbl_client list.dsbl.org,
reject_rbl_client sbl.spamhaus.org, reject_rbl_client
unconfirmed.dsbl.org, reject_rbl_client list.dsbl.org,
reject_rbl_client dynablock.njabl.org, reject_rbl_client
dialup.blacklist.jippg.org, reject_rbl_clientopm.blitzed.org,
reject_rbl_client cbl.abuseat.org, reject_rbl_client multihop.dsbl.org,
reject_rbl_client dialup.rbl.kropka.net, reject_unauth_pipelining
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks, reject_invalid_hostname,
reject_non_fqdn_hostname, reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_unknown_sender_domain,
reject_unknown_recipient_domain, reject_unauth_pipelining,
reject_unauth_destination, reject_rbl_client zombie.dnsbl.sorbs.net,
reject_rbl_client relays.ordb.org, reject_rbl_client opm.blitzed.org,
reject_rbl_client list.dsbl.org, reject_rbl_client sbl.spamhaus.org,
reject_rbl_client blackholes.easynet.nl, reject_rbl_client
unconfirmed.dsbl.org, reject_rbl_client dynablock.njabl.org,
reject_rbl_client dialup.blacklist.jippg.org, reject_rbl_client
cbl.abuseat.org, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks,
reject_unauth_destination, reject_rhsbl_client rhsbl.sorbs.net,
reject_rhsbl_sender rhsbl.sorbs.net, reject_rbl_client relays.ordb.org,
reject_rbl_client list.dsbl.org, reject_rbl_client sbl.spamhaus.org,
reject_rbl_client unconfirmed.dsbl.org, reject_rbl_client list.dsbl.org,
reject_rbl_client dynablock.njabl.org, reject_rbl_client
dialup.blacklist.jippg.org, reject_rbl_client multihop.dsbl.org,
reject_rbl_client dialup.rbl.kropka.net, reject_rbl_client
opm.blitzed.org, reject_rbl_client cbl.abuseat.org,
reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_unknown_recipient_domain, reject_unauth_pipelining
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /usr/pkg/etc/postfix/certs/smtp.cert
smtpd_tls_key_file = /usr/pkg/etc/postfix/certs/smtp.key
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550
My master.cf:
smtp inet n - n - - smtpd
# only used by postfix-tls
tlsmgr unix n - n 300 1 tlsmgr
smtps inet n - n - - smtpd
  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#587 inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#submission inet n - n - - smtpd
# -o smtpd_etrn_restrictions=reject
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
#qmgr fifo n - n 300 1 qmgr
qmgr fifo n - n 300 1 oqmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
#
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# See the pipe(8) man page for information about ${recipient} and
# other message envelope options.
#
# maildrop. See the Postfix MAILDROP_README file for details.
#
maildrop unix - n n - - pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix - n n - - pipe
  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus unix - n n - - pipe
  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp unix - n n - - pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
I hope someone can help me with this information...
The SSL keys are readable by Postfix. What am I doing wrong?
Regards,
Mirko
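The log excerpt in the post shows smtpd failing to reach private/tlsmgr and then logging "no entropy for TLS key generation: disabling TLS support", after which the daemon keeps accepting mail without STARTTLS. The following script is an added example, not code from the post or from Postfix: it parses syslog-style Postfix lines, groups the tlsmgr and TLS-disabled warnings per smtpd process, and reports which processes silently gave up on TLS. The log sample is constructed from the lines quoted in the post (re-joined onto single lines) plus one unrelated line; the field layout it assumes is the standard "date host postfix/daemon[pid]: message" form.

```python
"""Scan Postfix smtpd log lines for signs that TLS was silently disabled.

Added example (not from the original post): flags the warning pattern
"connect to private/tlsmgr: Connection refused" followed by
"no entropy for TLS key generation: disabling TLS support", which means the
smtpd process keeps running but no longer offers STARTTLS.
"""
import re
from collections import defaultdict

# Syslog-style Postfix line: "<mon> <day> <time> <host> postfix/<daemon>[<pid>]: <msg>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"postfix/(?P<daemon>[\w-]+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)

# Constructed sample: the lines quoted in the post, re-joined onto single
# lines, plus one unrelated line (documentation address) to show it is ignored.
SAMPLE_LOG = """\
Apr  1 16:10:00 sun postfix/smtpd[25754]: warning: connect to private/tlsmgr: Connection refused
Apr  1 16:10:00 sun postfix/smtpd[25754]: warning: problem talking to server private/tlsmgr: Connection refused
Apr  1 16:10:01 sun postfix/smtpd[25754]: warning: connect to private/tlsmgr: Connection refused
Apr  1 16:10:01 sun postfix/smtpd[25754]: warning: problem talking to server private/tlsmgr: Connection refused
Apr  1 16:10:01 sun postfix/smtpd[25754]: warning: no entropy for TLS key generation: disabling TLS support
Apr  1 16:10:05 sun postfix/smtpd[25754]: connect from unknown[192.0.2.10]
"""


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not a Postfix line."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def audit_tls(log_text):
    """Group TLS-related warnings by smtpd pid.

    Returns {pid: {"tlsmgr_failures": n, "tls_disabled": bool, "first_seen": ts}}
    for every smtpd process that logged at least one such warning.
    """
    report = defaultdict(
        lambda: {"tlsmgr_failures": 0, "tls_disabled": False, "first_seen": None}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["daemon"] != "smtpd":
            continue
        msg = rec["msg"]
        entry = report[rec["pid"]]
        if "private/tlsmgr" in msg and "Connection refused" in msg:
            # smtpd could not reach the tlsmgr service listed in master.cf
            entry["tlsmgr_failures"] += 1
            entry["first_seen"] = entry["first_seen"] or rec["ts"]
        elif "disabling TLS support" in msg:
            # smtpd gave up on TLS for the rest of its lifetime
            entry["tls_disabled"] = True
            entry["first_seen"] = entry["first_seen"] or rec["ts"]
    # Drop pids that only produced unrelated lines.
    return {
        pid: e for pid, e in report.items()
        if e["tlsmgr_failures"] or e["tls_disabled"]
    }


def tls_silently_disabled(log_text):
    """True if any smtpd process logged that it disabled TLS."""
    return any(e["tls_disabled"] for e in audit_tls(log_text).values())


if __name__ == "__main__":
    for pid, e in audit_tls(SAMPLE_LOG).items():
        state = "TLS DISABLED" if e["tls_disabled"] else "tlsmgr errors only"
        print(f"smtpd[{pid}] since {e['first_seen']}: "
              f"{e['tlsmgr_failures']} tlsmgr failures, {state}")
```

Run against a real /var/log/maillog by passing the file contents to audit_tls(); a non-empty result with tls_disabled set means clients connecting to that smtpd process get no STARTTLS offer even though smtpd_use_tls is enabled, which is worth alerting on rather than discovering from client-side failures.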
-------------------------------------------------------
More information about the Postfixbuch-users mailing list