Postfix telnet issue

The problem is that you seem to have some configuration somewhere that has enabled SSL *ONLY* on port 25. So when you try a normal telnet, postfix is waiting for it to negotiate SSL, and telnet isn't doing that, so it just hangs. Everything works fine when you actually use SSL via the openssl command.

The question is why port 25 is configured in that way. Usually SSL is configured on a different port, which is 465, I believe. When running on port 25 the usual practice is to run it in standard plain text and allow a command called STARTTLS, which changes a plain text connection into an encrypted one later in the SMTP conversation.

I'm not entirely sure what configuration would have been changed to give this behaviour, but I would suspect something in master.cf on the line that starts with smtp. I'm guessing there might be a -o option on it that forces SSL or something along those lines.

Looking at that purplehat guide you were following, it says to edit master.cf and change the lines that begin with smtps. Did you by any chance change the line that starts with smtp rather than smtps?
 
xtaz said:
The problem is that you seem to have some configuration somewhere that has enabled SSL *ONLY* on port 25. So when you try a normal telnet, postfix is waiting for it to negotiate SSL, and telnet isn't doing that, so it just hangs. Everything works fine when you actually use SSL via the openssl command.

The question is why port 25 is configured in that way. Usually SSL is configured on a different port, which is 465, I believe. When running on port 25 the usual practice is to run it in standard plain text and allow a command called STARTTLS, which changes a plain text connection into an encrypted one later in the SMTP conversation.

I'm not entirely sure what configuration would have been changed to give this behaviour, but I would suspect something in master.cf on the line that starts with smtp. I'm guessing there might be a -o option on it that forces SSL or something along those lines.

Looking at that purplehat guide you were following, it says to edit master.cf and change the lines that begin with smtps. Did you by any chance change the line that starts with smtp rather than smtps?


I think you may be absolutely correct.

Here is (in part) my current master.cf:

Code:
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
#submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

Here is what it should look like (I think):

Code:
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
#smtp      inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
#submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

That basically makes changes on lines 11 and 22. I will do a restart on postfix, apache, mysql and see what happens.

That actually made things worse:

Code:
postal# telnet localhost 25
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
Trying ::1...
telnet: connect to address ::1: Connection refused
telnet: Unable to connect to remote host

Nothing in maillog:

Code:
Feb 26 08:25:45 postal postfix/postfix-script[2208]: starting the Postfix mail system
Feb 26 08:25:45 postal postfix/master[2209]: daemon started -- version 2.9.5, configuration /usr/local/etc/postfix

Here is the sockstat; it looks like we lost port 25:

Code:
postal# sockstat -4 
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
bhorne   sshd       2348  3  tcp4   192.168.1.16:22       192.168.1.2:15025
root     sshd       2344  3  tcp4   192.168.1.16:22       192.168.1.2:15025
www      httpd      2343  4  tcp4   *:80                  *:*
www      httpd      2343  6  tcp4   *:443                 *:*
www      httpd      2342  4  tcp4   *:80                  *:*
www      httpd      2342  6  tcp4   *:443                 *:*
www      httpd      2341  4  tcp4   *:80                  *:*
www      httpd      2341  6  tcp4   *:443                 *:*
www      httpd      2340  4  tcp4   *:80                  *:*
www      httpd      2340  6  tcp4   *:443                 *:*
www      httpd      2339  4  tcp4   *:80                  *:*
www      httpd      2339  6  tcp4   *:443                 *:*
root     sshd       2247  4  tcp4   *:22                  *:*
root     httpd      2224  4  tcp4   *:80                  *:*
root     httpd      2224  6  tcp4   *:443                 *:*
root     master     2209  12 tcp4   *:465                 *:*
dovecot  imap-login 2177  4  tcp4   *:143                 *:*
dovecot  imap-login 2177  5  tcp4   *:993                 *:*
dovecot  imap-login 2176  4  tcp4   *:143                 *:*
dovecot  imap-login 2176  5  tcp4   *:993                 *:*
dovecot  imap-login 2175  4  tcp4   *:143                 *:*
dovecot  imap-login 2175  5  tcp4   *:993                 *:*
dovecot  pop3-login 2174  4  tcp4   *:110                 *:*
dovecot  pop3-login 2174  5  tcp4   *:995                 *:*
dovecot  pop3-login 2173  4  tcp4   *:110                 *:*
dovecot  pop3-login 2173  5  tcp4   *:995                 *:*
dovecot  pop3-login 2172  4  tcp4   *:110                 *:*
dovecot  pop3-login 2172  5  tcp4   *:995                 *:*
root     dovecot    2127  6  tcp4   *:143                 *:*
root     dovecot    2127  7  tcp4   *:993                 *:*
root     dovecot    2127  8  tcp4   *:110                 *:*
root     dovecot    2127  9  tcp4   *:995                 *:*
mysql    mysqld     2106  11 tcp4   *:3306                *:*
root     ntpd       1394  20 udp4   *:123                 *:*
root     ntpd       1394  22 udp4   192.168.1.16:123      *:*
root     ntpd       1394  25 udp4   127.0.0.1:123         *:*
root     syslogd    1225  7  udp4   *:514                 *:*

Sincerely,

Brendhan
 
Now you've commented out the smtp line completely. Each of the lines corresponds to a service that is started up. The smtp service is for port 25, and the smtps service is for port 465. What you have done on your first attempt is join the option (-o) config lines for smtps onto the initial smtp service line, which is why you had SSL on port 25. On your second attempt you have commented out the smtp service completely, so now nothing is listening on port 25.

Uncomment the smtp line again and leave all the other lines alone. Then you should have port 25 cleartext SMTP and port 465 as SSL.
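The mistake described above (indented `-o` lines attaching to whichever active service line precedes them, because master(5) skips comment lines when joining continuation lines) can be caught before reloading Postfix. The following audit script is an added example for this thread, not code from the thread or from Postfix; the two master.cf excerpts inside it are constructed to mirror the broken and the fixed configurations posted above, and the name-to-port table is an assumption that the host uses the standard /etc/services names.

```python
"""Audit a Postfix master.cf for TLS wrapper mode attached to the wrong service.

Added example for this thread; not code from the thread or from Postfix.
"""

# Constructed: the smtps service line is commented out but its "-o" lines are
# not, so master(5) treats them as a continuation of the "smtp" service.
BROKEN_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
#submission inet n       -       n       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

# Constructed: both service lines active, the options attached to smtps only.
FIXED_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
smtps     inet  n       -       y       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

# Assumption: standard /etc/services names, which is how Postfix resolves the
# port of an inet service whose name is not numeric.
WELL_KNOWN_PORTS = {"smtp": 25, "submission": 587, "smtps": 465}


def service_port(name):
    """Map an inet service name ("smtp", "127.0.0.1:10025") to a TCP port."""
    endpoint = name.rsplit(":", 1)[-1]
    if endpoint.isdigit():
        return int(endpoint)
    return WELL_KNOWN_PORTS.get(endpoint)


def parse_master_cf(text):
    """Parse master.cf into a list of service dicts.

    Rules from master(5): a logical line starts in column 0; a line that starts
    with whitespace continues the previous logical line; blank lines and lines
    whose first non-blank character is '#' are ignored. Skipping the comment
    lines is exactly what lets indented "-o" lines leak into another service.
    """
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if not services:
                raise ValueError("continuation line before any service: %r" % raw)
            services[-1]["args"].extend(raw.split())
            continue
        fields = raw.split()
        if len(fields) < 8:
            raise ValueError("malformed service line: %r" % raw)
        services.append({"name": fields[0], "type": fields[1],
                         "command": fields[7], "args": fields[8:]})
    for svc in services:
        # Collect "-o name=value" overrides; any other arguments are left alone.
        opts, args = {}, svc["args"]
        for i, arg in enumerate(args):
            if arg == "-o" and i + 1 < len(args):
                key, _, value = args[i + 1].partition("=")
                opts[key] = value
        svc["options"] = opts
    return services


def audit(services):
    """Return human-readable findings; an empty list means the layout is sane."""
    findings, listening = [], set()
    for svc in services:
        if svc["type"] != "inet":
            continue
        port = service_port(svc["name"])
        listening.add(port)
        wrapper = svc["options"].get("smtpd_tls_wrappermode") == "yes"
        if wrapper and port != 465:
            findings.append(
                "%s (port %s): smtpd_tls_wrappermode=yes on a non-smtps service; "
                "plaintext clients such as telnet will hang waiting for a TLS "
                "handshake" % (svc["name"], port))
        if svc["name"] == "smtps" and not wrapper:
            findings.append("smtps (port 465): wrapper mode not set, so the "
                            "SSL port will speak cleartext")
    if 25 not in listening:
        findings.append("no active inet service for port 25: nothing will listen there")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_MASTER_CF), ("fixed", FIXED_MASTER_CF)):
        print(label, audit(parse_master_cf(cfg)) or ["OK"])
```

Run it against a real file with `audit(parse_master_cf(open("/usr/local/etc/postfix/master.cf").read()))`; on the thread's second attempt (smtp commented out, smtps active) it reports the missing port-25 listener instead of the wrapper-mode finding.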
 
xtaz said:
Now you've commented out the smtp line completely. Each of the lines corresponds to a service that is started up. The smtp service is for port 25, and the smtps service is for port 465. What you have done on your first attempt is join the option (-o) config lines for smtps onto the initial smtp service line, which is why you had SSL on port 25. On your second attempt you have commented out the smtp service completely, so now nothing is listening on port 25.

Uncomment the smtp line again and leave all the other lines alone. Then you should have port 25 cleartext SMTP and port 465 as SSL.


And we have a winner!

Code:
postal# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.beebarfapiaries.com ESMTP Postfix
EHLO beebarfapiaries.com                                                
250-mail.beebarfapiaries.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
STARTTLS
220 2.0.0 Ready to start TLS
quit
quit
Connection closed by foreign host.
postal#

This is the result of this:

Code:
postal# ee /usr/local/etc/postfix/master.cf

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
#submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

Please note this is not the entire master.cf file. Just the relevant parts. See lines 11 and 22.

And just for some more information:

Code:
postal# sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
root     master     4173  12 tcp4   *:25                  *:*
root     master     4173  16 tcp4   *:465                 *:*
bhorne   sshd       2348  3  tcp4   192.168.1.16:22       192.168.1.2:15025
root     sshd       2344  3  tcp4   192.168.1.16:22       192.168.1.2:15025
www      httpd      2343  4  tcp4   *:80                  *:*
www      httpd      2343  6  tcp4   *:443                 *:*
www      httpd      2342  4  tcp4   *:80                  *:*
www      httpd      2342  6  tcp4   *:443                 *:*
www      httpd      2341  4  tcp4   *:80                  *:*
www      httpd      2341  6  tcp4   *:443                 *:*
www      httpd      2340  4  tcp4   *:80                  *:*
www      httpd      2340  6  tcp4   *:443                 *:*
www      httpd      2339  4  tcp4   *:80                  *:*
www      httpd      2339  6  tcp4   *:443                 *:*
root     sshd       2247  4  tcp4   *:22                  *:*
root     httpd      2224  4  tcp4   *:80                  *:*
root     httpd      2224  6  tcp4   *:443                 *:*
dovecot  imap-login 2177  4  tcp4   *:143                 *:*
dovecot  imap-login 2177  5  tcp4   *:993                 *:*
dovecot  imap-login 2176  4  tcp4   *:143                 *:*
dovecot  imap-login 2176  5  tcp4   *:993                 *:*
dovecot  imap-login 2175  4  tcp4   *:143                 *:*
dovecot  imap-login 2175  5  tcp4   *:993                 *:*
dovecot  pop3-login 2174  4  tcp4   *:110                 *:*
dovecot  pop3-login 2174  5  tcp4   *:995                 *:*
dovecot  pop3-login 2173  4  tcp4   *:110                 *:*
dovecot  pop3-login 2173  5  tcp4   *:995                 *:*
dovecot  pop3-login 2172  4  tcp4   *:110                 *:*
dovecot  pop3-login 2172  5  tcp4   *:995                 *:*
root     dovecot    2127  6  tcp4   *:143                 *:*
root     dovecot    2127  7  tcp4   *:993                 *:*
root     dovecot    2127  8  tcp4   *:110                 *:*
root     dovecot    2127  9  tcp4   *:995                 *:*
mysql    mysqld     2106  11 tcp4   *:3306                *:*
root     ntpd       1394  20 udp4   *:123                 *:*
root     ntpd       1394  22 udp4   192.168.1.16:123      *:*
root     ntpd       1394  25 udp4   127.0.0.1:123         *:*
root     syslogd    1225  7  udp4   *:514                 *:*

So this one will get marked solved and thanks will be passed along.

Awesome job everyone.

Sincerely,

Brendhan
 
xtaz said:
The "SSL_accept error" looks interesting to me. Why is it mentioning SSL? I'm thinking for some reason port 25 is expecting an SSL negotiation before it outputs anything. Try this:

# openssl s_client -connect localhost:25

and see if it negotiates SSL and then outputs the ESMTP message you are expecting. If it does then your configuration is weird. Although usually to enable SSL you would have had to configure a certificate and key and it seems unlikely it would allow SSL if you hadn't done so.

Code:
/usr/local/bin/openssl s_client -connect localhost:25
CONNECTED(00000003)
57771:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:607:
 
Try the following command:

# openssl s_client -connect localhost:25 -starttls smtp

At the beginning of a session, SMTP servers expect a plain connection, and they talk TLS only after they have received the STARTTLS command from the client. The above command reproduces this behaviour (connecting plain, then continuing with TLS). It is expected behaviour that a direct TLS connection to a smtpd errors out.
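The two session styles discussed in this thread, plaintext-then-STARTTLS on port 25 versus TLS-from-the-first-byte on port 465, and the two failure modes seen above (telnet hanging on a wrapper-mode port, `openssl s_client` without `-starttls` failing with "unknown protocol" on a STARTTLS port), can be walked through without a network. The simulation below is an added example, not code from the thread or from Postfix: it models both server styles in memory with no sockets and no real TLS; the capability list is constructed from the EHLO reply posted above, the hostnames are placeholders, and the "TLS already active" reply text is constructed rather than Postfix's exact wording.

```python
"""Plaintext-then-STARTTLS versus TLS-first ("wrapper mode") SMTP sessions.

Added example for this thread; not code from the thread or from Postfix.
"""

# Constructed from the EHLO reply posted in the thread.
EHLO_CAPABILITIES = ["PIPELINING", "SIZE 10240000", "VRFY", "ETRN", "STARTTLS",
                     "AUTH PLAIN LOGIN", "ENHANCEDSTATUSCODES", "8BITMIME", "DSN"]
HOSTNAME = "mail.example.test"          # placeholder


class SimulatedSmtpd:
    """Toy smtpd with two modes.

    'starttls': greet in cleartext, switch to TLS on the STARTTLS verb
                (the normal port-25 service).
    'wrapper':  TLS from the first byte (smtpd_tls_wrappermode=yes, port 465);
                nothing is sent until a TLS handshake has completed.
    """

    def __init__(self, mode):
        assert mode in ("starttls", "wrapper")
        self.mode, self.tls_active = mode, False

    def first_bytes(self):
        """What the client sees right after connect: a banner, or nothing."""
        if self.mode == "wrapper" and not self.tls_active:
            return None                      # server is waiting for a ClientHello
        return "220 %s ESMTP Postfix" % HOSTNAME

    def complete_handshake(self):
        self.tls_active = True

    def handle(self, command):
        """Return the reply lines for one client command."""
        verb = command.split()[0].upper()
        if verb == "EHLO":
            # STARTTLS is no longer advertised once TLS is active.
            caps = [HOSTNAME] + [c for c in EHLO_CAPABILITIES
                                 if not (c == "STARTTLS" and self.tls_active)]
            return ["250-" + c for c in caps[:-1]] + ["250 " + caps[-1]]
        if verb == "STARTTLS":
            if self.tls_active:              # constructed wording, not Postfix's
                return ["503 5.5.1 TLS already active"]
            return ["220 2.0.0 Ready to start TLS"]
        if verb == "QUIT":
            return ["221 2.0.0 Bye"]
        return ["502 5.5.2 Error: command not recognized"]


def parse_reply(lines):
    """Split a (possibly multi-line) reply into (code, [texts]).

    '250-' marks a continuation line and '250 ' the final one; every line of
    one reply carries the same code.
    """
    code = lines[-1][:3]
    if any(line[:3] != code for line in lines):
        raise ValueError("inconsistent reply codes: %r" % lines)
    return int(code), [line[4:] for line in lines]


def plaintext_client(server):
    """telnet-style: expect a cleartext banner, upgrade with STARTTLS if offered."""
    if server.first_bytes() is None:
        return {"outcome": "hang",
                "reason": "no banner: server is waiting for a TLS handshake"}
    code, caps = parse_reply(server.handle("EHLO client.example.test"))
    if code != 250:
        return {"outcome": "rejected", "reason": caps[0]}
    if "STARTTLS" not in caps:
        server.handle("QUIT")
        return {"outcome": "cleartext", "capabilities": caps[1:]}
    code, _ = parse_reply(server.handle("STARTTLS"))
    if code != 220:
        return {"outcome": "starttls-refused"}
    server.complete_handshake()
    # RFC 3207: after the handshake the client sends EHLO again and discards
    # everything it learned before TLS was active.
    _, caps = parse_reply(server.handle("EHLO client.example.test"))
    server.handle("QUIT")
    return {"outcome": "tls-via-starttls", "capabilities": caps[1:]}


def tls_first_client(server):
    """openssl s_client without -starttls: send a ClientHello before reading."""
    if server.first_bytes() is not None:
        # A cleartext "220 ..." banner arrives where a ServerHello was expected:
        # the "unknown protocol" failure shown earlier in the thread.
        return {"outcome": "handshake-failed",
                "reason": "unknown protocol: peer sent a cleartext banner"}
    server.complete_handshake()
    _, caps = parse_reply(server.handle("EHLO client.example.test"))
    server.handle("QUIT")
    return {"outcome": "tls-via-wrapper", "capabilities": caps[1:]}


if __name__ == "__main__":
    for mode in ("starttls", "wrapper"):
        for client in (plaintext_client, tls_first_client):
            print("%-8s server, %-16s -> %s" % (mode, client.__name__,
                                               client(SimulatedSmtpd(mode))["outcome"]))
```

The four combinations map directly onto the thread: the plaintext client hangs against the wrapper-mode server (what happened when port 25 carried `smtpd_tls_wrappermode=yes`), the TLS-first client fails against the STARTTLS server (the `s_client` error above), and each client succeeds against the server style it was written for.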
 