SMTP error when trying to send test email

KevDog

Patron
Joined
Nov 26, 2016
Messages
462
I'm running the nightly truecommand docker version

I have a working SMTP email relay on my LAN which I've verified I can relay mail through when using the bitwarden_rs container (so I think it's working).

When trying to send a test email through the TrueCommand interface however I'm getting the following error from my postfix relay server (nothing is logging in the docker logs of truecommand):

Code:
Sep 30 07:06:50 archZFSProxy postfix/smtps/smtpd[16879]: connect from office.domain.com[10.0.1.162]
Sep 30 07:11:50 archZFSProxy postfix/smtps/smtpd[16879]: SSL_accept error from office.domain.com[10.0.1.162]: Connection timed out
Sep 30 07:11:50 archZFSProxy postfix/smtps/smtpd[16879]: lost connection after CONNECT from office.domain.com[10.0.1.162]
Sep 30 07:11:50 archZFSProxy postfix/smtps/smtpd[16879]: disconnect from office.domain.com[10.0.1.162] commands=0/0


In comparison, this is what I get from my working bitwarden_rs implementation:

Code:
Sep 30 07:13:12 archZFSProxy postfix/smtps/smtpd[16879]: connect from archBW.domain.com[10.0.1.81]
Sep 30 07:13:12 archZFSProxy postfix/smtps/smtpd[16879]: Anonymous TLS connection established from archbw.domain.com[10.0.1.81]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bi>
Sep 30 07:13:12 archZFSProxy postfix/smtps/smtpd[16879]: E5E9F4F9: client=archBW.domain.com[10.0.1.81], sasl_method=PLAIN, sasl_username=client
Sep 30 07:13:12 archZFSProxy postfix/cleanup[17455]: E5E9F4F9: message-id=<>


Digging into my main.cf, I have the following parameters set (which I borrowed from Mozilla: https://ssl-config.mozilla.org/#ser...fig=intermediate&openssl=1.1.1d&guideline=5.6)

Code:
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
smtpd_tls_dh1024_param_file = /etc/ssl/dhparam1024.pem


So I'm not exactly sure what's going on here -- help?
 

Jaron

iX IT Mgr
Administrator
Moderator
iXsystems
Joined
Oct 10, 2018
Messages
25
I ran into a very similar (if not the same) problem myself when trying to implement it.
Unfortunately, I cannot remember the exact one thing that made it all click. Sorry.
But below are the settings I have in postfix for a working combination (some may be redundant and some non-applicable).
Hopefully something here will help you out.
If you find the working combo, please share and we will try to document it.


Code:
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/mail.mydomain.com/fullchain.pem
smtpd_tls_key_file=/etc/ssl/mail.mydomain.com/key.pem
smtp_tls_CApath = /etc/ssl/certs
smtpd_tls_CApath = /etc/ssl/certs
smtpd_use_tls=yes
smtp_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_note_starttls_offer = yes
smtp_tls_loglevel = 1

smtpd_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_ciphers = high
smtpd_tls_ciphers = high
smtpd_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high
smtpd_tls_mandatory_ciphers = high

smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
tls_preempt_cipherlist = yes

tls_ssl_options = NO_RENEGOTIATION
 
Joined
Jan 4, 2014
Messages
1,644
I haven't been successful getting this working with a remote SMTP relay either. TC thinks a test alert is successful, but the receiver doesn't receive the email.
 

KevDog

Patron
Joined
Nov 26, 2016
Messages
462
@Jaron

Hey thanks for your config. Mine was similar to yours but you had a few options I didn't have. I added them to my config.

I think the problem I was running into was the choice of ports between 465 and 587. I have the milter set up on my postfix to use both ports 465 (smtps) and 587 (submission). (Note: On Arch Linux, smtps and submission are mapped to a specific port number by editing the /etc/services file; this may be different on other Linux variants.) The master.cf file is listed below for reference. I've found with TrueCommand I'm only able to use port 587 and not 465. In addition, within the SMTP setup (my auth username/password) the password is never saved correctly. It's always saved as 4 characters. If I type in the password and select test (with port 587), my test mail will send correctly. If I choose Save, then the password is reverted to 4 characters. Quite annoying.

Here is my master.cf
Code:
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o cleanup_service_name=subcleanup
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o cleanup_service_name=subcleanup
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
subcleanup unix n       -       -       -       0       cleanup
  -o header_checks=regexp:/etc/postfix/submission_header_checks
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
        -o syslog_name=postfix/$service_name
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd


If needing my main.cf I can post, however I don't think my original problem had anything to do per se with my main.cf settings (although I could be wrong on this account).
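
The two log excerpts in the first post differ in a way a script can pick out: on the wrapper-mode `smtps` service the failing client never begins a handshake, and Postfix logs `SSL_accept error ... Connection timed out` five minutes after the connect. The following is an added example, not code from any poster or from TrueCommand or Postfix: a Python function that groups smtpd log lines into sessions and labels how each TLS handshake ended. Reading `handshake_timeout` on an `smtps` listener as a client that expects plaintext SMTP or STARTTLS is an assumption, consistent with the report above that port 587 works; the function and verdict names are hypothetical.

```python
import re
from datetime import datetime

# Sample input: the smtps sessions quoted in the first post (the truncated cipher line is trimmed).
SAMPLE_LOG = """\
Sep 30 07:06:50 archZFSProxy postfix/smtps/smtpd[16879]: connect from office.domain.com[10.0.1.162]
Sep 30 07:11:50 archZFSProxy postfix/smtps/smtpd[16879]: SSL_accept error from office.domain.com[10.0.1.162]: Connection timed out
Sep 30 07:11:50 archZFSProxy postfix/smtps/smtpd[16879]: lost connection after CONNECT from office.domain.com[10.0.1.162]
Sep 30 07:11:50 archZFSProxy postfix/smtps/smtpd[16879]: disconnect from office.domain.com[10.0.1.162] commands=0/0
Sep 30 07:13:12 archZFSProxy postfix/smtps/smtpd[16879]: connect from archBW.domain.com[10.0.1.81]
Sep 30 07:13:12 archZFSProxy postfix/smtps/smtpd[16879]: Anonymous TLS connection established from archbw.domain.com[10.0.1.81]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384
Sep 30 07:13:12 archZFSProxy postfix/smtps/smtpd[16879]: E5E9F4F9: client=archBW.domain.com[10.0.1.81], sasl_method=PLAIN, sasl_username=client
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ postfix/([^/\s]+)/smtpd\[(\d+)\]: (.*)$")
CLIENT = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def classify_sessions(log_text):
    """Group smtpd lines into sessions and label how each TLS handshake ended."""
    open_sessions, done = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        ip = m and CLIENT.search(m.group(4))
        if not ip:
            continue  # not an smtpd line, or no client address on it
        ts, service, pid, msg = m.groups()
        key = (service, pid, ip.group(1))
        when = datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S")  # syslog omits the year
        if msg.startswith("connect from"):
            open_sessions[key] = {"service": service, "client": ip.group(1),
                                  "start": when, "verdict": "no_tls_event", "wait_s": 0}
            continue
        s = open_sessions.get(key)
        if s is None:
            continue
        if "TLS connection established" in msg:
            s["verdict"] = "tls_ok"
        elif msg.startswith("SSL_accept error") and "timed out" in msg:
            # The server waited for a ClientHello that never arrived.
            s["verdict"] = "handshake_timeout"
            s["wait_s"] = int((when - s["start"]).total_seconds())
        elif msg.startswith("disconnect from"):
            done.append(open_sessions.pop(key))
    done.extend(open_sessions.values())  # sessions still open at end of log
    return done

if __name__ == "__main__":
    for s in classify_sessions(SAMPLE_LOG):
        print(s["service"], s["client"], s["verdict"], s["wait_s"])
```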
 