How to encrypt a message in node.js sendmail? - email

I am using sendmail in node.js to send emails. My mail server is Postfix.
My TLS parameters in the Postfix config file are like this:
# TLS parameters
smtpd_tls_cert_file = /home/avanel/CMS/Render/ipeccongress_com.crt
smtpd_tls_key_file = /home/avanel/CMS/Render/capk.txt
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
BTW, I used my SSL certificate and key (I mean the same ones as for https).
But when it receives the mail, Gmail says it is not encrypted. What is wrong?
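The snippet above only contains smtpd_* parameters, which govern Postfix as the receiving server; delivery to Gmail is done by the smtp(8) client, whose TLS behaviour is set by smtp_tls_security_level. The following script is an added example (not part of the question) that parses a main.cf text and reports the inbound and outbound TLS state separately; the embedded configuration is the one posted above, and the lint messages are this example's own wording.

```python
"""Added example: tell apart Postfix's inbound (smtpd_*) and outbound (smtp_*)
TLS settings in a main.cf text.  The posted configuration only sets smtpd_*
parameters, i.e. STARTTLS for mail *arriving* here.  Mail *leaving* for Gmail is
sent by the smtp(8) client, which is governed by smtp_tls_security_level; with
that (and the legacy smtp_use_tls/smtp_enforce_tls) unset, Postfix delivers in
plaintext, which is what Gmail's "not encrypted" marker reports."""

from typing import Dict, List

# main.cf text reproduced from the question above (inbound-only TLS settings).
POSTED_MAIN_CF = """\
# TLS parameters
smtpd_tls_cert_file = /home/avanel/CMS/Render/ipeccongress_com.crt
smtpd_tls_key_file = /home/avanel/CMS/Render/capk.txt
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
"""


def parse_main_cf(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; '#' comments and blank lines are skipped.
    A later assignment overrides an earlier one, as Postfix itself does."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def outbound_tls_level(params: Dict[str, str]) -> str:
    """Effective TLS level of the smtp(8) client (outbound delivery).
    An empty smtp_tls_security_level means the legacy knobs decide, and with
    neither of those set the client never issues STARTTLS."""
    level = params.get("smtp_tls_security_level", "")
    if level:
        return level
    if params.get("smtp_enforce_tls", "no") == "yes":
        return "encrypt"
    if params.get("smtp_use_tls", "no") == "yes":
        return "may"
    return "none"


def inbound_tls_level(params: Dict[str, str]) -> str:
    """Effective TLS level of smtpd(8) (mail arriving at this server)."""
    level = params.get("smtpd_tls_security_level", "")
    if level:
        return level
    return "may" if params.get("smtpd_use_tls", "no") == "yes" else "none"


def lint_tls(text: str) -> List[str]:
    """Return one finding per direction that is still plaintext."""
    params = parse_main_cf(text)
    findings = []
    if inbound_tls_level(params) == "none":
        findings.append("inbound: smtpd(8) offers no STARTTLS")
    if outbound_tls_level(params) == "none":
        findings.append("outbound: smtp(8) client sends plaintext; "
                        "set smtp_tls_security_level = may")
    return findings


if __name__ == "__main__":
    for finding in lint_tls(POSTED_MAIN_CF) or ["both directions configured"]:
        print(finding)
```

Run it against `postconf -n` output to lint a live server; `may` gives opportunistic TLS (encrypt when the next hop offers STARTTLS, fall back to plaintext otherwise), which is what makes Gmail show the connection as encrypted.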

Related

How to configure postfix client on port 465?

I installed Postfix on a server, but port 25 was blocked by the ISP. I followed http://www.postfix.org/TLS_README.html#client_smtps to configure SMTPS on port 465.
I followed the configuration in "Postfix ≥ 3.0: Sending only mail for a specific destination via SMTPS",
but I have to add each mail domain to /etc/postfix/transport:
a.com relay-smtps:mx.a.com:465
b.com relay-smtps:mx.b.com:465
part of /etc/postfix/main.cf:
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtp_tls_security_level = may
tls_random_source = dev:/dev/urandom
smtp_tls_loglevel = 1
transport_maps = hash:/etc/postfix/transport
part of /etc/postfix/master.cf:
relay-smtps unix - - n - - smtp
    # Client-side SMTPS requires "encrypt" or stronger.
    -o smtp_tls_security_level=encrypt
    -o smtp_tls_wrappermode=yes
For destinations not in transport, Postfix tries to connect to port 25.
I can only send email to destinations listed in transport.
How do I change Postfix so that it tries to send all emails to [their own DNS MX record]:465?
I have tried "Postfix ≥ 3.0: Sending all remote mail to an SMTPS server":
relayhost = [mx.a.com]:465
But it was regarded as spam.
If I do something like:
mydomain.com :
* relay-smtps:how can use DNS MX record auto:465
How can I specify port 465 and use DNS MX record?
Thanks!

PHPMailer not able to send email with EC2

I'm using PHPMailer to send account verification mail. I'm using an AWS EC2 instance; the mailer works fine on localhost, but when I upload it to the server, emails are not going out.
At first I used SendGrid credentials to send emails, which failed; then I tried Gmail SMTP, which failed; and somewhere I read that EC2 can't send emails, so I created SES too, and I still can't send.
I searched the web about that, but no answers are fixing my problem.
On localhost I can send emails with the same code and with the SendGrid or Gmail credentials, so why can't I send from the server?
My PHPMailer code is:
$sub = "Thankyou For registration! Confirm Your mail to Login";
$mailBody = "<h1>You are successfully registered<br />Visit site to login</h1>";
require 'mailer/PHPMailerAutoload.php';
$mail = new PHPMailer;
$mail->isSMTP(); // Set mailer to use SMTP
$mail->Host = "tls://email-smtp.us-east-1.amazonaws.com"; // Specify main and backup SMTP servers
$mail->SMTPAuth = true; // Enable SMTP authentication
$mail->Username = "smtp_username"; // SMTP username
$mail->Password = "smtp_password"; // SMTP password
// $mail->SMTPSecure = 'ssl'; // Enable TLS encryption, `ssl` also accepted
$mail->Port = 465; // TCP port to connect to
$mail->setFrom("my_mail_id@gmail.com", "SMTP_REPLAY_NAME");
$mail->addReplyTo("my_mail_id@gmail.com", "SMTP_REPLAY_NAME");
$mail->addAddress("recipient_mail_id@gmail.com"); // Add a recipient
$mail->isHTML(true); // Set email format to HTML
$mail->Subject = $sub;
$mail->Body = $mailBody;
if (!$mail->send()) {
    echo 'Message could not be sent.';
} else {
    echo 'Message has been sent';
}
It shows "Message has been sent" but I can't receive the emails; I checked the spam folder too, and there is no trace of the mail!
I even have an OpenSSL certificate! I opened the SMTP port for both inbound and outbound in the EC2 security group; everything is working fine except PHPMailer!
Get your protocols straight. In the Host you're specifying tls, but telling it to connect to Port = 465, which will not work with TLS. Either change your Port to 587 (preferred) or change your encryption method to ssl. Enabling debug output (SMTPDebug = 2) will let you in on what's happening in the conversation with the server.
A perusal of the troubleshooting guide would probably help.
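The answer's point is that port 465 carries implicit TLS (handshake before any SMTP byte) while 587 carries STARTTLS (plaintext EHLO, then an upgrade), and a client must use the mode that matches the port. The following is an added example, not code from the question, the answer or PHPMailer: it uses Python's smtplib to show both modes side by side, validating the (port, mode) pair first using PHPMailer's `ssl`/`tls` names, and mirrors SMTPDebug with `set_debuglevel`. Host, port and credentials are whatever you pass on the command line.

```python
"""Added example: the two ways an SMTP client encrypts a submission, matched to
the port each belongs on.

  465  implicit TLS  -> TLS handshake first, SMTP dialogue inside the tunnel
  587  STARTTLS      -> plaintext EHLO first, then the STARTTLS upgrade

PHPMailer's SMTPSecure values 'ssl' and 'tls' select these two modes; the
answer above describes the mismatch of a tls:// host with port 465."""

import smtplib
import ssl
import sys

IMPLICIT_TLS, STARTTLS = "implicit-tls", "starttls"

# Conventional port-to-mode pairing (assumption: the server follows it).
PORT_MODE = {465: IMPLICIT_TLS, 587: STARTTLS, 25: STARTTLS}
SECURE_MODE = {"ssl": IMPLICIT_TLS, "tls": STARTTLS}


def tls_mode_for(port: int, secure: str) -> str:
    """Validate a (port, encryption) pair before connecting.
    Raises ValueError on the mismatch the answer describes."""
    if secure not in SECURE_MODE:
        raise ValueError(f"unknown encryption setting {secure!r}")
    mode = SECURE_MODE[secure]
    if port in PORT_MODE and PORT_MODE[port] != mode:
        raise ValueError(f"port {port} expects {PORT_MODE[port]}, not {mode}")
    return mode


def is_valid_pair(port: int, secure: str) -> bool:
    try:
        tls_mode_for(port, secure)
        return True
    except ValueError:
        return False


def open_session(host: str, port: int, secure: str, debug: bool = False) -> smtplib.SMTP:
    """Connect in the right mode with a verifying TLS context (hostname and
    chain are checked).  debug=True is the analogue of PHPMailer's SMTPDebug:
    the whole SMTP dialogue is echoed to stderr."""
    ctx = ssl.create_default_context()
    mode = tls_mode_for(port, secure)
    if mode == IMPLICIT_TLS:
        s = smtplib.SMTP_SSL(host, port, timeout=20, context=ctx)
        s.set_debuglevel(1 if debug else 0)
        s.ehlo()
    else:
        s = smtplib.SMTP(host, port, timeout=20)
        s.set_debuglevel(1 if debug else 0)
        s.ehlo()
        if not s.has_extn("starttls"):
            s.quit()
            raise RuntimeError(f"{host}:{port} does not advertise STARTTLS")
        s.starttls(context=ctx)
        s.ehlo()  # capabilities (including AUTH) must be re-read after the upgrade
    return s


if __name__ == "__main__":
    # usage: python smtp_modes.py HOST PORT ssl|tls
    host, port, secure = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    session = open_session(host, port, secure, debug=True)
    print("TLS:", session.sock.version(), "cipher:", session.sock.cipher()[0])
    session.quit()
```

If a session on 465 with `tls` is attempted, `tls_mode_for` stops it before any connection is made; with a correct pair, the printed protocol version and cipher confirm that the dialogue is actually encrypted, which "Message has been sent" alone does not.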

Postfix/Dovecot SSL configuration

I've had a Ubuntu 14.04 server configured and running fine for some time now. There are web, ftp and mail server installed and functioning properly on it. A week ago the SSL certificate that I had been using to connect to the management console and for mail expired and I went ahead and acquired a new one from StartSSL.
The new certificate is for mail.mydomain.com. The Postfix (main.cf) configuration contains the following:
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = /usr/share/doc/postfix
# TLS parameters
smtpd_tls_cert_file = /etc/postfix/mail.crt
smtpd_tls_key_file = /etc/postfix/mail.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
myhostname = mail.mysite.com
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
myorigin = /etc/mailname
mydestination = mail.mysite.eu, localhost, localhost.localdomain
Dovecot.conf
protocols = imap pop3
auth_mechanisms = plain login
disable_plaintext_auth = no
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_privileged_group = vmail
postmaster_address = postmaster@saturn13.eu
ssl_cert = </etc/postfix/mail.crt
ssl_key = </etc/postfix/mail.key
ssl_protocols = !SSLv2 !SSLv3
Dovecot/conf.d/10-ssl.conf
ssl = yes
ssl_cert = </etc/postix/mail.crt
ssl_key = </etc/postfix/mail.key
I read that StartSSL requires an intermediate and root CA to be installed, so I tried concatenating them into a mail.pem file, which I then set in both Postfix and Dovecot. Try as I might, every time I ran the OpenSSL test, the results were like this:
root@server:/etc/dovecot# openssl s_client -connect mail.mysite.com:465
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
What's even more puzzling for me is the fact that when I try to connect to the account with Thunderbird, a popup window appears asking to confirm a security exception for www.mysite.com:443.
So, could you help me figure out what's wrong in this configuration? When I open the mail.crt file in Windows, everything appears normal. So why can't I connect to the server and why is Thunderbird trying to connect to www and on port 443?
Thank you!
With StartSSL certs you need to wait for one day, or OCSP validation will fail.
Firefox and Thunderbird have OCSP enabled; maybe this was the cause for TB...
For the openssl error, maybe you are using the wrong ciphers? Check here: https://weakdh.org/sysadmin.html
your mail.crt looks like:
-----BEGIN CERTIFICATE-----
..xxx..
-----END CERTIFICATE-----
and your mail.key like
-----BEGIN RSA PRIVATE KEY-----
...xxx...
-----END RSA PRIVATE KEY-----
You don't need to install the StartSSL root cert, as it is installed in all browsers...
just the intermediate:
for Postfix I'm using
smtpd_tls_CAfile = /etc/ssl/private/sub.class1.server.ca.pem
for dovecot
ssl_ca = </etc/ssl/private/sub.class1.server.ca.pem
and apache
SSLCertificateChainFile /etc/ssl/private/sub.class1.server.ca.pem
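The answer's fix is to serve the intermediate alongside the server certificate, whether via smtpd_tls_CAfile / ssl_ca as shown or by appending it to the certificate file. What the concatenated bundle has to satisfy is simple: certificates in order, each one's issuer naming the next one's subject, and the last issuer being something clients already trust. The following is an added example (not from the answer, Postfix or Dovecot) that checks a PEM bundle for exactly that using only the standard library; the two certificates it builds for its demo are constructed stubs with the real X.509 field order but no key or signature, not StartSSL certificates.

```python
"""Added example: check a PEM bundle the way Postfix/Dovecot will use it,
server certificate first, then the intermediate(s), each certificate's issuer
matching the next one's subject byte for byte.  trust_anchor() names the CA
that clients must already trust; if that is the intermediate rather than a
root, the intermediate is missing from the bundle (the case in the question).
A minimal DER walk (RFC 5280 TBSCertificate layout) replaces a crypto library."""

import base64
import re
import sys
from typing import List, Tuple

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_COMMON_NAME = b"\x55\x04\x03"  # id-at-commonName, 2.5.4.3


def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value; return (tag, content, next position)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def cert_names(der: bytes) -> Tuple[bytes, bytes]:
    """Return (issuer, subject) as the raw contents of the two Name SEQUENCEs."""
    _, cert, _ = _tlv(der, 0)                # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                # tbsCertificate ::= SEQUENCE
    tag, _, pos = _tlv(tbs, 0)               # [0] EXPLICIT version is optional
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)           # serialNumber
    _, _, pos = _tlv(tbs, pos)               # signature AlgorithmIdentifier
    _, issuer, pos = _tlv(tbs, pos)          # issuer Name
    _, _, pos = _tlv(tbs, pos)               # validity
    _, subject, _ = _tlv(tbs, pos)           # subject Name
    return issuer, subject


def common_name(name: bytes) -> str:
    """Walk Name ::= SEQUENCE OF SET OF {OID, value} and return the CN."""
    pos = 0
    while pos < len(name):
        _, rdn, pos = _tlv(name, pos)
        _, attr, _ = _tlv(rdn, 0)
        _, oid, vpos = _tlv(attr, 0)
        if oid == OID_COMMON_NAME:
            return _tlv(attr, vpos)[1].decode("utf-8", "replace")
    return "<no CN>"


def split_pem(text: str) -> List[bytes]:
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(text)]


def chain_problems(pem_text: str) -> List[str]:
    """One message per broken link between consecutive certificates."""
    certs = [cert_names(d) for d in split_pem(pem_text)]
    if not certs:
        return ["no certificates found"]
    return [f"certificate {i} is not issued by certificate {i + 1}"
            for i, (issuer, _) in enumerate(certs[:-1]) if issuer != certs[i + 1][1]]


def trust_anchor(pem_text: str) -> str:
    """CN of the CA the last certificate expects clients to trust already."""
    return common_name(cert_names(split_pem(pem_text)[-1])[0])


# --- constructed stub certificates for the demo (layout only, no signature) ---
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn: str) -> bytes:
    attr = _der(0x30, _der(0x06, OID_COMMON_NAME) + _der(0x13, cn.encode()))
    return _der(0x30, _der(0x31, attr))


def stub_cert_pem(subject_cn: str, issuer_cn: str) -> str:
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _name(issuer_cn) + _der(0x30, b"") + _name(subject_cn) + _der(0x30, b""))
    der = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # usage: python chaincheck.py /etc/postfix/mail.pem   (no argument: demo on stubs)
    if len(sys.argv) > 1:
        bundle = open(sys.argv[1]).read()
    else:
        bundle = stub_cert_pem("mail.mysite.com", "Example Intermediate CA")
    print("problems:", chain_problems(bundle) or "none")
    print("clients must trust:", trust_anchor(bundle))
```

On the question's single mail.crt, `chain_problems` is empty (there is nothing to link) but `trust_anchor` returns the intermediate's name, which is the hint that it has to be appended; once it is, the anchor becomes the root that browsers and mail clients already carry. The byte-for-byte comparison is the same test a TLS library applies when it builds the chain, so a mismatch here means the wrong intermediate file was used.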

Postfix SMTP relay: client does not offer TLS client certificate to the server?

I have two machines, one running Ubuntu and one running Debian, both running Postfix. The intent is that machine #2 becomes an SMTP relay/smarthost for machine #1. I have created a CA and issued certificates for both machines: a server certificate for #2 and a client certificate for #1.
When sending e-mail from #1 (by having the MUA talk to Postfix on localhost:25 with the intent that it relays e-mail to #2), the basic things work fine: the machines can talk to each other and an attempt to relay is actually made. The idea is to allow relaying on #2 if a valid client-side SSL/TLS certificate is presented from #1.
The relevant configuration for #2 is:
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 2
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/ssl/private/cert2.pem
smtpd_tls_key_file = /etc/ssl/private/key2-d.pem
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_auth_only = yes
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination permit_tls_all_clientcerts
The configuration on #1 is:
smtp_tls_CAfile = /etc/ssl/certs/cacert.pem
smtp_tls_cert_file = /etc/ssl/private/cert1.pem
smtp_tls_key_file = /etc/ssl/private/key1-d.pem
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_security_level = verify
smtp_tls_loglevel = 2
Machine #1 connects to #2, enables STARTTLS, the log files show that it successfully verifies the certificate from #2, and it attempts to relay the message. However, it appears not to send the client certificate to #2, and #2 refuses to relay the message.
Log entries from #1:
Apr 17 01:18:14 mail1 postfix/smtp[30250]: Verified TLS connection established to mail2[x.x.x.x]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 17 01:18:14 mail1 postfix/smtp[30244]: 8A2328BDB4: to=<addr@gmail.com>, relay=mail2[x.x.x.x]:25, delay=3488, delays=3486/0.41/0.85/0.19, dsn=4.7.1, status=deferred (host mail2[x.x.x.x] said: 454 4.7.1 <addr@gmail.com>: Relay access denied (in reply to RCPT TO command))
Log entries from #2:
Apr 17 01:18:13 mail2 postfix/smtpd[28798]: Anonymous TLS connection established from unknown[y.y.y.y]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 17 01:18:13 mail2 postfix/smtpd[28798]: NOQUEUE: reject: RCPT from unknown[y.y.y.y]: 454 4.7.1 <addr@gmail.com>: Relay access denied; from=<addr@mail1> to=<addr@gmail.com> proto=ESMTP helo=<mail1>
Any ideas? I'm basing my assumption that #1 didn't send its client cert on the "Anonymous TLS connection established" part in the logs from mail2.
A TLS server must request a certificate from the client; the client will not send it on its own. Try adding
smtpd_tls_ask_ccert = yes
on the server side.
Add your server address (server1.domaine.com) to the Postfix config file main.cf:
mynetworks = 127.0.0.1/8
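The question was diagnosed from the "Anonymous TLS connection established" line on the server, and the first answer points at the missing smtpd_tls_ask_ccert. Both checks can be automated; the following is an added example (not from the question or either answer) that classifies Postfix smtpd TLS log lines by whether a client certificate was presented and verified, and lints a main.cf text for the permit_tls_all_clientcerts / smtpd_tls_ask_ccert inconsistency. The embedded log line and configuration are the ones posted above; the finding texts are this example's own.

```python
"""Added example: two checks for the client-certificate relay setup above.

1. classify_tls_lines(): per smtpd "TLS connection established" line, report
   whether a client certificate was seen.  Postfix logs 'Anonymous' when none
   was sent, 'Untrusted' when one was sent but did not chain to
   smtpd_tls_CAfile, and 'Trusted' when it verified, which is the state
   permit_tls_all_clientcerts requires.  (smtp client-side lines such as
   'Verified TLS connection established to ...' are a different format and
   are deliberately not matched here.)
2. ccert_config_gap(): flag a main.cf that relies on permit_tls_*clientcerts
   without smtpd_tls_ask_ccert = yes, so the server never asks for the cert."""

import re
from typing import Dict, List

SMTPD_TLS_LINE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<trust>Anonymous|Untrusted|Trusted) TLS connection "
    r"established from (?P<client>\S+): (?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+)"
)
CLIENT_CERT_STATE = {"Anonymous": "none sent", "Untrusted": "sent, not verified",
                     "Trusted": "verified"}

# Log lines reproduced from the question (server #2 side).
SAMPLE_LOG = """\
Apr 17 01:18:13 mail2 postfix/smtpd[28798]: Anonymous TLS connection established from unknown[y.y.y.y]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 17 01:18:13 mail2 postfix/smtpd[28798]: NOQUEUE: reject: RCPT from unknown[y.y.y.y]: 454 4.7.1 <addr@gmail.com>: Relay access denied; from=<addr@mail1> to=<addr@gmail.com> proto=ESMTP helo=<mail1>
"""

# main.cf of server #2 as posted in the question.
POSTED_SERVER_CF = """\
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 2
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/ssl/private/cert2.pem
smtpd_tls_key_file = /etc/ssl/private/key2-d.pem
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_auth_only = yes
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination permit_tls_all_clientcerts
"""


def classify_tls_lines(log: str) -> List[Dict[str, str]]:
    """One record per smtpd TLS handshake line: client, protocol, cipher, cert state."""
    records = []
    for line in log.splitlines():
        m = SMTPD_TLS_LINE.search(line)
        if m:
            rec = m.groupdict()
            rec["client_cert"] = CLIENT_CERT_STATE[rec["trust"]]
            records.append(rec)
    return records


def _param(main_cf: str, key: str) -> str:
    """Last assignment wins, as in Postfix; empty string if the key is absent."""
    matches = re.findall(rf"^\s*{key}\s*=\s*(.*)$", main_cf, re.M)
    return matches[-1].strip() if matches else ""


def ccert_config_gap(main_cf: str) -> List[str]:
    restrictions = " ".join(_param(main_cf, k) for k in
                            ("smtpd_relay_restrictions", "smtpd_recipient_restrictions",
                             "smtpd_client_restrictions"))
    if not re.search(r"permit_tls_(all_)?clientcerts", restrictions):
        return []
    findings = []
    if _param(main_cf, "smtpd_tls_ask_ccert").lower() != "yes":
        findings.append("smtpd_tls_ask_ccert is not 'yes': smtpd never requests a "
                        "client certificate, so permit_tls_*clientcerts cannot match")
    if not _param(main_cf, "smtpd_tls_CAfile") and not _param(main_cf, "smtpd_tls_CApath"):
        findings.append("no smtpd_tls_CAfile/CApath: client certificates cannot be verified")
    return findings


if __name__ == "__main__":
    for rec in classify_tls_lines(SAMPLE_LOG):
        print(f"{rec['client']}: {rec['proto']} {rec['cipher']}, client cert {rec['client_cert']}")
    for finding in ccert_config_gap(POSTED_SERVER_CF):
        print("config:", finding)
```

After the fix, the same log parser should report `verified` for mail1's connections; if it reports `sent, not verified` instead, the client certificate was requested and sent but does not chain to the CA in smtpd_tls_CAfile, which is a different problem from the one in the question.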

Gmail smtp SASL authentication

I'm using Postfix to send email via Gmail with an application password (two-step verification activated).
Each time I test sending mail using the sendmail command, I get this error:
Action: delayed
Status: 4.7.14
Diagnostic-Code: X-Postfix; delivery temporarily suspended: SASL authentication
failed; server smtp.gmail.com said: 534-5.7.14
<https://accounts.google.com/signin/continue?...> Please log in via your web browser and?534-5.7.14 then try again.?534-5.7.14
This is my postfix configuration:
main.cf
myorigin = /etc/mailname
mydestination = mydomain.com, localhost.fr, localhost
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
/etc/postfix/sasl/sasl_passwd:
[smtp.gmail.com]:587 admin@mydomain.com:application_password
And this is how I used sendmail:
sendmail -v ...
From: admin@mydomain.com
Subject: Test
This is a test mail
.
Any ideas? Thanks!
For anyone finding this who has run into the same scenario:
Using an app specific password
2FA enabled on your account
Seeing 'delivery temporarily suspended: SASL authentication failed; server smtp.gmail.com[173.194.68.109] said: 534-5.7.9 Please log in with your web browser and then try again' in your log
You may need to visit https://accounts.google.com/DisplayUnlockCaptcha to 'bypass' the captcha, which will enable the account access and get everything working.
Allow less secure apps: If you don't use 2-Step Verification, you might need to allow less secure apps to access your account.