Mail Services Update 1.0 killed SMTP/TLS, cannot send mail anymore
It seems the update somehow broke TLS/SSL and now I cannot send email anymore when SSL is enabled on the server for SMTP.
Apple's so-called pathetic documentation of course gives no clue what the update really does. This is considered a normal failure by Apple now. I did inspect the contents manually though, and as I said, didn't find anything that could easily kill my setup (only to be proven wrong a bit later).
With SSL activated on SMTP, postfix cannot start up anymore and logs these error messages to mail.log about every minute.
Dec 18 13:31:23 prometheus postfix/tlsmgr[50317]: fatal: poll: Unknown error: 0
Dec 18 13:31:24 prometheus postfix/master[49551]: warning: process /usr/libexec/postfix/tlsmgr pid 50317 exit status 1
Dec 18 13:31:24 prometheus postfix/master[49551]: warning: /usr/libexec/postfix/tlsmgr: bad command startup -- throttling
One thing I have noticed is that the update modifies the /etc/postfix/master.cf file and disables smtp-submission.
One needs to remove the comments on these two lines to have the system accept client connections on port 587 with encryption again.
Here's a diff:
13,14c13,14
< #submission inet n - n - - smtpd
< # -o smtpd tls_securitylevel=encrypt
---
submission inet n - n - - smtpd
-o smtpd tls_securitylevel=encrypt
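Review bot: the option name on the `-o` lines, `smtpd tls_securitylevel`, is not a Postfix parameter; the master.cf override is `-o smtpd_tls_security_level=encrypt`, and the underscores look like they were eaten by the forum rendering (the `postconf -n` listing further down shows the same loss, and the `>` markers in front of the two new lines are missing too). Anyone copying this back into master.cf should write the override as `-o smtpd_tls_security_level=encrypt` on an indented line under the `submission` entry; with a misspelled name the submission service comes up but does not require TLS before AUTH, which is exactly the plaintext-credential case the post wants to avoid.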
Sadly uncommenting these lines does not help with the tlsmgr problem, and having clients send authenticated mail without TLS/SSL is considered harmful and therefore not allowed for security reasons. When disabling SSL (which of course is an absolutely absolute not-possible no-go) SMTP works again.
Just for the usual mail-gurus in this forum… 🙂
My postconf is slightly modified from Apple's original and has been proven to work well, though I cannot tell if everything is set up perfectly.
$ postconf -n
alias_maps = hash:/etc/aliases,hash:/var/mailman/data/aliases
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
enable_server_options = yes
header_checks = pcre:/etc/postfix/custom_header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
mail_owner = _postfix
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
message_size_limit = 23068672
mydestination = $myhostname, localhost.$mydomain, localhost, 127.0.0.1, $mydomain
mydomain = prometheus.maclemon.at
mydomain_fallback = localhost
mynetworks = 127.0.0.1/32,localhost
newaliases_path = /usr/bin/newaliases
owner_request_special = no
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relayhost =
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtpd_client_restrictions = hash:/etc/postfix/smtpdreject cidr:/etc/postfix/smtpdreject.cidr permit_sasl_authenticated permit_mynetworks reject_rbl_client zen.spamhaus.org reject_rbl_client ix.dnsbl.manitu.net permit
smtpd_data_restrictions = permit_mynetworks reject_unauth_pipelining permit
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated permit_mynetworks check_helo_access hash:/etc/postfix/helo_access reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_non_fqdn_hostname reject_invalid_hostname permit
smtpd_pw_server_security_options = cram-md5,gssapi
smtpd_recipient_restrictions = reject_invalid_hostname reject_non_fqdn_sender reject_non_fqdn_recipient permit_sasl_authenticated permit_mynetworks reject_unauth_destination reject_rbl_client zen.spamhaus.org reject_rbl_client ix.dnsbl.manitu.net check_policy_service unix:private/policy permit
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = permit_sasl_authenticated permit_mynetworks reject_non_fqdn_sender permit
smtpd_tls_CAfile = /etc/certificates/prometheus.maclemon.at.502E049545F7A1F1ED985BE049FB03FB792F7EB8.chain.pem
smtpd_tls_cert_file = /etc/certificates/prometheus.maclemon.at.502E049545F7A1F1ED985BE049FB03FB792F7EB8.cert.pem
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
smtpd_tls_key_file = /etc/certificates/prometheus.maclemon.at.502E049545F7A1F1ED985BE049FB03FB792F7EB8.key.pem
smtpd_tls_loglevel = 0
smtpd_use_pw_server = yes
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_domains = $virtual_alias_maps hash:/etc/postfix/virtual_domains
virtual_alias_maps = hash:/etc/postfix/virtual_users, hash:/var/mailman/data/virtual-mailman
Some possibly relevant version numbers:
$ postconf -d | grep mail_version
mail_version = 2.5.5
$ amavisd -V
amavisd-new-2.5.1 (20070531)
$ spamassassin -V
SpamAssassin version 3.2.1
running on Perl version 5.10.0
$ clamscan -V
ClamAV 0.95.2/10197/Fri Dec 18 02:59:38 2009
Best regards
Pepi
PS: Sorry this is so hard to read, Apple makes it impossible to properly format posts via BBCode as they mess up everything that is [QUOTE], [CODE], [TT] and even [NOPARSE]
MacBook Pro, Mac OS X (10.6.2), Recommended Reading: http://en.wikipedia.org/wiki/Netiquette
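The two things the post is really checking by hand, whether the port 587 submission service is still enabled and forced to TLS before AUTH, and whether tlsmgr is crash-looping in mail.log, can be checked from the config and log text alone. The script below is an added example for this thread, not code from the original post, from Apple or from the Postfix project. It parses a master.cf fragment and `postconf -n` output and reports findings; the master.cf and postconf texts and the mail.log lines are constructed samples modelled on the post, the parameter names are real Postfix ones, and the finding strings and function names are this example's own. It also flags one caveat the posted config does not cover: with `smtpd_sasl_auth_enable = yes` and no `smtpd_tls_auth_only = yes`, AUTH is announced on port 25 before STARTTLS as well.

```python
"""Offline audit of a Postfix STARTTLS/submission setup (added example)."""
import re

# Constructed master.cf fragment as the update reportedly leaves it.
MASTER_CF_BROKEN = """\
smtp      inet  n       -       n       -       -       smtpd
#submission inet n       -       n       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
"""

# Same fragment with the submission service and its overrides uncommented.
MASTER_CF_FIXED = MASTER_CF_BROKEN.replace("#submission", "submission").replace("#  -o", "  -o")

# Constructed `postconf -n` excerpt with only the parameters the audit inspects.
POSTCONF_N = """\
smtpd_sasl_auth_enable = yes
smtpd_tls_CAfile = /etc/certificates/example.chain.pem
smtpd_tls_cert_file = /etc/certificates/example.cert.pem
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
smtpd_tls_key_file = /etc/certificates/example.key.pem
smtpd_use_tls = yes
"""

# Constructed mail.log lines in the shape quoted in the post.
MAIL_LOG = [
    "Dec 18 13:31:23 prometheus postfix/tlsmgr[50317]: fatal: poll: Unknown error: 0",
    "Dec 18 13:31:24 prometheus postfix/master[49551]: warning: process /usr/libexec/postfix/tlsmgr pid 50317 exit status 1",
    "Dec 18 13:31:24 prometheus postfix/master[49551]: warning: /usr/libexec/postfix/tlsmgr: bad command startup -- throttling",
    "Dec 18 13:31:25 prometheus postfix/smtpd[50320]: connect from localhost[127.0.0.1]",
]


def parse_master_cf(text):
    """Return {service: {"enabled": bool, "options": {name: value}}}.

    A leading `#` makes a service or `-o` line inactive; only active `-o`
    lines are recorded, so an override commented out by the update counts as absent.
    """
    services, current = {}, None
    for raw in text.splitlines():
        commented = raw.lstrip().startswith("#")
        content = raw.lstrip().lstrip("#").strip()
        if not content:
            continue
        if content.startswith("-o"):
            if current is not None and not commented:
                name, _, value = content[2:].strip().partition("=")
                services[current]["options"][name.strip()] = value.strip()
            continue
        fields = content.split()
        if len(fields) >= 8:  # service name, type, private, unpriv, chroot, wakeup, maxproc, command
            current = fields[0]
            services[current] = {"enabled": not commented, "options": {}}
    return services


def parse_postconf(text):
    """Parse `postconf -n` style `name = value` lines into a dict."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def audit(master_text, postconf_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    services = parse_master_cf(master_text)
    params = parse_postconf(postconf_text)

    # main.cf side: is STARTTLS offered at all, with key material and no anonymous suites?
    tls_offered = (params.get("smtpd_tls_security_level") in ("may", "encrypt")
                   or params.get("smtpd_use_tls") == "yes")
    if not tls_offered:
        findings.append("smtpd offers no STARTTLS (smtpd_tls_security_level and smtpd_use_tls unset)")
    for key in ("smtpd_tls_cert_file", "smtpd_tls_key_file"):
        if not params.get(key):
            findings.append(f"{key} is empty; STARTTLS cannot be offered")
    if "aNULL" not in params.get("smtpd_tls_exclude_ciphers", ""):
        findings.append("anonymous (aNULL) cipher suites are not excluded")

    # master.cf side: port 587 must exist and must require TLS before AUTH.
    sub = services.get("submission")
    if sub is None or not sub["enabled"]:
        findings.append("submission service (port 587) is commented out or missing")
    else:
        opts = sub["options"]
        if not (opts.get("smtpd_tls_security_level") == "encrypt" or opts.get("smtpd_enforce_tls") == "yes"):
            findings.append("submission does not force TLS; SASL credentials could be sent in clear")

    # Without smtpd_tls_auth_only, AUTH is also announced on port 25 before STARTTLS.
    if params.get("smtpd_sasl_auth_enable") == "yes" and params.get("smtpd_tls_auth_only") != "yes":
        findings.append("smtpd_sasl_auth_enable=yes without smtpd_tls_auth_only=yes: plaintext AUTH possible on port 25")
    return findings


TLSMGR_FATAL = re.compile(r"postfix/tlsmgr\[\d+\]: fatal: (?P<msg>.*)$")
THROTTLE = re.compile(r"postfix/master\[\d+\]: warning: \S*/tlsmgr: bad command startup -- throttling")


def tlsmgr_status(log_lines):
    """Collect tlsmgr fatals and master throttling events; both present means a crash loop."""
    fatals = [m.group("msg") for line in log_lines if (m := TLSMGR_FATAL.search(line))]
    throttled = sum(1 for line in log_lines if THROTTLE.search(line))
    return {"fatal": fatals, "throttled": throttled, "crash_loop": bool(fatals) and throttled > 0}


if __name__ == "__main__":
    for label, cf in (("as updated", MASTER_CF_BROKEN), ("submission restored", MASTER_CF_FIXED)):
        print(label, "->", audit(cf, POSTCONF_N) or "no findings")
    print(tlsmgr_status(MAIL_LOG))
```

Run it against real files with `audit(open("/etc/postfix/master.cf").read(), subprocess.check_output(["postconf", "-n"], text=True))`; the audit deliberately treats the legacy `smtpd_use_tls`/`smtpd_enforce_tls` pair as equivalent to `smtpd_tls_security_level` because Postfix 2.5, the version in the post, still honours them when the newer parameter is unset.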