Postfix/TLS - Testing

Testing the package is a little bit difficult, as the communication is encrypted, so that you cannot "imitate" the conversation just by telnetting to the SMTP port. You also cannot capture the packets (well, you can, but if everything is working as advertised, it won't help you :-).

Included debugging aids

As all of the messages generated by Postfix are sent to the syslog facility, debugging must be done using your normal system logfiles. Postfix/TLS supports the logging levels 0 (very quiet) up to 4 (a dump of the complete conversation, not recommended).

As a first step, set smtp[d]_tls_loglevel=2 and watch the logfile. Typically you will have problems with access to the keys or certificates, so you will find error messages here.

While testing the interoperability with ZMailer we learned that an incorrect certificate type (must be server for the server :-) can lead to connection failures without clear symptoms. It helps to use Netscape 4.5x as a client and carefully study the message boxes and certificate information. I have yet to find out how to identify this problem from Postfix to print a suitable warning to the logfile. Hopefully it will be possible without changes in the OpenSSL library.
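
A pre-flight check for the two problems described above (key/certificate access and a wrong certificate type), as an added example that is not part of Postfix/TLS. It uses the openssl command line tool; the function name check_tls_pair and any file paths passed to it are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check of a TLS key/certificate pair before
# pointing Postfix at it. check_tls_pair and all paths are hypothetical.

check_tls_pair() {
    cert=$1
    key=$2

    # 1. Access problems: both files must exist and be readable.
    for f in "$cert" "$key"; do
        if [ ! -r "$f" ]; then
            echo "FAIL: cannot read $f" >&2
            return 1
        fi
    done

    # 2. Key problems: the key must parse without a passphrase (a daemon
    #    cannot type one) and must carry the certificate's public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: $cert is not a parsable PEM certificate" >&2
        return 2
    }
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || {
        echo "FAIL: $key is not a usable unencrypted private key" >&2
        return 2
    }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not belong to $cert" >&2
        return 3
    fi

    # 3. Certificate type: OpenSSL must accept it for the SSL server purpose
    #    (covers extendedKeyUsage, keyUsage and the Netscape cert type).
    if ! openssl x509 -in "$cert" -noout -purpose 2>/dev/null |
            grep -q '^SSL server : Yes'; then
        echo "FAIL: $cert is not valid as an SSL server certificate" >&2
        return 4
    fi

    echo "OK: $cert and $key are usable for a TLS server"
    return 0
}
```

Run it as the user that will read the files; return codes 1 to 4 distinguish access, parsing, key mismatch and certificate type failures.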

Platforms

Please don't comment on the stability of Netscape, especially not on HP-UX...

Interoperability

There is one other OpenSource package available, extending the Qmail [QMAIL] MTA to support RFC2487, written by Frederik Vermeulen [QMAILTLS]. Sending and receiving is working from both sides.

The author/maintainer of ZMailer, Matti Aarnio, is working to support the server side of RFC2487 in ZMailer [ZMAILER]. Mail could be sent from a Postfix/TLS client to a ZMailer server.

I don't have access to other MTAs by now...

Known bugs

This software is just at the beginning, so please be patient. By now I have these points: