Postfix/TLS - Testing

Testing the package is a little bit difficult, as the communication is encrypted, so that you cannot "imitate" the conversation just by telnetting to the SMTP port. You also cannot capture the packets (well, you can, but if everything is working as advertised, it won't help you :-).

Included debugging aids

As all of the messages generated by Postfix are sent to the syslog facility, debugging must be done using your normal system logfiles. Postfix/TLS supports the logging levels 0 (very quiet) up to 4 (a dump of the complete conversation, not recommended).

As a first step set smpt[d]_tls_loglevel=2 and watch the logfile. Typically you will have problems with the access to the keys or certificates, so you will find error messages here.

While testing the interoperability with ZMailer we learned, that an incorrect certificate type (must be server for the server :-) can lead to connection failures without clear symptoms. It helps to use Netscape 4.5x as a client and carefully study the message boxes and certificate information. I have yet to find out how to identify this problem from postfix to print a suitable warning to the logfile. Hopefully it will be possible without changes in the OpenSSL library.


Please don't comment on the stability of Netscape, especially not on HP-UX...


There is one other OpenSource package available, extending the Qmail [QMAIL] MTA to support RFC2487, written by Frederik Vermeulen [QMAILTLS]. Sending and receiving is working from both sides.

The author/maintainer of ZMailer, Matti Aarnio, is working to support the server side of RFC2487 in ZMailer [ZMAILER. Mail could be sent from a Postfix/TLS client to a ZMailer server.

I don't have access to other MTAs by now...

Known bugs

This software is just at the beginning, so please be patient. By now I have these points: