Postfix/TLS - Testing
Testing the package is a little bit difficult, as the communication is
encrypted, so you cannot "imitate" the conversation simply by
telnetting to the SMTP port. You also cannot capture the packets
(well, you can, but if everything is working as advertised, it won't
help you :-).
Included debugging aids
As all of the messages generated by Postfix are sent to the syslog
facility, debugging must be done using your normal system logfiles.
Postfix/TLS supports the logging levels 0 (very quiet) up to 4
(a dump of the complete conversation, not recommended).
As a first step set smtp[d]_tls_loglevel=2 (smtp_tls_loglevel for the
client side, smtpd_tls_loglevel for the server side) and watch the logfile.
Typically you will have problems with access to the keys or certificates,
so you will find the error messages here.
While testing the interoperability with ZMailer we learned that an incorrect
certificate type (the server must use a server certificate :-) can lead to
connection failures without clear symptoms. It helps to use Netscape 4.5x
as a client and to carefully study the message boxes and the certificate
information. I have yet to find out how Postfix could identify this
problem and print a suitable warning to the logfile. Hopefully it will be
possible without changes to the OpenSSL library.
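The access and certificate-type problems named above, plus a check that key and certificate actually belong together, can be verified before raising the loglevel. The following pre-flight script is an added example, not part of Postfix/TLS; it assumes the openssl command-line tool is installed and takes the key and certificate paths as arguments.

```shell
#!/bin/sh
# Pre-flight check for a Postfix/TLS server key/certificate pair (added
# example; assumes the openssl command-line tool is installed).

check_tls_files() {
    key="$1"; cert="$2"

    # 1. Access: run this as the user Postfix runs under, so that a key
    #    or certificate the daemon cannot open shows up here.
    for f in "$key" "$cert"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f" >&2; return 1; }
    done
    # Column 8 of ls -l is the "other" read bit; a world-readable private
    # key does not break TLS, but it should be fixed before going live.
    if [ "$(ls -l "$key" | cut -c8)" = "r" ]; then
        echo "WARN: $key is world-readable" >&2
    fi

    # 2. Key and certificate must belong together: compare public keys.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "FAIL: cannot parse private key $key" >&2; return 2; }
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "FAIL: cannot parse certificate $cert" >&2; return 2; }
    [ "$kpub" = "$cpub" ] \
        || { echo "FAIL: $key does not match $cert" >&2; return 3; }

    # 3. Certificate type: the server needs a *server* certificate.  Look
    #    at the Netscape cert type (what Netscape 4.x checks) and at the
    #    X.509v3 extendedKeyUsage; both are printed on the line following
    #    their label in openssl's text output.
    txt=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || return 2
    ns=$(printf '%s\n' "$txt" | sed -n '/Netscape Cert Type:/{n;p;}')
    eku=$(printf '%s\n' "$txt" | sed -n '/Extended Key Usage:/{n;p;}')
    case "$ns$eku" in
        *"SSL Server"*|*"TLS Web Server Authentication"*)
            echo "OK: $cert is a server certificate matching $key"; return 0 ;;
        "")
            echo "WARN: $cert carries no cert type or EKU extension" >&2; return 0 ;;
        *)
            echo "FAIL: $cert is not a server certificate:$ns$eku" >&2; return 4 ;;
    esac
}

# Example invocation: check_tls_files /etc/postfix/smtpd.key /etc/postfix/smtpd.crt
if [ $# -eq 2 ]; then check_tls_files "$1" "$2"; fi
```

A failure in step 1 or 3 is what the loglevel-2 syslog output will also complain about; a mismatch in step 2 typically shows up only as a handshake that never completes.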
Platforms
- Development Platform:
  - OS: HP-UX 10.20
  - OS: Linux 2.x (SuSE Linux)
- Reported Success:
  - OS: Solaris 2.5 - Walcir Fontanini <walcir@densis.fee.unicamp.br>
- Test Client:
  - Software: Netscape 4.5 and/or 4.51
  - OS: HP-UX 10.20, Linux 2.x, Win95
Please don't comment on the stability of Netscape, especially not on HP-UX...
Interoperability
There is one other OpenSource package available, extending the
Qmail [QMAIL] MTA to support RFC2487, written by Frederik Vermeulen
[QMAILTLS]. Sending and receiving is working from both sides.
The author/maintainer of ZMailer, Matti Aarnio, is working to support
the server side of RFC2487 in ZMailer [ZMAILER].
Mail could be sent from a Postfix/TLS client to a ZMailer server.
So far I don't have access to other MTAs...
Known bugs
This software is just at the beginning, so please be patient. So far I
have these points:
- Under Win95/NT I have some problems with the client certificates.
  When opening the first connection (and Netscape asks for the password to
  access the certificate database), the connection hangs. This seems to be
  caused by Netscape: a dump of the communication shows that Netscape just
  does not resume the TLS handshake.
  Workaround: kill this connection, the next one will work immediately.
- Outlook Express as of Internet Explorer 5 will work with Postfix/TLS,
  but it will not present any client certificate. So you can encrypt your
  email transfer but you cannot authenticate (and relay) with client
  certificates.
- Outlook Express as of Internet Explorer 4 does not support RFC2487.