Postfix authentication to ComCast port 587
Michael O'Donnell
michael.odonnell at comcast.net
Mon Jan 19 17:46:40 EST 2009
[ this msg transmitted via ComCast's godawful WWW email tool ]

Once upon a time, ComCast invited customers to send copies of SPAM
messages (those few which managed to get past ComCast's filters)
to a particular email address, so I rigged my system to do so
because I presumed they'd use them to better train their Bayesian
recognizers, or some such. I must say, I was happy to cooperate
because their filters seemed quite effective and very little
SPAM got through. But, of course, no good deed goes unpunished;
ComCast has consequently just summarily decided that *I* am a
SPAM source and blocked all outbound traffic on port 25 (SMTP)
and decreed that I may only use port 587 (submission) which my
configured-and-working-for-at-least-10-years Exim installation
seemed incapable of coping with.

So I replaced Exim with Postfix in an attempt to get back on
the air and made considerable progress. I *think* I'm to the
point where if I can figure out WTF is going on with Certificates
and such I might be in good shape. Details shown below (errors
toward the end); any help or advice gratefully accepted, though
please be informed that I am addicted to my local MH setup and
very much want to get this working, so recommendations like
"just give up and use Gmail" aren't really what I'm after... >-/

#################################
# The "stock" contents of my /etc/postfix/main.cf after the config script
# had finished setting up Postfix to route outbound messages via ComCast's
# server as a "smarthost" on the SMTP port 25:
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
myhostname = e521
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
# I then added these, intending to cause Postfix to act as an SMTP
# client of ComCast's server, using the "submission" port 587 :
relayhost = [smtp.comcast.net]:submission
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# ...and I made sure that the referenced file /etc/postfix/sasl_passwd
# has a single line, thus:
[smtp.comcast.net]:submission michael.odonnell:myPasswordHere
# When I run 'dpkg -l' on my very recent Debian box and grep for (what
# I imagine to be) items relevant to this problem I see this:
ii libssl0.9.8 0.9.8g-14 SSL shared libraries
ii openssl 0.9.8g-14 Secure Socket Layer (SSL) binary and related cryptographic tools
ii openssl-blacklist 0.4.2 list of blacklisted OpenSSL RSA keys
ii ssl-cert 1.0.23 simple debconf wrapper for OpenSSL
ii postfix 2.5.5-1.1 High-performance mail transport agent
# When I run 'ldd /usr/sbin/postfix' I see this:
linux-gate.so.1 => (0xffffe000)
libpostfix-global.so.1 => /usr/lib/libpostfix-global.so.1 (0xb7ee5000)
libpostfix-util.so.1 => /usr/lib/libpostfix-util.so.1 (0xb7eb8000)
libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7e71000)
libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7d1e000)
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7d07000)
libdb-4.6.so => /usr/lib/libdb-4.6.so (0xb7bd4000)
libnsl.so.1 => /lib/i686/cmov/libnsl.so.1 (0xb7bbb000)
libresolv.so.2 => /lib/i686/cmov/libresolv.so.2 (0xb7ba7000)
libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7a4b000)
libdl.so.2 => /lib/i686/cmov/libdl.so.2 (0xb7a47000)
libz.so.1 => /usr/lib/libz.so.1 (0xb7a32000)
libpthread.so.0 => /lib/i686/cmov/libpthread.so.0 (0xb7a19000)
/lib/ld-linux.so.2 (0xb7f2a000)
# I can grab my mail via fetchmail at will from the specified server,
# but when I try to transmit email thus:
x=HiMom ; echo $x | mailx -s$x michael.odonnell at comcast.net
# ...the message never arrives. I see this in /var/log/syslog:
postfix/pickup[11811]: 3C4A1918124: uid=1570 from=<mod>
postfix/cleanup[11989]: 3C4A1918124: message-id=<20090119215456.3C4A1918124 at e521>
postfix/qmgr[2137]: 3C4A1918124: from=<mod at e521>, size=298, nrcpt=1 (queue active)
postfix/smtp[11991]: certificate verification failed for smtp.comcast.net[76.96.62.117]:587: untrusted issuer /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
postfix/smtp[11991]: 3C4A1918124: to=<michael.odonnell at comcast.net>, relay=smtp.comcast.net[76.96.62.117]:587, delay=0.39, delays=0.01/0.02/0.33/0.04, dsn=5.1.0, status=bounced (host smtp.comcast.net[76.96.62.117] said: 550 5.1.0 <mod at e521> sender rejected : invalid sender domain (in reply to MAIL FROM command))
postfix/cleanup[11989]: 9CD3E91812D: message-id=<20090119215456.9CD3E91812D at e521>
postfix/qmgr[2137]: 9CD3E91812D: from=<>, size=2065, nrcpt=1 (queue active)
postfix/bounce[11992]: 3C4A1918124: sender non-delivery notification: 9CD3E91812D
postfix/qmgr[2137]: 3C4A1918124: removed
postfix/smtp[11991]: certificate verification failed for smtp.comcast.net[76.96.62.117]:587: untrusted issuer /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
postfix/smtp[11991]: 9CD3E91812D: to=<mod at e521>, relay=smtp.comcast.net[76.96.62.117]:587, delay=0.39, delays=0/0/0.34/0.05, dsn=5.1.1, status=bounced (host smtp.comcast.net[76.96.62.117] said: 550 5.1.1 <mod at e521> recipient invalid domain (in reply to RCPT TO command))
postfix/qmgr[2137]: 9CD3E91812D: removed
# If I watch the transaction using WireShark it appears that all
# is going well - the initial conversation takes place, I see the
# STARTTLS phase, then a fair amount of encrypted gobbledygook,
# and then it craps out, restarts the whole session, craps out
# the same way again and then terminates.
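
An added example, not part of the original post: a small Python triage of the `postfix/smtp` lines from the syslog excerpt above. It pairs each delivery record with the certificate warning the same process logged just before it, and extracts the SMTP reply code and the command that reply answered. The function name `triage` and the record field names are this example's own.

```python
import re

# Four postfix/smtp lines copied from the syslog excerpt in the post above.
SAMPLE_LOG = """\
postfix/smtp[11991]: certificate verification failed for smtp.comcast.net[76.96.62.117]:587: untrusted issuer /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
postfix/smtp[11991]: 3C4A1918124: to=<michael.odonnell at comcast.net>, relay=smtp.comcast.net[76.96.62.117]:587, delay=0.39, delays=0.01/0.02/0.33/0.04, dsn=5.1.0, status=bounced (host smtp.comcast.net[76.96.62.117] said: 550 5.1.0 <mod at e521> sender rejected : invalid sender domain (in reply to MAIL FROM command))
postfix/smtp[11991]: certificate verification failed for smtp.comcast.net[76.96.62.117]:587: untrusted issuer /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
postfix/smtp[11991]: 9CD3E91812D: to=<mod at e521>, relay=smtp.comcast.net[76.96.62.117]:587, delay=0.39, delays=0/0/0.34/0.05, dsn=5.1.1, status=bounced (host smtp.comcast.net[76.96.62.117] said: 550 5.1.1 <mod at e521> recipient invalid domain (in reply to RCPT TO command))
"""

TLS_RE = re.compile(r"postfix/smtp\[(?P<pid>\d+)\]: certificate verification failed "
                    r"for (?P<peer>\S+): (?P<reason>.+)$")
DELIVERY_RE = re.compile(r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, "
                         r"relay=(?P<relay>[^,]+), .*?dsn=(?P<dsn>[\d.]+), "
                         r"status=(?P<status>\w+) \((?P<detail>.*)\)$")
REPLY_RE = re.compile(r"said: (?P<code>\d{3}) .*\(in reply to (?P<stage>[A-Z ]+?) command\)")


def triage(log_text):
    """Return one record per delivery attempt, noting any TLS warning the
    same smtp(8) process logged for the same peer just before it."""
    pending_tls = {}   # (pid, peer) -> verification failure reason
    records = []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            pending_tls[(m["pid"], m["peer"])] = m["reason"]
            continue
        m = DELIVERY_RE.search(line)
        if not m:
            continue
        reply = REPLY_RE.search(m["detail"])
        records.append({
            "qid": m["qid"], "dsn": m["dsn"], "status": m["status"],
            "tls_warning": pending_tls.pop((m["pid"], m["relay"]), None),
            # A server reply means the SMTP dialogue went on after TLS setup.
            "reply_code": reply["code"] if reply else None,
            "rejected_at": reply["stage"] if reply else None,
        })
    return records


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec)
```

On these lines both bounces carry a 550 reply, one issued at MAIL FROM and one at RCPT TO, so in each case the SMTP dialogue continued after the certificate warning was logged.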