Having just finished setting up TLS and SASL to secure access to my Postfix server, I realized that it only worked from inside my network.
What I got from my LAN:

    $ telnet mars 25
    Trying 192.168.222.10...
    Connected to phocean.net.
    Escape character is '^]'.
    220 phocean.net ESMTP Postfix (Debian/GNU)
    ehlo phocean.net
    250-phocean.net
    250-PIPELINING
    250-SIZE 200000000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH NTLM DIGEST-MD5 CRAM-MD5
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
It shows that STARTTLS is offered, so the TLS handshake can be initiated.
But from the outside, I just got this weird thing:

    $ telnet phocean.net 25
    Trying 81.64.194.119...
    Connected to phocean.net.
    Escape character is '^]'.
    220 **********************************************
    ehlo phocean.net
    502 5.5.2 Error: command not recognized

Of course, the firewall, a Cisco PIX, was properly set to redirect port 25 UDP/TCP to my server.
Still, I soon focused my effort on this device. For a while I considered that the cause could be some filtering by my provider, but most probably the problem came from the PIX.
That was not difficult to figure out: it had a protocol inspector activated for SMTP:

    $ sh ru
    [...]
    fixup protocol smtp 25
    [...]

Just after:

    no fixup protocol smtp 25

... it started to work perfectly well!!!
The SMTP inspection engine did not recognize the TLS handshake, considered the SMTP session invalid and therefore blocked it!
I can deactivate it without any fear, as my Postfix server is already pretty well secured, or at least configured to reject any weird SMTP dialogue.
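As an added example (not code from the post or from Postfix), here is a small Python checker for exactly the symptom above: it parses the server side of a greeting + EHLO exchange and reports whether the banner was masked, whether EHLO was accepted and whether STARTTLS was advertised. The two sample dialogues are constructed from the sessions shown in the post; the host name `probe.example` and the `capture_dialogue` helper for a live check are assumptions of mine.

```python
import re
import socket
import sys

# Constructed sample: the dialogue seen from the LAN (healthy Postfix).
LAN_SESSION = [
    "220 phocean.net ESMTP Postfix (Debian/GNU)",
    "ehlo phocean.net",  # client input, skipped by the parser
    "250-phocean.net", "250-PIPELINING", "250-SIZE 200000000", "250-VRFY",
    "250-ETRN", "250-STARTTLS", "250-AUTH NTLM DIGEST-MD5 CRAM-MD5",
    "250-ENHANCEDSTATUSCODES", "250-8BITMIME", "250 DSN",
]

# Constructed sample: the dialogue seen from the Internet through the PIX fixup.
WAN_SESSION = [
    "220 **********************************************",
    "ehlo phocean.net",
    "502 5.5.2 Error: command not recognized",
]

REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_replies(lines):
    """Group raw lines into (code, [text, ...]) replies.

    'NNN-text' is a continuation line, 'NNN text' closes the reply.
    Lines that are not SMTP replies (client input, telnet chatter) are skipped.
    """
    replies, current = [], None
    for line in lines:
        m = REPLY_RE.match(line)
        if not m:
            continue
        code, sep, text = m.groups()
        if current is None:
            current = (code, [])
        current[1].append(text)
        if sep == " ":
            replies.append(current)
            current = None
    return replies


def diagnose(lines):
    """Return what a client learns from the greeting and the EHLO reply."""
    replies = parse_replies(lines)
    result = {"banner_masked": False, "ehlo_ok": False, "starttls": False,
              "auth": [], "verdict": ""}
    if not replies:
        result["verdict"] = "no SMTP replies seen"
        return result
    banner_code, banner_text = replies[0]
    # A 220 greeting made only of asterisks is the signature of an SMTP
    # inspection engine rewriting the banner, as in the post's WAN session.
    if banner_code == "220" and re.fullmatch(r"\*+", banner_text[0].strip()):
        result["banner_masked"] = True
    for code, text in replies[1:]:
        if code == "250":
            result["ehlo_ok"] = True
            for item in text:
                if item.upper().startswith("STARTTLS"):
                    result["starttls"] = True
                elif item.upper().startswith("AUTH "):
                    result["auth"] = item.split()[1:]  # mechanisms offered before TLS
    if result["banner_masked"] and not result["ehlo_ok"]:
        result["verdict"] = ("EHLO rejected behind a masked banner: an SMTP "
                             "inspection engine (firewall fixup) is likely filtering")
    elif not result["ehlo_ok"]:
        result["verdict"] = "EHLO not accepted"
    elif not result["starttls"]:
        result["verdict"] = "EHLO accepted but STARTTLS not advertised"
    else:
        result["verdict"] = "STARTTLS advertised; session looks normal"
    return result


def read_reply(sockfile):
    """Read one (possibly multi-line) SMTP reply from a binary socket file."""
    out = []
    while True:
        raw = sockfile.readline()
        if not raw:
            break
        line = raw.decode("latin-1").rstrip("\r\n")
        out.append(line)
        if len(line) < 4 or line[3] == " ":
            break
    return out


def capture_dialogue(host, port=25, helo="probe.example", timeout=10):
    """Live capture (needs network): greeting, EHLO reply, then a polite QUIT."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rwb", buffering=0)
        lines = read_reply(f)
        f.write(f"EHLO {helo}\r\n".encode("ascii"))
        lines += read_reply(f)
        f.write(b"QUIT\r\n")
    return lines


if __name__ == "__main__":
    # With a host argument, probe it live; otherwise analyse the constructed WAN sample.
    lines = capture_dialogue(sys.argv[1]) if len(sys.argv) > 1 else WAN_SESSION
    for key, value in diagnose(lines).items():
        print(f"{key}: {value}")
```

Run from both the LAN and the Internet and compare the two verdicts: a masked banner plus a `502` on EHLO points at an inspection device in the path rather than at Postfix. One caveat the LAN output also reveals: `AUTH` is advertised in the plaintext EHLO reply, before STARTTLS. If you want to be sure clients never send SASL credentials in the clear, Postfix's `smtpd_tls_auth_only = yes` hides `AUTH` until the TLS session is established.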