SSL – Postfix, TLS and StartSSL certificates

Tags: certificate-authority, postfix, smtp, ssl, tls

I recently changed my postfix installation to use TLS with a certificate issued by StartSSL. I then ran SMTP and TLS checks with no errors or warnings. Everything seemed to work fine.

My problem now is that receiving mail doesn't seem to work in every case. There seem to be mail servers I cannot receive mail from, for example Amazon or Blizzard.
In Amazon's case my postfix log has this to say:

Jan 16 13:57:51 myhost postfix/smtpd[31551]: connect from mm-notify-out-127-214.amazon.com[176.32.127.214]
Jan 16 13:57:51 myhost postfix/smtpd[31551]: lost connection after EHLO from mm-notify-out-127-214.amazon.com[176.32.127.214]
Jan 16 13:57:51 myhost postfix/smtpd[31551]: disconnect from mm-notify-out-127-214.amazon.com[176.32.127.214]

When receiving mails from Blizzard the log looks the same, except that the "lost connection" line is missing.

I suspect that the StartSSL certificate may not be trusted by these two (and possibly more) companies and that I have to buy a certificate from a large, "trustworthy" CA.

Can anyone tell if my suspicion is correct or if there are any mistakes I could've made in my postfix configuration?

Thanks a lot in advance for any help.

Edit:
This is my output from a telnet session:

telnet host 587
Trying ip...
Connected to host.
Escape character is '^]'.
220 host ESMTP Postfix (Debian/GNU)
ehlo host
250-host
250-PIPELINING
250-SIZE 134217728
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Edit:
Postfix log with debug_peer_list enabled:

Jan 16 16:52:21 myhost postfix/smtpd[5712]: initializing the server-side TLS engine
Jan 16 16:52:21 myhost postfix/tlsmgr[5714]: open smtpd TLS cache btree:/var/lib/postfix/smtpd_scache
Jan 16 16:52:21 myhost postfix/tlsmgr[5714]: tlsmgr_cache_run_event: start TLS smtpd session cache cleanup
Jan 16 16:52:21 myhost postfix/smtpd[5712]: connect from smtp-out-127-108.amazon.com[176.32.127.108]
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_hostname: smtp-out-127-108.amazon.com ~? 127.0.0.0/8
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_hostaddr: 176.32.127.108 ~? 127.0.0.0/8
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_hostname: smtp-out-127-108.amazon.com ~? [::ffff:127.0.0.0]/104
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_hostaddr: 176.32.127.108 ~? [::ffff:127.0.0.0]/104
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_hostname: smtp-out-127-108.amazon.com ~? [::1]/128
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_hostaddr: 176.32.127.108 ~? [::1]/128
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_list_match: smtp-out-127-108.amazon.com: no match
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_list_match: 176.32.127.108: no match
Jan 16 16:52:21 myhost postfix/smtpd[5712]: auto_clnt_open: connected to private/anvil
Jan 16 16:52:21 myhost postfix/smtpd[5712]: send attr request = connect
Jan 16 16:52:21 myhost postfix/smtpd[5712]: send attr ident = smtp:176.32.127.108
Jan 16 16:52:21 myhost postfix/smtpd[5712]: private/anvil: wanted attribute: status
Jan 16 16:52:21 myhost postfix/smtpd[5712]: input attribute name: status
Jan 16 16:52:21 myhost postfix/smtpd[5712]: input attribute value: 0
Jan 16 16:52:21 myhost postfix/smtpd[5712]: private/anvil: wanted attribute: count
Jan 16 16:52:21 myhost postfix/smtpd[5712]: input attribute name: count
Jan 16 16:52:21 myhost postfix/smtpd[5712]: input attribute value: 1
Jan 16 16:52:21 myhost postfix/smtpd[5712]: private/anvil: wanted attribute: rate
Jan 16 16:52:21 myhost postfix/smtpd[5712]: input attribute name: rate
Jan 16 16:52:21 myhost postfix/smtpd[5712]: input attribute value: 1
Jan 16 16:52:21 myhost postfix/smtpd[5712]: private/anvil: wanted attribute: (list terminator)
Jan 16 16:52:21 myhost postfix/smtpd[5712]: input attribute name: (end)
Jan 16 16:52:21 myhost postfix/smtpd[5712]: > smtp-out-127-108.amazon.com[176.32.127.108]: 220 mail.myhost ESMTP Postfix (Debian/GNU)
Jan 16 16:52:21 myhost postfix/smtpd[5712]: watchdog_pat: 0x7fa2f92c07b0
Jan 16 16:52:21 myhost postfix/smtpd[5712]: < smtp-out-127-108.amazon.com[176.32.127.108]: EHLO smtp-out-127-108.amazon.com
Jan 16 16:52:21 myhost postfix/smtpd[5712]: > smtp-out-127-108.amazon.com[176.32.127.108]: 250-mail.myhost
Jan 16 16:52:21 myhost postfix/smtpd[5712]: > smtp-out-127-108.amazon.com[176.32.127.108]: 250-PIPELINING
Jan 16 16:52:21 myhost postfix/smtpd[5712]: > smtp-out-127-108.amazon.com[176.32.127.108]: 250-SIZE 134217728
Jan 16 16:52:21 myhost postfix/smtpd[5712]: > smtp-out-127-108.amazon.com[176.32.127.108]: 250-VRFY
Jan 16 16:52:21 myhost postfix/smtpd[5712]: > smtp-out-127-108.amazon.com[176.32.127.108]: 250-ETRN
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_list_match: smtp-out-127-108.amazon.com: no match
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_list_match: 176.32.127.108: no match
Jan 16 16:52:21 myhost postfix/smtpd[5712]: > smtp-out-127-108.amazon.com[176.32.127.108]: 250-STARTTLS
Jan 16 16:52:21 myhost postfix/smtpd[5712]: > smtp-out-127-108.amazon.com[176.32.127.108]: 250-ENHANCEDSTATUSCODES
Jan 16 16:52:21 myhost postfix/smtpd[5712]: > smtp-out-127-108.amazon.com[176.32.127.108]: 250-8BITMIME
Jan 16 16:52:21 myhost postfix/smtpd[5712]: > smtp-out-127-108.amazon.com[176.32.127.108]: 250 DSN
Jan 16 16:52:21 myhost postfix/smtpd[5712]: watchdog_pat: 0x7fa2f92c07b0
Jan 16 16:52:21 myhost postfix/smtpd[5712]: < smtp-out-127-108.amazon.com[176.32.127.108]: MAIL FROM:<20140116155221ae18abe030864bbfaaa9b8af73986be6@bounces.amazon.de> SIZE=27930
Jan 16 16:52:21 myhost postfix/smtpd[5712]: > smtp-out-127-108.amazon.com[176.32.127.108]: 530 5.7.0 Must issue a STARTTLS command first
Jan 16 16:52:21 myhost postfix/smtpd[5712]: watchdog_pat: 0x7fa2f92c07b0
Jan 16 16:52:21 myhost postfix/smtpd[5712]: < smtp-out-127-108.amazon.com[176.32.127.108]: RSET
Jan 16 16:52:21 myhost postfix/smtpd[5712]: > smtp-out-127-108.amazon.com[176.32.127.108]: 530 5.7.0 Must issue a STARTTLS command first
Jan 16 16:52:21 myhost postfix/smtpd[5712]: watchdog_pat: 0x7fa2f92c07b0
Jan 16 16:52:21 myhost postfix/smtpd[5712]: smtp_get: EOF
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_hostname: smtp-out-127-108.amazon.com ~? 127.0.0.0/8
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_hostaddr: 176.32.127.108 ~? 127.0.0.0/8
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_hostname: smtp-out-127-108.amazon.com ~? [::ffff:127.0.0.0]/104
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_hostaddr: 176.32.127.108 ~? [::ffff:127.0.0.0]/104
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_hostname: smtp-out-127-108.amazon.com ~? [::1]/128
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_hostaddr: 176.32.127.108 ~? [::1]/128
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_list_match: smtp-out-127-108.amazon.com: no match
Jan 16 16:52:21 myhost postfix/smtpd[5712]: match_list_match: 176.32.127.108: no match
Jan 16 16:52:21 myhost postfix/smtpd[5712]: send attr request = disconnect
Jan 16 16:52:21 myhost postfix/smtpd[5712]: send attr ident = smtp:176.32.127.108
Jan 16 16:52:21 myhost postfix/smtpd[5712]: private/anvil: wanted attribute: status
Jan 16 16:52:21 myhost postfix/smtpd[5712]: input attribute name: status
Jan 16 16:52:21 myhost postfix/smtpd[5712]: input attribute value: 0
Jan 16 16:52:21 myhost postfix/smtpd[5712]: private/anvil: wanted attribute: (list terminator)
Jan 16 16:52:21 myhost postfix/smtpd[5712]: input attribute name: (end)
Jan 16 16:52:21 myhost postfix/smtpd[5712]: lost connection after EHLO from smtp-out-127-108.amazon.com[176.32.127.108]
Jan 16 16:52:21 myhost postfix/smtpd[5712]: disconnect from smtp-out-127-108.amazon.com[176.32.127.108]

Best Answer

As your logging shows, you are offering STARTTLS, and as you have specified smtp_tls_security_level=encrypt, your server will not accept unencrypted mail connections.

This is confirmed by the postfix manual:

At the "encrypt" TLS security level, messages are sent only over TLS encrypted sessions. The SMTP transaction is aborted unless the STARTTLS ESMTP feature is supported by the remote SMTP server.
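The debug log above shows the server side of exactly this: Amazon's relay sends MAIL FROM without STARTTLS and gets "530 5.7.0 Must issue a STARTTLS command first", then hangs up. On the receiving (smtpd) side the parameter that produces that behaviour is smtpd_tls_security_level; "encrypt" there is the wrong choice for the public port-25 MX, because RFC 3207 forbids a publicly referenced SMTP server from requiring STARTTLS and many senders simply will not deliver to one that does. The script below is an added example, not code from the thread or from the Postfix project: it audits a main.cf and master.cf pair for that mistake, showing the "before" configuration beside the corrected one (opportunistic TLS on port 25, mandatory TLS only on the submission service via a master.cf override). All file contents, hostnames and paths in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original thread: audit a Postfix main.cf /
# master.cf pair for the mistake diagnosed above, i.e. forcing TLS on the
# public port-25 smtpd. RFC 3207 says a publicly referenced SMTP server MUST
# NOT require STARTTLS, so "encrypt" there breaks inbound mail from any sender
# that does not negotiate TLS. "encrypt" belongs on the submission service
# (port 587) as a master.cf "-o" override. All files below are constructed.
set -eu

# Effective value of a main.cf parameter: last assignment wins, as in postconf.
maincf_get() {   # $1 = main.cf, $2 = parameter name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\)$/\1/p" "$1" | tail -n 1
}

# Effective smtpd_tls_security_level for one inet service in master.cf:
# a "-o smtpd_tls_security_level=..." on the service's continuation lines
# overrides main.cf; otherwise main.cf applies (empty means TLS is off).
service_tls_level() {   # $1 = master.cf, $2 = main.cf, $3 = service name
    override=$(awk -v svc="$3" '
        /^[^ \t#]/ { inside = ($1 == svc && $2 == "inet") }
        inside && match($0, /smtpd_tls_security_level=[a-z]+/) {
            print substr($0, RSTART + 25, RLENGTH - 25)
        }' "$1" | tail -n 1)
    if [ -n "$override" ]; then
        printf '%s\n' "$override"
    else
        maincf_get "$2" smtpd_tls_security_level
    fi
}

# Returns 0 when the port-25 "smtp" service offers TLS opportunistically (or
# not at all), 1 when it would answer MAIL FROM with "530 ... STARTTLS first".
audit_mx() {   # $1 = master.cf, $2 = main.cf
    level=$(service_tls_level "$1" "$2" smtp)
    case "$level" in
        encrypt) echo "BAD: port-25 smtpd enforces smtpd_tls_security_level=encrypt"; return 1 ;;
        *)       echo "OK: port-25 smtpd uses smtpd_tls_security_level=${level:-none}"; return 0 ;;
    esac
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# "Before" (constructed): mandatory TLS applied globally in main.cf.
cat > "$workdir/main.cf.before" <<'EOF'
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.org.pem
smtpd_tls_key_file = /etc/ssl/private/mail.example.org.key
smtpd_tls_security_level = encrypt
EOF

# "After" (constructed): opportunistic TLS on port 25; submission overrides it.
cat > "$workdir/main.cf.after" <<'EOF'
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.org.pem
smtpd_tls_key_file = /etc/ssl/private/mail.example.org.key
smtpd_tls_security_level = may
EOF

# master.cf (constructed): port 25 inherits main.cf, port 587 requires TLS.
cat > "$workdir/master.cf" <<'EOF'
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n       -       y       -       -       smtpd
submission inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
EOF

audit_mx "$workdir/master.cf" "$workdir/main.cf.before" || true   # BAD
audit_mx "$workdir/master.cf" "$workdir/main.cf.after"            # OK
echo "submission: $(service_tls_level "$workdir/master.cf" "$workdir/main.cf.after" submission)"  # encrypt
```

On a real host the same two values can be read with `postconf -n smtpd_tls_security_level` and (Postfix 2.11 or later) `postconf -M submission/inet`; after changing main.cf, `openssl s_client -starttls smtp -connect mail.example.org:25` confirms that STARTTLS is still offered on port 25 even though it is no longer mandatory. Switching port 25 to "may" does not weaken what the submission service accepts, since the master.cf override keeps "encrypt" there.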