Postfix configuration issue with fips on centos 7; mailgun relay

I am trying to set up Postfix to relay all mail generated on the local machine via SMTP to a Mailgun relay. I have used the Mailgun relay before with success on an Ubuntu server, but I am migrating to a CentOS 7 server which I will be running in FIPS mode. The error log is below, slightly sanitized. I have a small enough network that I chose to have each machine reach out to Mailgun individually (hence the loopback-only and 127.0.0.0/8 restrictions), and no firewall port is open to allow SMTP in to the machine.



I assume the FIPS mode (and with it disabling of MD5) is causing problems, but I don't know how to overcome it or if it is even possible for tls_fprint to use some supported hash such as sha256 or sha512. However, the relay=none is slightly concerning since I have relayhost set, but perhaps that is because the smtp process is failing?



Any help would be appreciated!



postconf -n:



alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = loopback-only
inet_protocols = ipv4
local_recipient_maps =
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination =
mynetworks = 127.0.0.0/8
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
relayhost = [smtp.mailgun.org]:587
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sender_canonical_classes = envelope_sender, header_sender
sender_canonical_maps = regexp:/etc/postfix/sender_canonical_maps
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_generic_maps = hash:/etc/postfix/generic
smtp_header_checks = regexp:/etc/postfix/header_check
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_mandatory_ciphers = high
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = encrypt
smtpd_tls_security_level = encrypt
unknown_local_recipient_reject_code = 550


/var/log/maillog:



Apr 28 20:04:15 HOSTNAME postfix/pickup[85556]: SOME_ID_NUMBER: uid=0 from=<root>
Apr 28 20:04:15 HOSTNAME postfix/cleanup[85583]: SOME_ID_NUMBER: message-id=<20180429000415.SOME_ID_NUMBER@FQDN>
Apr 28 20:04:15 HOSTNAME postfix/qmgr[85557]: SOME_ID_NUMBER: from=<root@FQDN>, size=2261, nrcpt=1 (queue active)
Apr 28 20:04:16 HOSTNAME postfix/smtp[85585]: fatal: tls_fprint: error computing md5 message digest
Apr 28 20:04:17 HOSTNAME postfix/qmgr[85557]: warning: private/smtp socket: malformed response
Apr 28 20:04:17 HOSTNAME postfix/qmgr[85557]: warning: transport smtp failure -- see a previous warning/fatal/panic logfile record for the problem description
Apr 28 20:04:17 HOSTNAME postfix/master[85555]: warning: process /usr/libexec/postfix/smtp pid 85585 exit status 1
Apr 28 20:04:17 HOSTNAME postfix/master[85555]: warning: /usr/libexec/postfix/smtp: bad command startup -- throttling
Apr 28 20:04:17 HOSTNAME postfix/error[85587]: SOME_ID_NUMBER: to=<MY@EMAIL.com>, relay=none, delay=1.7, delays=0.05/1.6/0/0.02, dsn=4.3.0, status=deferred (unknown mail transport error)






asked Apr 29 at 1:00 by George (11)




















2 Answers






If you only want to configure a relay host, then you have to change the default entry of /etc/postfix/postfix.conf to the desired relay host.
I hope this link will be helpful for you:

https://serverfault.com/questions/878841/cant-relay-on-postfix-accessing-it-from-external-ip







answered Apr 29 at 1:30, edited Apr 29 at 1:41, by dx.hmnt (318)






















After many more hours of trying to figure it out, including turning up debug on the smtp and tlsmgr processes in master.cf, I was able to determine that FIPS disabling md5 was indeed the issue. Adding the following to master.cf fixed the issue:

smtp_tls_fingerprint_digest=sha256

Setting it to sha1 and sha512 also worked. Note that the Postfix documentation warns about setting it to anything other than sha1 or md5 (md5 being the default). From the documentation:

While additional digest algorithms are often available with OpenSSL's libcrypto, only those used by libssl in SSL cipher suites are available to Postfix. For now this means just md5 or sha1.

However, for my needs sha256 seems to be working just fine.







answered Apr 29 at 13:35 by George (11), accepted answer
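An added example, not part of George's answer and not Postfix's own tooling: a small POSIX shell audit that reproduces the diagnosis above on constructed input. It reads a main.cf-style file, reports whether the log shows the smtp(8) client dying in tls_fprint, and prints the postconf -e commands that move every fingerprint digest off md5. The reason the fatal appears even though the poster uses smtp_tls_security_level = encrypt rather than fingerprint is that this Postfix version computes the peer certificate fingerprint for logging whenever a server certificate is presented, using the digest named by smtp_tls_fingerprint_digest, whose built-in default is md5. The example also covers smtpd_tls_fingerprint_digest, which the thread does not mention; it has the same md5 default and would fail the same way for any client that presents a certificate to the local smtpd. The FIPS_OVERRIDE variable is an invention of this example so the check can be exercised on a non-FIPS host; the sample main.cf and maillog are constructed, not the poster's files.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Postfix main.cf for the
# FIPS-mode MD5 fingerprint problem and print the postconf commands to fix it.
# FIPS_OVERRIDE is a made-up variable for exercising the check on a non-FIPS
# host; the sample main.cf and maillog in demo() are constructed input.

# Print the effective value of a main.cf parameter: the last assignment in the
# file, or the supplied default when the file never sets it.
# Postfix 2.10 defaults both smtp_tls_fingerprint_digest and
# smtpd_tls_fingerprint_digest to md5, which is what FIPS mode refuses.
effective_param() {
    val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# True when the kernel reports FIPS mode (FIPS_OVERRIDE=1 forces it for tests).
fips_enabled() {
    if [ -n "${FIPS_OVERRIDE:-}" ]; then
        state=$FIPS_OVERRIDE
    else
        state=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo 0)
    fi
    [ "$state" = 1 ]
}

# True when the mail log shows smtp(8) aborting on the MD5 certificate digest.
log_shows_md5_fatal() {
    grep -q 'tls_fprint: error computing md5' "$1"
}

# Print one "postconf -e" command per fingerprint digest that is still md5
# (explicitly or by default); prints nothing when the configuration is clean.
fix_commands() {
    for p in smtp_tls_fingerprint_digest smtpd_tls_fingerprint_digest; do
        case "$(effective_param "$1" "$p" md5)" in
            md5) printf "postconf -e '%s = sha256'\n" "$p" ;;
        esac
    done
}

# Demo on constructed input mirroring the poster's situation: relay and
# mandatory TLS configured, no fingerprint digest set, FIPS mode on.
demo() {
    d=${TMPDIR:-/tmp}/postfix_fips_demo.$$
    mkdir -p "$d"
    cat >"$d/main.cf" <<'EOF'
relayhost = [smtp.mailgun.org]:587
smtp_tls_security_level = encrypt
smtpd_tls_security_level = encrypt
smtp_tls_mandatory_ciphers = high
EOF
    cat >"$d/maillog" <<'EOF'
Apr 28 20:04:16 HOSTNAME postfix/smtp[85585]: fatal: tls_fprint: error computing md5 message digest
Apr 28 20:04:17 HOSTNAME postfix/master[85555]: warning: /usr/libexec/postfix/smtp: bad command startup -- throttling
EOF
    if log_shows_md5_fatal "$d/maillog"; then
        echo "maillog: smtp(8) aborts while computing an MD5 certificate fingerprint"
    fi
    if FIPS_OVERRIDE=1 fips_enabled; then
        echo "kernel: FIPS mode on, so OpenSSL will not compute MD5"
    fi
    echo "apply as root, then run 'postfix reload':"
    fix_commands "$d/main.cf"
    rm -rf "$d"
}
demo
```

On the real host, postconf -d smtp_tls_fingerprint_digest shows the compiled-in default and postconf -n shows what main.cf overrides; the master.cf equivalent of the fix is -o smtp_tls_fingerprint_digest=sha256 on the smtp transport entry. After postfix reload, send another test message and confirm the tls_fprint fatal and the "bad command startup -- throttling" warning no longer appear, since master(8) keeps throttling the transport until the client process starts cleanly.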






















                               
