Postfix does not use TLS in outside emails.


Josep M.-5
Hello.

I have Postfix with TLS, and in the logs everything is OK when mail comes in, but
when Postfix sends emails to another server it does not use TLS, or at least
it is not recorded in the log files.

This is part of my master.cf


#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================

smtp      inet  n       -       -       -       -       smtpd
    -o smtpd_enforce_tls=yes
    -o smtpd_sasl_auth_enable=yes
submission inet n       -       -       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
tlsmgr    unix  -       -       -       1000?   1       tlsmgr


And this is my postconf -n output:



debianet:/etc/postfix# postconf -n
address_verify_sender = [hidden email]
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
delay_notice_recipient = postmaster
delay_warning_time = 12h
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 5120000000
message_size_limit = 102400000
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = navegants.net localhost.navegants.net
mydomain = navegants.net
myhostname = 140.Red-80-25-20.staticIP.rima-tde.net
mynetworks = hash:/etc/postfix/network_table
mynetworks_style = class
myorigin = navegants.net
notify_classes = resource, software, 2bounce, delay, protocol, policy, bounce
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relayhost =
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noplaintext,noanonymous,nodictionary,noactive
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2
smtp_tls_session_cache_database = btree:${queue_directory}/cache/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination,
    reject_unauth_pipelining,
    check_recipient_access hash:/etc/postfix/recipient_checks,
    check_helo_access pcre:/etc/postfix/helo_checks,
    check_helo_access hash:/etc/postfix/access_helo
    check_sender_access hash:/etc/postfix/sender_checks.domain,
    check_sender_access hash:/etc/postfix/sender_checks.email,
    check_client_access hash:/etc/postfix/client_checks,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_non_fqdn_recipient,
    reject_multi_recipient_bounce,
    reject_unlisted_recipient,
    reject_unverified_recipient,
    permit_sasl_authenticated,
    check_policy_service unix:private/policy,
    check_sender_access hash:/etc/postfix/verify_domain,
    check_recipient_access hash:/etc/postfix/verify_user,
    warn_if_reject reject_unknown_sender_domain,
    warn_if_reject reject_non_fqdn_recipient,
    warn_if_reject reject_non_fqdn_sender,
    permit
smtpd_restriction_classes = verify_domain, verify_user, verify_user_testing
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/ssl/private/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/certs/smtpd.crt
smtpd_tls_dh1024_param_file = /etc/postfix/dh/keys/dh_1024.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh/keys/dh_512.pem
smtpd_tls_key_file = /etc/postfix/ssl/certs/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${queue_directory}/cache/smtpd_scache
tls_random_bytes = 32
tls_random_exchange_name = ${queue_directory}/cache/prng_exch
tls_random_prng_update_period = 3600s
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
virtual_alias_domains = $virtual_alias_maps
virtual_alias_maps = hash:/etc/postfix/virtual
debianet:/etc/postfix#



Any help will be appreciated.

Josep

Re: Postfix does not use TLS in outside emails.

Arne Hoffmann-2
Josep M. wrote:
> I have Postfix with TLS and in the logs when enter mail all is ok, but
> when Postfix send emails to another server, do not use TLS, or at least
> is not registered in log files.

You are missing a smtp_use_tls = yes in your main.cf.


> # ==========================================================================
> # service type  private unpriv  chroot  wakeup  maxproc command + args
> #               (yes)   (yes)   (yes)   (never) (100)
> # ==========================================================================
>
> smtp      inet  n       -       -       -       -       smtpd
>    -o smtpd_enforce_tls=yes
>    -o smtpd_sasl_auth_enable=yes

This is not a good idea.

,----[ postconf(5) ]
| smtpd_enforce_tls (default: no)
|    Mandatory  TLS:  announce STARTTLS support to SMTP clients, and require
|    that clients use TLS encryption.  According to RFC 2487 this MUST NOT be
|    applied in case of a publicly-referenced SMTP server.  This option is off
|    by default and should be used only on dedicated servers.
`----
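As an added example (not code from the thread or from the Postfix project), a small POSIX shell audit that checks a postconf -n dump and a master.cf for the two points Arne raises: no outbound (smtp client) TLS configured at all, and smtpd_enforce_tls=yes on the public port-25 smtp service. The sample input is constructed to mirror the poster's configuration; smtp_tls_security_level = may is the current form of the legacy smtp_use_tls = yes.

```shell
# Added example (not from the thread): audit a "postconf -n" dump and master.cf
# for the two points in the reply above: outbound TLS not enabled at all, and
# smtpd_enforce_tls=yes on the public port-25 "smtp" service.

# 0 if client-side TLS is on in the postconf -n dump ($1): the modern knob is
# smtp_tls_security_level; smtp_use_tls / smtp_enforce_tls are the legacy ones.
outbound_tls_enabled() {
  grep -Eq '^smtp_tls_security_level *= *(may|encrypt|dane|verify|secure|fingerprint)' "$1" ||
  grep -Eq '^smtp_(use|enforce)_tls *= *yes' "$1"
}
# 0 if the "smtp inet" service in master.cf ($1) forces TLS through -o overrides;
# only override lines between "smtp inet" and the next service definition count.
public_smtp_enforces_tls() {
  awk '
    /^smtp[ \t]+inet/ { in_smtp = 1; next }
    /^[A-Za-z0-9_-]+[ \t]+(inet|unix|fifo|pass)[ \t]/ { in_smtp = 0 }
    in_smtp && /-o[ \t]*smtpd_enforce_tls=yes/ { found = 1 }
    in_smtp && /-o[ \t]*smtpd_tls_security_level=encrypt/ { found = 1 }
    END { exit !found }
  ' "$1"
}

# Prints each finding with its fix; returns the number of findings (0 = clean).
audit_postfix_tls() {
  n=0
  if ! outbound_tls_enabled "$1"; then
    echo "outbound TLS off: set smtp_tls_security_level = may (smtp_use_tls = yes on old releases)"
    n=$((n + 1))
  fi
  if public_smtp_enforces_tls "$2"; then
    echo "port 25 forces TLS (RFC 2487 forbids this on a public MX): drop -o smtpd_enforce_tls=yes from smtp"
    n=$((n + 1))
  fi
  return "$n"
}

# Constructed sample input mirroring the thread's configuration (not real files).
tmp=$(mktemp -d)
cat > "$tmp/postconf.txt" <<'EOF'
smtp_tls_loglevel = 1
smtpd_tls_security_level = may
EOF
cat > "$tmp/master.cf" <<'EOF'
smtp      inet  n       -       -       -       -       smtpd
    -o smtpd_enforce_tls=yes
submission inet n       -       -       -       -       smtpd
  -o smtpd_enforce_tls=yes
EOF
rc=0; audit_postfix_tls "$tmp/postconf.txt" "$tmp/master.cf" || rc=$?
echo "findings: $rc"
```

Run it against the real `postconf -n > dump.txt` and `/etc/postfix/master.cf`; a submission or smtps service that forces TLS is left alone, since only the public smtp service is checked.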
Re: Postfix does not use TLS in outside emails.

Josep M.-5
Hello Arne.

Thanks for your help, now everything runs correctly. I had enabled TLS in the smtp
daemon by mistake while trying to enable this; the fault was the smtp_use_tls
= yes in main.cf.

Josep

> You are missing a smtp_use_tls = yes in your main.cf.
>
>
> > # ==========================================================================
> > # service type  private unpriv  chroot  wakeup  maxproc command + args
> > #               (yes)   (yes)   (yes)   (never) (100)
> > # ==========================================================================
> >
> > smtp      inet  n       -       -       -       -       smtpd
> >    -o smtpd_enforce_tls=yes
> >    -o smtpd_sasl_auth_enable=yes
>
> This is not a good idea.