SSL/TLS configuration for relaying


Nachtfalter

Hi all

I’m stuck with enabling SSL/TLS on an existing setup.

I have a Postfix mail server (host = smtp) configured for some domains that relays all messages for these domains to a second mail server (hmailserver, host = mail). This setup works fine when I use smtp:25 to forward mail from Postfix to hmailserver.

main.cf

    transport_maps = hash:/etc/postfix/transport

transport

    yyyy.com            smtp:[mail.xxxx.com]:25

Now I would like to encrypt the communication between Postfix -> hmailserver.

The remote mail server is configured to accept SSL/TLS on port 587. This is proven to work, since user mail clients successfully connect directly to hmailserver on that port with SSL/TLS.

I therefore changed transport to:

    yyyy.com              smtp:[mail.xxxx.com]:587

and added

    smtp_tls_security_level = may

to main.cf.

Now I can see the mails getting forwarded to mail.xxxx.com:587, but plain SMTP is still used (tcpdump shows no SSL handshake being initiated). It seems smtp_tls_security_level has no effect at all. I experimented with different settings for smtp_tls_security_level, with no effect. I also tried to enforce the use of SSL using smtp_tls_policy_maps = hash:/etc/postfix/tls_policy, but again this seems to have no effect.

Although I read a bunch of blog posts and had a look into the Postfix documentation, I just have no idea what the correct configuration option would be. So I would really appreciate a little help :-)

Thanks a lot

-Frank


Re: SSL/TLS configuration for relaying

Marat Khalili
I don't pretend to be expert, but that's what works for me with postfix 3.1:

> smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
> smtp_tls_mandatory_ciphers = high
> smtp_tls_security_level = secure
> smtp_tls_secure_cert_match = nexthop
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

Just checked that I have STARTTLS and handshake in tcpdump.

--

With Best Regards,
Marat Khalili

Re: SSL/TLS configuration for relaying

Matus UHLAR - fantomas
On 29.09.17 13:09, Nachtfalter wrote:
>I got a postfix mail server (host=smtp) configured for some domains that
>relay all messages for these domains to a second mail server (hmailserver,
>host = mail). This setup works fine when I use smtp:25 to forward mail from
>postfix to hmailserver.

>Now I would like to encrypt communication between postfix -> hmailserver.
>
>The remote mailserver is configured to accept SSL/TLS on port 587. This is
>proven to work since user mail clients successfully directly connect to
>hmailserver using the related port with SSL/TLS.

tried
http://www.postfix.org/postconf.5.html#smtp_tls_per_site
?

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was a Windows 95 beta test site.
Re: SSL/TLS configuration for relaying

Viktor Dukhovni
On Sun, Oct 01, 2017 at 07:15:36PM +0200, Matus UHLAR - fantomas wrote:

> > The remote mailserver is configured to accept SSL/TLS on port 587. This is
> > proven to work since user mail clients successfully directly connect to
> > hmailserver using the related port with SSL/TLS.
>
> tried
> http://www.postfix.org/postconf.5.html#smtp_tls_per_site

A long-deprecated feature (since Postfix 2.3 over a decade ago).
The non-deprecated interface is:

    http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps
    http://www.postfix.org/TLS_README.html#client_tls_policy

And while requiring TLS is a good idea, it won't work if even
opportunistic TLS fails to produce a TLS connection.

The OP has posted scant concrete evidence, just anecdotes, so
no further help is presently possible.

--
        Viktor.
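The check Viktor's last two paragraphs imply, added here as an example and not code from any poster in the thread: before tuning smtp_tls_security_level or smtp_tls_policy_maps, confirm what the relay port actually speaks, because the Postfix SMTP client negotiates STARTTLS (a wrapper-mode SMTPS port needs smtp_tls_wrappermode = yes), and a port that expects an immediate TLS handshake yields exactly the plain-SMTP tcpdump the OP describes. mail.xxxx.com:587 is the placeholder next-hop from the original post; the EHLO replies in the usage are constructed.

```python
import smtplib
import socket
import ssl


def starttls_advertised(ehlo_response: bytes) -> bool:
    """True if an EHLO reply (the bytes smtplib's ehlo() returns) lists STARTTLS.
    Without this keyword the Postfix client keeps talking plain SMTP."""
    for line in ehlo_response.decode("ascii", "replace").splitlines():
        if line.strip().split(" ", 1)[0].upper() == "STARTTLS":
            return True
    return False


def probe_relay(host: str, port: int, timeout: float = 10.0) -> str:
    """Classify what the relay port speaks: 'starttls', 'no-starttls',
    'implicit-tls', 'implicit-tls-untrusted-cert' or 'unreachable'."""
    # First attempt: plain SMTP, then EHLO, the way Postfix starts a session.
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as conn:
            code, ehlo = conn.ehlo()
            if code == 250:
                return "starttls" if starttls_advertised(ehlo) else "no-starttls"
            return "no-starttls"
    except (smtplib.SMTPServerDisconnected, socket.timeout):
        pass  # a wrapper-mode (SMTPS) port sits silent or drops plain clients
    except OSError:
        return "unreachable"
    # Second attempt: TLS handshake straight away, which is what "SSL/TLS" in a
    # mail client usually means. Verification stays on so a certificate that
    # would not satisfy a 'secure' policy shows up as a distinct result.
    ctx = ssl.create_default_context()
    try:
        with smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx) as conn:
            conn.ehlo()
            return "implicit-tls"
    except ssl.SSLCertVerificationError:
        return "implicit-tls-untrusted-cert"
    except OSError:
        return "unreachable"


if __name__ == "__main__":
    # Placeholder relay from the original post; substitute the real next-hop.
    print(probe_relay("mail.xxxx.com", 587))
```

Run it from the Postfix host itself so the result reflects the same network path the smtp(8) client uses.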