
Can't configure SMTP encryption - postfix


I have docker-mailserver and Roundcube in containers; alongside them there is a MySQL database for mail data and user passwords. Dovecot inside is configured to verify users' passwords against the database on login. Yesterday I configured IMAP and it is working properly. Roundcube is also working with no problem. Now I am facing a problem configuring a secure connection for SMTP. Even with the setting "require" and similar ones such as "always use STARTTLS", I don't get the possibility to send emails over a secure connection. Plain (insecure) connections work OK.

My postfix-main.cf file:

smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/dovecot/fullchain.pem
smtpd_tls_key_file = /etc/dovecot/privkey.pem

smtpd_tls_eecdh_grade = strong
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_security_level = may
smtpd_tls_ciphers = high
tls_preempt_cipherlist = yes
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL
smtpd_tls_exclude_ciphers = aNULL, MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

# smtpd_tls_auth_only = yes

# smtp_use_tls = yes

# smtp_enforce_tls = yes
# smtpd_enforce_tls = yes

If I uncomment the last 4 lines I get problems sending emails via Roundcube (the SMTP server expects a secure connection, but on the server it is not configured on the Roundcube side). And there is also no possibility to secure SMTP communication from my home Thunderbird. TB with an insecure connection works OK.

I've seen the documentation here:

http://www.postfix.org/SASL_README.html

but it does not help much.

What is the proper configuration needed to make postfix/dovecot work with STARTTLS?

EDIT:

Configuration: https://pastie.io/hxcfkw.ini

What I get when connecting is:

# telnet localhost 587
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 mail.correct_domain.com ESMTP
EHLO test.com
250-mail.correct_domain.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
^]
telnet> quit
Connection closed.

So it seems like the server is not offering any security.

EDIT2:

I've seen this link:

Forcing encryption for outgoing SMTP with Postfix

But nothing from there helps me. TB constantly disconnects from STARTTLS on the mail server.
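The EHLO reply quoted in the question has no `250-STARTTLS` line, so the client has nothing to upgrade to; that is exactly what Thunderbird's "always use STARTTLS" setting trips over. The checks below are an added example for readers of this question, not code from the original post or from docker-mailserver. They classify an EHLO reply offline (the question's reply and a corrected one are embedded as constructed samples), probe a live port with `openssl s_client`, and dump the Postfix settings that decide whether `smtpd` advertises STARTTLS. Two Postfix facts motivate the report function: `-o` overrides on the `submission` service in master.cf take precedence over main.cf, and Postfix disables TLS (with a `warning:` in the mail log) when it cannot read `smtpd_tls_cert_file` or `smtpd_tls_key_file`. The service name `submission/inet` and the log path are assumptions about the container layout.

```shell
#!/bin/sh
# Added example (not from the original post): check whether an SMTP
# submission port advertises STARTTLS, and inspect the Postfix settings
# that control it on the server (smtpd_*) side.

# Constructed sample: the EHLO reply quoted in the question (no STARTTLS line).
EHLO_NO_TLS='250-mail.correct_domain.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING'

# Constructed sample: what a correctly configured port 587 should reply
# before TLS is negotiated (AUTH is hidden until STARTTLS is done when
# smtpd_tls_auth_only = yes).
EHLO_TLS='250-mail.correct_domain.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING'

# starttls_offered "<ehlo reply>" -> prints "yes" or "no".
# Accepts both a continuation line "250-STARTTLS" and a final "250 STARTTLS",
# and tolerates a trailing CR from telnet captures.
starttls_offered() {
    if printf '%s\n' "$1" | grep -qiE '^250[- ]STARTTLS[[:space:]]*$'; then
        echo yes
    else
        echo no
    fi
}

# probe_starttls host [port] -> "yes" if a live server completes STARTTLS.
# openssl speaks EHLO and issues STARTTLS itself; the "Verify return code"
# line only appears after a successful TLS handshake.
probe_starttls() {
    host=$1; port=${2:-587}
    if printf 'QUIT\r\n' | openssl s_client -connect "$host:$port" \
            -starttls smtp -servername "$host" 2>&1 | grep -q 'Verify return code'; then
        echo yes
    else
        echo no
    fi
}

# postfix_tls_report -> run inside the docker-mailserver container.
# Shows main.cf TLS settings, the master.cf submission service with its
# "-o" overrides (which win over main.cf), whether the cert/key paths are
# readable, and recent TLS warnings. MAIL_LOG is an assumed path.
MAIL_LOG=${MAIL_LOG:-/var/log/mail/mail.log}
postfix_tls_report() {
    echo '--- main.cf TLS settings (non-default values) ---'
    postconf -n | grep -E '^(smtpd_tls_|smtpd_use_tls|smtpd_sasl_auth_enable)'
    echo '--- master.cf submission service and its -o overrides ---'
    postconf -M submission/inet
    echo '--- certificate and key files as seen by this container ---'
    for f in $(postconf -h smtpd_tls_cert_file smtpd_tls_key_file); do
        ls -l "$f" 2>&1
    done
    echo "--- recent TLS-related warnings in $MAIL_LOG ---"
    grep -iE 'warning:.*(tls|certificate|key)' "$MAIL_LOG" 2>/dev/null | tail -n 5
}

# Stand-alone run: classify the two constructed replies.
echo "reply from the question advertises STARTTLS: $(starttls_offered "$EHLO_NO_TLS")"
echo "corrected reply advertises STARTTLS:         $(starttls_offered "$EHLO_TLS")"
```

On the mail host, `probe_starttls mail.correct_domain.com 587` replaces the manual telnet session, and `postfix_tls_report` run inside the container shows whether the submission service overrides `smtpd_tls_security_level` or whether Postfix could not open the files under `/etc/dovecot/` (a `warning: cannot get ... certificate from file` line means STARTTLS was switched off at startup).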

Paul (comment): Really, the best thing to do is read this entire article: [Postfix TLS Support](http://www.postfix.org/TLS_README.html). You should post the entire output of `postconf -n`; it is fine to anonymize things like IP addresses in your post. The short answer is to add `smtp_tls_security_level = may` and see if that fixes it.
pbies (comment): This option didn't solve the problem. I've edited the question, adding a configuration paste.
pbies (comment): @Paul any idea?