andyandy:

Setting up a Postfix on Ubuntu...?

I've spent the entire day trying to set up Postfix on my server (Ubuntu 18.04). Right now:

  • I can send mail

  • SPF verification will PASS

  • DKIM verification will PASS

  • redirection of incoming emails doesn't work; I'm trying to do it this way (the file contains: [email protected] [email protected])

virtual_alias_domains = mydomain.com
virtual_alias_maps = hash:/etc/postfix/virtual

  • it doesn't seem like it's using encrypted communication (I have HTTPS set up at mail.example.com and filled in the certificates in the settings, but emails sent by me seem to be delivered unencrypted)

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.mydomain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, localhost.com, , localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

smtpd_tls_cert_file=/etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.mydomain.com/privkey.pem
smtpd_tls_security_level=may
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

#Enforce TLSv1.3 or TLSv1.2
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

#####################
# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters           = inet:127.0.0.1:8891
non_smtpd_milters       = inet:127.0.0.1:8891


####################
# SSL
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.mydomain.com/privkey.pem
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes


virtual_alias_domains = mydomain.com
virtual_alias_maps = hash:/etc/postfix/virtual

Does anybody know how to troubleshoot it?

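Before changing anything it helps to read the TLS lines Postfix already logs, because their first word is the verdict: on the inbound side (`smtpd`) "Anonymous/Untrusted/Trusted" describes the client certificate, and on the outbound side (`smtp`) "Untrusted" means the remote MX presented a certificate that was never checked against a trust anchor, which is exactly what `smtp_tls_security_level = may` does. The cipher name matters too: a suite starting with `AECDH-` or `ADH-` is an anonymous key exchange, so the session is encrypted but neither end is authenticated and an active attacker can sit in the middle. The following triage script is an added example written for this thread, not code from the original post; it runs over the log lines posted further down (host names redacted as on the page) and also picks out the `fatal:` SASL error from the `smtps` listener, which is looking for a SASL socket at `private/auth` that nothing provides (that socket path is not in the pasted main.cf, so it is assumed to come from master.cf). Note that when a parameter such as `smtp_tls_security_level` appears several times in main.cf the last occurrence wins; `postconf -n` shows the effective values.

```python
import re

# Log lines as posted later in this thread (names redacted exactly as on the page).
SAMPLE_LOG = """\
Oct  1 05:49:53 mail postfix/smtps/smtpd[1729]: warning: SASL: Connect to private/auth failed: No such file or directory
Oct  1 05:49:53 mail postfix/smtps/smtpd[1729]: fatal: no SASL authentication mechanisms
Oct  1 05:49:53 mail postfix/smtpd[1644]: Anonymous TLS connection established from wes1-so1.wedos.net[46.28.106.15]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Oct  1 05:49:54 mail postfix/smtp[1732]: Untrusted TLS connection established to wes1-mx2.HOSTING.net[46.28.106.12]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct  1 05:49:54 mail postfix/master[1300]: warning: process /usr/lib/postfix/sbin/smtpd pid 1729 exit status 1
Oct  1 06:25:59 mail postfix/smtp[2502]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[2a00:1450:400c:c01::1a]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
"""

# "<Trust> TLS connection established from|to <peer>: <proto> with cipher <name> (<bits> bits)"
TLS_RE = re.compile(
    r"postfix/(?P<svc>[\w/]+)\[(?P<pid>\d+)\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?P<dir>from|to) (?P<peer>\S+): (?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+) "
    r"\((?P<bits>[\d/]+) bits\)"
)
# Postfix diagnostics: "warning: ..." and "fatal: ..." from any daemon.
DIAG_RE = re.compile(r"postfix/(?P<svc>[\w/]+)\[(?P<pid>\d+)\]: (?P<level>warning|fatal): (?P<msg>.*)")

# Anonymous (unauthenticated) key exchange: AECDH-* / ADH-* suites.
ANON_CIPHER = re.compile(r"^A(EC)?DH-|anon", re.I)
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def triage(log_text: str) -> list:
    """Return one record per TLS handshake or Postfix diagnostic line, with flags."""
    findings = []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            d = m.groupdict()
            flags = []
            if ANON_CIPHER.search(d["cipher"]):
                flags.append("anonymous-cipher")   # encrypted, but nobody authenticated: MITM possible
            if d["proto"] in LEGACY_PROTOCOLS:
                flags.append("legacy-protocol")
            if d["dir"] == "to" and d["trust"] in ("Anonymous", "Untrusted"):
                flags.append("unverified-peer")    # we never checked the remote MX certificate
            if d["dir"] == "from" and d["trust"] == "Anonymous":
                flags.append("no-client-cert")     # client sent no certificate; normal MTA-to-MTA
            findings.append({
                "kind": "tls", "service": d["svc"], "pid": d["pid"], "direction": d["dir"],
                "peer": d["peer"], "trust": d["trust"], "proto": d["proto"],
                "cipher": d["cipher"], "flags": flags,
            })
            continue
        m = DIAG_RE.search(line)
        if m:
            findings.append({"kind": m["level"], "service": m["svc"],
                             "pid": m["pid"], "message": m["msg"]})
    return findings


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec)
```

Feed it `journalctl -u postfix` or `/var/log/mail.log` and look at the `flags` field: an inbound `anonymous-cipher` entry means the client chose an unauthenticated suite, and an outbound `unverified-peer` entry is the normal result of opportunistic TLS rather than a sign that the mail went out in clear text.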
laracoft:

What is the basis of saying "... seem delivered non-encrypted way"?

andyandy:

I was trying some online checker tool and it seemed like SSL/TLS was not used.

But looking at received mail at Google now it seems like it might be working properly?

https://i.imgur.com/4yt7ogn.png

laracoft:

I only see smtpd_use_tls = yes, do you have smtp_use_tls = yes?

laracoft:

Online checkers are testing your SMTP server's listening port (smtpd_use_tls = yes); what is the exact message they are showing? "It seemed like SSL/TLS was not used" is not much to go on.

andyandy:

That's my entire config file, so I will add smtp_use_tls = yes

laracoft:

@andyandy config files are one thing, what is the basis of your conclusions? Better to show the full logs otherwise I can only speculate and it won't be of much help.

andyandy:

If I send mail to [email protected] it is delivered to [email protected] (which is finally what I want), and this appears in the logs:


Oct  1 05:49:53 mail postfix/smtps/smtpd[1729]: warning: SASL: Connect to private/auth failed: No such file or directory
Oct  1 05:49:53 mail postfix/smtps/smtpd[1729]: fatal: no SASL authentication mechanisms
Oct  1 05:49:53 mail postfix/smtpd[1644]: connect from wes1-so1.HOSTING.net[46.28.106.15]
Oct  1 05:49:53 mail postfix/smtpd[1644]: Anonymous TLS connection established from wes1-so1.wedos.net[46.28.106.15]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Oct  1 05:49:53 mail postfix/smtpd[1644]: D2E3E2DCBD: client=wes1-so1.wedos.net[46.28.106.15]
Oct  1 05:49:53 mail postfix/cleanup[1731]: D2E3E2DCBD: message-id=<[email protected]>
Oct  1 05:49:53 mail opendkim[16889]: D2E3E2DCBD: external host wes1-so1.HOSTING.net attempted to send as MYMAIL.net
Oct  1 05:49:53 mail postfix/qmgr[1312]: D2E3E2DCBD: from=<[email protected]>, size=1075, nrcpt=1 (queue active)
Oct  1 05:49:53 mail postfix/smtpd[1644]: disconnect from wes1-so1.HOSTING.net[46.28.106.15] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Oct  1 05:49:54 mail postfix/smtp[1732]: Untrusted TLS connection established to wes1-mx2.HOSTING.net[46.28.106.12]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct  1 05:49:54 mail postfix/smtp[1732]: D2E3E2DCBD: to=<[email protected]>, orig_to=<[email protected]>, relay=wes1-mx2.HOSTING.net[46.28.106.12]:25, delay=0.47, delays=0.02/0.01/0.24/0.19, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued a$
Oct  1 05:49:54 mail postfix/qmgr[1312]: D2E3E2DCBD: removed
Oct  1 05:49:54 mail postfix/master[1300]: warning: process /usr/lib/postfix/sbin/smtpd pid 1729 exit status 1

andyandy:

I'm sending and receiving mails, but in the logs it's always


Oct  1 06:10:54 mail postfix/smtp[2070]: Untrusted TLS connection established to wes1-mx1.hosting.net[46.28.106.11]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

laracoft:

# openssl s_client -crlf -connect 46.28.106.11:25
CONNECTED(00000003)
139882317768544:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

The issue is the SMTP server at 46.28.106.11.
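A plain `openssl s_client -connect host:25` always produces the "unknown protocol" error above, because port 25 starts as clear-text SMTP and only switches to TLS after the client sends `STARTTLS`; the openssl equivalent of what Postfix does is `openssl s_client -starttls smtp -connect host:25`. The probe below is an added example for this thread, not code from the original post: it performs the same upgrade with Python's `smtplib`, reports what the upgraded socket negotiated, and optionally enforces certificate verification against the system trust store, which is the check that separates "Untrusted" from "Verified" in the Postfix log. `SAMPLE_EHLO` is a constructed EHLO reply so that the parser can be exercised without a network; the host name in it is invented.

```python
import smtplib
import ssl

# Constructed EHLO reply in the shape smtplib.SMTP.ehlo() returns it:
# first line is the server greeting, then one extension keyword per line.
SAMPLE_EHLO = b"mail.example.test\nPIPELINING\nSIZE 10240000\nSTARTTLS\nENHANCEDSTATUSCODES\n8BITMIME"


def parse_ehlo(msg: bytes) -> dict:
    """Map advertised EHLO keywords (lower-cased) to their parameters.

    The first line is the greeting, not an extension, so it is skipped.
    """
    features = {}
    for line in msg.splitlines()[1:]:
        parts = line.decode("ascii", "replace").strip().split(None, 1)
        if parts:
            features[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return features


def probe_starttls(host: str, port: int = 25, verify: bool = False, timeout: float = 10.0) -> dict:
    """Connect in the clear, check that STARTTLS is offered, upgrade, and
    report the negotiated protocol and cipher.

    verify=False mirrors opportunistic TLS (what "Untrusted" in the Postfix log
    means); verify=True requires a chain to the system CA store plus a matching
    host name, the same bar a "secure" policy sets.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _code, msg = smtp.ehlo()
        offered = parse_ehlo(msg)
        if "starttls" not in offered:
            return {"host": host, "starttls_offered": False, "extensions": sorted(offered)}
        smtp.starttls(context=ctx)   # raises ssl.SSLError if verification fails
        smtp.ehlo()                  # RFC 3207: re-issue EHLO after the upgrade
        tls = smtp.sock
        cipher_name, _proto, bits = tls.cipher()
        return {
            "host": host,
            "starttls_offered": True,
            "protocol": tls.version(),
            "cipher": cipher_name,
            "bits": bits,
            "peer_cert_verified": verify,
            "subject": tls.getpeercert().get("subject") if verify else None,
        }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(probe_starttls(target, verify="--verify" in sys.argv))
```

Run it against your own `mail.mydomain.com` first: with `--verify` it must succeed for the Let's Encrypt certificate in main.cf to be doing anything useful, and running it against a remote MX shows whether that server's certificate would pass a `secure` policy.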

andyandy:

Sending mail to Gmail:

Oct  1 06:25:59 mail postfix/smtp[2502]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[2a00:1450:400c:c01::1a]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)

laracoft:

Hmm, OK, try creating a file /etc/postfix/smtp_tls_policy:

[smtp.office365.com]:587 encrypt
[smtp.gmail.com]:587 encrypt

In your main.cf, make sure to have these:

smtp_use_tls = yes
smtp_tls_policy_maps = hash:/etc/postfix/smtp_tls_policy

Be sure to run postfix reload after these changes. If Google gets fixed, then find the setting for mymail and add it to smtp_tls_policy.
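Two caveats a practitioner should know before adopting that policy file. First, `smtp_use_tls = yes` is the pre-2.3 spelling of `smtp_tls_security_level = may`, which the pasted main.cf already sets, so adding it changes nothing. Second, the `encrypt` level only mandates encryption: Postfix will still log "Untrusted TLS connection" because no certificate is checked. To turn "Untrusted" into "Verified" the entry needs `secure` (or `dane` with DNSSEC) and Postfix needs a trust store, for example `smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt` on Ubuntu. The script below is an added example for this thread, not code from the original post: it correlates each outbound delivery in the log with the TLS handshake logged by the same `smtp` process to the same relay, looks up the policy level the destination should have received, and reports whether the observed trust word meets it. Policy entries, domains, hosts, addresses and queue IDs in the sample are constructed; the parent-domain walk in `lookup_policy` is a simplification of Postfix's lookup order, not a claim about it.

```python
import re

# Constructed smtp_tls_policy contents: the two bracketed entries are the ones
# suggested above, the rest are invented for this example.
POLICY = """\
# next-hop                 level
[smtp.office365.com]:587   encrypt
[smtp.gmail.com]:587       encrypt
gmail.com                  encrypt
hosting.example            secure
"""

# Constructed log excerpt (one plaintext delivery included on purpose).
LOG = """\
Oct  1 05:49:54 mail postfix/smtp[1732]: Untrusted TLS connection established to mx2.hosting.example[192.0.2.12]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct  1 05:49:54 mail postfix/smtp[1732]: D2E3E2DCBD: to=<user@hosting.example>, orig_to=<alias@mydomain.example>, relay=mx2.hosting.example[192.0.2.12]:25, delay=0.47, delays=0.02/0.01/0.24/0.19, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
Oct  1 06:25:59 mail postfix/smtp[2502]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[2001:db8::1a]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Oct  1 06:25:59 mail postfix/smtp[2502]: 1A2B3C4D5E: to=<someone@gmail.com>, relay=gmail-smtp-in.l.google.com[2001:db8::1a]:25, delay=0.9, delays=0.1/0.1/0.4/0.3, dsn=2.0.0, status=sent (250 2.0.0 OK)
Oct  1 06:30:01 mail postfix/smtp[2610]: 9F8E7D6C5B: to=<other@nowhere.example>, relay=mx.nowhere.example[198.51.100.7]:25, delay=1.2, delays=0.1/0.1/0.5/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

TLS_RE = re.compile(r"postfix/smtp\[(?P<pid>\d+)\]: (?P<trust>Anonymous|Untrusted|Trusted|Verified) "
                    r"TLS connection established to (?P<relay>\S+): TLSv")
DELIVERY_RE = re.compile(r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>\w+): to=<(?P<to>[^>]+)>"
                         r".*?relay=(?P<relay>[^,]+),.*?status=(?P<status>\w+)")


def parse_policy(text: str) -> dict:
    """Parse 'key level [attr...]' lines; keys are case-insensitive."""
    policy = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, level, *attrs = line.split()
            policy[key.lower()] = (level.lower(), attrs)
    return policy


def lookup_policy(policy: dict, nexthop: str, default: str = "may"):
    """Find the policy for a next-hop: exact key, '[host]' without port, or
    (for unbracketed domains) a parent domain. Falls back to the global level."""
    key = nexthop.lower()
    if key.startswith("["):
        candidates = [key, key.split("]", 1)[0] + "]"]
    else:
        labels = key.split(".")
        candidates = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    for cand in candidates:
        if cand in policy:
            return cand, policy[cand][0]
    return None, default


def satisfies(level: str, observed: str) -> bool:
    """observed is a Postfix trust word, or 'plaintext' if no handshake was logged."""
    if level in ("none", "may"):
        return True                      # opportunistic: anything goes
    if level == "encrypt":
        return observed != "plaintext"   # encryption required, no authentication
    return observed == "Verified"        # dane, dane-only, fingerprint, verify, secure


def check_deliveries(policy_text: str, log_text: str, relayhost=None, default_level="may") -> list:
    """Match each sent delivery with the TLS handshake of the same smtp process
    to the same relay and grade it against the policy for its next-hop."""
    policy = parse_policy(policy_text)
    last_tls = {}   # pid -> (relay, trust) of the most recent handshake
    report = []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            last_tls[m["pid"]] = (m["relay"], m["trust"])
            continue
        m = DELIVERY_RE.search(line)
        if not m or m["status"] != "sent":
            continue
        # Without a relayhost the next-hop is the recipient domain.
        nexthop = relayhost or m["to"].rsplit("@", 1)[1]
        key, level = lookup_policy(policy, nexthop, default_level)
        relay, trust = last_tls.get(m["pid"], (None, None))
        observed = trust if relay == m["relay"] else "plaintext"
        report.append({"queue_id": m["qid"], "recipient": m["to"], "nexthop": nexthop,
                       "policy_key": key, "level": level, "observed": observed,
                       "compliant": satisfies(level, observed)})
    return report


if __name__ == "__main__":
    for row in check_deliveries(POLICY, LOG):
        print(row)
```

Pass `relayhost="[smtp.gmail.com]:587"` when all outbound mail goes through a smarthost, since the policy lookup key is then the relay rather than the recipient domain. A delivery reported as `plaintext` under `encrypt` should never happen on a live system (Postfix would defer instead), so seeing one in the report points at a policy file that was edited but never rebuilt with `postmap` or reloaded.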

Sinnbeck:

@andyandy Just curious. Are you going to be using your mailserver to send mails to your customers? If so, are you really knowledgeable about mail? Everything from SPF, to DKIM, to blacklisting, to getting off one of the many blacklists if you end up on one? These are just a few, and even though I know quite a bit about mail, I personally would never trust myself with handling the server sending business critical mails :)

laracoft:

@andyandy I agree with @sinnbeck, email has become a monster due to its federated nature.

Avoid setting up a server if you can. My server is mainly to aggregate my various @gmail.com, @hotmail.com etc. into 1 central server to read and send; it doesn't have a domain of its own, for the reasons stated by @sinnbeck.

Sinnbeck:

Agreed!

If you go forward with it, then make sure that you block each and every mail address that bounces with a hard fail.

If you send to the same non-existent email more than once, you risk getting blocked by the recipient server/blacklist (many servers use public blacklists, and if you end up on one of these, you might not be able to send to multiple domains across the world).
