Enabling TLS in Postfix

Hey guys!

I'm facing some issues to set up TLS in Postfix. With my current config I can set up a mailbox in Outlook, for example, using Port 465 with SSL/TLS selected. But if I try 587 I can only get it to work if I select STARTTLS.

And when I try to use Gmail to connect to this same mailbox using 587 port, I get this:
https://i.imgur.com/nPHjZAO.png

While using 465 with either SSL or TLS selected, I get this:
https://i.imgur.com/D0AWWpj.png

This is my main.cf file:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks,    permit_sasl_authenticated,    reject_invalid_hostname,    reject_unauth_pipelining,    reject_unauth_destination,    ,    check_client_access hash:/etc/postfix/rbl_override,    reject_rhsbl_helo dbl.spamhaus.org,    reject_rhsbl_reverse_client dbl.spamhaus.org,    reject_rhsbl_sender dbl.spamhaus.org,    permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3],    permit_dnswl_client dnswl.spfbl.net,    reject_rbl_client zen.spamhaus.org,    reject_rbl_client b.barracudacentral.org,    reject_rbl_client cbl.abuseat.org,    reject_rbl_client bl.spamcop.net,    reject_rbl_client dnsbl.spfbl.net
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtp_tls_cert_file = /etc/postfix/postfix.cert.pem
smtp_tls_key_file = /etc/postfix/postfix.key.pem
smtp_tls_CAfile = /etc/postfix/postfix.ca.pem
mailbox_size_limit = 0
allow_percent_hack = no
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891,local:/run/milter-greylist/milter-greylist.sock
non_smtpd_milters = inet:localhost:8891,local:/run/milter-greylist/milter-greylist.sock
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_protocols=!SSLv2,!SSLv3
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
message_size_limit = 104857600
header_size_limit = 104857600
smtpd_client_restrictions = reject_unknown_reverse_client_hostname permit_mynetworks permit_inet_interfaces
smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated reject_unknown_reverse_client_hostname reject_unknown_client_hostname reject_unknown_sender_domain
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated check_helo_access hash:/etc/postfix/helo_access reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

And this is my master.cf:

smtp inet n       -       n       -       -       smtpd
  -o smtpd_tls_auth_only=yes
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o milter_macro_daemon_name=ORIGINATING

This is my mail.log when I try a connection using 587 SSL/TLS

May 27 15:51:07 ns1 dovecot: imap-login: Login: user=, method=PLAIN, rip=my-ip, lip=server-ip, mpid=10100, TLS, session=
May 27 15:51:07 ns1 dovecot: imap(teste@mydomain.com): Connection closed (IDLE running for 0.001 + waiting input for 0.001 secs, 2 B in + 10+10 B out, state=wait-input) in=11 out=380
May 27 15:51:07 ns1 postfix/smtpd[10104]: warning: database /etc/postfix/rbl_override.db is older than source file /etc/postfix/rbl_override
May 27 15:51:09 ns1 postfix/smtpd[10104]: warning: hostname my-ip.user.myisp.com.br does not resolve to address my-ip: Name or service not known
May 27 15:51:09 ns1 postfix/smtpd[10104]: connect from unknown[my-ip]
May 27 15:51:09 ns1 milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
May 27 15:51:09 ns1 postfix/smtpd[10104]: lost connection after UNKNOWN from unknown[my-ip]
May 27 15:51:09 ns1 postfix/smtpd[10104]: disconnect from unknown[my-ip]

But there's no log when I try to connect using Gmail webmail.
This is probably due to a reject_invalid_hostname, but I had to do this to prevent massive spam that my server was getting. But I can't understand why Gmail doesn't log to my mail.log so I can identify the problem.

All related ports are open in my firewall CSF (25,465,587).
Everything else is working (I can receive mails encrypted, I can send mails if I use Starttls or localhost using webmail, etc), this is the only issue I'm facing related to mail.

Can someone help me figure it out?

Thanks!

Status: 
Closed (fixed)

Comments

Ilia's picture
Submitted by Ilia on Fri, 05/29/2020 - 05:10

Hi,

Thanks for contacting us, and sorry for a delay!

But there's no log when I try to connect using Gmail webmail.

That shouldn't be the case, as the log must be there, if connection take place, and in case there is no log, may be your firewall is blocking source (Google's) IPs.

I would also look at IPv6 configuration, and if IPv6 was configured correctly. For example, if you have configured IPv6 on DNS zone for a domain, Google will use only IPv6, without fall back to IPv4, and if your Posfix listens only on IPv4, you would face the exact issue you're facing now.

By default, Postfix listens on all interfaces but perhaps, yours is configured as inet_protocols = IPv4?

Can someone help me figure it out?

If you don't know the exact solution to the problem, start changing configuration options and set them to default temporarily, to figure out what is really going on.

Hey Ilia

Well, I didn't know about Google not falling back to IPv4. I basically set up all domains to have ipv6 records even in mail entries but I disabled in postfix using inet_protocols = IPv4, just like you said.

After changing inet_protocols to all and openning the ports in my firewall, Google started to work as expected :)

Thank you very much.

Status: Active » Fixed
Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.