Hey guys!
I'm facing some issues setting up TLS in Postfix. With my current config I can set up a mailbox in Outlook, for example, using port 465 with SSL/TLS selected. But if I try 587 I can only get it to work if I select STARTTLS.
And when I try to use Gmail to connect to this same mailbox using port 587, I get this:
https://i.imgur.com/nPHjZAO.png
While using 465 with either SSL or TLS selected, I get this:
https://i.imgur.com/D0AWWpj.png
This is my main.cf file:
# SASL authentication
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_hostname,
    reject_unauth_pipelining,
    reject_unauth_destination,
    check_client_access hash:/etc/postfix/rbl_override,
    reject_rhsbl_helo dbl.spamhaus.org,
    reject_rhsbl_reverse_client dbl.spamhaus.org,
    reject_rhsbl_sender dbl.spamhaus.org,
    permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3],
    permit_dnswl_client dnswl.spfbl.net,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client b.barracudacentral.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client dnsbl.spfbl.net
# TLS for outbound mail (Postfix as SMTP client)
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtp_tls_cert_file = /etc/postfix/postfix.cert.pem
smtp_tls_key_file = /etc/postfix/postfix.key.pem
smtp_tls_CAfile = /etc/postfix/postfix.ca.pem
mailbox_size_limit = 0
allow_percent_hack = no
# Milters
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891,local:/run/milter-greylist/milter-greylist.sock
non_smtpd_milters = inet:localhost:8891,local:/run/milter-greylist/milter-greylist.sock
# TLS for inbound mail (Postfix as SMTP server)
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
message_size_limit = 104857600
header_size_limit = 104857600
# Client, sender, HELO and relay restrictions
smtpd_client_restrictions =
    reject_unknown_reverse_client_hostname
    permit_mynetworks
    permit_inet_interfaces
smtpd_sender_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unknown_reverse_client_hostname
    reject_unknown_client_hostname
    reject_unknown_sender_domain
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_helo_access hash:/etc/postfix/helo_access
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
smtpd_relay_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    defer_unauth_destination
And this is my master.cf:
# service    type  private unpriv chroot wakeup maxproc command + args
smtp         inet  n       -      n      -      -       smtpd
  -o smtpd_tls_auth_only=yes
submission   inet  n       -      n      -      -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o milter_macro_daemon_name=ORIGINATING
smtps        inet  n       -      n      -      -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o milter_macro_daemon_name=ORIGINATING
This is my mail.log when I try a connection using 587 with SSL/TLS:
May 27 15:51:07 ns1 dovecot: imap-login: Login: user=, method=PLAIN, rip=my-ip, lip=server-ip, mpid=10100, TLS, session=
May 27 15:51:07 ns1 dovecot: imap(teste@mydomain.com): Connection closed (IDLE running for 0.001 + waiting input for 0.001 secs, 2 B in + 10+10 B out, state=wait-input) in=11 out=380
May 27 15:51:07 ns1 postfix/smtpd[10104]: warning: database /etc/postfix/rbl_override.db is older than source file /etc/postfix/rbl_override
May 27 15:51:09 ns1 postfix/smtpd[10104]: warning: hostname my-ip.user.myisp.com.br does not resolve to address my-ip: Name or service not known
May 27 15:51:09 ns1 postfix/smtpd[10104]: connect from unknown[my-ip]
May 27 15:51:09 ns1 milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
May 27 15:51:09 ns1 postfix/smtpd[10104]: lost connection after UNKNOWN from unknown[my-ip]
May 27 15:51:09 ns1 postfix/smtpd[10104]: disconnect from unknown[my-ip]
But there's no log when I try to connect using Gmail webmail.
This is probably due to reject_invalid_hostname, but I had to add this to stop the massive amount of spam my server was getting. But I can't understand why Gmail doesn't show up in my mail.log so I can identify the problem.
All related ports are open in my firewall CSF (25,465,587).
Everything else is working (I can receive encrypted mail, I can send mail if I use STARTTLS or localhost via webmail, etc.). This is the only mail-related issue I'm facing.
Can someone help me figure it out?
Thanks!
Comments
Hi,
Thanks for contacting us, and sorry for a delay!
That shouldn't be the case, as the log must be there if a connection takes place, and if there is no log, maybe your firewall is blocking the source (Google's) IPs.
I would also look at the IPv6 configuration, and whether IPv6 was configured correctly. For example, if you have configured IPv6 in the DNS zone for a domain, Google will use only IPv6, without falling back to IPv4, and if your Postfix listens only on IPv4, you would face the exact issue you're facing now.
By default, Postfix listens on all interfaces, but perhaps yours is configured as inet_protocols = IPv4?
If you don't know the exact solution to the problem, start changing configuration options and temporarily set them to their defaults, to figure out what is really going on.
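As an added illustration (not code from the thread or from Postfix), here is a small Python checker that reads main.cf/master.cf text in the shape posted above and reports, per listener, which client setting it expects (STARTTLS on submission, implicit TLS on smtps) and whether inet_protocols leaves IPv6-only clients such as Gmail unable to connect at all. The two config strings are constructed samples, not the poster's files.

```python
# Constructed samples mirroring the thread's setup (not the poster's files verbatim).
MAIN_CF = "inet_protocols = IPv4\nsmtpd_tls_security_level = may\nsmtpd_tls_auth_only = yes\n"
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
  -o smtpd_tls_auth_only=yes
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
smtps      inet  n  -  n  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
"""

def parse_main(text):
    # main.cf: "key = value" lines; '#' comments and blank lines are ignored
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def parse_master(text):
    # master.cf: "name inet ..." service lines followed by indented "-o key=value" overrides
    services, current = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if line[0].isspace() and fields[0] == "-o" and current:
            key, value = fields[1].split("=", 1)
            services[current][key] = value
        elif len(fields) >= 8 and fields[1] == "inet":
            current = fields[0]
            services[current] = {}
    return services

def tls_mode(main, overrides):
    # effective client expectation for one listener; "-o" overrides beat main.cf
    eff = {**main, **overrides}
    if eff.get("smtpd_tls_wrappermode", "no") == "yes":
        return "implicit-tls"        # client must choose SSL/TLS (port 465 style)
    if eff.get("smtpd_tls_security_level") == "encrypt":
        return "starttls-required"   # client must choose STARTTLS (port 587 style)
    return "starttls-optional" if eff.get("smtpd_tls_security_level") == "may" else "plaintext"

def diagnose(main_text, master_text):
    main, services = parse_main(main_text), parse_master(master_text)
    # Gmail connects over IPv6 when AAAA records exist; an IPv4-only Postfix never sees (or logs) it
    proto = main.get("inet_protocols", "all").lower()
    return {"ipv6": proto == "all" or "ipv6" in proto,
            "modes": {name: tls_mode(main, opts) for name, opts in services.items()}}
```

A client set to "SSL/TLS" on a "starttls-required" listener sends a TLS ClientHello into a plaintext SMTP session, which is what the "lost connection after UNKNOWN" line in the log above reflects.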
Submitted by diegoweb on Fri, 05/29/2020 - 16:33 Pro Licensee Comment #2
Hey Ilia
Well, I didn't know about Google not falling back to IPv4. I basically set up all domains to have IPv6 records, even in the mail entries, but I disabled it in Postfix using inet_protocols = IPv4, just like you said.
After changing inet_protocols to all and opening the ports in my firewall, Google started to work as expected :)
Thank you very much.
Submitted by diegoweb on Fri, 05/29/2020 - 16:25 Pro Licensee Comment #3
Submitted by IssueBot on Fri, 06/12/2020 - 16:30 Comment #4
Automatically closed - issue fixed for 2 weeks with no activity.