Hey guys!
I’m facing some issues setting up TLS in Postfix. With my current config I can set up a mailbox in Outlook, for example, using port 465 with SSL/TLS selected. But if I try 587, I can only get it to work if I select STARTTLS.
And when I try to use Gmail to connect to this same mailbox using 587 port, I get this:
While using 465 with either SSL or TLS selected, I get this:
This is my main.cf file:
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_unauth_pipelining, reject_unauth_destination, check_client_access hash:/etc/postfix/rbl_override, reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org, permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3], permit_dnswl_client dnswl.spfbl.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client b.barracudacentral.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.spfbl.net
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtp_tls_cert_file = /etc/postfix/postfix.cert.pem
smtp_tls_key_file = /etc/postfix/postfix.key.pem
smtp_tls_CAfile = /etc/postfix/postfix.ca.pem
mailbox_size_limit = 0
allow_percent_hack = no
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891,local:/run/milter-greylist/milter-greylist.sock
non_smtpd_milters = inet:localhost:8891,local:/run/milter-greylist/milter-greylist.sock
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_protocols=!SSLv2,!SSLv3
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
message_size_limit = 104857600
header_size_limit = 104857600
smtpd_client_restrictions = reject_unknown_reverse_client_hostname permit_mynetworks permit_inet_interfaces
smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated reject_unknown_reverse_client_hostname reject_unknown_client_hostname reject_unknown_sender_domain
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated check_helo_access hash:/etc/postfix/helo_access reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
And this is my master.cf:
smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_tls_auth_only=yes
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o milter_macro_daemon_name=ORIGINATING
This is my mail.log when I try a connection using 587 with SSL/TLS:
May 27 15:51:07 ns1 dovecot: imap-login: Login: user=teste@mydomain.com, method=PLAIN, rip=my-ip, lip=server-ip, mpid=10100, TLS, session=
May 27 15:51:07 ns1 dovecot: imap(teste@mydomain.com): Connection closed (IDLE running for 0.001 + waiting input for 0.001 secs, 2 B in + 10+10 B out, state=wait-input) in=11 out=380
May 27 15:51:07 ns1 postfix/smtpd[10104]: warning: database /etc/postfix/rbl_override.db is older than source file /etc/postfix/rbl_override
May 27 15:51:09 ns1 postfix/smtpd[10104]: warning: hostname my-ip.user.myisp.com.br does not resolve to address my-ip: Name or service not known
May 27 15:51:09 ns1 postfix/smtpd[10104]: connect from unknown[my-ip]
May 27 15:51:09 ns1 milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
May 27 15:51:09 ns1 postfix/smtpd[10104]: lost connection after UNKNOWN from unknown[my-ip]
May 27 15:51:09 ns1 postfix/smtpd[10104]: disconnect from unknown[my-ip]
But there’s no log when I try to connect using Gmail webmail.
This is probably due to a reject_invalid_hostname, but I had to do this to prevent massive spam that my server was getting. But I can’t understand why Gmail doesn’t log to my mail.log so I can identify the problem.
All related ports are open in my firewall CSF (25,465,587).
Everything else is working (I can receive mails encrypted, I can send mails if I use STARTTLS or localhost using webmail, etc.). This is the only issue I’m facing related to mail.
Can someone help me figure it out?
I’ve posted this in “ISSUES” as well, but got no answers there =/
Thanks!
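One way to verify what the master.cf above actually exposes on each port, as an added example that is not part of the original post: connect to 587 the way a STARTTLS client does and to 465 the way a wrapper-mode client does, then check that AUTH is hidden until TLS is up (the effect of smtpd_tls_auth_only). The hostname is an assumption; the EHLO replies in the test are constructed.

```python
# Added example, not the poster's code. Checks a Postfix submission setup
# against the policy in the master.cf above: port 587 must speak plain SMTP,
# offer STARTTLS, and advertise AUTH only after the TLS upgrade; port 465
# must speak TLS from the first byte (smtpd_tls_wrappermode=yes).
# A client that speaks TLS-first to 587 sends a ClientHello where Postfix
# expects an SMTP command, which is what "lost connection after UNKNOWN"
# in the log above looks like from the server side.
import smtplib
import ssl
import sys

HOST = "mail.example.com"  # assumption: replace with your own server name

def parse_ehlo(ehlo_reply: bytes) -> set:
    """Return the EHLO keywords (e.g. {'STARTTLS', 'AUTH'}) from the reply
    text smtplib returns; the first line is the server greeting and is skipped."""
    keywords = set()
    for line in ehlo_reply.decode("utf-8", "replace").splitlines()[1:]:
        parts = line.split()
        if parts:
            keywords.add(parts[0].upper())
    return keywords

def auth_policy_findings(caps_plain: set, caps_tls: set) -> list:
    """Compare keywords seen before and after STARTTLS with the intended policy."""
    findings = []
    if "STARTTLS" not in caps_plain:
        findings.append("STARTTLS not offered on the submission port")
    if "AUTH" in caps_plain:
        findings.append("AUTH offered before STARTTLS (smtpd_tls_auth_only not in effect)")
    if "AUTH" not in caps_tls:
        findings.append("AUTH not offered after STARTTLS")
    return findings

def probe(host: str) -> dict:
    """Exercise both ports like a mail client would (needs network access)."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, 587, timeout=10) as s:      # STARTTLS port
        caps_plain = parse_ehlo(s.ehlo()[1])
        s.starttls(context=ctx)                         # upgrade, then re-EHLO
        caps_tls = parse_ehlo(s.ehlo()[1])
    with smtplib.SMTP_SSL(host, 465, context=ctx, timeout=10) as s:  # wrapper mode
        caps_wrapper = parse_ehlo(s.ehlo()[1])
    findings = auth_policy_findings(caps_plain, caps_tls)
    if "AUTH" not in caps_wrapper:
        findings.append("AUTH not offered on the wrapper-mode port 465")
    return {"plain": caps_plain, "tls": caps_tls, "wrapper": caps_wrapper,
            "findings": findings}

if __name__ == "__main__":
    print(probe(sys.argv[1] if len(sys.argv) > 1 else HOST))
```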