Enabling TLS in Postfix

diegoweb · May 28, 2020, 9:43pm

Hey guys!

I’m facing some issues to set up TLS in Postfix. With my current config I can set up a mailbox in Outlook, for example, using Port 465 with SSL/TLS selected. But if I try 587 I can only get it to work if I select STARTTLS.

And when I try to use Gmail to connect to this same mailbox using 587 port, I get this:

While using 465 with either SSL or TLS selected, I get this:

This is my main.cf file:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks,    permit_sasl_authenticated,    reject_invalid_hostname,    reject_unauth_pipelining,    reject_unauth_destination,    ,    check_client_access hash:/etc/postfix/rbl_override,    reject_rhsbl_helo dbl.spamhaus.org,    reject_rhsbl_reverse_client dbl.spamhaus.org,    reject_rhsbl_sender dbl.spamhaus.org,    permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3],    permit_dnswl_client dnswl.spfbl.net,    reject_rbl_client zen.spamhaus.org,    reject_rbl_client b.barracudacentral.org,    reject_rbl_client cbl.abuseat.org,    reject_rbl_client bl.spamcop.net,    reject_rbl_client dnsbl.spfbl.net
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtp_tls_cert_file = /etc/postfix/postfix.cert.pem
smtp_tls_key_file = /etc/postfix/postfix.key.pem
smtp_tls_CAfile = /etc/postfix/postfix.ca.pem
mailbox_size_limit = 0
allow_percent_hack = no
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891,local:/run/milter-greylist/milter-greylist.sock
non_smtpd_milters = inet:localhost:8891,local:/run/milter-greylist/milter-greylist.sock
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_protocols=!SSLv2,!SSLv3
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
message_size_limit = 104857600
header_size_limit = 104857600
smtpd_client_restrictions = reject_unknown_reverse_client_hostname permit_mynetworks permit_inet_interfaces
smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated reject_unknown_reverse_client_hostname reject_unknown_client_hostname reject_unknown_sender_domain
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated check_helo_access hash:/etc/postfix/helo_access reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

And this is my master.cf:
smtp inet n - n - - smtpd
-o smtpd_tls_auth_only=yes
submission inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
-o milter_macro_daemon_name=ORIGINATING

This is my mail.log when I try a connection using 587 SSL/TLS
May 27 15:51:07 ns1 dovecot: imap-login: Login: user=teste@mydomain.com, method=PLAIN, rip=my-ip, lip=server-ip, mpid=10100, TLS, session=
May 27 15:51:07 ns1 dovecot: imap(teste@mydomain.com): Connection closed (IDLE running for 0.001 + waiting input for 0.001 secs, 2 B in + 10+10 B out, state=wait-input) in=11 out=380
May 27 15:51:07 ns1 postfix/smtpd[10104]: warning: database /etc/postfix/rbl_override.db is older than source file /etc/postfix/rbl_override
May 27 15:51:09 ns1 postfix/smtpd[10104]: warning: hostname my-ip.user.myisp.com.br does not resolve to address my-ip: Name or service not known
May 27 15:51:09 ns1 postfix/smtpd[10104]: connect from unknown[my-ip]
May 27 15:51:09 ns1 milter-greylist: smfi_getsymval failed for {daemon_port}, using default smtp port
May 27 15:51:09 ns1 postfix/smtpd[10104]: lost connection after UNKNOWN from unknown[my-ip]
May 27 15:51:09 ns1 postfix/smtpd[10104]: disconnect from unknown[my-ip]

But there’s no log when I try to connect using Gmail webmail.
This is probably due to a reject_invalid_hostname, but I had to do this to prevent massive spam that my server was getting. But I can’t understand why Gmail doesn’t log to my mail.log so I can identify the problem.

All related ports are open in my firewall CSF (25,465,587).
Everything else is working (I can receive mails encrypted, I can send mails if I use Starttls or localhost using webmail, etc), this is the only issue I’m facing related to mail.

Can someone help me figure it out?
I’ve posted this in “ISSUES” as well, but got no answers there =/

Thanks!

unborn · May 29, 2020, 12:11pm

hi @diegoweb well perhaps you should start to look at your firewall… is the port open? then - follow error messages from your google or server… also please read messages - the error ones…

basically plain ? - think about it again.

well perhaps speaking for my self - you aint understand the errors you getting it or you did not read them at all. Anyway and any how, I think your server works as it should be, you need to look at your own settings… encryption != plain text. - and to be honest gmail is not a part of virtualmin… your issue is between chair and keyboard sort of speaking (no offence).

Fix is right in those error msgs… sit back, have cup of tea and think again.

Joe · May 29, 2020, 5:35pm

method=PLAIN is correct. There is no hash compatible between system users and SMTP authentication methods. But, if SSL or TLS or STARTTLS are working, it’s no problem as the password will be encrypted over the wire.

diegoweb · May 29, 2020, 9:29pm

Actually plain is set because it’s starting the connection in STARTTLS. The password should get encrypted, and every tutorial says to keep PLAIN enable, because some devices may not work with encryption.

But thank you very much for your help anyways, no offense. We are all growing up and learning more, I hope we can agree with that

yeah, that’s what I as expecting (at least from what I’ve read).

Well, I just got the answer I needed with Ilia.
I didn’t know Google didn’t fallback to IPv4 if the IPv6 connection didn’t work as expected. And for some reason (I think it was because of spammers) I disabled ipv6 in Postfix.
I just enabled to all interfaces in inet_protocols and openned the respective ports in my firewall. Working great now with Google

But I still can’t connect using Outlook if I select SSL/TLS in Port 465/587. I need to use STARTTLS.
Does anyone know the reason for that?

Thank you guys!

system · June 28, 2020, 9:29pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.