PostFix SSL issue

enginama · March 12, 2016, 9:23pm

I have postfix setup and recently added SSL Cert.
I am trying to force outgoing emails to use TLS.
I am using client Thunderbird,settings
port 465
Use SSL/TLS
Authentication Use Normal Password

The emails go but are not encrypted (I can tell as sending the email to a gmail account -gmail tells you if it’s encrypted or not).

TLS section of postfix/main.cf:

TLS parameters

smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem

Comment: removed smtpd_use_tls = yes and replaced with smtpd_tls_security_level=encrypt

smtpd_tls_security_level=encrypt

smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

Checked Mail.log/Mail.err/mail.warn and nothing jumps out as an error in not being able to encrypt

Any suggestions on what I can do to find the cause?

No_Expert · March 24, 2016, 10:07pm

Hi,

I have the exact same issue.
Did you ever resolve this?

Thanks

enginama · March 29, 2016, 3:26pm

Nope. Sounds like a bug then.

Eric · March 29, 2016, 3:46pm

Howdy,

It doesn’t sound like you’re seeing a bug, just a Postfix configuration issue there.

What is the output of the command “postconf -n”?

-Eric

enginama · April 1, 2016, 4:18pm


postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_sender_restrictions
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_client_restrictions
postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_helo_restrictions
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_percent_hack = no
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
home_mailbox = Maildir/
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
milter_default_action = accept
milter_protocol = 2
mydestination = server, localhost.domain.net, localhost
mydomain = domain.net
myhostname = my.domain.net
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = inet:localhost:8891
readme_directory = no
recipient_delimiter = +
sender_bcc_maps = hash:/etc/postfix/bcc
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_milters = inet:localhost:8891
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination permit_inet_interfaces
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sender_restrictions = reject_unlisted_sender
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_loglevel = 2
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtual

enginama · May 11, 2016, 9:05pm

This is still an open issue for me. I posted postconf -n results to here and the forum question, but no response.
Having to keep unsecure information out of server emails until I can get this resolved.