Hi all,

I'm struggling with smtpd_tls_security_level = encrypt.

I have a postfix installation/configuration with smtpd_tls_security_level = may and public (letsencrypt) certificates that has been running nicely for years. Postfix offers STARTTLS upon connections from incoming smtp servers, and a good part of them (all the relevant ones) use it to upgrade to TLS. This works fine. After checking the logs, I found that 99% of the non-TLS connections are SPAM attempts that get sorted out anyway, so I decided it might be a good idea to enforce TLS, to avoid unencrypted email transfers at all (I might be wrong). So I set smtpd_tls_security_level = encrypt.

However, with encrypt, all connection attempts fail, also those that had upgraded to TLS when smtpd_tls_security_level was set to may. I did a tcpdump and found that client and server start establishing a STARTTLS sequence, but the server suddenly stops the process and returns the following error message to the sender by email:

host 127.0.0.1[127.0.0.1] said: 530 5.7.0 id=2060811-04 - Rejected by next-hop MTA on relaying, from MTA(smtp:[127.0.0.1]:10025): 530 5.7.0 Must issue a STARTTLS command first (in reply to end of DATA command)

---

S: 220 smtp.******* - Nice to meet you!
C: EHLO vimdzmsp-sfwd06.*******
S: 250-smtp.******* | PIPELINING | SIZE 102400000 | ETRN | STARTTLS | ENHANCEDSTATUSCODES | 8BITMIME | DSN | SMTPUTF8 | CHUNKING
C: STARTTLS
S: 220 2.0.0 Ready to start TLS
TLSv1.2 357 Client Hello
TLSv1.2 2964 Server Hello, Certificate
TLSv1.2 227 Server Key Exchange, Server Hello Done
TLSv1.2 194 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
TLSv1.2 294 New Session Ticket, Change Cipher Spec, Encrypted Handshake Message

After this, 12 application data packages are exchanged in both directions (with the corresponding SYN and ACKs):

TLSv1.2 130 Application Data

(I have not yet been able to decrypt them in wireshark, although I gave wireshark access to the priv.key.) After the 12th application data package sent from S to C, C responds with an ACK and the communication stops. About 30 seconds later, S sends an "Undelivered Mail Returned to Sender" email back to C.

-- This is where I don't understand what's going on.

Regarding my setup, I need to mention that S acts as a relay smtp proxy, forwarding incoming messages to an smtp server in a LAN. On this connection leg (S -> LAN S), STARTTLS is used and connections are encrypted. As written above, this has been working for years.

Now, from what I see, I got the impression that from C to S the TLS handshake has worked and data has been transferred, as according to the error message in the email, C has received an "end of DATA command". Also, if the data transfer between C and S hadn't worked, there wouldn't have been any necessity for S to send an email to C, as C would have known that the email delivery between C and S hasn't worked (so error handling would be a part of the smtp protocol and S would be obliged to handle transmission errors). In the email message, the error refers to the "next hop" as the rejecting party. Wouldn't the next hop be the LAN smtp server?

However, I can't see any indication that postfix (a) has successfully received the message from C, nor that it has been trying to transfer it to the LAN MTA (nothing related in the logs on both servers). I'm not able to put the pieces together atm to get a clear picture of where or what the problem is. I will go on investigating, but would be happy if someone who has an idea of what could be wrong could point me in the right direction.

Thanks a lot and enjoy the weekend
Mark

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
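Added illustration (not part of the post above, and not the author's configuration): the bounce quotes a next-hop MTA at 127.0.0.1:10025 answering "530 5.7.0 Must issue a STARTTLS command first". That is the reply a Postfix smtpd gives when smtpd_tls_security_level = encrypt is in force and the client sends mail without STARTTLS. A main.cf setting applies to every smtpd instance defined in master.cf, including a loopback listener used to re-inject mail coming back from a content filter, and such re-injection normally happens in plaintext on localhost. The fragment below assumes a filter re-injection service on 127.0.0.1:10025 (an assumption; the post does not show master.cf) and shows how a per-service override keeps TLS enforcement on the public port while exempting the loopback listener. The S -> LAN leg is governed by the client-side smtp_tls_* parameters, which are separate from smtpd_*.

```conf
# main.cf (assumed): TLS is mandatory on the public smtpd listener
smtpd_tls_security_level = encrypt
smtpd_tls_cert_file = /path/to/fullchain.pem   # placeholder path
smtpd_tls_key_file  = /path/to/privkey.pem     # placeholder path
# Outbound leg to the LAN MTA is the smtp client, not smtpd:
smtp_tls_security_level = encrypt

# master.cf (assumed): loopback listener that accepts re-injected mail
# from a content filter. Without the override on the first -o line it
# inherits "encrypt" from main.cf and rejects the plaintext hand-off with
# "530 5.7.0 Must issue a STARTTLS command first".
127.0.0.1:10025 inet n - n - - smtpd
  -o smtpd_tls_security_level=none
  -o content_filter=
  -o mynetworks=127.0.0.0/8
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
```

To confirm which value each listener actually uses, `postconf -P` prints the master.cf per-service overrides (service/type/parameter = value) and `postconf -n` the non-default main.cf values; a listener that does not appear in the `-P` output for smtpd_tls_security_level is running with the main.cf value. Restricting the loopback service to mynetworks=127.0.0.0/8 keeps the exemption from becoming an unauthenticated plaintext entry point.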