On Sat, Sep 07, 2024 at 03:22:21PM +0200, hostmaster--- via Postfix-users wrote:
> So I set smtpd_tls_security_level = encrypt. However, with encrypt,
> all connection attempts fail, also those that have upgraded to TLS
> when smtpd_tls_security_level was set to may.
>
> I did a tcpdump and found that client and server are starting to establish a
> STARTTLS sequence but the server suddenly stops the process and returns the
> following error message to the sender by email:
>
> host 127.0.0.1[127.0.0.1] said: 530 5.7.0 id=2060811-04 -
> Rejected by next-hop MTA on relaying, from
> MTA(smtp:[127.0.0.1]:10025): 530 5.7.0 Must issue a STARTTLS
> command first (in reply to end of DATA command)

This is completely expected, because setting smtpd_tls_security_level = encrypt
affects not only the public internet-facing port 25 service, but also the
internal loopback SMTP (port 10025) service that receives messages that pass
through the content (or proxy) filter, but the filter DOES NOT use TLS, and
its attempts to deliver filtered mail are rejected.

Don't set smtpd_tls_security_level = encrypt in main.cf. Instead use a
master.cf override for just the port 25 service:

    smtp      inet  n       -       n       -       -       smtpd
        -o smtpd_tls_security_level=encrypt

-- 
Viktor.

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
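An added example, not part of Viktor's reply or of Postfix itself: a small Python lint that reads main.cf and master.cf text and reports the misconfiguration described above (a global "encrypt" that the loopback post-filter smtpd inherits) while accepting the recommended per-service override. The sample configs are constructed, and treating every loopback-bound smtpd service as a filter re-injection port is an assumption of the check.

```python
# Lint for the advice above: "encrypt" belongs on the public port-25 smtpd
# as a master.cf "-o" override, not in main.cf, where a loopback post-filter
# smtpd (fed by a content filter that does not use TLS) would inherit it.
# Constructed sample configs, not taken from the original post.
MAIN_CF_BAD = "smtpd_tls_security_level = encrypt\n"
MAIN_CF_GOOD = "smtpd_tls_security_level = may\n"
MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
"""

def parse_main_cf(text):
    """Return {name: value} for the 'name = value' lines of main.cf."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, _, value = line.partition("=")
            params[name.strip()] = value.strip()
    return params

def parse_master_cf(text):
    """Return [(service, type, command, {param: value})] from master.cf."""
    services = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split()
        if line[0].isspace():  # indented continuation: '-o param=value' overrides
            for i, tok in enumerate(fields[:-1]):
                if tok == "-o":
                    name, _, value = fields[i + 1].partition("=")
                    services[-1][3][name] = value
        else:                  # service line: name type private ... command
            services.append((fields[0], fields[1], fields[7], {}))
    return services

def tls_findings(main_cf, master_cf):
    """Flag a global encrypt and any loopback smtpd (assumed: filter re-injection) that would require TLS."""
    findings = []
    global_level = parse_main_cf(main_cf).get("smtpd_tls_security_level", "none")
    if global_level == "encrypt":
        findings.append("main.cf: smtpd_tls_security_level=encrypt applies to every smtpd")
    for name, typ, cmd, opts in parse_master_cf(master_cf):
        loopback = name.startswith(("127.", "[::1]", "localhost:"))
        level = opts.get("smtpd_tls_security_level", global_level)
        if typ == "inet" and cmd == "smtpd" and loopback and level == "encrypt":
            findings.append(f"{name}: loopback smtpd would demand STARTTLS from the filter")
    return findings
```

With MAIN_CF_BAD the lint reports both the global setting and the 127.0.0.1:10025 service; with MAIN_CF_GOOD plus the master.cf override it reports nothing.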
> So I set smtpd_tls_security_level = encrypt. However, with encrypt, > all connection attempts fails, also those that have upgraded to TLS > when smtpd_tls_security_level was set to may. > > I did a tcpdump and found that client and server are starting establishing a > STARTTLS sequence but the server suddenly stops the process and returns the > following error message to the sender by email: > > host 127.0.0.1[127.0.0.1] said: 530 5.7.0 id=2060811-04 - > Rejected by next-hop MTA on relaying, from > MTA(smtp:[127.0.0.1]:10025): 530 5.7.0 Must issue a STARTTLS > command first (in reply to end of DATA command) This is completely expected, because setting smtpd_tls_security_level = encrypt affects not only the public internet-facing port 25 service, but also the internal loopback SMTP (port 10025) service that receives messages that pass through the content (or proxy) filter, but the filter DOES NOT use TLS, and its attempts to deliver filtered mail are rejected. Don't set smtpd_tls_security_level = encrypt in main.cf. Instead use a master.cf override for just the port 25 service: smtp inet n - n - - smtpd -o smtpd_tls_security_level=encrypt -- Viktor. _______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org