Thanks Viktor, that was the right direction. 

I actually didn't configure smtpd_tls_security_level = encrypt in main.cf
but in master.cf; however, not at the right place:

127.0.0.1:10025 inet    n       -       -       -       -       smtpd
                ....
                -o smtpd_tls_security_level=encrypt

Setting 

smtp      inet  n       -       -       -       -       smtpd
                -o smtpd_tls_security_level=encrypt

and

127.0.0.1:10025 inet    n       -       -       -       -       smtpd
                ....
                -o smtpd_tls_security_level=may

seems to work fine now. I checked all legs in the logs and with tcpdumps, and
everything looks fine.

As a next step I will also try to force outgoing encryption. 

Again, thanks a lot for your support!
Mark


-----Original Message-----
From: Viktor Dukhovni via Postfix-users [mailto:postfix-users@postfix.org]
Sent: Saturday, 7 September 2024 17:10
To: postfix-users@postfix.org
Subject: [pfx] Re: struggling with smtpd_tls_security_level = encrypt - 5.7.0 Must issue a STARTTLS command first

On Sat, Sep 07, 2024 at 03:22:21PM +0200, hostmaster--- via Postfix-users wrote:

> So I set smtpd_tls_security_level = encrypt. However, with encrypt,
> all connection attempts fail, also those that had upgraded to TLS
> when smtpd_tls_security_level was set to may.
>
> I did a tcpdump and found that client and server start establishing a
> STARTTLS sequence, but the server suddenly stops the process and returns the
> following error message to the sender by email:
>
> host 127.0.0.1[127.0.0.1] said: 530 5.7.0 id=2060811-04 -
>     Rejected by next-hop MTA on relaying, from
>     MTA(smtp:[127.0.0.1]:10025): 530 5.7.0 Must issue a STARTTLS
>     command first (in reply to end of DATA command)

This is completely expected, because setting

    smtpd_tls_security_level = encrypt

affects not only the public internet-facing port 25 service, but also
the internal loopback SMTP (port 10025) service that receives messages
that pass through the content (or proxy) filter, but the filter DOES NOT
use TLS, and its attempts to deliver filtered mail are rejected.

Don't set

    smtpd_tls_security_level = encrypt

in main.cf.  Instead use a master.cf override for just the port 25
service:

    smtp       inet  n       -       n       -       -       smtpd
        -o smtpd_tls_security_level=encrypt

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

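Added example, not code from this thread or from Postfix itself: a small parser for master.cf "-o" overrides that works out the effective smtpd_tls_security_level of every smtpd service and flags any loopback re-injection service that would require TLS (the misconfiguration discussed above). It assumes a constructed master.cf excerpt modelled on the two entries in the thread and a constructed main.cf default of "may".

```python
"""Check which Postfix smtpd services end up requiring TLS once
master.cf -o overrides are applied (constructed example, not from the thread)."""
import re

# Constructed master.cf excerpt: port 25 enforces TLS, the loopback
# re-injection service (content filter return path) only offers it.
MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
    -o smtpd_tls_security_level=encrypt
127.0.0.1:10025 inet n  -       n       -       -       smtpd
    -o content_filter=
    -o smtpd_tls_security_level=may
"""

def parse_master_cf(text):
    """Return {'name/type': (command, {param: value})} for each service."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue                       # skip blank and comment lines
        if line[0].isspace() and entries:
            entries[-1] += ' ' + line.strip()   # fold continuation line
        else:
            entries.append(line.strip())
    services = {}
    for entry in entries:
        f = entry.split()
        args, overrides = f[8:], {}        # 8 fixed columns, then command args
        for i, tok in enumerate(args[:-1]):
            if tok == '-o' and '=' in args[i + 1]:
                key, value = args[i + 1].split('=', 1)
                overrides[key] = value
        services[f'{f[0]}/{f[1]}'] = (f[7], overrides)
    return services

def effective_tls_levels(services, main_cf_level='may'):
    """smtpd_tls_security_level per smtpd service: the -o override if
    present, else the main.cf value (constructed default 'may')."""
    return {svc: ov.get('smtpd_tls_security_level', main_cf_level)
            for svc, (cmd, ov) in services.items() if cmd == 'smtpd'}

def loopback_encrypt_problems(levels):
    """Loopback smtpd services set to 'encrypt' would reject the content
    filter's cleartext re-injection ('530 Must issue a STARTTLS command
    first'); return their names so the override can be corrected."""
    return sorted(svc for svc, lvl in levels.items()
                  if re.match(r'(127\.0\.0\.1|\[::1\]|localhost):', svc)
                  and lvl == 'encrypt')
```

Feeding the parser a master.cf with no overrides and main_cf_level='encrypt' reproduces the rejected loopback service from the original report, while the excerpt above yields no problems.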