Hi,
I recently received an email with a `TLS-Required: no` header that got
stuck in the queue instead of being delivered to my LMTP server. After
looking into it, I realized that the default `yes` value of
`tls_required_enable` meant that Postfix was downgrading the
`lmtp_tls_security_level = fingerprint` in my config file to `may`,
which broke the LMTP connection entirely because it uses
`lmtp_tls_wrappermode = yes`. Adding `tls_required_enable = no` to my
config fixed it.
It looks like Postfix is behaving exactly as documented here, but is
this the expected behavior? At a glance, it looks like TLS-Required is
designed around using TLS when contacting an MX that somebody else owns,
not around using TLS in internal infrastructure like LMTP. I'm not sure
what if anything should be changed, but it just seemed strange to me
that a header in an incoming email could break the connection from my MX
to my LMTP server. And maybe this email will help anybody else who runs
into this in the future.
Side note: while I found this issue with lmtp_tls_wrappermode, I'm
guessing something similar could happen with smtp_tls_wrappermode in
setups that use a relay host for all outgoing emails.
Relevant lines from main.cf:
compatibility_level = 3.6
virtual_transport = lmtp:inet:REDACTED
lmtp_tls_wrappermode = yes
lmtp_tls_security_level = fingerprint
Log lines from a failed delivery attempt; note the "relay=none":
Oct 30 20:33:28 mail-inbound-119b7863 postfix-inbound/qmgr[15646]:
4cyFfv6Tdcz1t: from=<REDACTED>, size=11406, nrcpt=1 (queue active)
Oct 30 20:33:28 mail-inbound-119b7863 postfix-inbound/lmtp[15765]:
warning: lmtp_tls_wrappermode requires "lmtp_tls_security_level =
encrypt" (or stronger)
Oct 30 20:33:28 mail-inbound-119b7863 postfix-inbound/lmtp[15765]:
warning: lmtp_tls_wrappermode requires "lmtp_tls_security_level =
encrypt" (or stronger)
Oct 30 20:33:28 mail-inbound-119b7863 postfix-inbound/lmtp[15765]:
4cyFfv6Tdcz1t: to=<[email protected]>, relay=none, delay=106722,
delays=106722/0.02/0/0, dsn=4.3.0, status=deferred (server unavailable
or unable to receive mail)
The additional log lines with `lmtp -v` in master.cf that helped me
figure out what was happening:
Oct 30 20:40:13 mail-inbound-119b7863 postfix-inbound/lmtp[16018]:
global TLS level: fingerprint
Oct 30 20:40:13 mail-inbound-119b7863 postfix-inbound/lmtp[16018]:
policy_create: no tls policy lookup
Oct 30 20:40:13 mail-inbound-119b7863 postfix-inbound/lmtp[16018]:
effective TLS level: may
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
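Added example, not part of the post above and not Postfix code: a small lint that reads main.cf and flags the combination described there, a wrappermode client (smtp or lmtp) whose security level a "TLS-Required: no" header could lower to "may" while tls_required_enable is left at its default. The built-in defaults and the set of levels counted as "encrypt or stronger" are assumptions taken from the post and the Postfix documentation, not read from a live postconf.

```python
import re

# Assumed Postfix built-in defaults (tls_required_enable defaults to yes).
DEFAULTS = {"tls_required_enable": "yes",
            "smtp_tls_wrappermode": "no", "lmtp_tls_wrappermode": "no",
            "smtp_tls_security_level": "", "lmtp_tls_security_level": ""}
# Assumed set of levels that satisfy wrappermode's "encrypt or stronger".
STRONG_LEVELS = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}

def parse_main_cf(text):
    """Parse 'key = value' lines; indented lines continue the previous value."""
    params, key = dict(DEFAULTS), None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and key:  # continuation of the previous parameter
            params[key] = (params[key] + " " + raw.strip()).strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            key = m.group(1)
            params[key] = m.group(2).strip()
    return params

def check_tls_required(params):
    """Return findings; an empty list means wrappermode cannot be downgraded."""
    findings = []
    for client in ("smtp", "lmtp"):
        if params[f"{client}_tls_wrappermode"].lower() != "yes":
            continue
        level = params[f"{client}_tls_security_level"].lower()
        if level not in STRONG_LEVELS:  # the warning Postfix itself logs
            findings.append(f"{client}: wrappermode needs 'encrypt' or stronger, "
                            f"got {level or '(empty)'}")
        elif params["tls_required_enable"].lower() == "yes":
            findings.append(f"{client}: a 'TLS-Required: no' header can lower "
                            f"{level} to 'may' and break wrappermode; "
                            f"set tls_required_enable = no")
    return findings

# Constructed sample reproducing the reporter's relevant main.cf lines.
SAMPLE_MAIN_CF = """compatibility_level = 3.6
virtual_transport = lmtp:inet:REDACTED
lmtp_tls_wrappermode = yes
lmtp_tls_security_level = fingerprint
"""

if __name__ == "__main__":
    for finding in check_tls_required(parse_main_cf(SAMPLE_MAIN_CF)):
        print(finding)
```

Pointing it at a real file is `check_tls_required(parse_main_cf(open("/etc/postfix/main.cf").read()))`; it does not evaluate `$variable` references, so a level set indirectly is reported as written.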