On Sat, Jun 15, 2013 at 01:57:12AM +0200, Nabil Alsharif wrote:
> I just setup postfix on my server but I'm having a problem with 
> TLS. I have TLS configured, there are no errors in the log, but
> the server does not announce TLS support. Here is the 
> relevant output from 'postconf -n', the full output is at the
> end of the message:
> 
> smtp_tls_note_starttls_offer = yes
> smtp_use_tls = yes

smtp_* settings control smtp(8), the SMTP client, so no, those are 
not relevant to the server's failure to announce STARTTLS. (Also, 
smtp_use_tls is deprecated, superseded by smtp_tls_security_level.)

> smtpd_banner = $myhostname ESMTP
> smtpd_recipient_restrictions = permit_mynetworks
> reject_unauth_destination

Those aren't relevant either. (I'd suggest leaving the default 
$smtpd_banner setting, however.)

> smtpd_tls_CAfile = /etc/pki/dovecot/certs/dovecot.pem
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
> smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem

I'm no OpenSSL expert, but I'm pretty sure it's wrong to have your 
own server certificate and key in the same file with your CAs. See
TLS_README.html#server_tls for basic server TLS settings.

> smtpd_tls_loglevel = 1
> smtpd_tls_security_level = encrypt

What? Do you understand what this means? It's not suitable for an 
Internet mail exchanger, because many sites will not use TLS (TLS 
isn't required for mail service.)

> smtpd_use_tls = yes

Deprecated, superseded by smtpd_tls_security_level.

> Like I said, the server does not announce STARTTLS:

What you showed us should have announced STARTTLS. I would guess the 
problem is related to the single file certificate+key+CAs. Since you 
mentioned upthread that no errors are logged, check your syslogd (try 
restarting it.) These errors would be logged.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
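
As an added example (not part of the original thread or of Postfix itself), a small POSIX shell script for the two checks the reply above suggests: whether an EHLO response actually advertises STARTTLS, and what a single PEM file such as the thread's dovecot.pem contains (how many certificate blocks, how many private keys). The EHLO replies below are constructed samples, and mail.example.org is a placeholder host.

```shell
#!/bin/sh
# Added example for the postfix-users thread above; not code from the thread.
# Against a live server, feed ehlo_offers_starttls with real output, e.g.:
#   printf 'EHLO test.example\r\nQUIT\r\n' | nc -w 3 mail.example.org 25 | ehlo_offers_starttls
# (mail.example.org is a placeholder.)

# Return 0 if the EHLO reply on stdin advertises STARTTLS, 1 otherwise.
# Postfix emits "250-STARTTLS" mid-list or "250 STARTTLS" as the final line;
# [[:space:]]* tolerates a trailing CR from a raw SMTP capture.
ehlo_offers_starttls() {
    grep -Eq '^250[- ]STARTTLS[[:space:]]*$'
}

# Print how many certificate and private-key blocks a PEM file holds, so a
# combined cert+key+CA file (as in the thread) is visible at a glance.
# "|| true" keeps a zero count from aborting a script running under set -e.
pem_summary() {
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    keys=$(grep -cE -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1" || true)
    echo "certificates=$certs private_keys=$keys"
}

# Constructed sample EHLO responses (not real server output).
WITH_TLS='250-mail.example.org
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250 8BITMIME'
WITHOUT_TLS='250-mail.example.org
250-PIPELINING
250 8BITMIME'

# Run with "demo" as the first argument to see both checks on the samples.
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$WITH_TLS" | ehlo_offers_starttls && echo "sample 1: STARTTLS offered"
    printf '%s\n' "$WITHOUT_TLS" | ehlo_offers_starttls || echo "sample 2: STARTTLS not offered"
    pem_summary /etc/pki/dovecot/certs/dovecot.pem 2>/dev/null || echo "dovecot.pem not readable here"
fi
```

If the EHLO check says STARTTLS is missing while postconf -n shows smtpd_tls_security_level set, the usual cause is a certificate or key file smtpd(8) cannot load, which it reports via syslog at startup or at the first connection; that is why the reply above points at the logging setup. For an Internet-facing MX, TLS_README's server_tls section recommends smtpd_tls_security_level = may (opportunistic) rather than encrypt, with the server certificate, its key, and any CA certificates referenced by the separate smtpd_tls_cert_file, smtpd_tls_key_file and smtpd_tls_CAfile settings.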