Creating a separate hash file with the following content solved my
issue, but doing the same for all domains will not be an acceptable solution ...

In case any other solution exists which I may be missing, just let me know.


smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

gmail.com encrypt
.gmail.com encrypt




On Sat, Feb 13, 2016 at 6:12 PM, Wietse Venema <wie...@porcupine.org> wrote:

> Christian Kivalo:
> >
> >
> > On 13 February 2016 11:10:25 CET, Joy <pj.netfil...@gmail.com> wrote:
> > >May I know how I can force Postfix to use TLS if the remote MTA advertises
> > >STARTTLS on port 25 to connect to the remote server?
> > >
> > >I am already using TLS, and connecting from Outlook is working perfectly,
> > >but when sending mail to Google it now says TLS fail.
> > Take a look at http://www.postfix.org/DEBUG_README.html#mail and
> > provide all necessary information
> >
> > At least postconf -n / postconf -Mf and log output of the TLS fail to
> > google
>
> Indeed. google.com MX hosts support STARTTLS on port 25. If you
> must verify certificates issued from third-party issuers, see:
>
> http://www.postfix.org/postconf.5.html#tls_append_default_CA
>
>     Wietse
>
> $ posttls-finger google.com
> posttls-finger: Connected to aspmx.l.google.com[2607:f8b0:400d:c07::1b]:25
> posttls-finger: < 220 mx.google.com ESMTP 207si21470864qhw.106 - gsmtp
> posttls-finger: > EHLO tail.porcupine.org
> posttls-finger: < 250-mx.google.com at your service, [2604:8d00:189::3]
> posttls-finger: < 250-SIZE 35882577
> posttls-finger: < 250-8BITMIME
> posttls-finger: < 250-STARTTLS
> posttls-finger: < 250-ENHANCEDSTATUSCODES
> posttls-finger: < 250-PIPELINING
> posttls-finger: < 250-CHUNKING
> posttls-finger: < 250 SMTPUTF8
> posttls-finger: > STARTTLS
> posttls-finger: < 220 2.0.0 Ready to start TLS
> ..lotsa stuff..
> posttls-finger: certificate verification failed for aspmx.l.google.com[2607:f8b0:400d:c07::1b]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> posttls-finger: aspmx.l.google.com[2607:f8b0:400d:c07::1b]:25: subject_CN=aspmx.l.google.com, issuer_CN=Google Internet Authority G2, fingerprint=17:C3:E9:B6:EB:1C:7E:BB:95:67:BE:EA:E6:48:43:90:E0:24:95:03, pkey_fingerprint=AD:4B:02:AC:67:0F:96:F3:D1:85:C9:3D:E3:A2:04:B3:9A:0F:36:17
> posttls-finger: Untrusted TLS connection established to aspmx.l.google.com[2607:f8b0:400d:c07::1b]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
> posttls-finger: > EHLO tail.porcupine.org
> posttls-finger: < 250-mx.google.com at your service, [2604:8d00:189::3]
> posttls-finger: < 250-SIZE 35882577
> posttls-finger: < 250-8BITMIME
> posttls-finger: < 250-ENHANCEDSTATUSCODES
> posttls-finger: < 250-PIPELINING
> posttls-finger: < 250-CHUNKING
> posttls-finger: < 250 SMTPUTF8
> posttls-finger: > QUIT
> posttls-finger: < 221 2.0.0 closing connection 207si21470864qhw.106 - gsmtp
>
>
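
Added example (not part of the original thread and not Postfix code): a Python parser for posttls-finger output like the transcript quoted above, reporting whether the destination offered STARTTLS and which trust status the session reached. The function name `summarize`, the result keys and the abbreviated sample input are constructed for illustration.

```python
import re

# Constructed sample: abbreviated from the posttls-finger transcript quoted above,
# with the mail-wrapped lines rejoined.
SAMPLE = """\
posttls-finger: Connected to aspmx.l.google.com[2607:f8b0:400d:c07::1b]:25
posttls-finger: < 250-STARTTLS
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: certificate verification failed for aspmx.l.google.com[2607:f8b0:400d:c07::1b]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
posttls-finger: Untrusted TLS connection established to aspmx.l.google.com[2607:f8b0:400d:c07::1b]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
"""

# Server EHLO reply line that advertises STARTTLS ("<" marks server-to-client).
OFFERED = re.compile(r"< 250[- ]STARTTLS\b")
VERIFY_FAIL = re.compile(r"certificate verification failed for \S+ (.+)")
ESTABLISHED = re.compile(
    r"(Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(\S+?): (\S+) with cipher (\S+)")


def summarize(output):
    """Summarise one posttls-finger run; wrapped lines must be rejoined first."""
    info = {"starttls_offered": False, "status": None, "peer": None,
            "protocol": None, "cipher": None, "verify_error": None}
    for line in output.splitlines():
        if OFFERED.search(line):
            info["starttls_offered"] = True
        elif (m := VERIFY_FAIL.search(line)):
            info["verify_error"] = m.group(1)
        elif (m := ESTABLISHED.search(line)):
            (info["status"], info["peer"],
             info["protocol"], info["cipher"]) = m.groups()
    # The "encrypt" level only needs an encrypted session; it does not
    # require the peer certificate to be trusted.
    info["ok_for_encrypt"] = info["status"] is not None
    # Certificate-checking levels need a trusted chain and a matching name.
    info["ok_for_verify"] = info["status"] == "Verified"
    return info


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

For the quoted transcript this reports an `Untrusted` session, which is enough for the `encrypt` policy shown at the top of the message but not for a level that checks certificates.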
