> On Mar 13, 2017, at 9:07 PM, Jeronimo L. Cabral <[email protected]> wrote:
>
> Viktor, I have to tell you that it doesn't work for me.
>
> # TLS parameters (como servidor)
> smtpd_tls_cert_file = /etc/postfix/SSL/publica.crt
> smtpd_tls_key_file = /etc/postfix/SSL/privada.pem
> smtpd_tls_security_level = may
> smtpd_tls_loglevel = 1
> smtpd_tls_auth_only = no
Much better.
> # TLS parameters (como cliente)
> smtp_tls_security_level = may
> smtp_tls_cert_file =
> smtp_tls_key_file =
> smtp_tls_loglevel = 1
> smtp_starttls_timeout = 300s
> smtp_tls_note_starttls_offer = yes
Good, but you don't need the last setting, it'll never
be used.
> mynetworks = 127.0.0.0/8 10.0.0.0/8 192.168.69.0/24 172.0.0.0/8
Change 172.0.0.0/8 to 172.16.0.0/12, only the 172.16.0.0 through 172.31.255.255
are RFC1918 private addresses, the rest of 172 is public space.
> smtpd_recipient_restrictions =
> permit_sasl_authenticated,
> permit_mynetworks,
> reject_invalid_helo_hostname,
> reject_non_fqdn_helo_hostname,
> reject_non_fqdn_sender,
> reject_unknown_recipient_domain,
> reject_unknown_sender_domain,
> reject_unauth_destination,
> reject_rbl_client zombie.dnsbl.sorbs.net,
> reject_rbl_client opm.blitzed.org,
> reject_rbl_client sbl.spamhaus.org,
> reject_rbl_client pbl.spamhaus.org,
> reject_rbl_client cbl.abuseat.org
> check_policy_service unix:private/policy
You'll want to override this in the submission entry.
Since you have 2.11, you should have in main.cf:
smtpd_relay_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination
Which lets you set "-o smtpd_recipient_restrictions="
in master.cf for the submission service. For good
measure you should also clear all four of:
smtpd_{helo,sender,data,end_of_data}_restrictions
> smtpd_hard_error_limit = 4
I would not do that.
> smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks,
> reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname,
> reject_non_fqdn_sender, reject_unknown_recipient_domain,
> reject_unknown_sender_domain, reject_unauth_destination, reject_rbl_client
> zombie.dnsbl.sorbs.net, reject_rbl_client opm.blitzed.org, reject_rbl_client
> sbl.spamhaus.org, reject_rbl_client pbl.spamhaus.org, reject_rbl_client
> cbl.abuseat.org check_policy_service unix:private/policy
This is a really bad idea, use relay restrictions *JUST* to avoid
being an open relay, put anti-spam access control in
smtpd_recipient_restrictions.
>
> submission inet n - - - - smtpd
> -o syslog_name=postfix/submission
> -o smtpd_tls_security_level=encrypt
> -o smtpd_sasl_auth_enable=yes
> -o smtpd_client_restrictions=permit_mynetworks,reject
Plus:
-o smtpd_recipient_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_data_restrictions=
-o smtpd_end_of_data_restrictions=
> -o milter_macro_daemon_name=ORIGINATING
And now to the root of your problem:
> # mailx -v -r "[email protected]" -s "TLS test" -S smtp="10.1.1.1:587" -S
> smtp-use-starttls -S ssl-verify=ignore [email protected]
>
> TYPE A MESSAGE
> .
> EOT
> Resolving host 10.1.1.1 . . . done.
> Connecting to 10.1.1.1:587 . . . connected.
> 220 relay.mycompany.com ESMTP Postfix (Debian/GNU)
> >>> EHLO HOST341
> 250-relay.mycompany.com
> 250-PIPELINING
> 250-SIZE 15240000
> 250-ETRN
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> >>> STARTTLS
> 220 2.0.0 Ready to start TLS
> Missing "nss-config-dir" variable.
> "/root/dead.letter" 11/314
> . . . message not sent.
>
> Can you help me again please???
I must say that you're not paying attention here. That
Missing nss-config-dir variable.
message should not have been ignored. Your mailx program
wants to find a certificate directory even when ignoring
certificate verification failure.
https://stackoverflow.com/questions/16799407/mailx-and-gmail-nss-config-dir
You must have seen this message all along, and should be feeling
ashamed to not have reported it before...
--
Viktor.
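Three of the points raised in this reply are easy to check mechanically: a mynetworks entry that spills outside loopback/RFC 1918 space (the 172.0.0.0/8 case), anti-spam controls placed in smtpd_relay_restrictions instead of smtpd_recipient_restrictions, and a submission entry in master.cf that does not clear the per-service restriction lists. The following is an added example, not code from the thread or from the Postfix project: a small Python lint over constructed main.cf and master.cf fragments modelled on the ones quoted above. The trusted-network list, the set of "relay-only" restrictions, and the five restriction parameters it expects the submission entry to clear (the union of the two lists given in the reply) are this example's own assumptions.

```python
"""Lint Postfix main.cf / master.cf fragments for the issues discussed above."""
import ipaddress
import re

# Constructed main.cf fragment modelled on the quoted config (not the poster's real file).
SAMPLE_MAIN_CF = """\
mynetworks = 127.0.0.0/8 10.0.0.0/8 192.168.69.0/24 172.0.0.0/8
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks,
    reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname,
    reject_unauth_destination, reject_rbl_client zombie.dnsbl.sorbs.net,
    check_policy_service unix:private/policy
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
    reject_unauth_destination
"""

# Constructed master.cf submission entry, again modelled on the quoted one.
SAMPLE_MASTER_CF = """\
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o milter_macro_daemon_name=ORIGINATING
"""

# Assumption: only loopback and RFC 1918 / ULA space belongs in mynetworks.
TRUSTED = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7")]
# Assumption: relay restrictions should decide relay permission and nothing else.
RELAY_ONLY = {"permit_mynetworks", "permit_sasl_authenticated",
              "reject_unauth_destination", "defer_unauth_destination"}
# Assumption: the submission service clears all five of these (union of the reply's lists).
REQUIRED_EMPTY = ("smtpd_recipient_restrictions", "smtpd_helo_restrictions",
                  "smtpd_sender_restrictions", "smtpd_data_restrictions",
                  "smtpd_end_of_data_restrictions")


def parse_main_cf(text):
    """Parse 'key = value' lines; a line starting with whitespace continues the previous value."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and key is not None:
            params[key] += " " + line.strip()
        else:
            k, _, v = line.partition("=")
            key = k.strip()
            params[key] = v.strip()
    return params


def split_restrictions(value):
    """Split a restriction list, keeping arguments (e.g. an RBL zone) with their restriction."""
    items = []
    for tok in re.split(r"[,\s]+", value):
        if not tok:
            continue
        if re.match(r"^(permit|reject|defer|check|warn)(_|$)", tok) or not items:
            items.append(tok)          # a restriction name starts a new item
        else:
            items[-1] += " " + tok     # anything else is an argument of the previous one
    return items


def check_mynetworks(value):
    """Return mynetworks entries that are not loopback or private address space."""
    bad = []
    for entry in value.split():
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            bad.append(entry)          # hostname or malformed entry: flag for manual review
            continue
        if not any(net.subnet_of(t) for t in TRUSTED if t.version == net.version):
            bad.append(entry)
    return bad


def check_relay_restrictions(value):
    """Return items in smtpd_relay_restrictions that are anti-spam policy, not relay control."""
    return [r for r in split_restrictions(value) if r.split()[0] not in RELAY_ONLY]


def missing_submission_overrides(master_text):
    """Return the per-service restriction parameters the submission entry fails to clear."""
    overrides, in_submission = {}, False
    for line in master_text.splitlines():
        if not line[:1].isspace():                      # a service line: first field is the name
            in_submission = line.split()[:1] == ["submission"]
            continue
        m = re.match(r"\s*-o\s+([^=]+)=(.*)", line) if in_submission else None
        if m:
            overrides[m.group(1).strip()] = m.group(2).strip()
    return [p for p in REQUIRED_EMPTY if overrides.get(p) != ""]


def lint(main_cf, master_cf):
    """Collect human-readable findings for both files."""
    params = parse_main_cf(main_cf)
    findings = [f"mynetworks: {e} is not loopback/RFC 1918 space; it is trusted to relay"
                for e in check_mynetworks(params.get("mynetworks", ""))]
    findings += [f"smtpd_relay_restrictions: '{r}' belongs in smtpd_recipient_restrictions"
                 for r in check_relay_restrictions(params.get("smtpd_relay_restrictions", ""))]
    findings += [f"master.cf submission: add '-o {p}=' to clear the main.cf value"
                 for p in missing_submission_overrides(master_cf)]
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_MAIN_CF, SAMPLE_MASTER_CF):
        print(f)
```

Run as-is it reports the 172.0.0.0/8 entry, the four non-relay items in smtpd_relay_restrictions, and the five overrides missing from the submission entry; the same functions can be pointed at the output of `postconf -n` and `postconf -M` on a real host.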