Hello list

Been using postfix for over 20 years now, though I haven't really spent much
time on the SSL end of things for it.

A few years ago I set up SSL for inbound, mainly for SASL auth sending, and that
has worked fine.

More recently I formalized this configuration even more in an attempt to
make my system more up to date, being able to send and receive with
TLS.

This is my TLS related configuration
[..]
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_CAfile = /etc/postfix/cacerts.pem
smtpd_tls_cert_file = /etc/ssl/yehat.aphroland.org/yehat.aphroland.org_2022.crt
smtpd_tls_key_file = /etc/ssl/yehat.aphroland.org/yehat.aphroland.org.key_nopass
[..]

I have verified that inbound email can come in with TLS, such as this
log entry regarding my communications with the Postfix majordomo a
short time ago:

postfix/smtpd[5797]: Anonymous TLS connection established from camomile.cloud9.net[168.100.1.3]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)

I use a cheap shit SSL provider (Comodo), and didn't have their CA
chain added to Postfix until today. I used the TLS checker on
www.checktls.com and it reports green across the board with an
overall score of 114. Cert valid, chain valid, everything looks
good.

https://www.checktls.com/TestReceiver?LEVEL=DETAIL&EMAIL=aphroland.org

What I am confused by is Postfix does not appear to be attempting
to use TLS on any outbound emails. I have tested with Gmail and
with MS Office 365. Sample tcpdump

---
220 DM6NAM10FT086.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 22 Aug 2022 20:14:33 +0000
EHLO yehat.aphroland.org
250-DM6NAM10FT086.mail.protection.outlook.com Hello [64.62.244.122]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8
MAIL FROM:<myem...@example.com> SIZE=1549
RCPT TO:<anotherem...@example2.com> ORCPT=rfc822;anotherem...@example2.com
DATA
250 2.1.0 Sender OK
250 2.1.5 Recipient OK
354 Start mail input; end with <CRLF>.<CRLF>
[..]
----

I have looked around and can't find what I may be doing wrong here. What I've read implies to me that if SSL is enabled for inbound then it should just work
for outbound(if the other side supports it). I would expect to see some
kind of error or something but it doesn't even try.

I do have a basic content filtering setup, something that dates back again
to about 20 years ago, relevant lines from Postfix master.conf:
smtp      inet  n       -       -       -       -       smtpd -o content_filter=filter:
filter unix - n n - - pipe user=filter argv=/usr/local/sbin/filter.sh -f ${sender} -- ${recipient}

That just passes email through Spamassassin and Anomy Mail Sanitizer. I
tried disabling this (changing the smtp setting back to basic by removing
the "-o content_filter=filter:"), though it seemed to have no effect; I
suspect this is unrelated to TLS on outbound. I expect that by the time the
message is in the queue to go outbound it has already passed through
the filtering, and it is not filtered again when the message is transmitted.

thanks

nate
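The configuration quoted in the post sets only smtpd_tls_* parameters, which in Postfix govern the SMTP server (inbound); the SMTP client (outbound) is governed by the separate smtp_tls_* parameters, and with smtp_tls_security_level left at its empty default the client never issues STARTTLS. As an added example that is not part of the post, the checker below parses main.cf syntax (comments, continuation lines) and reports whether opportunistic outbound TLS is actually enabled; the sample config is constructed and the function names are my own.

```python
"""Detect the inbound/outbound TLS asymmetry in a Postfix main.cf."""
import re

# Constructed sample modelled on the post: inbound TLS is configured,
# but no smtp_tls_* (client side) parameter is present.
SAMPLE_MAIN_CF = """\
# inbound (server) side only
smtpd_tls_security_level = may
smtpd_tls_CAfile = /etc/postfix/cacerts.pem
smtpd_tls_cert_file =
    /etc/ssl/example/example.crt
smtpd_tls_loglevel = 1
"""

# Values of smtp_tls_security_level that make the client offer/require TLS.
OUTBOUND_LEVELS = {"may", "encrypt", "dane", "dane-only",
                   "fingerprint", "verify", "secure"}


def parse_main_cf(text):
    """Parse 'name = value' lines; '#' lines are comments and a line
    starting with whitespace continues the previous parameter."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            current = m.group(1)
            params[current] = m.group(2).strip()
    return params


def outbound_tls_status(params):
    """Return (enabled, finding) for the Postfix SMTP client."""
    level = params.get("smtp_tls_security_level", "")
    inbound = params.get("smtpd_tls_security_level", "")
    if level in OUTBOUND_LEVELS:
        return True, "outbound TLS enabled: smtp_tls_security_level=%s" % level
    if inbound and not level:
        return False, ("inbound TLS configured (smtpd_tls_security_level=%s) but "
                       "smtp_tls_security_level is unset: the client never sends "
                       "STARTTLS" % inbound)
    return False, "outbound TLS disabled: smtp_tls_security_level=%r" % level


if __name__ == "__main__":
    print(outbound_tls_status(parse_main_cf(SAMPLE_MAIN_CF))[1])
```

Setting smtp_tls_security_level = may (plus smtp_tls_loglevel = 1 to log the outbound handshakes) is what the sample lacks.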
