On 05-02-18 13:51, Stefan Günther via Users wrote:
Hello,

we have set up a server for a client (domain: client.ag), where the external MX requires a connection on port 465 with SSL/TLS.
Therefore we added the following lines to main.cf:

relayhost = smtp.mailbox.org:465
# SMTPS wrappermode (TCP port 465) requires setting "smtp_tls_wrappermode = yes", and "smtp_tls_security_level = encrypt" (or stronger)
smtp_tls_wrappermode = yes
smtp_tls_security_level = encrypt

With these settings postfix is able to connect to the external server, but internal connections fail:

Feb  5 13:34:56 ciphermail postfix/qmgr[6260]: 0D70040AA5: from=<edif...@client.ag>, size=601, nrcpt=1 (queue active)
Feb  5 13:34:56 ciphermail postfix/smtp[6269]: SSL_connect error to 127.0.0.1[127.0.0.1]:10025: -1
Feb  5 13:34:56 ciphermail postfix/smtp[6269]: warning: TLS library problem: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
Feb  5 13:34:56 ciphermail postfix/smtp[6269]: 0D70040AA5: to=<edif...@web.de>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.14, delays=0.12/0.01/0/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)

This is the current main.cf:

djigzo_myhostname = ciphermail.client.ag
djigzo_mydestination = client.ag
djigzo_mynetworks = 127.0.0.1/32
djigzo_relayhost = smtp.mailbox.org
djigzo_relayhost_mx_lookup =
djigzo_relayhost_port = 465
djigzo_relay_domains =
djigzo_before_filter_message_size_limit = 102400000
djigzo_after_filter_message_size_limit = 102400000
djigzo_mailbox_size_limit = 102400000
djigzo_smtp_helo_name =
djigzo_relay_transport_host = 127.0.0.1
djigzo_relay_transport_host_mx_lookup =
djigzo_relay_transport_host_port = 25
djigzo_reject_unverified_recipient =
djigzo_unverified_recipient_reject_code = 450
djigzo_parent_domain_matches_subdomains =
djigzo_rbl_clients =
myhostname = ${djigzo_myhostname}
mydestination = ciphermail, $myhostname, ubuntu-2gb-nbg1-dc3-1, localhost.localdomain, localhost, ${djigzo_mydestination}
mynetworks = 127.0.0.0/8, ${djigzo_mynetworks}
relay_domains = ${djigzo_relay_domains}
parent_domain_matches_subdomains = ${djigzo_parent_domain_matches_subdomains}
smtp_helo_name = ${djigzo_smtp_helo_name?$djigzo_smtp_helo_name}${djigzo_smtp_helo_name:${myhostname}}
relay_transport = relay${djigzo_relay_transport_host?:${djigzo_relay_transport_host_mx_lookup:[}${djigzo_relay_transport_host}${djigzo_relay_transport_host_mx_lookup:]}:${djigzo_relay_transport_host_port}}
relayhost = ${djigzo_relayhost_mx_lookup:${djigzo_relayhost?[}}${djigzo_relayhost}${djigzo_relayhost_mx_lookup:${djigzo_relayhost?]}}${djigzo_relayhost?:${djigzo_relayhost_port}}
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_invalid_hostname reject_unknown_sender_domain reject_unknown_recipient_domain
     ${djigzo_rbl_clients}
     ${djigzo_reject_unverified_recipient? reject_unverified_recipient}
smtpd_discard_ehlo_keywords = silent-discard VRFY ETRN DSN
unverified_recipient_reject_code = ${djigzo_unverified_recipient_reject_code}
compatibility_level=2
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
mydomain = client.ag
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mailbox_transport =  cyrus
content_filter = djigzo:[127.0.0.1]:10025
recipient_delimiter = +
mailbox_size_limit = ${djigzo_mailbox_size_limit}
message_size_limit = ${djigzo_after_filter_message_size_limit}
inet_interfaces = all
inet_protocols = ipv4
myorigin = client.ag
smtpd_sasl_path = smtpd
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpasswd
smtp_sasl_security_options =
sender_canonical_maps = hash:/etc/postfix/sender_canonical

Which parameters do we have to change to achieve communication in both directions?

Because you changed the global values for smtp_tls_wrappermode and smtp_tls_security_level, you should override these values for the connection to the back-end.

In master.cf, add smtp_tls_wrappermode=no and smtp_tls_security_level=none to the djigzo service definition.

djigzo unix -       -       n       -       4      smtp
            -o smtp_send_xforward_command=yes
            -o disable_dns_lookups=yes
            -o smtp_generic_maps=
            -o smtp_tls_wrappermode=no
            -o smtp_tls_security_level=none

After modifying master.cf, restart postfix.

There are probably other options, like not changing the global settings but only overriding them for some destinations. See http://www.postfix.org/TLS_README.html (Postfix ≥ 3.0: Sending only mail for a specific destination via SMTPS) for some examples.

Note: the smtp_tls_wrappermode setting is only supported on Postfix >= 3.

Kind regards,

Martijn Brinkers

--
CipherMail email encryption

Email encryption with support for S/MIME, OpenPGP, PDF encryption and
secure webmail pull.

https://www.ciphermail.com

Twitter: http://twitter.com/CipherMail
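The misconfiguration in this thread is easy to reintroduce: a global smtp_tls_wrappermode=yes or a mandatory smtp_tls_security_level silently applies to every smtp(8) client service, including the plaintext loopback hop to the content filter, unless that master.cf service overrides it. The following is an added example (not from the thread, CipherMail or Postfix) that lints a main.cf/master.cf pair for exactly that; the sample files are constructed to mirror the configuration quoted above.

```python
# Added example: lint main.cf/master.cf for TLS settings that break the content_filter hop.
import re

def parse_main_cf(text):
    """main.cf: 'key = value'; a line starting with whitespace continues the previous value."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and key:
            params[key] += " " + line.strip()
        else:
            key, _, value = line.partition("=")
            key = key.strip()
            params[key] = value.strip()
    return params

def parse_master_cf(text):
    """master.cf: 8-field service lines; indented '-o name=value' lines are per-service overrides."""
    services, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and name:
            m = re.match(r"\s*-o\s+([^=\s]+)=(\S*)", line)
            if m:
                services[name]["overrides"][m.group(1)] = m.group(2)
        else:
            fields = line.split()
            name = fields[0]
            services[name] = {"command": fields[7], "overrides": {}}
    return services

# smtp_tls_security_level values that make TLS mandatory and so fail against a plaintext filter.
MANDATORY_LEVELS = ("encrypt", "dane-only", "fingerprint", "verify", "secure")

def filter_tls_findings(main_cf, master_cf):
    """Return the effective TLS settings on the content_filter service that force TLS on that hop."""
    params, services = parse_main_cf(main_cf), parse_master_cf(master_cf)
    transport, _, nexthop = params.get("content_filter", "").partition(":")
    svc = services.get(transport)
    if not svc or svc["command"] != "smtp":
        return []  # not an smtp(8) client service, nothing to inherit
    findings = []
    for name, bad in (("smtp_tls_wrappermode", ("yes",)), ("smtp_tls_security_level", MANDATORY_LEVELS)):
        effective = svc["overrides"].get(name, params.get(name, ""))  # -o override wins over main.cf
        if effective in bad:
            findings.append(f"{transport} -> {nexthop}: {name}={effective}")
    return findings

# Constructed sample input mirroring the thread, not the poster's actual files.
MAIN_CF = "content_filter = djigzo:[127.0.0.1]:10025\nrelayhost = smtp.mailbox.org:465\nsmtp_tls_wrappermode = yes\nsmtp_tls_security_level = encrypt\n"
MASTER_BEFORE = "djigzo unix - - n - 4 smtp\n  -o smtp_send_xforward_command=yes\n  -o disable_dns_lookups=yes\n  -o smtp_generic_maps=\n"
MASTER_AFTER = MASTER_BEFORE + "  -o smtp_tls_wrappermode=no\n  -o smtp_tls_security_level=none\n"

if __name__ == "__main__":
    print(filter_tls_findings(MAIN_CF, MASTER_BEFORE))  # 2 findings: wrappermode=yes, security_level=encrypt
    print(filter_tls_findings(MAIN_CF, MASTER_AFTER))   # []
```

Run it against the live files with `postconf -n`/`postconf -M` output or the raw files under /etc/postfix; an empty result for the filter service means the loopback hop is no longer forced into TLS.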
