postfix tls configuration with several IPs
I'm trying to configure postfix to encrypt outgoing mails with different keys for several IPs.
main.cf postconf -n:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
anvil_rate_time_unit = 86400s
anvil_status_update_time = 120s
append_dot_mydomain = no
biff = no
compatibility_level = 2
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 0
milter_default_action = accept
milter_protocol = 6
mydestination = $myhostname, domain.com, localhost.localdomain, localhost.localdomain, localhost
myhostname = domain.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = inet:localhost:8891
readme_directory = no
recipient_delimiter = +
relayhost =
sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_event_limit_exceptions = $mynetworks
smtpd_client_message_rate_limit = 200
smtpd_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
smtpd_milters = inet:localhost:8891
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_high_cipherlist = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
master.cf:
smtp inet n - y - - smtpd
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
#submission inet n - y - - smtpd
127.0.0.1:submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_security_options=noanonymous
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o smtpd_tls_cert_file=/srv/letsencrypt/ssl/domain.com/domain.com_chained.crt
-o smtpd_tls_key_file=/srv/letsencrypt/ssl/domain.com/domain.com.key
# domain2.com
111.1.1.222:submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_security_options=noanonymous
-o smtpd_reject_unlisted_recipient=no
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o smtpd_tls_key_file=/srv/letsencrypt/ssl/domain2.com/domain2.com.key
-o smtpd_tls_cert_file=/srv/letsencrypt/ssl/domain2.com/domain2.com_chained.crt
mail.log:
Oct 28 11:43:05 zipserver postfix/postfix-script[2239]: starting the Postfix mail system
Oct 28 11:43:05 zipserver postfix/master[2241]: daemon started -- version 3.3.0, configuration /etc/postfix
Oct 28 11:43:32 zipserver postfix/pickup[2242]: 0BFA8104115B: uid=1000 from=<[email protected]>
Oct 28 11:43:32 zipserver postfix/cleanup[2248]: 0BFA8104115B: message-id=<[email protected]>
Oct 28 11:43:32 zipserver postfix/qmgr[2243]: 0BFA8104115B: from=<[email protected]>, size=407, nrcpt=1 (queue active)
Oct 28 11:43:32 zipserver postfix/smtp[2250]: 0BFA8104115B: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[64.233.167.27]:25, delay=0.46, delays=0.13/0.01/0.05/0.27, dsn=2.0.0, status=sent (250 2.0.0 OK 1603881812 s81si4271295wmf.188 - gsmtp)
Oct 28 11:43:32 zipserver postfix/qmgr[2243]: 0BFA8104115B: removed
version:
postconf -d | grep mail_version
mail_version = 3.3.0
But email arrives to gmail with red crossed lock and gmail says that it was not encrypted. What am I missing?
Start by setting smtp_tls_security_level=may or higher.
You have not set any option that would allow postfix to deviate from its defaults of not using TLS for outgoing mail. There are other and more fine-grained methods of controlling this behaviour available - but this is the most basic setting allowing to use what is offered. Use man 5 postconf to read about the specific meaning of the other possible options.
To help further investigations, I recommend also setting smtp_tls_log_level=1 (to have this information in your syslog) and smtpd_tls_received_header=yes (to publish information about your mail submission inside the mail headers).