postfix tls configuration with several IPs

I'm trying to configure Postfix to encrypt outgoing mail, using a different key for each of several IPs.

main.cf (`postconf -n` output):

    # NOTE(review): this is `postconf -n` output, so it lists only settings that
    # differ from the built-in defaults; anything absent here is at its default.
    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    anvil_rate_time_unit = 86400s
    anvil_status_update_time = 120s
    append_dot_mydomain = no
    biff = no
    compatibility_level = 2
    inet_interfaces = all
    inet_protocols = ipv4
    mailbox_size_limit = 0
    milter_default_action = accept
    milter_protocol = 6
    mydestination = $myhostname, domain.com, localhost.localdomain, localhost.localdomain, localhost
    myhostname = domain.com
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    myorigin = /etc/mailname
    non_smtpd_milters = inet:localhost:8891
    readme_directory = no
    recipient_delimiter = +
    relayhost =
    # Per-sender transport selection; the contents of the map are not shown here.
    sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport
    # Outbound (smtp client) TLS tuning. The *_mandatory_* parameters only take
    # effect when smtp_tls_security_level is "encrypt" or stricter; no
    # smtp_tls_security_level line appears in this output, so outbound TLS is
    # still at its default.
    smtp_tls_mandatory_ciphers = high
    smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    smtpd_client_event_limit_exceptions = $mynetworks
    smtpd_client_message_rate_limit = 200
    smtpd_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
    smtpd_milters = inet:localhost:8891
    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_local_domain = $myhostname
    smtpd_sasl_security_options = noanonymous
    # Inbound (smtpd server) TLS for services that do not override it in
    # master.cf: opportunistic ("may").
    # NOTE(review): no smtpd_tls_cert_file / smtpd_tls_key_file appears in this
    # output; only the submission services in master.cf set them -- confirm the
    # port-25 service actually has a certificate to offer to clients.
    smtpd_tls_mandatory_ciphers = high
    smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
    smtpd_tls_security_level = may
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_use_tls = yes
    # Cipher list used for the "high" grade selected above.
    tls_high_cipherlist = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

master.cf:

    # Port-25 inbound SMTP, listening on every interface (inet_interfaces = all in
    # main.cf); it uses the global smtpd_tls_* settings from main.cf unchanged.
    smtp      inet  n       -       y       -       -       smtpd
    #smtp      inet  n       -       y       -       1       postscreen
    #smtpd     pass  -       -       y       -       -       smtpd
    #dnsblog   unix  -       -       y       -       0       dnsblog
    #tlsproxy  unix  -       -       y       -       0       tlsproxy
    #submission inet n       -       y       -       -       smtpd
    # Submission service bound to loopback only. Each -o line overrides a main.cf
    # parameter for this service alone: TLS is mandatory here ("encrypt") and the
    # domain.com certificate/key are supplied explicitly.
    127.0.0.1:submission inet n       -       y       -       -       smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_sasl_security_options=noanonymous
      -o smtpd_reject_unlisted_recipient=no
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
      -o smtpd_tls_cert_file=/srv/letsencrypt/ssl/domain.com/domain.com_chained.crt
      -o smtpd_tls_key_file=/srv/letsencrypt/ssl/domain.com/domain.com.key

    # domain2.com
    # Second submission service, bound to one specific address with its own
    # key/certificate pair.
    # NOTE(review): every override on both submission services is an smtpd_*
    # (server-side) parameter; none of them changes how the smtp client behaves
    # when it delivers mail outbound.
    111.1.1.222:submission inet n       -       y       -       -       smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_sasl_security_options=noanonymous
      -o smtpd_reject_unlisted_recipient=no
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
      -o smtpd_tls_key_file=/srv/letsencrypt/ssl/domain2.com/domain2.com.key
      -o smtpd_tls_cert_file=/srv/letsencrypt/ssl/domain2.com/domain2.com_chained.crt

mail.log:

    Oct 28 11:43:05 zipserver postfix/postfix-script[2239]: starting the Postfix mail system
    Oct 28 11:43:05 zipserver postfix/master[2241]: daemon started -- version 3.3.0, configuration /etc/postfix
    Oct 28 11:43:32 zipserver postfix/pickup[2242]: 0BFA8104115B: uid=1000 from=<[email protected]>
    Oct 28 11:43:32 zipserver postfix/cleanup[2248]: 0BFA8104115B: message-id=<[email protected]>
    Oct 28 11:43:32 zipserver postfix/qmgr[2243]: 0BFA8104115B: from=<[email protected]>, size=407, nrcpt=1 (queue active)
    Oct 28 11:43:32 zipserver postfix/smtp[2250]: 0BFA8104115B: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[64.233.167.27]:25, delay=0.46, delays=0.13/0.01/0.05/0.27, dsn=2.0.0, status=sent (250 2.0.0 OK  1603881812 s81si4271295wmf.188 - gsmtp)
    Oct 28 11:43:32 zipserver postfix/qmgr[2243]: 0BFA8104115B: removed

version:

    postconf -d | grep mail_version
    mail_version = 3.3.0

But the email arrives at Gmail with a red crossed-out lock, and Gmail reports that it was not encrypted. What am I missing?


Start by setting `smtp_tls_security_level = may` (or a stricter level) in main.cf.

You have not set any option that would allow Postfix to deviate from its default of not using TLS for outgoing mail. All of the `smtpd_tls_*` settings you show, including the per-IP overrides on the two submission services in master.cf, govern the server side that *receives* mail; delivery to Gmail is done by the `smtp` client, and `smtp_tls_security_level` does not appear anywhere in your `postconf -n` output. The `smtp_tls_mandatory_ciphers` and `smtp_tls_mandatory_protocols` lines you do have only take effect once the level is `encrypt` or stricter; at level `may` the opportunistic counterparts `smtp_tls_ciphers` and `smtp_tls_protocols` apply instead. There are other, more fine-grained ways of controlling this behaviour, but this is the most basic setting that lets Postfix use the TLS a remote server offers. Use `man 5 postconf` to read about the specific meaning of the other options.

To help further investigation, I also recommend setting `smtp_tls_loglevel = 1` (so a summary of each outbound TLS handshake is written to your syslog) and `smtpd_tls_received_header = yes` (so the TLS status of each submission is recorded in the `Received:` headers of the mail).