Gmail red padlock during composing message to my postfix server
I have problem with sending secure emails from gmail to my postfix server.
Here is TLS options in main.cf:
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/cert.pem
smtpd_tls_key_file=/etc/ssl/private/cert.key
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_CApath = /etc/ssl/certs
smtp_tls_security_level = may
smtp_tls_CApath = /etc/ssl/certs
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = high
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
Here is sample log from mail.log:
Feb 24 21:06:05 myserver postfix/smtpd[31346]: Anonymous TLS connection established from mail-yw0-f170.google.com[209.85.161.170]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Feb 24 21:10:07 myserver postfix/smtpd[31289]: Anonymous TLS connection established from mail-wr0-f179.google.com[209.85.128.179]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Feb 24 21:14:48 myserver postfix/smtpd[31346]: Anonymous TLS connection established from mail-oi0-f48.google.com[209.85.218.48]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Here is telnet output:
telnet myserver 25
Trying XXX.XXX.XXX.XXX...
Connected to myserver.
Escape character is '^]'.
220 myserver ESMTP Postfix
ehlo domain
250-myserver
250-PIPELINING
250-SIZE 36800000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
STARTTLS
220 2.0.0 Ready to start TLS
TestReceiver from checktls.com:
CheckTLS Confidence Factor for "adress@myserver": 100
MXServer Pref Connect Allowed CanUse TLSAdv CertOK TLSNeg SndrOK RcvrOK
20 OK OK OK OK OK OK OK OK
Average 100% 100% 100% 100% 100% 100% 100% 100%
But when i have to create mail in gmail still i see red padlock. What is wrong?
Update:
Here are headers in a message from gmail:
Received: from mail-oi0-f47.google.com (mail-oi0-f47.google.com [209.85.218.47])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK))
by myserver (Postfix) with ESMTPS id 30B65866EDB
for <address@myserver>; Sun, 26 Feb 2017 14:57:36 +0100 (CET)
It is shows that TLS is working? Why still i see red padlock? What else can I do?
Solution 1:
The red padlock indicates the mail was sent without encryption. You can enable encryption by configuring your tls settings in main.cf (certificates, private key).
If you already have those configured, just add these parameters (note it's smtp, not smtpd):
smtp_use_tls = yes
smtp_tls_security_level = may