Gmail red padlock during composing message to my postfix server

ssl postfix gmail

I have problem with sending secure emails from gmail to my postfix server.

Here is TLS options in main.cf:

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/cert.pem
smtpd_tls_key_file=/etc/ssl/private/cert.key
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_CApath = /etc/ssl/certs
smtp_tls_security_level = may
smtp_tls_CApath = /etc/ssl/certs
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = high
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

Here is sample log from mail.log:

Feb 24 21:06:05 myserver postfix/smtpd[31346]: Anonymous TLS connection established from mail-yw0-f170.google.com[209.85.161.170]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Feb 24 21:10:07 myserver postfix/smtpd[31289]: Anonymous TLS connection established from mail-wr0-f179.google.com[209.85.128.179]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Feb 24 21:14:48 myserver postfix/smtpd[31346]: Anonymous TLS connection established from mail-oi0-f48.google.com[209.85.218.48]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

Here is telnet output:

telnet myserver 25
Trying XXX.XXX.XXX.XXX...
Connected to myserver.
Escape character is '^]'.
220 myserver ESMTP Postfix
ehlo domain
250-myserver
250-PIPELINING
250-SIZE 36800000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
STARTTLS
220 2.0.0 Ready to start TLS

TestReceiver from checktls.com:

CheckTLS Confidence Factor for "adress@myserver": 100

MXServer Pref Connect Allowed CanUse TLSAdv CertOK TLSNeg SndrOK RcvrOK
         20   OK      OK      OK     OK     OK     OK     OK     OK
Average       100%    100%    100%   100%   100%   100%   100%   100%

But when i have to create mail in gmail still i see red padlock. What is wrong?

Update:

Here are headers in a message from gmail:

Received: from mail-oi0-f47.google.com (mail-oi0-f47.google.com [209.85.218.47])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK))
by myserver (Postfix) with ESMTPS id 30B65866EDB
for <address@myserver>; Sun, 26 Feb 2017 14:57:36 +0100 (CET)

It is shows that TLS is working? Why still i see red padlock? What else can I do?


Solution 1:

The red padlock indicates the mail was sent without encryption. You can enable encryption by configuring your tls settings in main.cf (certificates, private key).

If you already have those configured, just add these parameters (note it's smtp, not smtpd):

smtp_use_tls = yes
smtp_tls_security_level = may

Related

Execute RewriteRule proxy redirection directive after all others
Firmware updates for HP DL360 G5 server [closed]
How can I create two different subnets for 2.4 and 5GHz WiFi, and maintain communication between them?
PowerShell Copy-Item whilst excluding files and folders from an array list
Unable to add printer driver using Add-PrinterDriver on 2012 R2 Print Server
Unicode-like encoding for filenames using Windows10-NFS-client and Linux-NFS-server
Extend LVM when all 4 primary partitions have been taken
cisco router not nat to outside network
Nginx map directive not matching rules
What is the best way to attach instance to auto scaling?
GCP, Common labels for all project resources
"x and y are what drive them" vs "x and y are what driveS them"