Outgoing email not encrypted
I have a domain example.com being served from server.com. I am sending an email to gmail.com. The email I send uses TLS from example.com to server.com, but the mail is not encrypted from server.com to gmail.com.
server.com is a VPS that I set up mail and web servers on.
example.com is one of the virtual domains on the VPS.
Here is an example of the email headers:
Delivered-To: [email protected]
Received: by 10.236.191.7 with SMTP id c7csp2141557pjs;
Tue, 1 May 2018 14:03:37 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZpwQHXweJ70K6vNAako5gqTtvni9ZUm6LC0Hfl0xAefu7wtGjSsnQHRHMKL/sLpOnicPwFM
X-Received: by 2002:a63:3584:: with SMTP id c126-v6mr14324018pga.37.1525208616991;
Tue, 01 May 2018 14:03:36 -0700 (PDT)
...
...
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of [email protected] designates xxx.xxx.xxx.xxx as permitted sender) [email protected]
Return-Path: <[email protected]>
Received: from server.com (server.com. [xxx.xxx.xxx.xxx])
by mx.google.com with ESMTP id d65si10640010pfd.182.2018.05.01.14.03.36
for <[email protected]>;
Tue, 01 May 2018 14:03:36 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates xxx.xxx.xxx.xxx as permitted sender) client-ip=xxx.xxx.xxx.xxx;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of [email protected] designates xxx.xxx.xxx.xxx as permitted sender) [email protected]
Received: from www.example.com (localhost [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by server.com (Postfix) with ESMTPSA id 7D74260383 for <[email protected]>; Tue, 1 May 2018 14:03:36 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Content-Transfer-Encoding: 7bit
Date: Tue, 01 May 2018 17:03:36 -0400
From: [email protected]
To: [email protected]
Subject: Hello
Message-ID: <[email protected]>
X-Sender: [email protected]
User-Agent: Roundcube Webmail/1.2.3
Test email body.
Any idea why the encryption is dropped?
EDIT:
My postconf -n output is:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 2
config_directory = /etc/postfix
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
mydestination = $myhostname, server.com, , localhost
myhostname = server.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relayhost =
smtp_tls_CAfile = /etc/letsencrypt/live/server.com/chain.pem
smtp_tls_cert_file = /etc/letsencrypt/live/server.com/fullchain.pem
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_key_file = /etc/letsencrypt/live/server.com/privkey.pem
smtp_tls_loglevel = 2
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/letsencrypt/live/server.com/chain.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/server.com/fullchain.pem
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtpd_tls_key_file = /etc/letsencrypt/live/server.com/privkey.pem
smtpd_tls_loglevel = 2
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtpd_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_preempt_cipherlist = yes
virtual_alias_maps = mysql:/etc/postfix/mysql-valias.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-vdomains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-vusers.cf
virtual_transport = dovecot
And this is my postconf -M output:
smtp inet n - y - - smtpd
submission inet n - n - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=may -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_reject_unlisted_recipient=no -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING
smtps inet n - y - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
maildrop unix - n n - - pipe flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}
And this is my mail.log:
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: initializing the server-side TLS engine
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: connect from localhost[127.0.0.1]
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: setting up TLS connection from localhost[127.0.0.1]
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: localhost[127.0.0.1]: TLS cipher list "aNULL:-aNULL:HIGH:@STRENGTH:!MD5:!DES:!ADH:!RC4:!PSD:!SRP:!3DES:!eNULL:!aNULL"
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:before SSL initialization
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:before SSL initialization
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS read client hello
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS write server hello
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS write certificate
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS write key exchange
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS write server done
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS write server done
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS read client key exchange
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS read change cipher spec
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS read finished
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: localhost[127.0.0.1]: Issuing session ticket, key expiration: 1525220445
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS write session ticket
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS write change cipher spec
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS write finished
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: Anonymous TLS connection established from localhost[127.0.0.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: BAB6360383: client=localhost[127.0.0.1], sasl_method=LOGIN, [email protected]
May 1 16:50:46 hwsrv-230549 postfix/cleanup[29153]: BAB6360383: message-id=<[email protected]>
May 1 16:50:46 hwsrv-230549 postfix/qmgr[29077]: BAB6360383: from=<[email protected]>, size=745, nrcpt=1 (queue active)
May 1 16:50:46 hwsrv-230549 postfix/smtp[29154]: initializing the client-side TLS engine
May 1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
May 1 16:50:47 hwsrv-230549 postfix/smtp[29154]: BAB6360383: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[74.125.197.26]:25, delay=0.65, delays=0.06/0.03/0.04/0.53, dsn=2.0.0, status=sent (250 2.0.0 OK 1525218647 p84si10342745pfa.180 - gsmtp)
May 1 16:50:47 hwsrv-230549 postfix/qmgr[29077]: BAB6360383: removed
Any ideas?
EDIT 2: I tried increasing the logging level to 4 and it did not provide any additional useful information.
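The headers in the question already show where encryption stops: the hop recorded by server.com says "with ESMTPSA" and carries a "(using TLSv1.2 ...)" comment (Postfix adds that comment because smtpd_tls_received_header = yes), while the hop recorded by mx.google.com says plain "with ESMTP", which Google uses only when no STARTTLS was negotiated. The following script, an added example and not code from the question or from Postfix, walks the Received chain of a raw message and flags every hop whose receiving MTA did not see TLS, using the RFC 3848 protocol names (ESMTPS/ESMTPSA) and the "(using TLS" annotation as evidence. The sample headers are constructed to mirror the ones above; the IP address and mailbox are placeholders because the original post redacts them.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the Received headers in the question.
# The address and mailbox are placeholders (the original post redacts them).
SAMPLE_HEADERS = """\
Received: from server.com (server.com. [203.0.113.10])
        by mx.google.com with ESMTP id d65si10640010pfd.182.2018.05.01.14.03.36
        for <someone@gmail.com>;
        Tue, 01 May 2018 14:03:36 -0700 (PDT)
Received: from www.example.com (localhost [127.0.0.1])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by server.com (Postfix) with ESMTPSA id 7D74260383
        for <someone@gmail.com>; Tue,  1 May 2018 14:03:36 -0700 (PDT)
MIME-Version: 1.0
Subject: Hello
"""

# RFC 3848 "with" protocol names that mean the hop was protected by TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}


def unfold_headers(raw: str) -> List[str]:
    """Join RFC 5322 folded continuation lines back onto their header line."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def strip_comments(text: str) -> str:
    """Remove (possibly nested) parenthesised comments, so that words such as
    'with cipher' inside a TLS annotation cannot confuse the clause parser."""
    out, depth = [], 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        elif depth == 0:
            out.append(ch)
    return " ".join("".join(out).split())


def parse_received_chain(raw: str) -> List[Dict[str, object]]:
    """Return one record per hop, oldest hop first, with a tls flag.

    A hop counts as TLS when its protocol token is one of the RFC 3848 TLS
    names, or when the receiving MTA added a '(using TLS...)' comment, which
    Postfix does when smtpd_tls_received_header = yes."""
    hops: List[Dict[str, object]] = []
    for header in unfold_headers(raw):
        if not header.lower().startswith("received:"):
            continue
        body = header[len("received:"):].strip()
        annotated_tls = re.search(r"\(using (TLS|SSL)", body) is not None
        clauses = strip_comments(body)
        src = re.search(r"\bfrom\s+(\S+)", clauses)
        dst = re.search(r"\bby\s+(\S+)", clauses)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", clauses)
        protocol = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append({
            "from": src.group(1) if src else "?",
            "by": dst.group(1) if dst else "?",
            "protocol": protocol,
            "tls": protocol in TLS_PROTOCOLS or annotated_tls,
        })
    hops.reverse()  # Received headers are prepended, so the top one is newest
    return hops


def plaintext_hops(raw: str) -> List[str]:
    """Names of the receiving MTAs that accepted the message without TLS."""
    return [str(h["by"]) for h in parse_received_chain(raw) if not h["tls"]]


if __name__ == "__main__":
    for hop in parse_received_chain(SAMPLE_HEADERS):
        flag = "TLS" if hop["tls"] else "PLAINTEXT"
        print(f"{hop['from']:>20} -> {hop['by']:<16} {hop['protocol']:<10} {flag}")
```

Run against the sample it reports the webmail-to-server.com hop as TLS and the server.com-to-mx.google.com hop as PLAINTEXT, which is exactly the gap the question describes. Note that the receiving side writes these tokens, so the check tells you what each next hop saw, not what your own MTA tried to do; that is why it is a good cross-check against your own mail.log.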
Solution 1:
The postfix configuration above works. The problem was the VPS host. I contacted technical support to see if port 587 was being blocked by their firewall. They responded with:
Kindly be informed that since all the emails which are sent from our shared/VPS servers are decrypted due to outbound SMTP filtering, those emails are leaving our network in decrypted form.
Actually, we utilize MailChannels as our outbound SMTP filter. This prevents messages that would be regarded as SPAM from leaving our network.
To resolve the issue, I had to pay $0.50 per month to be put on the MailChannels whitelist, and had to sign an anti-spam agreement.
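The provider's explanation matches the mail.log in the question: with smtp_tls_loglevel = 2, Postfix would have logged a "TLS connection established to gmail-smtp-in..." line for the outbound delivery if STARTTLS had been negotiated, and there is none, only "initializing the client-side TLS engine" followed by "status=sent". A transparent outbound filter that terminates or removes STARTTLS produces exactly that picture. The script below is an added example, not code from the answer, from Postfix or from MailChannels; it parses an EHLO reply to see whether STARTTLS is advertised at all, and its optional live probe (which assumes the host name you pass on the command line) additionally verifies the certificate presented after STARTTLS against the MX name, so that a middlebox answering STARTTLS with its own certificate is also caught. The two EHLO replies are constructed, with "mx.example.net" as a placeholder.

```python
import smtplib
import ssl
import sys
from typing import Dict, List, Optional, Tuple

# Constructed EHLO replies: what a healthy MX advertises, and the same exchange
# as it looks when an intermediate filter has removed the STARTTLS extension.
EHLO_WITH_STARTTLS = (
    b"250-mx.example.net at your service, [203.0.113.10]\r\n"
    b"250-SIZE 157286400\r\n"
    b"250-8BITMIME\r\n"
    b"250-STARTTLS\r\n"
    b"250-ENHANCEDSTATUSCODES\r\n"
    b"250 SMTPUTF8\r\n"
)
EHLO_STRIPPED = (
    b"250-mx.example.net at your service, [203.0.113.10]\r\n"
    b"250-SIZE 157286400\r\n"
    b"250-8BITMIME\r\n"
    b"250 ENHANCEDSTATUSCODES\r\n"
)


def parse_ehlo_reply(reply: bytes) -> Tuple[int, List[str]]:
    """Parse a raw multi-line EHLO reply into (code, [extension keywords]).

    RFC 5321 multi-line replies use 'NNN-text' for continuation lines and
    'NNN text' for the final line. The first line carries the server's
    greeting; every later line advertises one extension keyword."""
    lines = reply.decode("ascii", "replace").splitlines()
    if not lines or len(lines[0]) < 3:
        return 0, []
    code = int(lines[0][:3])
    extensions: List[str] = []
    for line in lines[1:]:
        text = line[4:].strip()
        if text:
            extensions.append(text.split()[0].upper())
    return code, extensions


def starttls_offered(reply: bytes) -> bool:
    """True only when the reply succeeded and STARTTLS is among the extensions."""
    code, extensions = parse_ehlo_reply(reply)
    return code == 250 and "STARTTLS" in extensions


def probe_mx(host: str, port: int = 25, timeout: float = 10.0) -> Dict[str, Optional[object]]:
    """Live check of the outbound path to one MX (hypothetical helper).

    Reports whether STARTTLS is advertised and whether the certificate seen
    after STARTTLS verifies against `host`. A path that is intercepted shows
    up either as starttls=False or as a certificate verification error."""
    result: Dict[str, Optional[object]] = {
        "host": host, "starttls": False, "cert_ok": False, "error": None,
    }
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as session:
            session.ehlo("probe.example")  # placeholder EHLO name
            result["starttls"] = session.has_extn("starttls")
            if result["starttls"]:
                session.starttls(context=ctx)  # raises if the cert does not verify
                result["cert_ok"] = True
                session.ehlo("probe.example")
    except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    for label, reply in (("normal MX", EHLO_WITH_STARTTLS), ("stripped", EHLO_STRIPPED)):
        print(f"{label:<10} STARTTLS offered: {starttls_offered(reply)}")
    # Only contact a real MX when a host name is given on the command line.
    for mx in sys.argv[1:]:
        print(probe_mx(mx))
```

The practical caveat behind the whole thread is in the Postfix setting shown above: smtp_tls_security_level = may is opportunistic, so when the far end does not offer STARTTLS (or an interceptor removes it) Postfix delivers in clear and reports status=sent. Setting it to encrypt, or pinning specific destinations in smtp_tls_policy_maps, makes Postfix defer the message instead of sending it unencrypted, which turns a silent downgrade into a visible queue entry.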