I set up a service in master.conf like this:

dovecotsandbox unix - - n - 10 lmtp
    -o lmtp_send_xforward_command=yes
    -o lmtp_tls_security_level=encrypt

Then I tried to add starttls option:

    -o lmtp_tls_note_starttls_offer=yes

But Postfix still can't deliver the email.

Postfix log:
(…) status=deferred (TLS is required, but was not offered by host xx.xx.xx.xx[xx.xx.xx.xx])

On 17 Nov 2014 at 11:03, Reindl Harald <h.rei...@thelounge.net> wrote:

>
> On 17.11.2014 at 10:58, Stanislas SABATIER wrote:
>> Hello,
>> I tried to activate SSL on LMTP service, to secure connections between
>> Postfix and Dovecot on my LAN, but Dovecot is not negotiating a TLS session
>> with Postfix.
>> If I enforce TLS for LMTP at Postfix's side, communication between Postfix
>> and Dovecot is not working.
>>
>> I put
>>   ssl = yes
>>   ssl_cert = </dovecot/ssl/ssl-LMTP.pem
>>   ssl_key = </dovecot/ssl/ssl-LMTP.key
>> in section protocol LMTP within 20-lmtp.conf
>>
>> and
>> service lmtp {
>>   inet_listener lmtp {
>>     name = dovecot_lmtp
>>     address = xx.xx.xx.xx
>>     port = 26
>>     ssl = yes
>>   }
>>   process_min_avail = 5
>> }
>> within 10-master.conf
>>
>> Did I miss something?
>
> did you configure postfix?
> postconf -d | grep tls
>
> not sure if postfix prefers STARTTLS only (likely since the smtp-client also
> doesn't support wrapper mode and lmtp is more or less the same as smtp)
>
> lmtp_enforce_tls = no
> lmtp_sasl_tls_security_options = $lmtp_sasl_security_options
> lmtp_sasl_tls_verified_security_options = $lmtp_sasl_tls_security_options
> lmtp_starttls_timeout = 300s
> lmtp_tls_CAfile =
> lmtp_tls_CApath =
> lmtp_tls_block_early_mail_reply = no
> lmtp_tls_cert_file =
> lmtp_tls_ciphers = export
> lmtp_tls_dcert_file =
> lmtp_tls_dkey_file = $lmtp_tls_dcert_file
> lmtp_tls_eccert_file =
> lmtp_tls_eckey_file = $lmtp_tls_eccert_file
> lmtp_tls_enforce_peername = yes
> lmtp_tls_exclude_ciphers =
> lmtp_tls_fingerprint_cert_match =
> lmtp_tls_fingerprint_digest = md5
> lmtp_tls_force_insecure_host_tlsa_lookup = no
> lmtp_tls_key_file = $lmtp_tls_cert_file
> lmtp_tls_loglevel = 0
> lmtp_tls_mandatory_ciphers = medium
> lmtp_tls_mandatory_exclude_ciphers =
> lmtp_tls_mandatory_protocols = !SSLv2
> lmtp_tls_note_starttls_offer = no
> lmtp_tls_per_site =
> lmtp_tls_policy_maps =
> lmtp_tls_protocols = !SSLv2
> lmtp_tls_scert_verifydepth = 9
> lmtp_tls_secure_cert_match = nexthop
> lmtp_tls_security_level =
> lmtp_tls_session_cache_database =
> lmtp_tls_session_cache_timeout = 3600s
> lmtp_tls_trust_anchor_file =
> lmtp_tls_verify_cert_match = hostname
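
Added example, not part of the thread and not Postfix or Dovecot code: Postfix logs "TLS is required, but was not offered" when the peer's LHLO reply does not list the STARTTLS keyword, so this Python example parses an LHLO reply for that keyword and can run the same check against a listener. The sample replies, `probe.example` and all function names are constructed for illustration.

```python
import socket

# Constructed sample LHLO replies (not captured from a real server).
WITH_TLS = b"250-mail.example\r\n250-8BITMIME\r\n250-STARTTLS\r\n250 PIPELINING\r\n"
NO_TLS = b"250-mail.example\r\n250-8BITMIME\r\n250 PIPELINING\r\n"

def lhlo_keywords(raw: bytes) -> list:
    """Extension keywords from a 250 LHLO reply (the first line is the greeting)."""
    keywords = []
    lines = [l for l in raw.decode("ascii", "replace").split("\r\n") if l]
    for i, line in enumerate(lines):
        code, sep, rest = line[:3], line[3:4], line[4:]
        if code != "250":
            raise ValueError("LHLO not accepted: " + line)
        if i > 0 and rest.strip():
            keywords.append(rest.split()[0].upper())
        if sep != "-":          # "250 " (no dash) marks the final line
            break
    return keywords

def offers_starttls(raw: bytes) -> bool:
    return "STARTTLS" in lhlo_keywords(raw)

def _read_reply(sock) -> bytes:
    """Read one complete, possibly multi-line, reply."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return buf
        buf += chunk
        if buf.endswith(b"\r\n") and buf[:-2].split(b"\r\n")[-1][3:4] != b"-":
            return buf

def probe(host: str, port: int, name: str = "probe.example", timeout: float = 5.0) -> str:
    """Connect in plaintext, send LHLO, and report what the listener offers."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            _read_reply(s)      # 220 banner
        except socket.timeout:
            # Assumption: silence usually means the port wants TLS from the first byte.
            return "no plaintext banner"
        s.sendall(b"LHLO " + name.encode("ascii") + b"\r\n")
        reply = _read_reply(s)
        s.sendall(b"QUIT\r\n")
    return "STARTTLS offered" if offers_starttls(reply) else "STARTTLS not offered"

if __name__ == "__main__":
    print(offers_starttls(WITH_TLS), offers_starttls(NO_TLS))
```

Calling `probe()` with the LMTP listener's address and port from the mail server shows what a plaintext LMTP client sees on that port.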