On Fri, Apr 11, 2025 at 05:08:39PM +0000, Jeff Kletsky via Postfix-users wrote:

> 2025 Apr 11 00:27:36.696 -07:00 mx1 warning: postfix/relay/smtp[69584]:
> warning: smtp_tls_wrappermode requires "smtp_tls_security_level = encrypt"
> (or stronger)

The warning is clear enough, to use "wrapper mode", you need to configure
an smtp(8) delivery agent instance (transport) that has the TLS security
level set to "encrypt" or perhaps "secure" (with a suitable CApath/CAfile,
... to be able to verify the remote cert).

> 2025 Apr 11 00:27:36.703 -07:00 mx1 info: postfix/relay/smtp[69584]:
> E12F731C5D: to=<l...@mydomain.com>, relay=none, delay=228559,
> delays=228559/0/0/0, dsn=4.3.0, status=deferred (server unavailable or
> unable to receive mail)

Failing that, mail will be deferred until you fix the misconfiguration.

> Previous configuration using `relay_transport = smtp:[fd83:<internal
> MTA>]:smtps` also suffered this problem.

The correct solution is:

main.cf:
    relay_transport = relay:[hostname]:smtps

master.cf:
    relay unix ... smtp
        -o {smtp_tls_security_level = secure}
        # Either or both of
        -o {smtp_tls_CAfile = ...}
        -o {smtp_tls_CApath = ...}
        -o {smtp_tls_wrappermode = yes}
        ...

For best performance under load, you in any case SHOULD use a separate
transport for inbound mail, and if the inbound relay uses wrapper mode,
then set the security level accordingly for the transport that is
*dedicated* to that function.

> To the best of my knowledge, there are no transport maps in play.

Well, "relay_transport" is a minimal transport mapping (for all relay
domains), and it should not piggyback on the "smtp" transport.

> relayhost = [fd83:<internal MTA>]:smtps
> default_transport = smtp:[email-smtp.us-west-2.amazonaws.com]:smtps

If you weren't using a "smarthost" for all outbound traffic, "smtps" for
the default transport would be a bad idea.  On what basis does Amazon
allow you to relay mail through their server on port 465?  Are you using
SASL?  Are you allowed to relay based on your IP address?

> smtp_tls_loglevel = 2

Not useful.

> smtp_tls_security_level = encrypt
> smtp_tls_wrappermode = yes

As is wrapper mode on by default.

> Modifying master.cf as follows did not resolve the issue
>
> relay unix - - n - - smtp
>     -o syslog_name=${multi_instance_name?{$multi_instance_name}:{postfix}}/$service_name
>     # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
>     -o smtp_tls_wrappermode=yes
>     -o smtp_tls_security_level=encrypt

Well, you've changed "relay_transport" to be "smtp:...", so settings for
the "relay" transport are not then relevant.  The solution is to use the
relay transport for inbound mail, and if outbound mail is via a wrapper
mode smarthost, make similar changes to the "smtp" transport, or better
yet, clone the "relay" transport as follows:

master.cf:
    outlay unix - - n - - smtp
        -o syslog_name=${multi_instance_name?{$multi_instance_name}:{postfix}}/$service_name
        -o smtp_tls_wrappermode=yes
        -o smtp_tls_security_level=secure
        -o {smtp_tls_CAfile = ...}
        -o {smtp_tls_CApath = ...}

main.cf:
    relayhost = [email-smtp.us-west-2.amazonaws.com]:smtps
    default_transport = outlay
    # See above re "relay_transport".
    ...

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
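As an added example (not from the thread, and not part of Postfix), a small Python check that applies the rule stated above to constructed main.cf/master.cf samples: it computes each smtp(8) transport's effective settings (main.cf values plus the transport's `-o` overrides, in both the `-o name=value` and `-o {name = value}` forms) and reports any transport that enables wrapper mode with a TLS security level below "encrypt", which is the condition that produces the logged warning and the deferrals. The sample configs, service names and hostnames are constructed.

```python
import re

# Constructed sample configs (not from the thread), laid out like the ones discussed above.
MAIN_CF = """
relay_transport = relay:[mx-internal.example]:smtps
default_transport = smtp:[email-smtp.us-west-2.amazonaws.com]:smtps
smtp_tls_security_level = may
"""
MASTER_CF = """
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
    -o smtp_tls_wrappermode=yes
    -o {smtp_tls_security_level = may}
outlay    unix  -       -       n       -       -       smtp
    -o smtp_tls_wrappermode=yes
    -o smtp_tls_security_level=secure
"""
# Postfix TLS security levels, weakest to strongest; wrapper mode needs "encrypt" or stronger.
LEVELS = ["none", "may", "encrypt", "dane", "dane-only", "fingerprint", "verify", "secure"]

def parse_main(text):
    """main.cf: 'name = value' lines; '#' comments skipped (continuation lines not handled)."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\s*=\s*(.*?)\s*$", line)
        if m and not line.lstrip().startswith("#"):
            params[m.group(1)] = m.group(2)
    return params

def parse_master(text):
    """master.cf: service lines followed by indented '-o' overrides; returns {name: {command, overrides}}."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current:
            for m in re.finditer(r"-o\s+(?:\{\s*(\w+)\s*=\s*([^}]*?)\s*\}|(\w+)=(\S*))", line):
                name, value = (m.group(1), m.group(2)) if m.group(1) else (m.group(3), m.group(4))
                services[current]["overrides"][name] = value
        else:
            fields = line.split()  # service type private unpriv chroot wakeup maxproc command
            current = fields[0]
            services[current] = {"command": fields[7], "overrides": {}}
    return services

def check_transports(main_cf, master_cf):
    """Names of smtp(8) transports whose effective settings trigger the wrapper-mode warning."""
    params, services = parse_main(main_cf), parse_master(master_cf)
    bad = []
    for name, svc in services.items():
        if svc["command"] != "smtp":
            continue
        eff = {**params, **svc["overrides"]}  # -o overrides win over main.cf
        wrapper = eff.get("smtp_tls_wrappermode", "no").lower() == "yes"
        level = eff.get("smtp_tls_security_level", "none")
        rank = LEVELS.index(level) if level in LEVELS else 0  # unknown level treated as weakest
        if wrapper and rank < LEVELS.index("encrypt"):
            bad.append(name)
    return bad

def transport_for(params, key):
    """master.cf service name that a main.cf *_transport setting dispatches to (text before ':')."""
    return params.get(key, "smtp").split(":", 1)[0]
```

Running it on the samples flags "relay" (wrapper mode with the main.cf level "may") while "outlay" passes, and `transport_for` shows which service each of relay_transport and default_transport actually selects.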