On Fri, Apr 11, 2025 at 05:08:39PM +0000, Jeff Kletsky via Postfix-users wrote:

> 2025 Apr 11 00:27:36.696 -07:00 mx1 warning: postfix/relay/smtp[69584]: 
> warning: smtp_tls_wrappermode requires "smtp_tls_security_level = encrypt"
> (or stronger)

The warning is clear enough, to use "wrapper mode", you need to
configure an smtp(8) delivery agent instance (transport) that has the
TLS security level set to "encrypt" or perhaps "secure" (with a suitable
CApath/CAfile, ... to be able to verify the remote cert).

> 2025 Apr 11 00:27:36.703 -07:00 mx1 info: postfix/relay/smtp[69584]: 
> E12F731C5D: to=<l...@mydomain.com>, relay=none, delay=228559,
> delays=228559/0/0/0, dsn=4.3.0, status=deferred (server unavailable or
> unable to receive mail)

Failing that, mail will be deferred until you fix the misconfiguration.

> Previous configuration using `relay_transport = smtp:[fd83:<internal
> MTA>]:smtps` also suffered this problem.

The correct solution is:

    main.cf:
        relay_transport = relay:[hostname]:smtps

    master.cf:
        relay unix ... smtp
            -o {smtp_tls_security_level = secure}
            # Either or both of
            -o {smtp_tls_CAfile = ...}
            -o {smtp_tls_CApath = ...}
            -o {smtp_tls_wrappermode = yes}
            ...

For best performance under load, you in any case SHOULD use a separate
transport for inbound mail, and if the inbound relay uses wrapper
mode, then set the security level accordingly for the transport that
is *dedicated* to that function.

> To the best of my knowledge, there are no transport maps in play.

Well, "relay_transport" is a minimal transport mapping (for all
relay domains), and it should not piggyback on the "smtp" transport.

> relayhost = [fd83:<internal MTA>]:smtps
> default_transport = smtp:[email-smtp.us-west-2.amazonaws.com]:smtps

If you weren't using a "smarthost" for all outbound traffic, "smtps" for
the default transport would be a bad idea.  On what basis does Amazon
allow you to relay mail through their server on port 465?  Are you
using SASL?  Are you allowed to relay based on your IP address?

> smtp_tls_loglevel = 2

Not useful.

> smtp_tls_security_level = encrypt
> smtp_tls_wrappermode = yes

As is wrapper mode on by default.

> Modifying master.cf as follows did not resolve the issue
> 
> relay     unix  -       -       n       -       -       smtp
>         -o syslog_name=${multi_instance_name?{$multi_instance_name}:{postfix}}/$service_name
> #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
>         -o smtp_tls_wrappermode=yes
>         -o smtp_tls_security_level=encrypt

Well, you've changed "relay_transport" to be "smtp:...", so settings for
the "relay" transport are not then relevant.  The solution is to use the
relay transport for inbound mail, and if outbound mail is via a wrapper
mode smarthost, make similar changes to the "smtp" transport, or better
yet, clone the "relay" transport as follows:

    master.cf:
        outlay    unix  -       -       n       -       -       smtp
                -o syslog_name=${multi_instance_name?{$multi_instance_name}:{postfix}}/$service_name
                -o smtp_tls_wrappermode=yes
                -o smtp_tls_security_level=secure
                -o {smtp_tls_CAfile = ...}
                -o {smtp_tls_CApath = ...}

    main.cf:
        relayhost = [email-smtp.us-west-2.amazonaws.com]:smtps
        default_transport = outlay
        # See above re "relay_transport".
        ...

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
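Added example, not from this thread or from Postfix itself: a small Python lint that reads master.cf "-o" overrides (both the plain and the brace syntax used above) against main.cf defaults, flags smtp(8) transports where wrapper mode is on but the TLS security level is below "encrypt", and reports which of relay_transport/default_transport route mail into such a transport. The config fragments are constructed from the thread's examples; the CAfile path is a placeholder.

```python
import re
# Constructed sample fragments modelled on the thread's configs; the CAfile path is a placeholder.
MAIN_CF = """
relay_transport = relay:[hostname]:smtps
default_transport = outlay
smtp_tls_security_level = may
"""
MASTER_CF = """
relay     unix  -       -       n       -       -       smtp
        -o {smtp_tls_security_level = secure}
        -o {smtp_tls_CAfile = /path/to/cafile.pem}
        -o {smtp_tls_wrappermode = yes}
outlay    unix  -       -       n       -       -       smtp
        -o smtp_tls_wrappermode=yes
"""
# Postfix TLS security levels, weakest first; wrapper mode needs "encrypt" or stronger.
LEVELS = ["none", "may", "encrypt", "dane", "dane-only", "fingerprint", "verify", "secure"]
OVERRIDE = re.compile(r"-o\s+(?:\{\s*([^=\s]+)\s*=\s*([^}]*?)\s*\}|([^=\s]+)=(\S*))")

def parse_main_cf(text):
    pairs = (l.partition("=") for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, _, v in pairs}

def parse_master_cf(text):
    """Map each smtp(8) service name to its -o overrides ("-o k=v" or "-o {k = v}" on continuation lines)."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            fields = line.split()
            current = services.setdefault(fields[0], {}) if fields[7] == "smtp" else None
        elif current is not None:
            for m in OVERRIDE.finditer(line):
                current[m.group(1) or m.group(3)] = m.group(2) if m.group(1) else m.group(4)
    return services

def check_wrappermode(main_cf, master_cf):
    """Names of smtp transports with wrapper mode on but a TLS level below encrypt (-o beats main.cf)."""
    main, bad = parse_main_cf(main_cf), []
    for name, ov in parse_master_cf(master_cf).items():
        wrapper = ov.get("smtp_tls_wrappermode", main.get("smtp_tls_wrappermode", "no")).lower()
        level = ov.get("smtp_tls_security_level", main.get("smtp_tls_security_level", "none"))
        if wrapper == "yes" and (level not in LEVELS or LEVELS.index(level) < LEVELS.index("encrypt")):
            bad.append(name)
    return bad

def misrouted(main_cf, master_cf):
    """main.cf routing parameters whose transport (the part before ':') fails the check above."""
    main, bad = parse_main_cf(main_cf), set(check_wrappermode(main_cf, master_cf))
    return {p: v.split(":", 1)[0] for p, v in main.items()
            if p in ("relay_transport", "default_transport") and v.split(":", 1)[0] in bad}
```

With the sample above, "relay" passes (secure + wrapper mode in its own -o overrides) while "outlay" inherits "may" from main.cf and is flagged, along with the default_transport that points at it.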