Hi,
Gmail's MTA-STS policy says that all mail sent to Google must be
over TLS.
To test Google's claim using my postfix server, I set
smtp_tls_security_level = may
My certificates are from Let's Encrypt.
I don't see anything in the log files related to TLS for the
outgoing mail. Even with smtp_tls_loglevel = 4, there is nothing
about TLS in the log files.
Looking at the Gmail account where the message was received, I
find the following header snippet:
Received: from mail.mydomain.com (mail.mydomain.com. [XXXXXXXX])
by mx.google.com with ESMTPS id
d9443c01a7336-22fc6f2f667si99667335ad.461.2025.05.12.04.13.01
for <u...@gmail.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384
bits=256/256); Mon, 12 May 2025 04:13:01 -0700 (PDT)
I took this to mean the email was sent over TLS1_3.
I then set
smtp_tls_security_level = none
and repeated the experiment. Again, I get an identical header
snippet:
Received: from mail.mydomain.com (mail.mydomain.com [xxx])
by mx.google.com with ESMTPS id
d9443c01a7336-22fc582959asi136843645ad.116.2025.05.13.02.28.37
for <u...@gmail.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384
bits=256/256); Tue, 13 May 2025 02:28:38 -0700 (PDT)
Am I misinterpreting these headers? Is this a claim about the
transport mechanism or not?
To make matters more interesting, I set
smtp_tls_security_level = encrypt
Now I see the following line in my log files:
May 12 09:38:58 nc1 postfix/smtp[250120]: A3CC9C7593: TLS is
required, but was not offered by host
gmail-smtp-in.l.google.com[142.250.141.26]
And this time the mail is deferred and not sent. Which makes no
sense if my interpretation of the previous headers was correct.
I'm guessing there is a mistake in my understanding of how all
this works. I would be thankful for any clarifications.
Thanks,
Greg
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
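The three experiments in the post (none / may / encrypt, plus a Gmail Received: header and a "TLS is required, but was not offered" deferral) can be pulled apart mechanically. The following is an added example written for this thread, not code from the poster or from the Postfix project. It parses a Received: line for the RFC 3848 "with ESMTPS" keyword and Google's "(version=... cipher=... bits=...)" annotation, checks whether an EHLO reply advertises STARTTLS, and models what smtp_tls_security_level=none/may/encrypt does with that answer as documented in postconf(5). The Received: header, the EHLO replies (one normal, one where a middlebox has replaced STARTTLS with X's) and the 192.0.2.0/24 addresses are constructed sample data, not captured from the poster's server; `dane`, `verify` and `secure` are deliberately left out of the model because they add certificate checks on top of mandatory TLS.

```python
"""Interpret a Gmail Received: header and model Postfix smtp_tls_security_level.

Added example for the thread; all sample data below is constructed.
"""
import re

# RFC 3848 "with" keywords that mean the receiving MTA saw a TLS session.
TLS_WITH_KEYWORDS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

_WITH_RE = re.compile(r"\bby\s+(?P<by>\S+)\s+with\s+(?P<with>[A-Z0-9]+)\b")
# Gmail-style annotation of the negotiated TLS parameters for that hop.
_TLS_RE = re.compile(
    r"\(version=(?P<version>[^\s)]+)\s+cipher=(?P<cipher>[^\s)]+)"
    r"\s+bits=(?P<bits>[^\s)]+)\)"
)

# Constructed header in the shape Gmail adds (not the poster's real header).
SAMPLE_GMAIL_RECEIVED = """Received: from mail.example.net (mail.example.net. [192.0.2.10])
        by mx.google.com with ESMTPS id abc123def456.789.2025.05.12.04.13.01
        for <u@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 12 May 2025 04:13:01 -0700 (PDT)"""

# Constructed plaintext hop for contrast: "with ESMTP", no TLS annotation.
SAMPLE_PLAIN_RECEIVED = """Received: from mail.example.net (mail.example.net. [192.0.2.10])
        by mx.example.org with ESMTP id 4ZtXq1; Mon, 12 May 2025 04:13:01 -0700"""

# Constructed EHLO replies: a normal one, and one where a filtering
# middlebox has overwritten the STARTTLS keyword (classic STARTTLS stripping).
EHLO_WITH_STARTTLS = """250-mx.example.org at your service, [192.0.2.10]
250-SIZE 157286400
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250 SMTPUTF8"""

EHLO_STRIPPED = EHLO_WITH_STARTTLS.replace("250-STARTTLS", "250-XXXXXXXX")


def parse_received(header: str) -> dict:
    """What the *receiving* MTA claims about the single hop this line records.

    Received: lines are written by the receiver, so this says nothing about
    the sender's configuration, only about the connection that was accepted.
    """
    text = " ".join(header.split())  # unfold continuation lines
    m = _WITH_RE.search(text)
    if not m:
        raise ValueError("no 'by ... with ...' clause in Received: header")
    info = {
        "by": m["by"],
        "with": m["with"],
        "tls": m["with"] in TLS_WITH_KEYWORDS,
        "version": None,
        "cipher": None,
        "bits": None,
    }
    t = _TLS_RE.search(text)
    if t:
        info.update(version=t["version"], cipher=t["cipher"], bits=t["bits"])
    return info


def ehlo_offers_starttls(ehlo_reply: str) -> bool:
    """True if a multi-line EHLO reply advertises the STARTTLS extension.

    When this is False and smtp_tls_security_level is encrypt or stronger,
    Postfix logs "TLS is required, but was not offered by host" and defers.
    """
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[ -](\S+)", line.strip())
        if m and m.group(1).upper() == "STARTTLS":
            return True
    return False


def postfix_outcome(level: str, starttls_offered: bool) -> str:
    """Model of smtp_tls_security_level for the three levels in the thread.

    none    -> never attempt TLS, even if the peer offers STARTTLS
    may     -> opportunistic: TLS if offered, plaintext otherwise
    encrypt -> mandatory: TLS if offered, otherwise the mail is deferred
    (dane/verify/secure are mandatory TLS plus certificate checks; not modelled)
    """
    if level == "none":
        return "plaintext"
    if level == "may":
        return "tls" if starttls_offered else "plaintext"
    if level == "encrypt":
        return "tls" if starttls_offered else "deferred"
    raise ValueError(f"level {level!r} not modelled here")


if __name__ == "__main__":
    print(parse_received(SAMPLE_GMAIL_RECEIVED))
    for level in ("none", "may", "encrypt"):
        for name, reply in (("offered", EHLO_WITH_STARTTLS), ("stripped", EHLO_STRIPPED)):
            print(f"{level:8s} STARTTLS {name:8s} -> "
                  f"{postfix_outcome(level, ehlo_offers_starttls(reply))}")
```

On a real box, `postconf -n smtp_tls_security_level` prints the effective main.cf value and `postconf -M` lists master.cf entries, including any `-o smtp_tls_security_level=...` overrides on the smtp service that would take precedence over main.cf; `openssl s_client -starttls smtp -crlf -connect gmail-smtp-in.l.google.com:25` shows the EHLO reply your host actually receives, which is the thing to compare against the "not offered" log line.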