On Tue, May 13, 2025 at 12:23:40PM +0200, Gregory Kohring via Postfix-users wrote:
> Gmails MTA-STS policy says that all mails sent to google must be over TLS.

No, it says no such thing, rather it provides the parameters necessary to
upgrade from opportunistic TLS to MTA-STS when the client supports MTA-STS,
and DNS had not been MITM'ed at the time the client refreshed (first cached)
the MTA-STS policy.

> smtp_tls_security_level = may

It seems you may be missing:

    smtp_tls_loglevel = 1

> My certificates are from Let's Encrypt.

Irrelevant.

> I don't see anything in the log files related to TLS for the outgoing mail.
> Even with smtp_tls_loglevel = 4, there is nothing about TLS in the log
> files.

Or not searching the logs correctly.

> Looking at the Gmail account where the message was received, I find
> the following header snippet:
>
> Received: from mail.mydomain.com (mail.mydomain.com. [XXXXXXXX])
>         by mx.google.com with ESMTPS id
>         d9443c01a7336-22fc6f2f667si99667335ad.461.2025.05.12.04.13.01
>         for <u...@gmail.com>
>         (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
>         Mon, 12 May 2025 04:13:01 -0700 (PDT)
>
> I took this to mean the email was sent over TLS1_3.

Yes, this delivery used TLS.  You can check the queue ID in the next header
below this to match it up with your own logs.

> I then set
>
> smtp_tls_security_level = none
>
> and repeated the experiment. Again, I get an identical header snippet:
>
> Received: from mail.mydomain.com (mail.mydomain.com [xxx])
>         by mx.google.com with ESMTPS id
>         d9443c01a7336-22fc582959asi136843645ad.116.2025.05.13.02.28.37
>         for <u...@gmail.com>
>         (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
>         Tue, 13 May 2025 02:28:38 -0700 (PDT)

Perhaps you sent the test too soon after the configuration change, and it
was delivered by an smtp(8) delivery agent still using the old setting, or
the setting was made incorrectly, or there's an explicit override for
gmail.com, ...  In any case this also used TLS.

> To make matters more interesting, I set
>
> smtp_tls_security_level = encrypt
>
> Now I see the following line in my log files:
>
> May 12 09:38:58 nc1 postfix/smtp[250120]: A3CC9C7593: TLS is required, but
> was not offered by host gmail-smtp-in.l.google.com[142.250.141.26]

    $ posttls-finger -c -lmay -Lsummary "[142.250.141.26]"
    posttls-finger: Untrusted TLS connection established to 142.250.141.26[142.250.141.26]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519MLKEM768 server-signature ECDSA (prime256v1) server-digest SHA256

At least one node in the set of servers behind that IP address sometimes
supports TLS.

https://en.wikipedia.org/wiki/Mathematical_joke#Stereotypes_of_mathematicians

> And this time the mail is deferred and not sent. Which makes no sense
> if my interpretation of the previous headers was correct.

Absent actual configuration details, in place of anecdotal evidence it is
not possible to say what transpired.

https://www.postfix.org/DEBUG_README.html#mail

> I'm guessing there is a mistake in my understanding of how all this works. I
> would be thankful for any clarifications.

More likely misconfiguration, or perhaps some middlebox between you and
Gmail.  Test with:

    $ posttls-finger -c -F /etc/ssl/cert.pem -lsecure -Lsummary "[gmail-smtp-in.l.google.com]"
    posttls-finger: Verified TLS connection established to gmail-smtp-in.l.google.com[2404:6800:4003:c1c::1a]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519MLKEM768 server-signature ECDSA (prime256v1) server-digest SHA256

replacing "/etc/ssl/cert.pem" with whatever file name holds the trusted root
CAs on your system.  Any middlebox on your end should not be able to
impersonate Gmail (unless it is a locally trusted CA).

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
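The reply above suggests matching Gmail's "Received:" header against your own logs by queue ID, and lists the usual reasons the two views disagree (a stale smtp(8) process after a configuration change, a per-destination override, a middlebox). The script below is an added example that does that correlation offline; it is not code from the post, from Viktor, or from Postfix. Gmail's header and the "TLS is required, but was not offered" log line are taken from the post; the local Postfix "Received:" header, the queue ID 7F3A1C75A2, the pid values, the "status=" lines and the dsn codes are constructed, and the pairing of a handshake line with a delivery by smtp(8) process ID is a heuristic (Postfix logs the handshake without a queue ID, and with connection caching one handshake can serve several deliveries).

```python
import re

# Constructed sample input. Gmail's Received: header is the one quoted in the
# post; the Postfix header under it is constructed to carry a local queue ID.
SAMPLE_HEADERS = """\
Received: from mail.mydomain.com (mail.mydomain.com. [192.0.2.10])
        by mx.google.com with ESMTPS id d9443c01a7336-22fc6f2f667si99667335ad.461.2025.05.12.04.13.01
        for <u@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 12 May 2025 04:13:01 -0700 (PDT)
Received: from [192.168.1.20] (unknown [192.168.1.20])
        by mail.mydomain.com (Postfix) with ESMTPSA id 7F3A1C75A2
        for <u@gmail.com>; Mon, 12 May 2025 13:13:00 +0200 (CEST)
"""
# Constructed smtp(8) log (smtp_tls_loglevel = 1): the deferral quoted in the
# post under "encrypt", then a delivery under "may". Postfix logs the handshake
# without a queue ID, just before the same process's status= line.
SAMPLE_LOG = """\
May 12 09:38:58 nc1 postfix/smtp[250120]: A3CC9C7593: TLS is required, but was not offered by host gmail-smtp-in.l.google.com[142.250.141.26]
May 12 09:38:58 nc1 postfix/smtp[250120]: A3CC9C7593: to=<u@gmail.com>, relay=gmail-smtp-in.l.google.com[142.250.141.26]:25, delay=0.5, delays=0.1/0.01/0.4/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host gmail-smtp-in.l.google.com[142.250.141.26])
May 12 13:13:01 nc1 postfix/smtp[250377]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[142.250.141.26]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
May 12 13:13:01 nc1 postfix/smtp[250377]: 7F3A1C75A2: to=<u@gmail.com>, relay=gmail-smtp-in.l.google.com[142.250.141.26]:25, delay=1.2, delays=0.1/0.01/0.6/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

GMAIL_RE = re.compile(r"by mx\.google\.com with (ESMTPS?) id (\S+)")
TLSPARAMS_RE = re.compile(r"\(version=(\S+) cipher=(\S+) bits=[0-9/]+\)")
LOCAL_RE = re.compile(r"by \S+ \(Postfix\) with \S+ id ([0-9A-Za-z]+)")
LOG_RE = re.compile(r"postfix/smtp\[(\d+)\]: (.*)$")
TLSLOG_RE = re.compile(r"^(Trusted|Untrusted|Verified|Anonymous) TLS connection established to (\S+): (\S+) with cipher (\S+)")
STATUS_RE = re.compile(r"relay=(\S+), .*status=(\w+) \((.*)\)$")


def unfold_headers(text):
    """Join RFC 5322 continuation lines back onto their header line."""
    headers = []
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        elif line.strip():
            headers.append(line.rstrip())
    return headers


def remote_view(headers_text):
    """Gmail's view of the hop ('with ESMTPS' means TLS); TLS1_3 is normalised to Postfix's TLSv1.3."""
    for h in unfold_headers(headers_text):
        m = GMAIL_RE.search(h)
        if m:
            p = TLSPARAMS_RE.search(h)
            return {"with": m.group(1), "session": m.group(2),
                    "version": "TLSv" + p.group(1)[3:].replace("_", ".") if p else None,
                    "cipher": p.group(2) if p else None}
    return None


def local_queue_id(headers_text):
    hits = (LOCAL_RE.search(h) for h in unfold_headers(headers_text))
    return next((m.group(1) for m in hits if m), None)


def local_view(log_text, queue_id):
    """status= line for queue_id plus the handshake the same smtp(8) process
    logged just before it. Heuristic: an earlier status= line from that pid
    ends the search, so a handshake shared via connection caching is missed."""
    lines = log_text.splitlines()
    r = {"status": None, "relay": None, "detail": None, "tls": None}
    for i, line in enumerate(lines):
        m = LOG_RE.search(line)
        if not m or not m.group(2).startswith(queue_id + ": "):
            continue
        s = STATUS_RE.search(m.group(2))
        if not s:
            continue
        r["relay"], r["status"], r["detail"] = s.groups()
        for prev in reversed(lines[:i]):
            pm = LOG_RE.search(prev)
            if pm and pm.group(1) == m.group(1):
                t = TLSLOG_RE.match(pm.group(2))
                if t:
                    r["tls"] = dict(zip(("level", "peer", "version", "cipher"), t.groups()))
                break
    return r


def correlate(headers_text, log_text):
    """Compare Gmail's Received: header with what our Postfix logged for it."""
    qid = local_queue_id(headers_text)
    remote, local = remote_view(headers_text), local_view(log_text, qid or "")
    if not remote or local["status"] is None:
        finding = "incomplete: need Gmail's Received: header and the local status= line"
    elif remote["with"] != "ESMTPS":
        finding = "cleartext as far as Gmail is concerned"
    elif local["tls"] is None:
        finding = ("Gmail saw TLS but no local handshake is logged for this delivery: "
                   "stale smtp(8) after a config change, a per-destination override, smtp_tls_loglevel = 0, or a middlebox")
    elif (remote["version"], remote["cipher"]) != (local["tls"]["version"], local["tls"]["cipher"]):
        finding = "both sides saw TLS but with different parameters: suspect a TLS-terminating middlebox"
    else:
        finding = "consistent: %s TLS, %s %s" % (local["tls"]["level"], remote["version"], remote["cipher"])
    return {"queue_id": qid, "remote": remote, "local": local, "finding": finding}
```

Feed it the full header block of the message as received at Gmail and a grep of your mail log for that day; the "finding" string names which of the explanations in the reply fits. The "detail" field carries the text Postfix puts in parentheses after status=, which for the "encrypt" case is the same "TLS is required, but was not offered" message that appears in the post.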