On Tue, May 13, 2025 at 12:23:40PM +0200, Gregory Kohring via Postfix-users
wrote:
> Gmail's MTA-STS policy says that all mails sent to google must be over TLS.
No, it says no such thing, rather it provides the parameters
necessary to upgrade from opportunistic TLS to MTA-STS when
the client supports MTA-STS, and DNS had not been MITM'ed at
the time the client refreshed (first cached) the MTA-STS policy.
> smtp_tls_security_level = may
It seems you may be missing:
smtp_tls_loglevel = 1
> My certificates are from Let's Encrypt.
Irrelevant.
> I don't see anything in the log files related to TLS for the outgoing mail.
> Even with smtp_tls_loglevel = 4, there is nothing about TLS in the log
> files.
Or not searching the logs correctly.
> Looking at the Gmail account where the message was received, I find
> the following header snippet:
>
> Received: from mail.mydomain.com (mail.mydomain.com. [XXXXXXXX])
>         by mx.google.com with ESMTPS id
>         d9443c01a7336-22fc6f2f667si99667335ad.461.2025.05.12.04.13.01
>         for <u...@gmail.com>
>         (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 12
>         May 2025 04:13:01 -0700 (PDT)
>
> I took this to mean the email was sent over TLS1_3.
Yes, this delivery used TLS. You can check the queue id in the next
header below this to match it up with your own logs.
> I then set
>
> smtp_tls_security_level = none
>
> and repeated the experiment. Again, I get an identical header snippet:
>
> Received: from mail.mydomain.com (mail.mydomain.com [xxx])
>         by mx.google.com with ESMTPS id
>         d9443c01a7336-22fc582959asi136843645ad.116.2025.05.13.02.28.37
>         for <u...@gmail.com>
>         (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 13
>         May 2025 02:28:38 -0700 (PDT)
Perhaps you sent the test too soon after the configuration change, and
it was delivered by an smtp(8) delivery agent still using the old setting,
or the setting was made incorrectly, or there's an explicit override for
gmail.com, ... In any case this also used TLS.
> To make matters more interesting, I set
>
> smtp_tls_security_level = encrypt
>
> Now I see the following line in my log files:
>
> May 12 09:38:58 nc1 postfix/smtp[250120]: A3CC9C7593: TLS is required, but
> was not offered by host gmail-smtp-in.l.google.com[142.250.141.26]
$ posttls-finger -c -lmay -Lsummary "[142.250.141.26]"
posttls-finger: Untrusted TLS connection established to
142.250.141.26[142.250.141.26]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384
(256/256 bits) key-exchange X25519MLKEM768 server-signature ECDSA (prime256v1)
server-digest SHA256
At least one node in the set of servers behind that IP address sometimes
supports TLS.
https://en.wikipedia.org/wiki/Mathematical_joke#Stereotypes_of_mathematicians
> And this time the mail is deferred and not sent. Which makes no sense
> if my interpretation of the previous headers was correct.
Absent actual configuration details, in place of anecdotal evidence
it is not possible to say what transpired.
https://www.postfix.org/DEBUG_README.html#mail
> I'm guessing there is a mistake in my understanding of how all this works. I
> would be thankful for any clarifications.
More likely misconfiguration, or perhaps some middlebox between you and
Gmail. Test with:
$ posttls-finger -c -F /etc/ssl/cert.pem -lsecure -Lsummary
"[gmail-smtp-in.l.google.com]"
posttls-finger: Verified TLS connection established to
gmail-smtp-in.l.google.com[2404:6800:4003:c1c::1a]:25: TLSv1.3 with cipher
TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519MLKEM768
server-signature ECDSA (prime256v1) server-digest SHA256
replacing "/etc/ssl/cert.pem" with whatever file name holds the trusted
root CAs on your system. Any middlebox on your end should not be able
to impersonate Gmail (unless it is a locally trusted CA).
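To do the two checks discussed in this thread from a script rather than by eye (did Gmail's Received header record an encrypted ESMTPS session, and which Postfix queue ids were deferred because TLS was required but not offered), here is an added Python example; it is not part of the thread and not Postfix code. The sample header and log lines are constructed from the ones quoted above, with placeholder IPs and a constructed queue id, and the regexes assume Gmail's "by mx.google.com with ESMTPS id ... (version=... cipher=... bits=...)" layout and the Postfix smtp(8) log wording shown in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "by <relay> with <PROTO> id <id>" clause of a Received header, matched after
# the folded header has been collapsed onto one line.
_BY_RE = re.compile(r"\bby\s+(?P<by>\S+)\s+with\s+(?P<proto>[A-Z]+)\s+id\s+(?P<id>[^\s;]+)")
# TLS parameter comment that Gmail appends only on encrypted (ESMTPS) sessions.
_TLS_RE = re.compile(r"\(version=(?P<version>[^\s)]+)\s+cipher=(?P<cipher>[^\s)]+)\s+bits=(?P<bits>[^\s)]+)\)")
# Postfix smtp(8) deferral logged under smtp_tls_security_level = encrypt.
_TLS_REQUIRED_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<queue_id>[0-9A-F]+): TLS is required, but was not "
    r"offered by host (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
)


@dataclass
class ReceivedInfo:
    relay: str
    protocol: str
    session_id: str
    tls_version: Optional[str]
    cipher: Optional[str]
    bits: Optional[str]

    @property
    def encrypted(self) -> bool:
        # ESMTPS plus a recorded TLS version means the SMTP session was encrypted;
        # a plain ESMTP header with no version comment was cleartext.
        return self.protocol == "ESMTPS" and self.tls_version is not None


def parse_received(header: str) -> ReceivedInfo:
    """Extract relay, protocol, receiver's session id and TLS parameters."""
    flat = re.sub(r"\s+", " ", header.strip())  # unfold continuation lines
    m = _BY_RE.search(flat)
    if not m:
        raise ValueError("no 'by ... with ... id ...' clause in Received header")
    t = _TLS_RE.search(flat)
    return ReceivedInfo(
        relay=m.group("by"),
        protocol=m.group("proto"),
        session_id=m.group("id"),
        tls_version=t.group("version") if t else None,
        cipher=t.group("cipher") if t else None,
        bits=t.group("bits") if t else None,
    )


def tls_not_offered(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (queue_id, host, ip) for each 'TLS is required, but was not offered' line."""
    return [
        (m.group("queue_id"), m.group("host"), m.group("ip"))
        for line in log_text.splitlines()
        for m in [_TLS_REQUIRED_RE.search(line)]
        if m
    ]


# Constructed sample: the ESMTPS header from the thread with a placeholder IP.
SAMPLE_RECEIVED_TLS = """Received: from mail.mydomain.com (mail.mydomain.com. [192.0.2.10])
        by mx.google.com with ESMTPS id
        d9443c01a7336-22fc6f2f667si99667335ad.461.2025.05.12.04.13.01
        for <u...@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 12
        May 2025 04:13:01 -0700 (PDT)"""

# Constructed sample of what a cleartext delivery would look like (no TLS comment).
SAMPLE_RECEIVED_PLAIN = """Received: from mail.example.net (mail.example.net. [192.0.2.11])
        by mx.google.com with ESMTP id
        0000000000000000-00000000000000000000.1.2025.05.12.04.13.01
        for <u...@gmail.com>; Mon, 12 May 2025 04:13:01 -0700 (PDT)"""

# Constructed log excerpt: first line is the deferral quoted in the thread, the
# other two are a constructed successful delivery (queue id B1D2E3F4A5 is made up).
SAMPLE_LOG = """May 12 09:38:58 nc1 postfix/smtp[250120]: A3CC9C7593: TLS is required, but was not offered by host gmail-smtp-in.l.google.com[142.250.141.26]
May 12 09:39:01 nc1 postfix/smtp[250121]: B1D2E3F4A5: Untrusted TLS connection established to gmail-smtp-in.l.google.com[142.250.141.26]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
May 12 09:39:02 nc1 postfix/smtp[250121]: B1D2E3F4A5: to=<u...@gmail.com>, relay=gmail-smtp-in.l.google.com[142.250.141.26]:25, delay=1.2, status=sent (250 2.0.0 OK)"""


if __name__ == "__main__":
    for hdr in (SAMPLE_RECEIVED_TLS, SAMPLE_RECEIVED_PLAIN):
        info = parse_received(hdr)
        print(f"{info.relay}: {info.protocol} encrypted={info.encrypted} "
              f"version={info.tls_version} cipher={info.cipher}")
    for queue_id, host, ip in tls_not_offered(SAMPLE_LOG):
        print(f"deferred {queue_id}: TLS required but not offered by {host}[{ip}]")
```

The id in Gmail's Received header is Google's session id, not your Postfix queue id; the queue id to correlate with your own logs is in the Received header your Postfix added below it. Run this over the real headers and a `grep postfix/smtp` extract of your mail log to confirm what the server actually negotiated before reasoning about the policy settings.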