When I send a message to Gmail I am informed that it could not be
authenticated and will probably end in the spam folder. I understand
the resolution to this is to obtain an SSL certificate and configure
postfix to use that certificate.

I have obtained a certificate from LetsEncrypt which is working well
with Apache. I have tried to update my main.cf file to use this
certificate however I am now unable to send email. I am following this
post:
https://community.letsencrypt.org/t/using-lets-encrypt-certs-with-postfix/18957

Another guide suggests I can check the config using sslscan which outputs:
sslscan --starttls --no-failed localhost:587
                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                  Version 1.8.2
             http://www.titania.co.uk
        Copyright Ian Ventura-Whiting 2009

Testing SSL server localhost on port 587

  Supported Server Cipher(s):
    ERROR: The SMTP service on localhost port 587 did not appear to
support STARTTLS.


My main.cf file is as follows:

cat /etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
#smtpd_use_tls=yes
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
    defer_unauth_destination
myhostname = hermes.mydomain.local
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = ldap:/etc/postfix/ldap/mydestination.cf
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
smtpd_tls_auth_only = yes
transport_maps = ldap:/etc/postfix/ldap/transport_maps.cf,
    hash:/etc/postfix/transport
content_filter = smtp-amavis:[127.0.0.1]:10024
smtpd_sender_login_maps = $local_recipient_maps
local_recipient_maps = ldap:/etc/postfix/ldap/local_recipient_maps.cf
virtual_alias_maps = $alias_maps,
    ldap:/etc/postfix/ldap/virtual_alias_maps.cf,
    ldap:/etc/postfix/ldap/virtual_alias_maps_mailforwarding.cf,
    ldap:/etc/postfix/ldap/virtual_alias_maps_sharedfolders.cf,
    ldap:/etc/postfix/ldap/mailenabled_distgroups.cf,
    ldap:/etc/postfix/ldap/mailenabled_dynamic_distgroups.cf
submission_sender_restrictions = reject_non_fqdn_sender,
    check_policy_service unix:private/submission_policy,
    permit_sasl_authenticated, reject
submission_recipient_restrictions = check_policy_service
    unix:private/submission_policy, permit_sasl_authenticated, reject
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_pipelining, reject_rbl_client zen.spamhaus.org,
    reject_non_fqdn_recipient, reject_invalid_helo_hostname,
    reject_unknown_recipient_domain, reject_unauth_destination,
    check_policy_service unix:private/recipient_policy_incoming, permit
smtp_tls_security_level = may
smtpd_data_restrictions = permit_mynetworks, check_policy_service
    unix:private/recipient_policy_incoming
submission_data_restrictions = check_policy_service
    unix:private/submission_policy
smtpd_tls_security_level = may
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = permit_mynetworks,
    reject_sender_login_mismatch, check_policy_service
    unix:private/sender_policy_incoming


# logging
smtpd_tls_loglevel = 1

# Allow use of TLS but make it optional
smtp_use_tls=yes

# Disable SSLv2/3 as they are vulnerable
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3

# Insist on stronger ciphers
smtpd_tls_ciphers = high
smtp_tls_ciphers = high

# keys
smtp_tls_cert_file = /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/mail.mydomain.com/privkey.pem


I am also unsure how to handle the fact that the certificate is for
mail.mydomain.com, while the mail server is on our internal LAN and is
called hermes.mydomain.local.
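The following is an added example for this thread, not code from the original post and not part of Postfix. It is a small offline check that reads a main.cf the way Postfix does (comment lines skipped, lines beginning with whitespace continuing the previous parameter) and reports whether the server-side TLS parameters that an inbound STARTTLS offer depends on are present. Postfix uses `smtpd_tls_*` for its role as SMTP server and `smtp_tls_*` for its role as SMTP client, so the check specifically flags a `smtp_tls_cert_file`/`smtp_tls_key_file` that has no `smtpd_` counterpart, and notes that with `smtpd_tls_auth_only = yes` AUTH is withheld until STARTTLS works. The sample configurations embedded below are constructed for the example and use `mail.example.com` rather than the poster's paths.

```python
"""Static sanity check of Postfix main.cf for inbound (smtpd) TLS settings.

Added example for this thread; not part of the original post or of Postfix.
It reads configuration text only: no network access, no key or cert access.
"""
import re

# smtpd_* parameters an inbound STARTTLS offer needs, each paired with the
# smtp_* (client-side) twin that is easy to set by mistake.
SERVER_PARAMS = {
    "smtpd_tls_cert_file": "smtp_tls_cert_file",
    "smtpd_tls_key_file": "smtp_tls_key_file",
}

_ASSIGN = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")


def parse_main_cf(text):
    """Parse main.cf syntax into a dict of parameter -> value.

    Comment and blank lines are skipped, a line starting with whitespace is
    appended to the previous logical line, and a later assignment of the
    same parameter replaces the earlier one.
    """
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        m = _ASSIGN.match(raw)
        if not m:
            continue  # not a parameter assignment; ignore the line
        current = m.group(1)
        params[current] = m.group(2).strip()
    return params


def check_smtpd_tls(params):
    """Return a list of findings (empty list means nothing obvious is wrong)."""
    findings = []
    level = params.get("smtpd_tls_security_level")
    legacy = params.get("smtpd_use_tls", "no").lower()
    if level in (None, "none") and legacy != "yes":
        findings.append("smtpd TLS is not enabled: set smtpd_tls_security_level = may")
    for server, client in SERVER_PARAMS.items():
        if server in params:
            continue
        if client in params:
            findings.append(
                f"{server} is unset but {client} is set; smtp_* configures the "
                f"TLS *client* role, use {server} for inbound STARTTLS"
            )
        else:
            findings.append(f"{server} is unset; smtpd needs a certificate to offer STARTTLS")
    if params.get("smtpd_tls_auth_only", "no").lower() == "yes" and any(
        "is unset" in f for f in findings
    ):
        findings.append("smtpd_tls_auth_only = yes: AUTH is withheld until STARTTLS is offered")
    return findings


def report(text):
    """Convenience wrapper: parse a main.cf body and return its findings."""
    return check_smtpd_tls(parse_main_cf(text))


# Constructed sample mirroring the shape of the thread's main.cf (not the
# poster's file): server-side TLS level set, but the cert/key given as smtp_*.
BROKEN_CF = """\
# constructed sample, not a real deployment
myhostname = hermes.mydomain.local
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
    defer_unauth_destination
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtp_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
"""

# Same sample with the cert/key moved to the smtpd_* (server) parameters.
FIXED_CF = BROKEN_CF.replace("smtp_tls_cert_file", "smtpd_tls_cert_file").replace(
    "smtp_tls_key_file", "smtpd_tls_key_file"
)

if __name__ == "__main__":
    for label, cf in (("broken", BROKEN_CF), ("fixed", FIXED_CF)):
        print(f"[{label}]")
        for line in report(cf) or ["no findings"]:
            print("  -", line)
```

To run it against a real file, pass `open("/etc/postfix/main.cf").read()` to `report()`; the parser deliberately ignores `postconf`-style `$variable` expansion and master.cf, so it only answers the narrow question of whether smtpd has a certificate and key to offer at all.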
