Viktor, I have to tell you that it doesn't work for me. Main.cf:
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
readme_directory = no
# TLS parameters (como servidor)
smtpd_tls_cert_file = /etc/postfix/SSL/publica.crt
smtpd_tls_key_file = /etc/postfix/SSL/privada.pem
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_auth_only = no
# TLS parameters (como cliente)
smtp_tls_security_level = may
smtp_tls_cert_file =
smtp_tls_key_file =
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_starttls_timeout = 300s
myhostname = relay.mycompany.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = relay.mycomany.com, localhost
relayhost =
mynetworks = 127.0.0.0/8 10.0.0.0/8 192.168.69.0/24 172.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_non_fqdn_sender, reject_unknown_recipient_domain, reject_unknown_sender_domain, reject_unauth_destination, reject_rbl_client zombie.dnsbl.sorbs.net, reject_rbl_client opm.blitzed.org, reject_rbl_client sbl.spamhaus.org, reject_rbl_client pbl.spamhaus.org, reject_rbl_client cbl.abuseat.org check_policy_service unix:private/policy
disable_vrfy_command = yes
smtpd_hard_error_limit = 4
message_size_limit = 15240000
transport_maps = hash:/etc/postfix/transport
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_non_fqdn_sender, reject_unknown_recipient_domain, reject_unknown_sender_domain, reject_unauth_destination, reject_rbl_client zombie.dnsbl.sorbs.net, reject_rbl_client opm.blitzed.org, reject_rbl_client sbl.spamhaus.org, reject_rbl_client pbl.spamhaus.org, reject_rbl_client cbl.abuseat.org check_policy_service unix:private/policy
anvil_rate_time_unit=60s
smtpd_client_message_rate_limit = 50

Master.cf:
#
==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
# Agregado para que funcione la implementacion SPF
policy    unix  -       n       n       -       -       spawn
  user=nobody argv=/usr/bin/perl /usr/sbin/postfix-policyd-spf-perl
spamassassin unix -     n       n       -       -       pipe
  user=nobody argv=/usr/bin/spamc --socket=/tmp/spamd.sock -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n      n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
#Added by hand
smtp-amavis unix -      -       y       -       30      smtp
  -o smtp_data_done_timeout=1200s
  -o smtp_tls_security_level=none
##  -o smtp_never_send_ehlo=yes
  -o disable_dns_lookups=yes
127.0.0.1:10025 inet n  -       y       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8

Execution of mailx and output in the client:

# mailx -v -r "f...@mycompany.com" -s "TLS test" -S smtp="10.1.1.1:587" -S smtp-use-starttls -S ssl-verify=ignore any_u...@gmail.com
TYPE A MESSAGE
.
EOT
Resolving host 10.1.1.1 . . . done.
Connecting to 10.1.1.1:587 . . . connected.
220 relay.mycompany.com ESMTP Postfix (Debian/GNU)
>>> EHLO HOST341
250-relay.mycompany.com
250-PIPELINING
250-SIZE 15240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
>>> STARTTLS
220 2.0.0 Ready to start TLS
Missing "nss-config-dir" variable.
"/root/dead.letter" 11/314
. . . message not sent.

Can you help me again please??? Really thanks, I'm desperate.

On Mon, Mar 13, 2017 at 9:43 PM, Viktor Dukhovni <postfix-us...@dukhovni.org > wrote: > > > On Mar 13, 2017, at 7:37 PM, Jeronimo L. Cabral <jelocab...@gmail.com> > wrote: > > > > Dear Viktor.
sorry but I'll try to be more explicit because > > I have to put to work the submission and I can't: > > > > main.cf: > > > > smtp_tls_cert_file = /etc/postfix/SSL/publica.crt > > smtp_tls_key_file = /etc/postfix/SSL/privada.pem > > Though not related to your current problem, client certificates > are not recommended for MTAs, leave these two parameters empty. > > > smtp_tls_loglevel = 2 > > And the log level at 1. > > > master.cf: > > > > submission inet n - - - - smtpd > > -o syslog_name=postfix/submission > > # -o smtpd_tls_security_level=encrypt > > # -o smtpd_sasl_auth_enable=yes > > # -o smtpd_client_restrictions=permit_sasl_authenticated,reject > > # -o milter_macro_daemon_name=ORIGINATING > > Do uncomment the remaining options, but change "smtpd_client_restrictions" > to "permit_mynetworks, reject", making sure that "172.1.1.1" et. al. are > listed in my networks. > > > And when I send a message with mailx from client 172.1.1.1: > > > > $ mailx -v -r "f...@mycompany.com" -s "TLS test" -S smtp="10.1.1.1:587" > -S smtp-use-starttls -S ssl-verify=ignore any_u...@gmail.com > > I still don't see where you're specifying the message to be sent. > > > I get this log in Postfix: > > > > Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: connect > from unknown[172.1.1.1] > > Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: setting up > TLS connection from unknown[172.1.1.1] > > Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: > unknown[10.12.13.220]: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH" > > Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: SSL_accept > error from unknown[172.1.1.1]: lost connection > > Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: lost > connection after STARTTLS from unknown[172.1.1.1] > > Mar 13 20:34:47 MITLPSMT01 postfix/submission/smtpd[25956]: disconnect > from unknown[172.1.1.1] > > The client disconnected, by the look of things without even sending > a TLS client HELLO. 
Postfix can't tell you the reason for that. > Get more verbose diagnostics from "mailx". > > You can try: > > # postconf -e "debug_peer_list = 172.1.1.1" > # postfix reload > > but you probably won't see anything new and interesting on the Postfix > side. > > -- > Viktor. > >