On Wed, Jun 19, 2019 at 09:28:52PM +0200, sral...@gmail.com wrote:

> I'm trying to establish smtp_tls_security_level=verify connection with just
> one domain.
>
> ------ succeeding ----------
>
> From mail.log:
>
> Outgoing message:
>
> Verified TLS connection established to MXhost[xxx.xxx.xxx.xxx]:25:
> TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

As plainly evidenced in the log.

> postfix/smtp[]: : to=<em...@domain.com>,
> relay=MXhost[xxx.xxx.xxx.xxx]:25, delay=2190, delays=2186/0.03/3.9/0.13,
> dsn=4.7.0, status=deferred (host MXdomain[xxx.xxx.xxx.xxx] said: 403
> 4.7.0 not authenticated (in reply to MAIL FROM command))

It is understandably easy to confuse SSL with SASL and authentication of
the server by clients via server certificates, with authentication of
clients by servers via passwords, GSSAPI tokens, client certificates,
etc.  So there you are, confused...

The error message is from the server, which expects your client to
present authentication credentials.  Which ones depends on what the
server operator documents as the expected means for clients to prove
they are one of the ones authorized to access the server.

> smtp_tls_CApath = /etc/ssl/certs

Yes, you need that for "verify" (or "secure", which may be more
appropriate if the server is reached indirectly via insecure MX lookup).

> smtp_tls_loglevel = 2

That's too verbose for normal operation, "1" is better.

> smtp_tls_mandatory_ciphers = high
> smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, TLSv1.1

The first three are fine, but DO NOT insist on TLSv1.1, rather either
leave it out (enabling it and TLSv1.2 and TLSv1.3 if available), or
also turn it off, since pretty much nobody is using TLSv1.1.  Either of
the below is fine:

    smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
    smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

> smtp_tls_protocols = !SSLv2,!SSLv3, !TLSv1, !TLSv1.1

For opportunistic TLS, I'd be more permissive:

    smtp_tls_protocols = !SSLv2,!SSLv3

which is the default in recent Postfix releases.

> smtpd_sasl_auth_enable = yes
> smtpd_sasl_path = private/auth
> smtpd_sasl_type = dovecot

That gives you inbound SASL auth, but nothing outbound towards the
server in question.

> smtpd_tls_loglevel = 2

Again, too verbose.

> smtpd_tls_mandatory_ciphers = high
> smtpd_tls_mandatory_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3

Again, use only exclusion:

    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    smtpd_tls_protocols = !SSLv2, !SSLv3

> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

With session tickets (Postfix >= 2.10 IIRC), you generally don't need a
server-side cache.

> smtpd_use_tls = yes

The security level setting makes this redundant.

> tls_high_cipherlist =
> EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

Don't.  The default is fine.

-- 
Viktor.
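The review above boils down to a handful of mechanical checks on main.cf: protocol lists should carry only exclusions, TLS log levels above 1 are too chatty for production, a hand-rolled tls_high_cipherlist should go, smtpd_use_tls is redundant next to a security level, "verify"/"secure" needs a CA path or file, and smtpd_sasl_* alone never authenticates outbound mail. The script below is an added example, not code from the thread or from the Postfix project: it parses a main.cf fragment (including the continuation-line convention Postfix uses) and reports those findings. The two embedded fragments are constructed: the first paraphrases the original poster's settings (cipherlist shortened, smtpd_tls_security_level assumed present, as Viktor's "security level setting" remark implies), the second applies the advice and adds the smtp_sasl_* parameters that outbound authentication would need; the password-map path is a placeholder.

```python
"""Lint a Postfix main.cf fragment for the TLS/SASL pitfalls raised above (added example)."""
import re
from typing import Dict, List

# Constructed fragment: the original poster's settings, paraphrased.
# The cipherlist is shortened and smtpd_tls_security_level is assumed.
SAMPLE_MAIN_CF = """\
smtp_tls_security_level = verify
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 2
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, TLSv1.1
smtp_tls_protocols = !SSLv2,!SSLv3, !TLSv1, !TLSv1.1
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_security_level = may
smtpd_tls_loglevel = 2
smtpd_tls_mandatory_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_use_tls = yes
tls_high_cipherlist =
    EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:!aNULL:!eNULL:!LOW:!3DES:!MD5
"""

# Constructed fragment with the advice applied; the sasl_passwd path is a placeholder.
FIXED_MAIN_CF = """\
smtp_tls_security_level = verify
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3
"""

PROTOCOL_PARAMS = ("smtp_tls_protocols", "smtp_tls_mandatory_protocols",
                   "smtpd_tls_protocols", "smtpd_tls_mandatory_protocols")
DEFAULT_OPPORTUNISTIC = {"!SSLv2", "!SSLv3"}  # recent Postfix default for *_tls_protocols


def parse_main_cf(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; a line starting with whitespace continues the previous value."""
    params: Dict[str, str] = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if last is not None:
                params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            continue
        last = key.strip()
        params[last] = value.strip()
    return params


def lint(params: Dict[str, str]) -> List[str]:
    """Return one human-readable finding per problem the thread calls out."""
    findings: List[str] = []
    for name in PROTOCOL_PARAMS:
        value = params.get(name)
        if value is None:
            continue
        tokens = [t for t in re.split(r"[,\s]+", value) if t]
        inclusions = [t for t in tokens if not t.startswith("!")]
        if inclusions:  # e.g. insisting on TLSv1.1 instead of just excluding old versions
            findings.append(f"{name}: list exclusions only, drop {' '.join(inclusions)}")
        if name.endswith("_tls_protocols") and set(tokens) - DEFAULT_OPPORTUNISTIC:
            findings.append(f"{name}: opportunistic TLS, the default '!SSLv2, !SSLv3' is more permissive")
    for name in ("smtp_tls_loglevel", "smtpd_tls_loglevel"):
        value = params.get(name)
        if value is not None and value.isdigit() and int(value) > 1:
            findings.append(f"{name} = {value}: too verbose for normal operation, use 1")
    if params.get("tls_high_cipherlist"):
        findings.append("tls_high_cipherlist: custom cipherlist set, the default is fine")
    if "smtpd_use_tls" in params and "smtpd_tls_security_level" in params:
        findings.append("smtpd_use_tls: redundant, smtpd_tls_security_level takes precedence")
    if params.get("smtp_tls_security_level") in ("verify", "secure") and not (
            params.get("smtp_tls_CApath") or params.get("smtp_tls_CAfile")):
        findings.append("smtp_tls_security_level: verify/secure needs smtp_tls_CApath or smtp_tls_CAfile")
    if params.get("smtpd_sasl_auth_enable") == "yes" and params.get("smtp_sasl_auth_enable") != "yes":
        findings.append("smtpd_sasl_auth_enable: inbound SASL only; a '4.7.0 not authenticated' reply "
                        "from a relay means outbound smtp_sasl_auth_enable/smtp_sasl_password_maps are needed")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", SAMPLE_MAIN_CF), ("fixed", FIXED_MAIN_CF)):
        print(f"== {label} ==")
        for line in lint(parse_main_cf(cfg)) or ["no findings"]:
            print(" -", line)
```

Against a live system, feed it `postconf -n` output rather than the raw file; that is what Postfix actually applies, and it resolves the continuation lines for you.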