On Thu, Jun 20, 2019 at 0:45, Viktor Dukhovni (<postfix-us...@dukhovni.org>) wrote:
> On Wed, Jun 19, 2019 at 09:28:52PM +0200, sral...@gmail.com wrote:
>
> > I'm trying to establish smtp_tls_security_level=verify connection with
> > just one domain.
> > ------
> > succeeding
> > ----------
> >
> > From mail.log:
> >
> > Outgoing message:
> >
> > Verified TLS connection established to MXhost[xxx.xxx.xxx.xxx]:25:
> > TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
>
> As plainly evidenced in the log.
>
> > postfix/smtp[]: : to=<em...@domain.com>,
> > relay=MXhost[xxx.xxx.xxx.xxx]:25, delay=2190,
> > delays=2186/0.03/3.9/0.13,
> > dsn=4.7.0, status=deferred (host MXdomain[xxx.xxx.xxx.xxx] said: 403
> > 4.7.0 not authenticated (in reply to MAIL FROM command))
>
> It is understandably easy to confuse SSL with SASL and authentication
> of the server by clients via server certificates, with authentication
> of clients by servers via passwords, GSSAPI tokens, client certificates,
> etc. So there you are, confused...
>
> The error message is from the server, which expects your client to
> present authentication credentials. Which ones depends on what
> the server operator documents as the expected means for clients
> to prove they are one of the ones authorized to access the server.

I got a server log from the other side:

NOQUEUE: connect from DOMAIN [xxx.xxx.xxx.xxx] STARTTLS=server, relay=DOMAIN [xxx.xxx.xxx.xxx], version=TLSv1/SSLv3, verify=NO, cipher=ECDHE-RSA-AES256-SHA, bits=256/256

So maybe the problem is here. It expects a connection from the fqdn and it arrives from the domain? It is strange, because I see in the handshake it is shown with the fqdn, but it connects from the domain. I checked mydomain, smtpd_banner and myhostname and I think they are ok, but I still get deferred while sending.

> > smtp_tls_CApath = /etc/ssl/certs
>
> Yes, you need that for "verify" (or "secure", which may be more
> appropriate if the server is reached indirectly via insecure MX
> lookup).
>
> > smtp_tls_loglevel = 2
>
> That's too verbose for normal operation, "1" is better.
Only for testing, normally "1".

> > smtp_tls_mandatory_ciphers = high
> > smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, TLSv1.1
>
> The first three are fine, but DO NOT insist on TLSv1.1, rather
> either leave it out (enabling it and TLSv1.2 and TLSv1.3 is available),
> or also turn it off, since pretty much nobody is using TLSv1.1. Either
> of the below are fine:
>
> smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
> smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

Changed.

> > smtp_tls_protocols = !SSLv2,!SSLv3, !TLSv1, !TLSv1.1
>
> For opportunistic TLS, I'd be more permissive:
>
> smtp_tls_protocols = !SSLv2,!SSLv3
>
> which is the default in recent Postfix releases.
>
> > smtpd_sasl_auth_enable = yes
> > smtpd_sasl_path = private/auth
> > smtpd_sasl_type = dovecot
>
> That gives you inbound SASL auth, but nothing outbound towards the
> server in question.
>
> > smtpd_tls_loglevel = 2
>
> Again, too verbose.
>
> > smtpd_tls_mandatory_ciphers = high
> > smtpd_tls_mandatory_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
>
> Again, use only exclusion:
>
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
> smtpd_tls_protocols = !SSLv2, !SSLv3

Changed.

> > smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
>
> With session tickets (Postfix >= 2.10 IIRC), you generally don't
> need a server-side cache.
>
> > smtpd_use_tls = yes
>
> The security level setting makes this redundant.
>
> > tls_high_cipherlist =
> > EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
>
> Don't. The default is fine.

Commented.

> --
> Viktor.
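Added example, not part of the thread or of Postfix itself: a small Python model of how the protocol lists quoted above are read, which makes the point behind "use only exclusion" concrete. The rule modelled here (any entry without "!" turns the list into an allow-list, so only the named protocols are enabled) is reimplemented by hand as an assumption, not called from Postfix; the `as_exclusion_list` helper is my own name.

```python
import re

# Protocol names Postfix knows with a modern OpenSSL, oldest first.
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
_LOOKUP = {name.lower(): name for name in KNOWN}


def enabled_protocols(spec, available=KNOWN):
    """Return, oldest first, the protocols a list such as
    '!SSLv2, !SSLv3, !TLSv1, TLSv1.1' leaves enabled.

    Assumption (modelled, not taken from Postfix code): entries prefixed
    with '!' are exclusions; if any entry lacks the prefix, only the
    explicitly listed protocols are candidates, minus the exclusions.
    Entries may be separated by commas and/or whitespace.
    """
    included, excluded = set(), set()
    for token in re.split(r"[\s,]+", spec.strip()):
        if not token:
            continue
        negate = token.startswith("!")
        name = _LOOKUP.get(token.lstrip("!").lower())
        if name is None:
            raise ValueError("unknown protocol name: " + token)
        (excluded if negate else included).add(name)
    # Inclusions win: naming TLSv1.1 means *only* TLSv1.1, so the newer
    # TLSv1.2 and TLSv1.3 are silently disabled.
    base = included if included else set(available)
    return [p for p in KNOWN if p in available and p in base - excluded]


def as_exclusion_list(spec, available=KNOWN):
    """Rewrite SPEC as the equivalent exclusion-only list (the form
    recommended in the thread) so its real effect is visible."""
    enabled = set(enabled_protocols(spec, available))
    return ", ".join("!" + p for p in KNOWN
                     if p in available and p not in enabled)


if __name__ == "__main__":
    # The two lists from the original main.cf and the corrected form.
    for spec in ("!SSLv2, !SSLv3, !TLSv1, TLSv1.1",
                 "TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3",
                 "!SSLv2, !SSLv3, !TLSv1"):
        print(spec, "->", enabled_protocols(spec),
              "| same as:", as_exclusion_list(spec))
```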