On 6 Feb 2021, at 6:05, OzyMate wrote:
> I am trying to set up my postfix (on CentOS 8) to work with Amazon SES
> as SMTP relay host.
> Amazon SES requires:
> relayhost = [email-smtp.eu-west-2.amazonaws.com]:587
> smtp_sasl_auth_enable = yes
> smtp_sasl_security_options = noanonymous
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_use_tls = yes
> smtp_tls_security_level = encrypt
> smtp_tls_note_starttls_offer = yes
> If I use the above lines in main.cf, mails are not delivered with the
> following error in logs:
> TLS is required, but was not offered by host 127.0.0.1

Why are you routing mail via SMTP over the loopback and requiring
encryption?

> If I comment "smtp_tls_security_level = encrypt" and add
> "smtp_tls_security_level = may" in main.cf, postfix successfully
> delivers emails.

See http://www.postfix.org/DEBUG_README.html#mail, the section on how to
effectively get help here by providing useful information.

The problem you have is not in any of the configuration above, but
should be visible in your actual non-default configuration in both
main.cf and master.cf. Log entries for a failed attempt would also help.

> More info:
> - I have LE certs already installed on the server

Those will most likely not matter for sending mail, but depending on
what you want your server to do, may be useful for accepting mail
securely.

> - I have "smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt" in
> main.cf and ca-bundle.crt is available.

Generally not relevant unless Amazon is requiring client certs, which
would be very unusual.

> I would appreciate any insight to fix this problem. Also, is
> "smtp_tls_security_level = may" a security problem?

Not necessarily. If you don't distrust your own machine, and can be sure
that Amazon SES will always offer STARTTLS, it is harmless. The most
direct fix is to make sure that you have smtpd_* settings that will
allow you to offer STARTTLS on the smtpd instance handling initial
submission on the loopback. Depending on how you're already set up and
what you need Postfix to do beyond sending out email, there may be a
more fit solution.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
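As an added illustration of the fix Bill describes (not code from the thread or from the Postfix project), the script below parses `postconf -n`-style output and flags the mismatch in the original poster's configuration: the smtp client mandates TLS (`smtp_tls_security_level = encrypt`) while no `smtpd_*` settings make the local smtpd offer STARTTLS, so a hop through 127.0.0.1 cannot satisfy the requirement. The parameter defaults it relies on are Postfix's documented ones (`smtpd_tls_security_level` empty, falling back to `smtpd_use_tls = no`; `smtpd_tls_key_file` defaulting to `smtpd_tls_cert_file`). The sample configurations are constructed from the settings quoted in the thread, and the Let's Encrypt paths in the corrected sample are placeholders. The script does not inspect master.cf, so it assumes the loopback hop exists (a content filter or similar) rather than determining why it does.

```python
"""Check whether a Postfix main.cf that requires TLS on the outbound smtp
client can still be satisfied when mail is re-injected over the loopback,
i.e. whether the local smtpd will offer STARTTLS at all."""

# smtp_tls_security_level values that make TLS mandatory for the client.
MANDATORY_TLS_LEVELS = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}


def parse_postconf(text: str) -> dict[str, str]:
    """Parse 'name = value' lines (as printed by `postconf -n`) into a dict.
    Blank lines, comments and lines without '=' are ignored; values may be empty."""
    params: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def loopback_starttls_findings(params: dict[str, str]) -> list[str]:
    """Return a list of problems that would make a loopback smtp->smtpd hop
    fail under a mandatory client TLS level. An empty list means the local
    smtpd is configured to offer STARTTLS (or the client does not demand it)."""
    findings: list[str] = []
    client_level = params.get("smtp_tls_security_level", "")
    if client_level not in MANDATORY_TLS_LEVELS:
        return findings  # opportunistic or no TLS on the client side: nothing to enforce

    # smtpd_tls_security_level is empty by default, in which case Postfix falls
    # back to the obsolete smtpd_use_tls (default "no").
    smtpd_level = params.get("smtpd_tls_security_level", "")
    smtpd_offers_tls = smtpd_level in ("may", "encrypt") or (
        smtpd_level == "" and params.get("smtpd_use_tls", "no") == "yes"
    )
    if not smtpd_offers_tls:
        findings.append(
            "smtp client requires TLS (%s) but smtpd does not offer STARTTLS; "
            "set smtpd_tls_security_level = may" % client_level
        )
    # Without a certificate smtpd cannot offer STARTTLS even if the level allows it
    # (smtpd_tls_key_file defaults to smtpd_tls_cert_file, so only the cert is checked).
    if not params.get("smtpd_tls_cert_file"):
        findings.append("smtpd_tls_cert_file is empty; smtpd needs a certificate to offer STARTTLS")
    return findings


# Constructed from the settings quoted in the thread (the poster's main.cf).
OP_CONFIG = """
relayhost = [email-smtp.eu-west-2.amazonaws.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
"""

# Same configuration plus smtpd_* settings that let the loopback smtpd offer
# STARTTLS. The certificate paths are placeholders for the poster's LE certs.
FIXED_CONFIG = OP_CONFIG + """
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
"""


def report(label: str, text: str) -> list[str]:
    """Print and return the findings for one configuration."""
    findings = loopback_starttls_findings(parse_postconf(text))
    print(label, "->", findings or "no problems found")
    return findings


if __name__ == "__main__":
    report("original", OP_CONFIG)
    report("with smtpd_* TLS settings", FIXED_CONFIG)
```

Run it against real output with `postconf -n > /tmp/main.txt` and `parse_postconf(open("/tmp/main.txt").read())`; keeping `encrypt` on the client and adding the `smtpd_*` lines is the direction Bill points to, rather than downgrading the client to `may`.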