If I replace smtp_tls_security_level = encrypt with
smtplmtp_tls_security_level =encrypt, everything seems to work.
I appreciate your help.
Please find below output of "postconf -n" for completeness:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
compatibility_level = 2
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_size_limit = 0
mailbox_transport = lmtp:unix:private/dovecot-lmtp
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 10000000
meta_directory = /etc/postfix
milter_default_action = accept
milter_protocol = 6
mydestination = mail.wintess.com, $myhostname, localhost.$mydomain,
localhost
mydomain = example.com
myhostname = mail.example.com
mynetworks = 78.188.xxx.yyy/32, 127.0.0.0/8, 85.105.zzz.jjj/32
myorigin = example.com
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
policyd-spf_time_limit = 3600
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix/README_FILES
relayhost = [email-smtp.eu-central-1.amazonaws.com]:587
sample_directory = /usr/share/doc/postfix/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = /usr/lib64/postfix
smtp_header_checks = regexp:/etc/postfix/smtp_header_checks
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_CApath = /etc/pki/tls/certs
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated
check_helo_access hash:/etc/postfix/helo_access
reject_invalid_helo_hostname reject_non_fqdn_helo_hostname
warn_if_reject reject_unknown_helo_hostname
smtpd_milters = inet:127.0.0.1:8893
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination,
check_policy_service unix:private/policyd-spf, check_policy_service
unix:/var/spool/postfix/postgrey/socket, check_client_access
hash:/etc/postfix/rbl_override, reject_rhsbl_helo dbl.spamhaus.org,
reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_sender
dbl.spamhaus.org, permit_dnswl_client list.dnswl.org,
permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3],
reject_rbl_client zen.spamhaus.org
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
defer_unauth_destination
smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated
check_sender_access hash:/etc/postfix/sender_access
reject_unknown_sender_domain reject_unknown_client_hostname
smtpd_tls_cert_file = /etc/letsencrypt/live/wintess.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/wintess.com/privkey.pem
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_security_level = may
smtputf8_enable = no
unknown_local_recipient_reject_code = 550
virtual_alias_maps =
proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf,
proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf,
proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains =
proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
virtual_mailbox_maps =
proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf,
proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:2000
On 06.02.21 22:15, Bill Cole wrote:
On 6 Feb 2021, at 6:05, OzyMate wrote:
I am trying to set up my postfix (on CentOS 8) to work with Amazon SES
as SMTP relay host.
Amazon SES requires:
relayhost = [email-smtp.eu-west-2.amazonaws.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
If I use the above lines in main.cf, mails are not delivered with the
following error in logs:
TLS is required, but was not offered by host 127.0.0.1
Why are you routing mail via SMTP over the loopback and requiring
encryption?
If I comment "smtp_tls_security_level = encrypt" and add
"smtp_tls_security_level = may" in main.cf, postfix successfully
delivers emails.
See http://www.postfix.org/DEBUG_README.html#mail, the section on how
to effectively get help here by providing useful information.
The problem you have is not in any of the configuration above, but
should be visible in your actual non-default configuration in both
main.cf and master.cf. Log entries for a failed attempt would also help.
More info:
- I have LE certs already installed on the server
Those will most likely not matter for sending mail, but depending on
what you want your server to do, may be useful for accepting mail
securely.
- I have "smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt" in
main.cf and ca-bundle.crt is available.
Generally not relevant unless Amazon is requiring client certs, which
would be very unusual.
I would appreciate any insight to fix this problem. Also, is
"smtp_tls_security_level = may" a security problem?
Not necessarily. If you don't distrust your own machine, and can be
sure that Amazon SES will always offer STARTTLS, it is harmless. The
most direct fix is to make sure that you have smtpd_* settings that
will allow you to offer STARTTLS on the smtpd instance handling
initial submission on the loopback. Depending on how you're already
set up and what you need Postfix to do beyond sending out email, there
may be a more fit solution.
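As an added check that is not part of the thread or of Postfix itself, the script below parses a `postconf -n` dump like the one posted above and flags the combination behind the "TLS is required, but was not offered by host 127.0.0.1" error: a strict global smtp_tls_security_level while content_filter hands every message to a loopback SMTP transport that need not offer STARTTLS. It assumes the filter service is a unix-type smtp(8) entry in master.cf (as the name smtp-amavis suggests), so the fix it prints is a per-transport override with `postconf -P`, which leaves the global encrypt level in force for the relayhost hop to Amazon SES.

```python
"""Flag a strict global smtp_tls_security_level combined with a loopback
content_filter transport, the mismatch discussed in this thread.
The dump below is a constructed excerpt modelled on the posted postconf -n."""
import re

# Constructed sample of postconf -n output; continuation lines are indented.
SAMPLE = """\
content_filter = smtp-amavis:[127.0.0.1]:10024
relayhost = [email-smtp.eu-central-1.amazonaws.com]:587
smtp_tls_security_level = encrypt
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination
"""

# Levels that refuse delivery when the peer does not offer STARTTLS.
STRICT_LEVELS = ("encrypt", "dane-only", "fingerprint", "verify", "secure")


def parse_postconf(text):
    """Parse postconf -n output into a dict; an indented line continues the
    value of the parameter on the previous line."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and key:
            params[key] += " " + line.strip()
        else:
            key, _, value = line.partition("=")
            key = key.strip()
            params[key] = value.strip()
    return params


def loopback_filter_hazard(params):
    """Return (transport, suggested fix) when a strict global TLS level will
    break delivery to a content filter on the loopback, else None."""
    level = params.get("smtp_tls_security_level", "may")  # Postfix default is "may"
    target = params.get("content_filter", "")
    match = re.match(r"([\w-]+):\[?(127\.\d+\.\d+\.\d+|localhost)\]?", target)
    if level not in STRICT_LEVELS or not match:
        return None
    transport = match.group(1)
    # Assumes the filter is a unix-type smtp(8) service in master.cf.
    fix = f"postconf -P '{transport}/unix/smtp_tls_security_level=none'"
    return transport, fix


if __name__ == "__main__":
    print(loopback_filter_hazard(parse_postconf(SAMPLE)))
```

The override only relaxes the local hop into the filter; mail leaving for the relayhost still fails closed if SES ever stopped offering STARTTLS, which is the guarantee the thread is after.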