On Sun, Feb 07, 2021 at 11:09:42AM +0300, OzyMate wrote:

> If I change smtp_tls_security_level = encrypt with 
> smtplmtp_tls_security_level =encrypt, all seem working.

You completely ignored the bulk of my reply, and just fudged
something random. :-(

    0. An apparently working configuration is not the same
       as correctly/robustly working configuration.

    1. Does anything in "master.cf" actually use the new
       "smtplmtp_tls_security_level" parameter?

    2. For password-based submission, you should use "secure"
       not "encrypt".  You'll need a CAfile for that, per my
       reply...

    3. You should configure the submission server via a custom
       default_transport, rather than a relayhost.

    ...

> content_filter = smtp-amavis:[127.0.0.1]:10024

The global "smtp_" settings also affect this transport.  This is why I
suggested using a separate "smtp" transport for outgoing submission
via the relayhost, where your settings (via master.cf overrides) affect
only SMTP features used with the relay.

> relayhost = [email-smtp.eu-central-1.amazonaws.com]:587

See my previous reply.

> smtp_header_checks = regexp:/etc/postfix/smtp_header_checks

That's going to happen twice, both in the amavis and the outgoing
deliveries.  Probably once is enough, so make this transport-specific.

> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_sasl_security_options = noanonymous
> smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
> smtp_tls_CApath = /etc/pki/tls/certs
> smtp_tls_note_starttls_offer = yes
> smtp_tls_security_level = may

See my previous reply.  If all outbound mail is via the relay,
you may as well set "smtp_tls_security_level = none".  Or perhaps
do that just with "smtp-amavis" in master.cf.

> smtp_use_tls = yes

This is obsolete and unnecessary.

> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
> smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
> smtpd_tls_security_level = may

If you're receiving mail from the Internet at large, I'd recommend
leaving TLS 1.0 and TLS 1.1 (make sure it is both or neither!) enabled
for now.  Why force traffic to cleartext that could come in over TLS
1.0?  At the cost of repeating myself, DO NOT attempt to disable just
TLS 1.1, that will not do what you want.

And you should really post both "postconf -nf" and "postconf -Mf"
output, making sure your editor does NOT rewrap line breaks.

-- 
    Viktor.
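The layout Viktor is describing, as an added illustration that is not part of the original thread or of either poster's configuration: the relay is reached through a dedicated "smtp" transport selected by default_transport, so the strict TLS and SASL settings live in master.cf and apply only to the relay leg, while the global "smtp_" settings (which also govern the smtp-amavis hop on the loopback interface) stay plain. The transport name "relay-aws" is an arbitrary choice; the relay host, CAfile, SASL map and header_checks table are the values quoted earlier in the thread.

```conf
# main.cf (fragment)
#
# Route all non-local mail through a custom transport instead of relayhost.
# The nexthop in brackets suppresses MX lookups; it must match the key
# used in the sasl_passwd table below.
default_transport = relay-aws:[email-smtp.eu-central-1.amazonaws.com]:587

# Global client TLS: everything outbound goes via the relay, so the only
# other "smtp" client is the loopback hop to amavis, which needs no TLS.
smtp_tls_security_level = none
smtp_sasl_auth_enable = no

# Server side (inbound from the Internet): keep TLS 1.0/1.1 accepting,
# disable only the SSLv2/SSLv3 protocols.  Never disable just one of 1.0/1.1.
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

# Hand-off to the content filter is unchanged.
content_filter = smtp-amavis:[127.0.0.1]:10024

# master.cf (fragment)
#
# Dedicated client for the authenticated relay.  "secure" requires a
# certificate that chains to the CAfile and whose name matches the
# nexthop hostname, so a password is never sent to an unverified peer.
# "-o" values must contain no whitespace around "=".
relay-aws  unix  -       -       n       -       -       smtp
  -o syslog_name=postfix/relay-aws
  -o smtp_tls_security_level=secure
  -o smtp_tls_CAfile=/etc/pki/tls/certs/ca-bundle.crt
  -o smtp_sasl_auth_enable=yes
  -o smtp_sasl_password_maps=hash:/etc/postfix/sasl_passwd
  -o smtp_sasl_security_options=noanonymous
  -o smtp_header_checks=regexp:/etc/postfix/smtp_header_checks

# Loopback hop to amavis: inherits the global "none" TLS level, so the
# header_checks above run once, on the relay leg only.
smtp-amavis unix  -       -       n       -       2       smtp
  -o syslog_name=postfix/amavis
  -o smtp_data_done_timeout=1200
  -o disable_dns_lookups=yes

# /etc/postfix/sasl_passwd (then: postmap hash:/etc/postfix/sasl_passwd)
# Keyed by the nexthop exactly as written in default_transport.
# [email-smtp.eu-central-1.amazonaws.com]:587  SMTP_USERNAME:SMTP_PASSWORD
```

After editing, check that the relay transport is actually the one in use with "postconf -Mf" (which shows the per-service "-o" overrides) and by looking for the "postfix/relay-aws" syslog_name in the mail log when a test message goes out; if the log still shows "postfix/smtp" for the relay connection, the default_transport change did not take effect and the master.cf overrides are not being applied.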
