On Mon, Aug 22, 2022 at 01:41:35PM -0700, nate wrote:

> More recently I formalized this configuration even more in an attempt to
> make my system more up to date, being able to send and receive with
> TLS.
>
> This is my TLS related configuration
> [..]
> smtpd_sasl_tls_security_options = noanonymous
> smtpd_tls_auth_only = yes
> smtpd_tls_loglevel = 1
> smtpd_sasl_auth_enable = yes
> smtpd_tls_security_level = may
> smtpd_tls_CAfile = /etc/postfix/cacerts.pem
Leave the CAfile empty. You're wasting cycles loading and not using it.

> smtpd_tls_cert_file =
> /etc/ssl/yehat.aphroland.org/yehat.aphroland.org_2022.crt

This should be the full certificate chain, not just the leaf certificate.

> smtpd_tls_key_file =
> /etc/ssl/yehat.aphroland.org/yehat.aphroland.org.key_nopass
> [..]
>
> I have verified that inbound email can come in with TLS, such as this
> log entry regarding my communications with the Postfix majordomo a
> short time ago:
>
> postfix/smtpd[5797]: Anonymous TLS connection established from
> camomile.cloud9.net[168.100.1.3]: TLSv1.2 with cipher AECDH-AES256-SHA
> (256/256 bits)
>
> What I am confused by is Postfix does not appear to be attempting
> to use TLS on any outbound emails. I have tested with Gmail and
> with MS Office 365. Sample tcpdump

For that, you need at least:

    smtp_tls_security_level = may

or perhaps (given a local validating resolver and only loopback
nameserver IPs in /etc/resolv.conf or equivalent):

    smtp_dns_support_level = dnssec
    smtp_tls_security_level = dane

> I have looked around and can't find what I may be doing wrong here. What
> I've read implies to me that if SSL is enabled for inbound then it should
> just work for outbound (if the other side supports it).

This is not the case; each direction can/has to be explicitly enabled.

-- 
Viktor.
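The point of the reply is that the smtpd_* parameters only govern inbound TLS, and outbound TLS stays off until smtp_tls_security_level is set. The following is an added check, not code from the thread or from Postfix itself: it parses a constructed main.cf with awk (assuming Postfix's documented rules that the last assignment wins, `#` lines are comments and a line starting with whitespace continues the previous value) and reports whether outbound TLS is actually enabled, without needing a postconf binary.

```shell
#!/bin/sh
# Added example (not from the thread). Print the effective value of one
# main.cf parameter, or nothing if it is never set.
effective_param() {
    # $1 = path to main.cf, $2 = parameter name
    awk -v p="$2" '
        /^[[:space:]]*#/ { next }                      # comment line
        /^[[:space:]]/ {                               # continuation line
            if (cur == p) { sub(/^[[:space:]]+/, ""); val = (val == "" ? $0 : val " " $0) }
            next
        }
        /^[A-Za-z0-9_]+[[:space:]]*=/ {                # name = value
            cur = $0; sub(/[[:space:]]*=.*/, "", cur)
            if (cur == p) {
                val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
            }
            next
        }
        { cur = "" }                                   # anything else ends a value
        END { print val }' "$1"
}

# Outbound TLS is attempted only when smtp_tls_security_level is set and
# not "none"; smtpd_tls_security_level has no effect on outbound mail.
outbound_tls_enabled() {
    lvl=$(effective_param "$1" smtp_tls_security_level)
    [ -n "$lvl" ] && [ "$lvl" != "none" ]
}

# Constructed main.cf mirroring the thread: inbound TLS on, outbound never set.
tmp=$(mktemp)
cat >"$tmp" <<'EOF'
# inbound (smtpd) side only
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/example.crt
EOF
if outbound_tls_enabled "$tmp"; then
    echo "outbound TLS: on"
else
    echo "outbound TLS: OFF (smtp_tls_security_level not set)"
fi
# Add the outbound setting from the reply and re-check.
printf 'smtp_tls_security_level = may\n' >>"$tmp"
outbound_tls_enabled "$tmp" && echo "outbound TLS: on"
rm -f "$tmp"
```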