Enable encryption for postfix outgoing emails
Hello There,
I have a running Postfix email server and till now, without enabling TLS, it's working fine. Suddenly I got a requirement to enable encryption for all outgoing email from my SMTP relay. Therefore I have enabled TLS in my server and email is working fine when I use smtp_tls_security_level = may. But when I checked the received email in my Gmail, it is still not encrypted. I hoped that if I could enable smtp_tls_security_level = encrypt this should work fine. But when I enabled smtp_tls_security_level = encrypt and tried to send an email to my Gmail account, I don't get the email and the following messages show in the maillog:

TLS is required, but was not offered by host alt3.gmail-smtp-in.l.google.com[108.177.125.26]
TLS is required, but was not offered by host alt2.gmail-smtp-in.l.google.com[74.125.200.26]
TLS is required, but was not offered by host alt2.gmail-smtp-in.l.google.com[74.125.200.26]
TLS is required, but was not offered by host alt2.gmail-smtp-in.l.google.com[74.125.200.26]

Here is my TLS configuration in main.cf:

# TLS Configurations
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_cert_file = /etc/postfix/ssl/domainname.com.pem
smtp_tls_key_file = /etc/postfix/ssl/domainname.com.key
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtp_tls_loglevel = 1

Did anyone have the same issue? Or can anyone give me a clue to fix this issue?
When SMTP is using TLS, it simply means that the protocol-exchange between the mail servers is being conducted through TLS. It does not, AFAIK, mean that the messages being carried are encrypted. (In other words, while Eve would not be able to "sniff" the wire between the two mail servers, she could read the messages themselves if she could cause them to pass through a server that she had compromised.)
I found the issue;
These are Gmail MX records:

alt3.gmail-smtp-in.l.google.com[108.177.125.26]
alt2.gmail-smtp-in.l.google.com[74.125.200.26]
alt2.gmail-smtp-in.l.google.com[74.125.200.26]
alt2.gmail-smtp-in.l.google.com[74.125.200.26]

Those are not allowed to connect over TLS on port 587. What I have done is add an entry into the transport file as below, because only smtp.gmail.com has enabled TLS over 587.

gmail.com smtp:smtp.gmail.com:587

But when I added this, it then says:

status=bounced (host smtp.gmail.com[64.233.184.109] said: 530-5.5.1 Authentication Required. Learn more at 530 5.5.1 https://support.google.com/mail/?p=WantAuthError q18sm3848228wre.40 - gsmtp (in reply to MAIL FROM command))

To fix this we have to add the below into main.cf:

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

We have to create a Gmail account and put the user credentials into /etc/postfix/sasl_passwd. Then only the emails go through. But why do we need this? Can't we send emails from Gmail clients over TLS encryption without using authentication credentials?
When sending emails through smtp.gmail.com:587, Gmail replaces the sender address with the Gmail login address.
I need to avoid this :(
Finally found the reason for this. Hope this will be helpful to someone in future.

smtp.gmail.com:587 requires you to provide your Gmail or G Suite user credentials to send emails. But the problem is, when you use the user credentials here, Gmail replaces the sender address with your login email address, so the recipient sees that the email came from your Gmail account. This can be handled from the Gmail settings: you can add any of your email addresses under "Send mail as", but it requires that particular email account to be set up in your email server. This is fine if you have the manageability in your corporate email server, such as Office 365, and if you have only one or two email addresses that should route through Postfix.

The solution is to have a G Suite account, where you can authenticate through domain name or allowed IP address, so you can send email through smtp-relay.gmail.com:587 without putting in user credentials. So when the email passes from Postfix to Gmail, the Gmail client gets the email as from the original sender address. This might be confusing to look at, but it will be helpful in a situation where you have a corporate mail server aside and you need to have another mail server like Postfix to send emails from your production applications.

Let me know if anyone gets the same kind of issue, so I can help them. Cheers!
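The two relay setups in this thread (smtp.gmail.com:587 with account credentials, or smtp-relay.gmail.com:587 authorised by sending IP or domain) differ only in which lookup tables exist. The script below is an added example, not the thread's or the Postfix project's own code: it stages the transport, TLS policy and (for the credential variant) sasl_passwd tables in a directory of your choosing, and checks that the credential file is not world-readable. Instead of the global smtp_tls_security_level = encrypt that produced the "TLS is required, but was not offered" bounces above, it uses smtp_tls_policy_maps to require TLS only for the Gmail next-hop, so other destinations keep working under "may". The /etc/postfix paths in the main.cf fragment, the account name and the PASSWORD_PLACEHOLDER string are assumptions; replace them before use.

```shell
#!/bin/sh
# Added example (not from the thread or from Postfix): stage Postfix relay tables for Gmail.
# Modes:
#   sasl    - [smtp.gmail.com]:587 with account credentials (Gmail rewrites the sender, as noted above)
#   iprelay - [smtp-relay.gmail.com]:587, authorised by sending IP/domain in the G Suite admin console
# Files go to a staging directory; copy them to /etc/postfix and run postmap yourself.

stage_relay_config() {
  dir=$1 mode=$2 domain=${3:-gmail.com}
  mkdir -p "$dir"
  case $mode in
    sasl)    relay='[smtp.gmail.com]:587' ;;
    iprelay) relay='[smtp-relay.gmail.com]:587' ;;
    *) echo "unknown mode: $mode" >&2; return 2 ;;
  esac

  # transport(5): send mail for $domain to the relay. Brackets skip MX lookup of the next-hop.
  printf '%s smtp:%s\n' "$domain" "$relay" > "$dir/transport"

  # smtp_tls_policy_maps: require TLS for this next-hop only, leaving the global level at "may".
  # The key must match the next-hop exactly as written in transport(5), brackets and port included.
  printf '%s encrypt\n' "$relay" > "$dir/tls_policy"

  # main.cf fragment to append (paths are assumptions).
  {
    printf 'transport_maps = hash:/etc/postfix/transport\n'
    printf 'smtp_tls_security_level = may\n'
    printf 'smtp_tls_policy_maps = hash:/etc/postfix/tls_policy\n'
  } > "$dir/main.cf.fragment"

  if [ "$mode" = sasl ]; then
    # sasl_passwd holds a live credential: create it with mode 0600 before anything is written.
    (umask 077; : > "$dir/sasl_passwd")
    printf '%s %s\n' "$relay" 'relay-account@gmail.com:PASSWORD_PLACEHOLDER' > "$dir/sasl_passwd"
    chmod 600 "$dir/sasl_passwd"
    {
      printf 'smtp_sasl_auth_enable = yes\n'
      printf 'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd\n'
      # The default "noplaintext" would refuse PLAIN/LOGIN; the policy map above guarantees
      # the credential only ever travels inside TLS.
      printf 'smtp_sasl_security_options = noanonymous\n'
    } >> "$dir/main.cf.fragment"
  fi

  # Build the .db files when postmap is installed; skipped harmlessly on a machine without Postfix.
  if command -v postmap >/dev/null 2>&1; then
    for t in transport tls_policy sasl_passwd; do
      [ -f "$dir/$t" ] && postmap "hash:$dir/$t"
    done
  fi
  return 0
}

# Return 0 only if FILE is readable and writable by its owner alone (mode 0600).
check_secret_perms() {
  mode=$(ls -ld "$1" | cut -c1-10)
  [ "$mode" = "-rw-------" ]
}

# Stand-alone run: stage the credential variant in a temporary directory and show the fragment.
demo=$(mktemp -d)
stage_relay_config "$demo" sasl
check_secret_perms "$demo/sasl_passwd" && echo "sasl_passwd permissions ok"
cat "$demo/main.cf.fragment"
```

Run `stage_relay_config /tmp/stage iprelay` for the smtp-relay.gmail.com variant; no sasl_passwd is produced and no smtp_sasl_* settings appear in the fragment. After copying the tables into /etc/postfix, `postmap` each one and `postfix reload`; a delivery through the relay should then log a "TLS connection established to smtp-relay.gmail.com" line, and a next-hop that fails to offer STARTTLS is deferred rather than sent in clear.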
Well, you're simply using gmail's servers as a relay (via a regular "client" account).
There is no guarantee that any forward hops are tls secured (and you have no way of telling). FWIW, I'm using 'smtp_tls_security_level = may' and have no problem making tls connections to gmail servers (and many others offering STARTTLS). Code:
Apr 1 21:09:01 wheezy01 postfix/smtp[10031]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[64.233.189.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
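The log line above is the only place where you can see whether an outbound hop was actually encrypted, and its first word matters: "Untrusted" (or "Anonymous") means the session was encrypted but the peer was not authenticated against smtp_tls_CAfile, while "Trusted" or "Verified" means it was. The following is an added example, not code from the thread, that tallies those lines and lists the hosts behind the "TLS is required, but was not offered" errors from the first post. It assumes the stock Postfix smtp client wording at smtp_tls_loglevel = 1; the sample lines are constructed, reusing the hostnames and addresses quoted in the thread plus documentation example domains.

```shell
#!/bin/sh
# Added example, not from the thread: summarise outbound TLS outcomes from Postfix smtp client logs.
# Constructed sample lines (hostnames/addresses copied from the thread; example.net/org are placeholders).
SAMPLE_LOG='Apr 1 21:09:01 wheezy01 postfix/smtp[10031]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[64.233.189.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Apr 1 21:09:02 wheezy01 postfix/smtp[10032]: Trusted TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 1 21:09:03 wheezy01 postfix/smtp[10033]: TLS is required, but was not offered by host alt3.gmail-smtp-in.l.google.com[108.177.125.26]
Apr 1 21:09:04 wheezy01 postfix/smtp[10033]: TLS is required, but was not offered by host alt2.gmail-smtp-in.l.google.com[74.125.200.26]
Apr 1 21:09:05 wheezy01 postfix/smtp[10033]: TLS is required, but was not offered by host alt2.gmail-smtp-in.l.google.com[74.125.200.26]
Apr 1 21:09:06 wheezy01 postfix/smtp[10034]: Anonymous TLS connection established to mx.example.org[198.51.100.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)'

# Read log lines on stdin, print one summary line.
#   verified   : Trusted/Verified    - encrypted and the peer certificate chained to smtp_tls_CAfile
#   unverified : Untrusted/Anonymous - encrypted on the wire, peer not authenticated
#   refused    : TLS was mandatory (encrypt level or policy) and the peer did not offer STARTTLS
tls_summary() {
  awk '
    /postfix\/smtp\[[0-9]+\]: (Trusted|Verified) TLS connection established to /    { verified++;   next }
    /postfix\/smtp\[[0-9]+\]: (Untrusted|Anonymous) TLS connection established to / { unverified++; next }
    /postfix\/smtp\[[0-9]+\]: TLS is required, but was not offered by host /        { refused++;    next }
    END { printf "verified=%d unverified=%d refused=%d\n", verified+0, unverified+0, refused+0 }
  '
}

# Read log lines on stdin, print each distinct host that failed to offer STARTTLS when required.
tls_refusers() {
  sed -n 's/.*TLS is required, but was not offered by host \([^[ ]*\)\[.*/\1/p' | sort -u
}

# Stand-alone run against the sample. On a live system: tls_summary < /var/log/maillog
printf '%s\n' "$SAMPLE_LOG" | tls_summary
printf '%s\n' "$SAMPLE_LOG" | tls_refusers
```

Two caveats when reading real logs: under smtp_tls_security_level = may a delivery that fell back to clear text writes no TLS line at loglevel 1, so compare the counts against the number of status=sent entries rather than assuming every delivery is represented; and a host listed by tls_refusers can be probed directly with `openssl s_client -starttls smtp -connect HOST:25`, which is the quickest way to tell whether the MX itself, or something between you and it, is the reason STARTTLS never appeared.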
That's a good point for me.
Just to avoid confusion, I'm also using smtp_tls_security_level = may in my main.cf. I just added a transport_maps entry to force the Gmail traffic to encrypt, to check the issue only. Later I will take it back to normal.

Now I have a confusion. For me, that MX record is resolving as below. Quote:

and they are not offering TLS; instead I get the below:

TLS is required, but was not offered by host alt3.gmail-smtp-in.l.google.com[108.177.125.26]
TLS is required, but was not offered by host alt2.gmail-smtp-in.l.google.com[74.125.200.26]
TLS is required, but was not offered by host alt2.gmail-smtp-in.l.google.com[74.125.200.26]
TLS is required, but was not offered by host alt2.gmail-smtp-in.l.google.com[74.125.200.26]

But for you it's resolving to:

gmail-smtp-in.l.google.com[64.233.189.26]:25
gmail-smtp-in.l.google.com[64.233.189.26]:25
gmail-smtp-in.l.google.com[108.177.97.27]:25

and that may be why TLS is being offered from these servers. If you don't mind, can you tell me what DNS server you are using? I'm using 8.8.8.8. And I'd appreciate it if you can give me your TLS configuration, so it will be helpful for me.
I use my ISP DNS servers.
Differences probably due to location / load balancing. Maybe crank up the log level to see what is happening. http://www.postfix.org/TLS_README.html#client_logging The rest of that page may be interesting too.
I tried many configurations from the given site, and tried pointing to your MX server above as well. Even then I get the same error: "TLS is required, but was not offered by host"
I suspect something is wrong with my TLS configuration.
Have you configured a cert?
http://www.postfix.org/TLS_README.html#client_cert_key
Yes. and here is my config.
# TLS Configurations
smtp_use_tls = yes
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_cert_file = /etc/postfix/ssl/mycert.pem
smtp_tls_key_file = /etc/postfix/ssl/mycert.key
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtp_tls_protocols = !SSLv2, !SSLv3
Did you read the link?
Yes I did. am I missing something here?