LinuxQuestions.org

Linux - Server: Enable encryption for postfix outgoing emails (https://www.linuxquestions.org/questions/linux-server-73/enable-encryption-for-postfix-outgoing-emails-4175626523/)

kkrrss 03-28-2018 09:18 AM

Enable encryption for postfix outgoing emails
 
Hello There,

I have a running Postfix email server, and till now, without enabling TLS, it's working fine.

Suddenly I got a requirement to enable encryption for all outgoing email from my SMTP relay.
Therefore I have enabled TLS in my server, and email is working fine when I use smtp_tls_security_level = may. But when I checked the received email in my Gmail, it is still not encrypted.

I hoped that if I enabled smtp_tls_security_level = encrypt this would work fine.

But when I enabled smtp_tls_security_level = encrypt and tried to send an email to my Gmail account, I don't get the email and the following message shows in the maillog.

TLS is required, but was not offered by host alt3.gmail-smtp-in.l.google.com[108.177.125.26]
TLS is required, but was not offered by host alt2.gmail-smtp-in.l.google.com[74.125.200.26]
TLS is required, but was not offered by host alt2.gmail-smtp-in.l.google.com[74.125.200.26]
TLS is required, but was not offered by host alt2.gmail-smtp-in.l.google.com[74.125.200.26]

Here is my TLS configuration in main.cf:

# TLS Configurations
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_cert_file = /etc/postfix/ssl/domainname.com.pem
smtp_tls_key_file = /etc/postfix/ssl/domainname.com.key
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtp_tls_loglevel = 1

Did anyone have the same issue? Or can anyone give me a clue to fix this issue?

sundialsvcs 03-28-2018 08:07 PM

When SMTP is using TLS, it simply means that the protocol-exchange between the mail servers is being conducted through TLS. It does not, AFAIK, mean that the messages being carried are encrypted. (In other words, while Eve would not be able to "sniff" the wire between the two mail servers, she could read the messages themselves if she could cause them to pass through a server that she had compromised.)

kkrrss 04-02-2018 02:54 AM

I found the issue:

alt3.gmail-smtp-in.l.google.com[108.177.125.26]
alt2.gmail-smtp-in.l.google.com[74.125.200.26]
alt2.gmail-smtp-in.l.google.com[74.125.200.26]
alt2.gmail-smtp-in.l.google.com[74.125.200.26]


These are Gmail MX records; those are not allowed to connect over TLS port 587.
What I have done is added an entry into the transport file as below, because only smtp.gmail.com has enabled TLS over 587.

gmail.com smtp:smtp.gmail.com:587

But when I added this, it then says:

status=bounced (host smtp.gmail.com[64.233.184.109] said: 530-5.5.1 Authentication Required. Learn more at 530 5.5.1 https://support.google.com/mail/?p=WantAuthError q18sm3848228wre.40 - gsmtp (in reply to MAIL FROM command))

To fix this we have to add the below into main.cf:

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd


We have to create a Gmail account and put the user credentials into /etc/postfix/sasl_passwd. Only then do the emails go through.

But why do we need this? Can't we send emails from Gmail clients over TLS encryption without using authentication credentials?

scasey 04-02-2018 01:25 PM

Quote:

Originally Posted by kkrrss (Post 5838395)
But why do we need this? Can't we send emails from Gmail clients over TLS encryption without using authentication credentials?

The short answer is No. The purpose of TLS login is to force the use of authentication credentials that are encrypted.

kkrrss 04-02-2018 01:33 PM

When sending emails through smtp.gmail.com:587, Gmail replaces the sender address with the Gmail login address.
I need to avoid this :(

kkrrss 04-03-2018 04:56 AM

Finally found the reason for this. Hope this will be helpful to someone in future.

smtp.gmail.com:587 requires you to provide your Gmail or G Suite user credentials to send emails. But the problem is, when you use the user credentials here, Gmail replaces the sender address with your Gmail account address, so the recipient sees that the email came from your Gmail account.

Since this can be handled from the Gmail settings, you can add any of your email addresses under "Send mail as", but it requires that particular email account to be set up in your email server. This is fine if you have manageability in your corporate email server, such as Office 365, and if you have only one or two email addresses that should route through Postfix.

The solution is to have a G Suite account where you can authenticate through domain name or allowed IP address, so you can send email through smtp-relay.gmail.com:587 and will not be required to put in user credentials. So when the email passes from Postfix to Gmail, the Gmail client gets the email as from the original sender address.

This might be confusing when looking at it, but it will be helpful in a situation where you have a corporate mail server aside and you need another mail server like Postfix to send emails from your production applications.

Let me know if anyone gets the same kind of issue, so I can help them.

Cheers!

descendant_command 04-03-2018 05:21 AM

Well, you're simply using gmail's servers as a relay (via a regular "client" account).
There is no guarantee that any forward hops are tls secured (and you have no way of telling).

FWIW, I'm using 'smtp_tls_security_level = may' and have no problem making tls connections to gmail servers (and many others offering STARTTLS).
Code:

Apr  1 21:09:01 wheezy01 postfix/smtp[10031]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[64.233.189.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Apr  1 21:17:31 wheezy01 postfix/smtp[16728]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[64.233.189.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Apr  3 11:47:42 wheezy01 postfix/smtp[7019]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[108.177.97.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
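
One way to act on the client-side logging discussed in this post, as an added example that is not code from the thread or from Postfix: a Python summariser that reads Postfix smtp(8) log lines like the ones quoted above, counts per destination host how often TLS was negotiated versus refused, and records the logged trust level, which is what decides whether a given smtp_tls_security_level would have let the mail through. The sample log is constructed: the quoted lines are reused, syslog prefixes are added to the "TLS is required" lines, and the final "Trusted" line and its address are made up.

```python
import re
from collections import defaultdict

# Constructed sample input: lines quoted in this thread (syslog prefixes on the
# "TLS is required" lines and the final "Trusted" line are made up here).
SAMPLE_LOG = """\
Apr  1 21:09:01 wheezy01 postfix/smtp[10031]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[64.233.189.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Apr  3 11:47:42 wheezy01 postfix/smtp[7019]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[108.177.97.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar 28 09:10:12 relay01 postfix/smtp[2211]: TLS is required, but was not offered by host alt3.gmail-smtp-in.l.google.com[108.177.125.26]
Mar 28 09:10:13 relay01 postfix/smtp[2211]: TLS is required, but was not offered by host alt2.gmail-smtp-in.l.google.com[74.125.200.26]
Apr  4 08:00:00 relay01 postfix/smtp[3001]: Trusted TLS connection established to smtp-relay.gmail.com[203.0.113.7]:587: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
"""

# Postfix logs the peer-certificate trust level: Anonymous, Untrusted, Trusted or Verified.
ESTABLISHED = re.compile(
    r"postfix/smtp\[\d+\]: (Anonymous|Untrusted|Trusted|Verified) TLS connection "
    r"established to ([^\s\[]+)\[([^\]]+)\]:(\d+): (\S+) with cipher (\S+)")
NOT_OFFERED = re.compile(
    r"postfix/smtp\[\d+\]: TLS is required, but was not offered by host ([^\s\[]+)\[")

def summarize_tls(log_text):
    """Per destination host: TLS sessions negotiated, STARTTLS refusals, trust levels, protocols."""
    out = defaultdict(lambda: {"established": 0, "not_offered": 0,
                               "trust": set(), "protocols": set()})
    for line in log_text.splitlines():
        m = ESTABLISHED.search(line)
        if m:
            trust, host, _ip, _port, proto, _cipher = m.groups()
            out[host]["established"] += 1
            out[host]["trust"].add(trust)
            out[host]["protocols"].add(proto)
            continue
        m = NOT_OFFERED.search(line)
        if m:
            out[m.group(1)]["not_offered"] += 1
    return dict(out)

def hosts_without_starttls(summary):
    """Hosts that refused STARTTLS at least once and never negotiated TLS."""
    return sorted(h for h, r in summary.items()
                  if r["not_offered"] and not r["established"])

def satisfies_level(level, trust):
    """Would a connection at this logged trust level satisfy the given smtp_tls_security_level?"""
    if level in ("may", "encrypt"):
        return True                 # any negotiated TLS is accepted, the cert is not checked
    if level in ("verify", "secure"):
        return trust == "Verified"  # chain and server name must both match
    raise ValueError("unknown security level: " + level)
```

An "Untrusted" line therefore means the hop was encrypted and `encrypt` was satisfied, while a "TLS is required, but was not offered" line is exactly the deferral the thread starter saw at the `encrypt` level.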


kkrrss 04-03-2018 05:33 AM

That's a good point for me.
Just to avoid confusion, I'm also using smtp_tls_security_level = may in my main.cf.
I just added a transport_maps entry to force the Gmail traffic to encrypt, to check the issue only. Later I will take it back to normal.


Now I have a confusion. For me, that MX record is resolving as below.

Quote:

dig gmail.com mx

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> gmail.com mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40346
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;gmail.com. IN MX

;; ANSWER SECTION:
gmail.com. 3199 IN MX 30 alt3.gmail-smtp-in.l.google.com.
gmail.com. 3199 IN MX 10 alt1.gmail-smtp-in.l.google.com.
gmail.com. 3199 IN MX 5 gmail-smtp-in.l.google.com.
gmail.com. 3199 IN MX 20 alt2.gmail-smtp-in.l.google.com.
gmail.com. 3199 IN MX 40 alt4.gmail-smtp-in.l.google.com.

and they are not offering TLS; instead they are giving me the below.

TLS is required, but was not offered by host alt3.gmail-smtp-in.l.google.com[108.177.125.26]
TLS is required, but was not offered by host alt2.gmail-smtp-in.l.google.com[74.125.200.26]
TLS is required, but was not offered by host alt2.gmail-smtp-in.l.google.com[74.125.200.26]
TLS is required, but was not offered by host alt2.gmail-smtp-in.l.google.com[74.125.200.26]


but for you it's resolving:

gmail-smtp-in.l.google.com[64.233.189.26]:25:
gmail-smtp-in.l.google.com[64.233.189.26]:25:
gmail-smtp-in.l.google.com[108.177.97.27]:25

and that may be why TLS is being offered from these servers.

If you don't mind, can you tell me what DNS server you are using? I'm using 8.8.8.8.
And I'd appreciate it if you can give me your TLS configuration, so it will be helpful for me.

descendant_command 04-04-2018 07:06 AM

I use my ISP DNS servers.
Differences probably due to location / load balancing.

Maybe crank up the log level to see what is happening.
http://www.postfix.org/TLS_README.html#client_logging

The rest of that page may be interesting too.

kkrrss 04-04-2018 07:09 AM

I tried many configurations from this given site, and tried by pointing to your MX server above as well. Even then I get the same error: "TLS is required, but was not offered by host".

I suspect something is wrong with my TLS configuration.

descendant_command 04-04-2018 07:36 AM

Have you configured a cert?
http://www.postfix.org/TLS_README.html#client_cert_key

kkrrss 04-05-2018 04:37 AM

Yes. And here is my config:

# TLS Configurations
smtp_use_tls = yes
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_cert_file = /etc/postfix/ssl/mycert.pem
smtp_tls_key_file = /etc/postfix/ssl/mycert.key
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtp_tls_protocols = !SSLv2, !SSLv3

descendant_command 04-05-2018 05:06 AM

Did you read the link?

kkrrss 04-05-2018 12:19 PM

Yes I did. Am I missing something here?

descendant_command 04-05-2018 02:41 PM

Quote:

Originally Posted by kkrrss (Post 5839718)
Yes I did. Am I missing something here?

Maybe this?
Quote:

Originally Posted by http://www.postfix.org/TLS_README.html#client_cert_key
Do not configure Postfix SMTP client certificates unless you must present client TLS certificates to one or more servers. Client certificates are not usually needed, and can cause problems in configurations that work well without them. The recommended setting is to let the defaults stand:
