Old 03-28-2018, 09:18 AM   #1
kkrrss
Member
 
Registered: Jun 2016
Posts: 56
Blog Entries: 1

Rep: Reputation: Disabled
Enable encryption for postfix outgoing emails


Hello There,

I have a running Postfix email server, and until now, without TLS enabled, it has been working fine.

Suddenly I got a requirement to enable encryption for all outgoing email from my SMTP relay.
Therefore I have enabled TLS on my server, and email works fine when I use smtp_tls_security_level = may. But when I checked the email received in my Gmail, it is still not encrypted.

I hoped that if I could enable smtp_tls_security_level = encrypted, this would work fine.

But when I enabled smtp_tls_security_level = encrypted and tried to send an email to my Gmail account, I don't get the email, and the following message shows in the maillog:

TLS is required, but was not offered by host alt3.gmail-smtp-in.l.google.com[108.177.125.26]
TLS is required, but was not offered by host alt2.gmail-smtp-in.l.google.com[74.125.200.26]
TLS is required, but was not offered by host alt2.gmail-smtp-in.l.google.com[74.125.200.26]
TLS is required, but was not offered by host alt2.gmail-smtp-in.l.google.com[74.125.200.26]

Here is my TLS configuration in main.cf:

# TLS Configurations
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_cert_file = /etc/postfix/ssl/domainname.com.pem
smtp_tls_key_file = /etc/postfix/ssl/domainname.com.key
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtp_tls_loglevel = 1

Did anyone have the same issue? Or can anyone give me a clue to fix this issue?
 
Old 03-28-2018, 08:07 PM   #2
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3181
When SMTP is using TLS, it simply means that the protocol-exchange between the mail servers is being conducted through TLS. It does not, AFAIK, mean that the messages being carried are encrypted. (In other words, while Eve would not be able to "sniff" the wire between the two mail servers, she could read the messages themselves if she could cause them to pass through a server that she had compromised.)

Last edited by sundialsvcs; 03-28-2018 at 08:08 PM.
 
Old 04-02-2018, 02:54 AM   #3
kkrrss
Member
 
Registered: Jun 2016
Posts: 56

Original Poster
Blog Entries: 1

Rep: Reputation: Disabled
I found the issue:

alt3.gmail-smtp-in.l.google.com[108.177.125.26]
alt2.gmail-smtp-in.l.google.com[74.125.200.26]
alt2.gmail-smtp-in.l.google.com[74.125.200.26]
alt2.gmail-smtp-in.l.google.com[74.125.200.26]


These are Gmail MX records; they are not allowed to connect over TLS on port 587.
What I have done is add an entry to the transport file as below, because only smtp.gmail.com has TLS enabled over 587.

gmail.com smtp:smtp.gmail.com:587

But when I added this, it then says:

status=bounced (host smtp.gmail.com[64.233.184.109] said: 530-5.5.1 Authentication Required. Learn more at 530 5.5.1 https://support.google.com/mail/?p=WantAuthError q18sm3848228wre.40 - gsmtp (in reply to MAIL FROM command))

To fix this we have to add the below into main.cf:

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd


We have to create a Gmail account and put the user credentials into /etc/postfix/sasl_passwd; only then do emails go through.

But why do we need this? Can't we send emails from Gmail clients over TLS encryption without using authentication credentials?

Last edited by kkrrss; 04-02-2018 at 02:55 AM.
 
Old 04-02-2018, 01:25 PM   #4
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.8.2003
Posts: 5,148

Rep: Reputation: 1876
Quote:
Originally Posted by kkrrss View Post
But why do we need this? cant we send emails from Gmail clients over TLS encryption without using authentication credentials?
The short answer is No. The purpose of TLS login is to force the use of authentication credentials that are encrypted.
 
1 members found this post helpful.
Old 04-02-2018, 01:33 PM   #5
kkrrss
Member
 
Registered: Jun 2016
Posts: 56

Original Poster
Blog Entries: 1

Rep: Reputation: Disabled
When sending emails through smtp.gmail.com:587, Gmail replaces the sender address with the Gmail login address.
I need to avoid this.
 
Old 04-03-2018, 04:56 AM   #6
kkrrss
Member
 
Registered: Jun 2016
Posts: 56

Original Poster
Blog Entries: 1

Rep: Reputation: Disabled
Finally found the reason for this. Hope this will be helpful to someone in the future.

smtp.gmail.com:587 requires you to provide your Gmail or G Suite user credentials to send emails. But the problem is, when you use the user credentials here, Gmail replaces the sender address with your Gmail account's address, so the recipient sees that the email came from your Gmail account.

Since this can be handled from Gmail settings, you can add any of your email addresses under "Send mail as", but it requires that particular email account to be set up in your email server. This is fine if you have the manageability in your corporate email server such as Office 365, and if only one or two email addresses should route through Postfix.

The solution is to have a G Suite account, where you can authenticate through domain name or allowed IP address, so you can send email through smtp-relay.gmail.com:587 without needing to put in user credentials. So when the email passes from Postfix to Gmail, the Gmail client gets the email as from the original sender address.

This might be confusing at first, but it will be helpful in a situation where you have a corporate mail server aside and you need another mail server like Postfix to send emails from your production applications.

Let me know if anyone gets the same kind of issue, so I can help them.

Cheers!
 
Old 04-03-2018, 05:21 AM   #7
descendant_command
Senior Member
 
Registered: Mar 2012
Posts: 1,740

Rep: Reputation: 559
Well, you're simply using gmail's servers as a relay (via a regular "client" account).
There is no guarantee that any forward hops are tls secured (and you have no way of telling).

FWIW, I'm using 'smtp_tls_security_level = may' and have no problem making tls connections to gmail servers (and many others offering STARTTLS).
Code:
Apr  1 21:09:01 wheezy01 postfix/smtp[10031]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[64.233.189.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Apr  1 21:17:31 wheezy01 postfix/smtp[16728]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[64.233.189.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Apr  3 11:47:42 wheezy01 postfix/smtp[7019]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[108.177.97.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

Last edited by descendant_command; 04-03-2018 at 05:22 AM.
 
1 members found this post helpful.
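The OP's "TLS is required, but was not offered by host" lines and the "Untrusted TLS connection established" lines in the post above are both Postfix smtp(8) client log events, and a quick way to compare what two servers are seeing is to turn a day's maillog into a per-destination summary. The Python below is an added example, not code from this thread or from the Postfix project. The log lines embedded in it are constructed from the ones quoted in the thread plus one invented mx.example.net line that exercises the weak-protocol check; the finding texts are my own wording. The leading word on a handshake line is Postfix's own trust label: "Untrusted" means the peer certificate did not verify against smtp_tls_CAfile, which at security level may or encrypt is logged but not enforced.

```python
import re
import sys
from collections import defaultdict

# Constructed sample input: the three lines quoted in post #7, two of the
# "not offered" lines from post #1, one invented mx.example.net line that
# triggers the weak-protocol check, and one unrelated qmgr line.
SAMPLE_LOG = """\
Apr  1 21:09:01 wheezy01 postfix/smtp[10031]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[64.233.189.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Apr  1 21:17:31 wheezy01 postfix/smtp[16728]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[64.233.189.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Apr  3 11:47:42 wheezy01 postfix/smtp[7019]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[108.177.97.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Apr  3 11:50:02 wheezy01 postfix/smtp[7044]: TLS is required, but was not offered by host alt3.gmail-smtp-in.l.google.com[108.177.125.26]
Apr  3 11:50:03 wheezy01 postfix/smtp[7044]: TLS is required, but was not offered by host alt2.gmail-smtp-in.l.google.com[74.125.200.26]
Apr  3 12:01:10 wheezy01 postfix/smtp[7102]: Verified TLS connection established to mx.example.net[192.0.2.25]:25: TLSv1 with cipher AES128-SHA (128/128 bits)
Apr  3 12:01:11 wheezy01 postfix/qmgr[1019]: 3A1B2C3D4E: removed
"""

# Successful handshake as logged by the Postfix smtp(8) client. The leading
# word is the trust level: Untrusted = chain did not verify against
# smtp_tls_CAfile (not enforced at level may/encrypt), Trusted = chain
# verified, Verified = chain and server name both verified.
TLS_OK_RE = re.compile(
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(?P<host>\S+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)

# Logged under smtp_tls_security_level = encrypt when the peer never advertised
# STARTTLS; Postfix defers the message instead of falling back to cleartext.
TLS_MISSING_RE = re.compile(
    r"TLS is required, but was not offered by host (?P<host>\S+)\[(?P<ip>[^\]]+)\]"
)

# Protocol versions worth a finding when seen in a relay's outbound handshakes.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_line(line):
    """Return a dict describing a TLS client event, or None for any other line."""
    m = TLS_OK_RE.search(line)
    if m:
        ev = m.groupdict()
        ev.update(event="established", port=int(ev["port"]), bits=int(ev["bits"]))
        return ev
    m = TLS_MISSING_RE.search(line)
    if m:
        ev = m.groupdict()
        ev["event"] = "not_offered"
        return ev
    return None


def _note(host_summary, message):
    """Record a finding once per destination host."""
    if message not in host_summary["findings"]:
        host_summary["findings"].append(message)


def summarize(log_text):
    """Group TLS outcomes by destination host and attach review findings."""
    hosts = defaultdict(lambda: {"established": 0, "not_offered": 0, "trust": set(),
                                 "protocols": set(), "ciphers": set(), "findings": []})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        h = hosts[ev["host"]]
        if ev["event"] == "established":
            h["established"] += 1
            h["trust"].add(ev["trust"])
            h["protocols"].add(ev["proto"])
            h["ciphers"].add(ev["cipher"])
            if ev["proto"] in WEAK_PROTOCOLS:
                _note(h, f"weak protocol {ev['proto']} negotiated with {ev['cipher']}")
        else:
            h["not_offered"] += 1
            _note(h, "STARTTLS not offered: deferred under 'encrypt', would go cleartext under 'may'")
    for h in hosts.values():
        if h["established"] and h["trust"] <= {"Anonymous", "Untrusted"}:
            _note(h, "encrypted, but the peer certificate was never verified (opportunistic TLS)")
    return dict(hosts)


def main():
    # Read a maillog path from the command line, or fall back to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for host, h in sorted(summarize(text).items()):
        print(f"{host}: {h['established']} TLS sessions, {h['not_offered']} without STARTTLS, "
              f"trust={sorted(h['trust']) or '-'}, protocols={sorted(h['protocols']) or '-'}")
        for finding in h["findings"]:
            print(f"    ! {finding}")


if __name__ == "__main__":
    main()
```

Run it as `python3 tls_log_summary.py /var/log/maillog` (any file name works) to get one line per destination plus findings. On the sample, the Google hosts show up as encrypted-but-unverified, which is exactly the difference between "the wire is encrypted" and "I know who I am talking to"; only a verifying level (secure, verify, dane) closes that gap.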
Old 04-03-2018, 05:33 AM   #8
kkrrss
Member
 
Registered: Jun 2016
Posts: 56

Original Poster
Blog Entries: 1

Rep: Reputation: Disabled
That's a good point for me.
Just to avoid confusion, I'm also using smtp_tls_security_level = may in my main.cf.
I just added a transport_maps entry to force the Gmail traffic to be encrypted, only to check the issue. Later I will take it back to normal.


Now I have a confusion: for me, that MX record is resolving as below.

Quote:
dig gmail.com mx

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> gmail.com mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40346
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;gmail.com. IN MX

;; ANSWER SECTION:
gmail.com. 3199 IN MX 30 alt3.gmail-smtp-in.l.google.com.
gmail.com. 3199 IN MX 10 alt1.gmail-smtp-in.l.google.com.
gmail.com. 3199 IN MX 5 gmail-smtp-in.l.google.com.
gmail.com. 3199 IN MX 20 alt2.gmail-smtp-in.l.google.com.
gmail.com. 3199 IN MX 40 alt4.gmail-smtp-in.l.google.com.

and they are not offering TLS; instead I get the below.

TLS is required, but was not offered by host alt3.gmail-smtp-in.l.google.com[108.177.125.26]
TLS is required, but was not offered by host alt2.gmail-smtp-in.l.google.com[74.125.200.26]
TLS is required, but was not offered by host alt2.gmail-smtp-in.l.google.com[74.125.200.26]
TLS is required, but was not offered by host alt2.gmail-smtp-in.l.google.com[74.125.200.26]


but for you it's resolving to:

gmail-smtp-in.l.google.com[64.233.189.26]:25:
gmail-smtp-in.l.google.com[64.233.189.26]:25:
gmail-smtp-in.l.google.com[108.177.97.27]:25

and that may be why TLS is offered from these servers.

If you don't mind, can you tell me what DNS server you are using? I'm using 8.8.8.8.
I'd appreciate it if you could give me your TLS configuration, as it will be helpful for me.

Last edited by kkrrss; 04-03-2018 at 05:56 AM.
 
Old 04-04-2018, 07:06 AM   #9
descendant_command
Senior Member
 
Registered: Mar 2012
Posts: 1,740

Rep: Reputation: 559
I use my ISP DNS servers.
Differences probably due to location / load balancing.

Maybe crank up the log level to see what is happening.
http://www.postfix.org/TLS_README.html#client_logging

The rest of that page may be interesting too.
 
1 members found this post helpful.
Old 04-04-2018, 07:09 AM   #10
kkrrss
Member
 
Registered: Jun 2016
Posts: 56

Original Poster
Blog Entries: 1

Rep: Reputation: Disabled
I tried many configurations from the given site, and tried pointing to your MX server above as well. Even then I get the same error: "TLS is required, but was not offered by host".

I suspect something is wrong with my TLS configuration.
 
Old 04-04-2018, 07:36 AM   #11
descendant_command
Senior Member
 
Registered: Mar 2012
Posts: 1,740

Rep: Reputation: 559
Have you configured a cert?
http://www.postfix.org/TLS_README.html#client_cert_key
 
Old 04-05-2018, 04:37 AM   #12
kkrrss
Member
 
Registered: Jun 2016
Posts: 56

Original Poster
Blog Entries: 1

Rep: Reputation: Disabled
Yes. And here is my config.

# TLS Configurations
smtp_use_tls = yes
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_cert_file = /etc/postfix/ssl/mycert.pem
smtp_tls_key_file = /etc/postfix/ssl/mycert.key
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtp_tls_protocols = !SSLv2, !SSLv3
 
Old 04-05-2018, 05:06 AM   #13
descendant_command
Senior Member
 
Registered: Mar 2012
Posts: 1,740

Rep: Reputation: 559
Did you read the link?
 
Old 04-05-2018, 12:19 PM   #14
kkrrss
Member
 
Registered: Jun 2016
Posts: 56

Original Poster
Blog Entries: 1

Rep: Reputation: Disabled
Yes I did. Am I missing something here?
 
Old 04-05-2018, 02:41 PM   #15
descendant_command
Senior Member
 
Registered: Mar 2012
Posts: 1,740

Rep: Reputation: 559
Quote:
Originally Posted by kkrrss View Post
Yes I did. Am I missing something here?
Maybe this?
Quote:
Originally Posted by http://www.postfix.org/TLS_README.html#client_cert_key
Do not configure Postfix SMTP client certificates unless you must present client TLS certificates to one or more servers. Client certificates are not usually needed, and can cause problems in configurations that work well without them. The recommended setting is to let the defaults stand:
 
1 members found this post helpful.
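The quoted TLS_README advice is a configuration-review point, and the rest of the OP's main.cf fragment deserves the same kind of second look. The Python below is an added example, not code from this thread or from the Postfix project: it parses the `key = value` fragment from post #12 (embedded here as sample input) and reports what each client-side TLS setting actually buys, using the semantics documented in postconf(5) and TLS_README (security levels, the obsolete smtp_use_tls knob, smtp_tls_protocols applying to opportunistic mode while smtp_tls_mandatory_protocols governs mandatory mode). The severity labels and message texts are my own assumptions about what a reviewer would flag, not Postfix output.

```python
import re

# Sample input: the client-side TLS fragment from post #12 of this thread.
SAMPLE_MAIN_CF = """\
# TLS Configurations
smtp_use_tls = yes
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_cert_file = /etc/postfix/ssl/mycert.pem
smtp_tls_key_file = /etc/postfix/ssl/mycert.key
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtp_tls_protocols = !SSLv2, !SSLv3
"""

# Security levels at which the Postfix SMTP client authenticates the server
# (certificate chain and name, fingerprint, or DANE TLSA records).
VERIFYING_LEVELS = {"fingerprint", "verify", "secure", "dane", "dane-only"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_main_cf(text):
    """Parse main.cf 'key = value' lines; indented lines continue the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            params[last] += " " + raw.strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            continue
        last = key.strip()
        params[last] = value.strip()
    return params


def lint_smtp_tls(params):
    """Return (severity, message) findings for the SMTP client TLS settings."""
    findings = []
    level = params.get("smtp_tls_security_level")
    if level is None:
        if params.get("smtp_use_tls", "no").lower() == "yes":
            findings.append(("info", "smtp_use_tls is the obsolete pre-2.3 knob; set smtp_tls_security_level instead"))
        else:
            findings.append(("warn", "no smtp_tls_security_level: outgoing mail is sent in cleartext"))
    elif level == "none":
        findings.append(("warn", "smtp_tls_security_level = none: outgoing mail is sent in cleartext"))
    elif level == "may":
        findings.append(("info", "opportunistic TLS: encrypted when the peer offers STARTTLS, cleartext otherwise, certificate not verified"))
    elif level == "encrypt":
        findings.append(("info", "mandatory TLS: mail to peers without STARTTLS is deferred, certificate still not verified"))
    elif level in VERIFYING_LEVELS:
        findings.append(("info", f"{level}: TLS required and the server is authenticated"))
    else:
        findings.append(("error", f"unknown smtp_tls_security_level '{level}'"))

    # The point quoted from TLS_README: a client certificate is rarely needed.
    if "smtp_tls_cert_file" in params or "smtp_tls_key_file" in params:
        findings.append(("warn", "client certificate configured: leave smtp_tls_cert_file/smtp_tls_key_file unset unless a server demands one"))

    # The OP points the client cache at the server's file; TLS_README examples use smtp_scache.
    if "smtpd_scache" in params.get("smtp_tls_session_cache_database", ""):
        findings.append(("warn", "client session cache points at the smtpd (server) cache file; use a separate smtp_scache"))

    # smtp_tls_protocols only applies to opportunistic TLS; mandatory levels
    # use smtp_tls_mandatory_protocols.
    tokens = [t for t in re.split(r"[,\s]+", params.get("smtp_tls_protocols", "")) if t]
    if tokens and not any(t.startswith(">=") for t in tokens):
        excluded = {t[1:] for t in tokens if t.startswith("!")}
        legacy = sorted(LEGACY_PROTOCOLS - excluded)
        if legacy:
            findings.append(("info", f"{', '.join(legacy)} still negotiable; under 'may' excluding them only trades old TLS for cleartext"))
    if level is not None and level not in ("none", "may") and "smtp_tls_mandatory_protocols" not in params:
        findings.append(("info", "mandatory level in use but smtp_tls_mandatory_protocols not set; smtp_tls_protocols does not apply here"))
    return findings


def lint_text(text):
    """Convenience wrapper: parse a main.cf fragment and lint it."""
    return lint_smtp_tls(parse_main_cf(text))


if __name__ == "__main__":
    for severity, message in lint_text(SAMPLE_MAIN_CF):
        print(f"[{severity}] {message}")
```

Feed it the output of `postconf -n` (which prints the non-default settings in the same `key = value` form) to review a live box. On the fragment from this thread it flags the client certificate and the shared cache file and explains that level may encrypts without ever verifying who the peer is, which is the difference sundialsvcs was getting at earlier in the thread.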