I've searched every forum, every article, every serverfault.com post for this issue. I'm using a fresh setup of Postfix. It is managed by Virtualmin. Whenever I try to send mail via TLS, I get the error (identifable information removed):
Sep 7 21:58:37 mail postfix/smtp[220916]: initializing the client-side TLS engine
Sep 7 21:58:37 mail postfix/tlsmgr[220917]: open smtpd TLS cache btree:/var/lib/postfix/smtpd_scache
Sep 7 21:58:38 mail postfix/tlsmgr[220917]: open smtp TLS cache btree:/var/lib/postfix/smtp_scache
Sep 7 21:58:38 mail postfix/tlsmgr[220917]: tlsmgr_cache_run_event: start TLS smtpd session cache cleanup
Sep 7 21:58:38 mail postfix/tlsmgr[220917]: tlsmgr_cache_run_event: start TLS smtp session cache cleanup
Sep 7 21:58:38 mail postfix/smtp[220918]: initializing the client-side TLS engine
Sep 7 21:58:38 mail postfix/smtp[220918]: 536A837552: TLS is required, but was not offered by host gmail-smtp-in.l.google.com[173.194.219.27]
Sep 7 21:58:38 mail postfix/smtp[220916]: E9C5637920: to=<[email protected]>, relay=ts11-do.checktls.com[165.227.190.238]:25, delay=3768, delays=3768/0.67/0.11/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host ts11-do.checktls.com[165.227.190.238])
Sep 7 21:58:38 mail postfix/smtp[220918]: 536A837552: TLS is required, but was not offered by host alt1.gmail-smtp-in.l.google.com[172.217.197.27]
Sep 7 21:58:38 mail postfix/smtp[220918]: 536A837552: TLS is required, but was not offered by host alt2.gmail-smtp-in.l.google.com[108.177.12.27]
Sep 7 21:58:39 mail postfix/smtp[220918]: 536A837552: TLS is required, but was not offered by host alt3.gmail-smtp-in.l.google.com[64.233.186.27]
Sep 7 21:58:39 mail postfix/smtp[220918]: 536A837552: to=<[email protected]>, relay=alt4.gmail-smtp-in.l.google.com[209.85.202.27]:25, delay=3819, delays=3817/0.67/1.2/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host alt4.gmail-smtp-in.l.google.com[209.85.202.27])
Sep 7 22:00:01 mail postfix/pickup[220911]: A9D8537D1D: uid=33 from=<www-data>
Sep 7 22:00:01 mail postfix/cleanup[221006]: A9D8537D1D: message-id=<[email protected]>
I am using letsencrypt (pulled with Virtualmin) for my cert. It places the certs in /home/user/ssl.* Here is my main.cf (domain replaced with example.com):
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_percent_hack = no
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
home_mailbox = Maildir/
inet_protocols = ipv4
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
milter_default_action = accept
mydomain = EXAMPLE.com
myhostname = mail.EXAMPLE.com
mynetworks_style = subnet
non_smtpd_milters = inet:localhost:8891
recipient_delimiter = +
sender_bcc_maps = hash:/etc/postfix/bcc
sender_dependent_default_transport_maps = hash:/etc/postfix/dependent
smtp_dns_support_level = dnssec
smtp_host_lookup = dns
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_loglevel = 4
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_mandatory_protocols = TLSv1.3,TLSv1.2,TLSv1.1,!TLSv1,!SSLv2,!SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_security_level = encrypt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_milters = inet:localhost:8891
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_policy_service inet:127.0.0.1:10023
smtpd_relay_restrictions = ${{$compatibility_level} < {1} ? {} : {permit_mynetworks permit_sasl_authenticated defer_unauth_destination}}
smtpd_sasl_auth_enable = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file=/home/EXAMPLE/ssl.cert
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtpd_tls_key_file=/home/EXAMPLE/ssl.key
smtpd_tls_loglevel = 4
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
smtpd_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = encrypt
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
tls_server_sni_maps = hash:/etc/postfix/sni_map
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_alias_domains = $mydomain
I am aware that ENCRYPT forces TLS – using MAY falls back to non-TLS connection, this is for testing
Here is my master.cf
smtp inet n - n - - smtpd
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o syslog_name=postfix/$service_name
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
postlog unix-dgram n - n - 1 postlogd
*** I restored the configuration to default hoping that help but no change.
When I telnet into my server I get the option for starttls:
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 mail.EXAMPLE.com ESMTP Postfix
EHLO example.com
250-mail.EXAMPLE.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
I'm using opnsense for my firewall. I don't think it's blocking TLS with SMTP inspection.
With the settings set to MAY instead of ENCRYPT, I can send and receive emails fine. With it set to MAY, Google and checktls.com report that TLS is not being used.
All tests for dmarc, spf, etc come back as good. This is postfix (latest) running on Ubuntu server 20.
My environment:
- Co-located server in datacenter (no limitations on their end)
- Proxmox, up-to-date as of 9/8/21
- The container is running in LXC, Ubuntu 20
- Container is behind OPNSense Firewall
- Web-based tests show the server as offering starttls
- Running telnet from the server > another server does show starttls as an option
Any help is greatly appreciated, thank you.
Best Answer
With the help of everyone at serverfault, I dug deeper into the issue and found that my host is indeed blocking TLS. After speaking with my host and being told they do NOT filter SMTP, they finally admitted to filtering SMTP.
I resolved this issue by setting up a VPS relay server at another host. My primary server now sends mail via the relay on a non-standard port. With this setup, I am able to send secure emails without my hosting filtering them.
Thank you again for the help.