i am getting the following alert for all domains configured in postfix, i understand that ispconfig configures smtp_tls_security_level = dane for the tls configuration of each domain but for some reason it is not working and i am not finding the error.- debian 10 Code: # Debian specific: Specifying a file name will cause the first # line of that file to be used as the name. The Debian default # is /etc/mailname. #myorigin = /etc/mailname smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) biff = no # appending .domain is the MUA's job. append_dot_mydomain = no # Uncomment the next line to generate "delayed mail" warnings #delay_warning_time = 4h readme_directory = /usr/share/doc/postfix # See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on # fresh installs. compatibility_level = 2 # TLS parameters smtpd_tls_cert_file = /etc/postfix/smtpd.cert smtpd_tls_key_file = /etc/postfix/smtpd.key smtpd_use_tls = yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for # information on enabling SSL in the smtp client. #smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination myhostname = xxx.xxxx.xxxx alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases myorigin = /etc/mailname mynetworks = 127.0.0.0/8 [::1]/128 mailbox_size_limit = 0 recipient_delimiter = + inet_protocols = ipv4 mydestination = $myhostname, localhost.$mydomain, localhost html_directory = /usr/share/doc/postfix/html virtual_alias_domains = proxy:mysql:/etc/postfix/mysql-virtual_alias_domains.cf virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf virtual_mailbox_base = /var/vmail virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uids.cf virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gids.cf sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf smtpd_sasl_auth_enable = yes broken_sasl_auth_clients = yes smtpd_sasl_authenticated_header = yes smtpd_restriction_classes = greylisting greylisting = check_policy_service inet:127.0.0.1:10023 smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, check_recipient_access proxy:mysql:/etc/postfix/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix:private/quota-status smtpd_tls_security_level = may transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf relay_domains = proxy:mysql:/etc/postfix/mysql-virtual_relaydomains.cf relay_recipient_maps = proxy:mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps $smtpd_client_restrictions $smtpd_sender_restrictions $smtpd_recipient_restrictions $smtp_sasl_password_maps $sender_dependent_relayhost_maps smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo, reject_unknown_helo_hostname, permit smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re, permit_mynetworks, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unlisted_sender, check_sender_access regexp:/etc/postfix/tag_as_foreign.re smtpd_reject_unlisted_sender = no smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_unauth_pipelining, permit smtpd_etrn_restrictions = permit_mynetworks, reject smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit smtpd_client_message_rate_limit = 100 maildrop_destination_concurrency_limit = 1 maildrop_destination_recipient_limit = 1 virtual_transport = lmtp:unix:private/dovecot-lmtp header_checks = regexp:/etc/postfix/header_checks mime_header_checks = regexp:/etc/postfix/mime_header_checks nested_header_checks = regexp:/etc/postfix/nested_header_checks body_checks = regexp:/etc/postfix/body_checks owner_request_special = no smtp_tls_security_level = dane smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 smtpd_tls_protocols = !SSLv2,!SSLv3 smtp_tls_protocols = !SSLv2,!SSLv3 smtpd_tls_exclude_ciphers = RC4, aNULL smtp_tls_exclude_ciphers = RC4, aNULL smtpd_tls_mandatory_ciphers = medium tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA tls_preempt_cipherlist = yes address_verify_negative_refresh_time = 60s enable_original_recipient = no sender_dependent_relayhost_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-relayhost.cf smtp_sasl_password_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-relayauth.cf, texthash:/etc/postfix/sasl_passwd smtp_sender_dependent_authentication = yes smtp_sasl_auth_enable = yes smtp_sasl_security_options = noanonymous, noplaintext smtp_sasl_tls_security_options = noanonymous authorized_flush_users = authorized_mailq_users = nagios, icinga smtpd_forbidden_commands = CONNECT,GET,POST,USER,PASS address_verify_sender_ttl = 15686s smtp_dns_support_level = dnssec dovecot_destination_recipient_limit = 1 smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth #smtpd_milters = inet:localhost:11332 #smtpd_milters = , inet:127.0.0.1:11332 #non_smtpd_milters = inet:localhost:11332 #milter_protocol = 6 #milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} #milter_default_action = accept message_size_limit = 0 mynetworks_style = subnet inet_interfaces = all smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination smtputf8_enable = no address_verify_virtual_transport = smtp:[127.0.0.1]:10025 address_verify_transport_maps = static:smtp:[127.0.0.1]:10025 receive_override_options = no_address_mappings content_filter = lmtp:[127.0.0.1]:10024
Maybe a faulty DANE setup for that domain? If you do not use dane, then this setting should have no effect. Also can you please post the full error message you got from gmail.
Hello thanks for answer Code: of: [email protected] for: matias <[email protected]> date: 4 oct 2023, 17:10 asunto: nuevo sent by: xxxxx.ec security: yyyyy.ec not encrypt this message on "security: yyyyyy" i see domain of hostname not same by sent domain (xxxx)
No, sorry, I thought that Dane had something to do with the signature of the messages but in this case it wouldn't be the problem... which I still can't find.,,,, my emails sent continue without encrypt
Go back to ISPConfig's default Postfix setup. With proper certificates installed all mail should be sent and received encrypted as long as the other site supports it. (most times using tls)
yes right,...I have others servers same config debian10. ispconfig installed using automatic installer..all working fine all emils are encrypted, using differents domains, but on this server have this problem..I checked all config and are equals...and something I'm not seeing
Follow these instructions: https://forum.howtoforge.com/threads/please-read-before-posting.58408/ How was this ISPConfig system installed? If hostname of server is correct when installing, i.e. it is the mailname postfix uses, certificates should be ok. Check Code: hostname hostname -f
