New User Needs a little help with Postfix and TLS

Discussion in 'Server Operation' started by abuttino, Aug 12, 2017.

  1. abuttino

    abuttino New Member

    I have managed to get Postfix installed and working perfectly except for one small thing relating to sending mail and TLS.

    The Architecture:
    Ubuntu 16.04
    Postfix (Newest Version)
    Exchange 2010
    Comodo Wildcard Certificate

    The Setup:
    Exchange sends mail to Postfix using a Smarthost with no authentication, does scanning and signing and sends it on its way to the destination server

    This is a pretty simple question. I am getting this on gmail:
    Received: from fqdn of exchange server (exchange, domain, local [address of my exch server]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail, domain, com (Postfix) with ESMTPS id 100AB62B71 for <myaddress>; Fri, 11 Aug 2017 23:22:54 -0700 (MST)

    And this on the return email from CheckTLS:
    ====tls negotiation successful (cypher: DHE-RSA-AES256-GCM-SHA384, client cert: Subject Name: undefined;Issuer Name: undefined;)

    How do I get it to hand the cert off to the server that Postfix connects to?

    My /etc/postfix/ TLS info:

    # TLS parameters
    smtp_tls_security_level = may
    smtpd_tls_security_level = may
    smtpd_tls_received_header = yes
    smtpd_tls_auth_only = yes
    smtp_tls_note_starttls_offer = yes
    smtp_tls_ciphers = export
    smtpd_tls_CApath = /etc/ssl/certs/
    smtpd_tls_CAfile = /etc/postfix/comodoca.pem
    smtp_tls_CApath = /etc/ssl/certs/
    smtp_tls_CAfile = /etc/postfix/comodoca.pem

    When I run: "openssl s_client -connect localhost:25 -starttls smtp | openssl x509 -noout -text", I get all the info about my Comodo wildcard cert.

    Second issue: When I try to send mail using smtp_tls_security_level = verify (or secure), I get messages in the log "(TLS is required, but was not offered by host[])"

    I have googled the hell out of both of these issues, nothing seems to address them.
    Can anyone help me out please?
    Last edited: Aug 12, 2017
  3. Tomislav Aurednik

    Tomislav Aurednik Member HowtoForge Supporter

    Check if you have to uncomment something; TLS uses port 587.
