How do you properly enable encryption in Postfix?

Discussion in 'HOWTO-Related Questions' started by fbarcenas, Apr 29, 2016.

  1. fbarcenas

    fbarcenas Member

    My certs are properly installed; I tested them and they are fine.

    I changed:
    Code:
    smtpd_tls_security_level = may
    to
    Code:
    smtpd_tls_security_level = encrypt
    
    in main.cf
    and mail was being returned with:
    Code:
    <test@TestSenderAssureTLS.CheckTLS.com>: host 127.0.0.1[127.0.0.1] said: 530
        5.7.0 id=23526-06 - Rejected by next-hop MTA on relaying, from
        MTA(smtp:[127.0.0.1]:10027): 530 5.7.0 Must issue a STARTTLS command first
        (in reply to end of DATA command)
    so I added:
    Code:
    -o smtpd_tls_wrappermode=yes
    under
    Code:
    127.0.0.1:10027 inet n - n - - smtpd
    in the master.cf

    then my mail began getting stuck in the queue with:
    Code:
    (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 id=23584-06 - Temporary MTA failure on relaying, From MTA() during fwd-connect (No greeting, dt: 35.034 s): id=23584-06 (in reply to end of DATA command))
                                             test@TestSenderAssureTLS.CheckTLS.com
    
    Is there a guide I can follow? I'm starting to run out of ideas.
     
  2. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    Seems, that amavis can not verify your cert. Is there any need to encrypt mails sending to localhost?
     
  3. fbarcenas

    fbarcenas Member

    Probably not. Any recommendation as to what I need to do? Do you know of a guide to help?
     
  4. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    -o smtpd_tls_security_level = may in the master.cf for amavis-connections?
     
  5. bpn4it

    bpn4it New Member

    Please set the parameters below in main.cf and restart/reload your Postfix server.
    Code:
    smtpd_tls_security_level = may
    smtp_tls_security_level = may
    smtpd_tls_key_file = /etc/postfix/certificate/server.key
    smtpd_tls_cert_file = /etc/postfix/certificate/server.pem
    smtpd_tls_CAfile = /etc/postfix/certificate/serverca.pem
    smtpd_tls_loglevel = 1
    smtp_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtp_tls_note_starttls_offer = yes
    smtp_tls_CAfile = $smtpd_tls_CAfile
    tls_random_source = dev:/dev/urandom
    smtpd_tls_session_cache_timeout = 3600s

    Regards,
    Bipin Patel
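The two failures in this thread come from applying TLS settings meant for the public listener to the loopback port on which amavis re-injects mail: a global `smtpd_tls_security_level = encrypt` makes the 127.0.0.1:10027 smtpd reject amavis's plaintext connection with `530 Must issue a STARTTLS command first`, and `smtpd_tls_wrappermode=yes` on that same port switches it to implicit TLS, so no plaintext 220 banner is ever sent and amavis gives up with `451 No greeting`. The script below is an added example, not part of this thread or of the Postfix or ISPConfig projects: it parses a main.cf and a master.cf (both constructed inline here, with the 127.0.0.1:10027 listener as in the poster's setup) and reports those two combinations, plus the caveat that mandatory TLS on the public port 25 listener rejects every sending MTA that does not offer STARTTLS. The "fixed" pair keeps `may` on port 25 (as bpn4it suggests), puts `encrypt` on the submission service, and overrides the loopback listener with `-o smtpd_tls_security_level=may` (florian030's suggestion). The finding codes and the loopback-name heuristic are this example's own assumptions.

```python
"""Audit Postfix TLS settings for the amavis re-injection failures in this thread.
Added example; not from the thread or the Postfix project."""
import re

# Constructed main.cf mirroring the poster's change (encrypt instead of may).
MAIN_CF_BROKEN = """
smtpd_tls_security_level = encrypt
smtp_tls_security_level = may
content_filter = amavis:[127.0.0.1]:10024
"""
# Constructed master.cf with the wrappermode override the poster added.
MASTER_CF_BROKEN = """
smtp      inet  n       -       n       -       -       smtpd
127.0.0.1:10027 inet n - n - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o content_filter=
"""
# Constructed corrected pair: opportunistic TLS on port 25, mandatory TLS on
# submission only, and an explicit override on the loopback re-injection port.
MAIN_CF_FIXED = MAIN_CF_BROKEN.replace("= encrypt", "= may")
MASTER_CF_FIXED = """
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
127.0.0.1:10027 inet n - n - - smtpd
  -o smtpd_tls_security_level=may
  -o content_filter=
"""


def parse_main_cf(text):
    """Return {parameter: value}; indented lines continue the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last:
            params[last] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        last = key.strip()
        params[last] = value.strip()
    return params


def parse_master_cf(text):
    """Return one dict per service with its '-o name=value' overrides.
    Only the whitespace-free '-o name=value' form is parsed; it is the form
    accepted by every Postfix version."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and services:          # continuation of command args
            services[-1]["args"] += " " + raw.strip()
            continue
        fields = raw.split(None, 7)               # 8 columns; last holds command + args
        if len(fields) < 8:
            continue
        services.append({"name": fields[0], "type": fields[1],
                         "command": fields[7].split()[0], "args": fields[7]})
    for svc in services:
        svc["overrides"] = dict(
            m.groups() for m in re.finditer(r"-o\s+([A-Za-z_]+)=(\S*)", svc["args"]))
    return services


def effective(svc, main, key, default):
    """Per-service override wins over main.cf, which wins over the built-in default."""
    return svc["overrides"].get(key, main.get(key, default))


def audit(main_cf, master_cf):
    """Return (code, service, explanation) findings for the three risky combinations."""
    main, findings = parse_main_cf(main_cf), []
    for svc in parse_master_cf(master_cf):
        if svc["command"] != "smtpd" or svc["type"] != "inet":
            continue
        level = effective(svc, main, "smtpd_tls_security_level", "none")
        wrapper = effective(svc, main, "smtpd_tls_wrappermode", "no")
        loopback = svc["name"].startswith(("127.0.0.1:", "[::1]:", "localhost:"))
        if loopback and level == "encrypt":
            findings.append(("ENCRYPT_ON_LOOPBACK", svc["name"],
                             "content-filter re-injection is plaintext: 530 'Must issue a "
                             "STARTTLS command first'; add -o smtpd_tls_security_level=may"))
        if loopback and wrapper == "yes":
            findings.append(("WRAPPERMODE_ON_LOOPBACK", svc["name"],
                             "implicit TLS sends no plaintext 220 banner: 451 'No greeting'; "
                             "remove -o smtpd_tls_wrappermode=yes (it belongs on port 465)"))
        if svc["name"] == "smtp" and level == "encrypt":
            findings.append(("ENCRYPT_ON_PUBLIC_MX", svc["name"],
                             "mandatory TLS on port 25 rejects MTAs without STARTTLS; "
                             "keep 'may' here and use 'encrypt' on submission only"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", (MAIN_CF_BROKEN, MASTER_CF_BROKEN)),
                       ("fixed", (MAIN_CF_FIXED, MASTER_CF_FIXED))):
        print(f"== {label} ==")
        for code, name, msg in audit(*cfg) or [("OK", "-", "no TLS re-injection problems")]:
            print(f"{code:24} {name:16} {msg}")
```

On a live system the same check can be run against the real files by reading `/etc/postfix/main.cf` and `/etc/postfix/master.cf` into `audit()`; `postconf -n` and `postconf -M` (Postfix 2.11 and later) give the same information already normalised, which is the easier path when the master.cf uses the `-o { name = value }` form this parser does not handle.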
     