New User Needs a little help with Postfix and TLS

Discussion in 'Server Operation' started by abuttino, Aug 12, 2017.

  1. abuttino

    abuttino New Member

    I have managed to get Postfix installed and working perfectly except for one small thing relating to sending mail and TLS.

    The Architecture:
    Ubuntu 16.04
    Postfix (Newest Version)
    Exchange 2010
    Comodo Wildcard Certificate

    The Setup:
    Exchange sends mail to Postfix using a Smarthost with no authentication, does scanning and signing and sends it on it's way to the destination server

    This is a pretty simple question. I am getting this on gmail:
    Received: from fqdn of exchange server (exchange, domain, local [address of my exch server]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail, domain, com (Postfix) with ESMTPS id 100AB62B71 for <myaddress gmail.com>; Fri, 11 Aug 2017 23:22:54 -0700 (MST)

    And this on the return email from CheckTLS:
    ====tls negotiation successful (cypher: DHE-RSA-AES256-GCM-SHA384, client cert: Subject Name: undefined;Issuer Name: undefined;)

    How do I get it to hand the cert off to the server that Postfix connects to?

    My /etc/postfix/main.cf TLS info:

    # TLS parameters
    smtp_tls_security_level = may
    smtpd_tls_security_level = may
    smtpd_tls_received_header = yes
    smtpd_tls_auth_only = yes
    smtp_tls_note_starttls_offer = yes
    smtp_tls_ciphers = export
    smtpd_tls_cert_file=/etc/postfix/public.pem
    smtpd_tls_key_file=/etc/postfix/private.pem
    smtpd_tls_CApath = /etc/ssl/certs/
    smtpd_tls_CAfile = /etc/postfix/comodoca.pem
    smtpd_use_tls=yes
    smtp_tls_cert_file=/etc/postfix/public.pem
    smtp_tls_key_file=/etc/postfix/private.pem
    smtp_tls_CApath = /etc/ssl/certs/
    smtp_tls_CAfile = /etc/postfix/comodoca.pem

    When I run: "openssl s_client -connect localhost:25 -starttls smtp | openssl x509 -noout -text", I get all the info about my Comodo wildcard cert.

    Second issue: When I try to send mail using smtp_tls_security_level = verify (or secure), I get messages in the log "(TLS is required, but was not offered by host 127.0.0.1[127.0.0.1])"

    I have googled the hell out of both of these issues, nothing seems to address them.
    Can anyone help me out please?
     
    Last edited: Aug 12, 2017
  2. abuttino

    abuttino New Member

    Anyone?
     

Share This Page