Problem with TLS/SSL

Hello,

we have set up a server for a client (domain: client.ag), where the external MX requires a connection on port 465 with SSL/TLS.
Therefore we added the following lines to main.cf

relayhost = smtp.mailbox.org:465
# SMTPS wrappermode (TCP port 465) requires setting "smtp_tls_wrappermode = yes", and "smtp_tls_security_level = encrypt" (or stronger)
smtp_tls_wrappermode = yes
smtp_tls_security_level = encrypt

With these settings, Postfix is able to connect to the external server, but internal connections fail:

Feb 5 13:34:56 ciphermail postfix/qmgr[6260]: 0D70040AA5: from=<edifact(a)client.ag>, size=601, nrcpt=1 (queue active)
Feb 5 13:34:56 ciphermail postfix/smtp[6269]: SSL_connect error to 127.0.0.1[127.0.0.1]:10025: -1
Feb 5 13:34:56 ciphermail postfix/smtp[6269]: warning: TLS library problem: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
Feb 5 13:34:56 ciphermail postfix/smtp[6269]: 0D70040AA5: to=<edifact(a)web.de>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.14, delays=0.12/0.01/0/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)

This is the current main.cf

djigzo_myhostname = ciphermail.client.ag
djigzo_mydestination = client.ag
djigzo_mynetworks = 127.0.0.1/32
djigzo_relayhost = smtp.mailbox.org
djigzo_relayhost_mx_lookup =
djigzo_relayhost_port = 465
djigzo_relay_domains =
djigzo_before_filter_message_size_limit = 102400000
djigzo_after_filter_message_size_limit = 102400000
djigzo_mailbox_size_limit = 102400000
djigzo_smtp_helo_name =
djigzo_relay_transport_host = 127.0.0.1
djigzo_relay_transport_host_mx_lookup =
djigzo_relay_transport_host_port = 25
djigzo_reject_unverified_recipient =
djigzo_unverified_recipient_reject_code = 450
djigzo_parent_domain_matches_subdomains =
djigzo_rbl_clients =
myhostname = ${djigzo_myhostname}
mydestination = ciphermail, $myhostname, ubuntu-2gb-nbg1-dc3-1, localhost.localdomain, localhost, ${djigzo_mydestination}
mynetworks = 127.0.0.0/8, ${djigzo_mynetworks}
relay_domains = ${djigzo_relay_domains}
parent_domain_matches_subdomains = ${djigzo_parent_domain_matches_subdomains}
smtp_helo_name = ${djigzo_smtp_helo_name?$djigzo_smtp_helo_name}${djigzo_smtp_helo_name:${myhostname}}
relay_transport = relay${djigzo_relay_transport_host?:${djigzo_relay_transport_host_mx_lookup:[}${djigzo_relay_transport_host}${djigzo_relay_transport_host_mx_lookup:]}:${djigzo_relay_transport_host_port}}
relayhost = ${djigzo_relayhost_mx_lookup:${djigzo_relayhost?[}}${djigzo_relayhost}${djigzo_relayhost_mx_lookup:${djigzo_relayhost?]}}${djigzo_relayhost?:${djigzo_relayhost_port}}
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_invalid_hostname reject_unknown_sender_domain reject_unknown_recipient_domain
    ${djigzo_rbl_clients}
    ${djigzo_reject_unverified_recipient? reject_unverified_recipient}
smtpd_discard_ehlo_keywords = silent-discard VRFY ETRN DSN
unverified_recipient_reject_code = ${djigzo_unverified_recipient_reject_code}
compatibility_level=2
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
mydomain = client.ag
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mailbox_transport = cyrus
content_filter = djigzo:[127.0.0.1]:10025
recipient_delimiter = +
mailbox_size_limit = ${djigzo_mailbox_size_limit}
message_size_limit = ${djigzo_after_filter_message_size_limit}
inet_interfaces = all
inet_protocols = ipv4
myorigin = client.ag
smtpd_sasl_path = smtpd
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpasswd
smtp_sasl_security_options =
sender_canonical_maps = hash:/etc/postfix/sender_canonical

Which parameters do we have to change to achieve communication in both directions?

Thanks for any suggestions,

Stefan

Because you changed the global values for smtp_tls_wrappermode and
smtp_tls_security_level, you should override these values for the
connection to the back-end.

In master.cf, add smtp_tls_wrappermode=no and
smtp_tls_security_level=none to the djigzo service definition.

djigzo unix - - n - 4 smtp
             -o smtp_send_xforward_command=yes
             -o disable_dns_lookups=yes
             -o smtp_generic_maps=
             -o smtp_tls_wrappermode=no
             -o smtp_tls_security_level=none

After modifying master.cf, restart Postfix.

There are probably other options, such as not changing the global settings
but only overriding them for some destinations. See
Postfix TLS Support (Postfix ≥ 3.0: Sending only mail
for a specific destination via SMTPS) for some examples.

Note: the smtp_tls_wrappermode setting is only supported on Postfix >= 3.

Kind regards,

Martijn Brinkers

On 05-02-18 13:51, Stefan Günther via Users wrote:
--
CipherMail email encryption

Email encryption with support for S/MIME, OpenPGP, PDF encryption and
secure webmail pull.

Twitter: http://twitter.com/CipherMail
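A small audit script for the trap discussed in this thread (an added example, not code from the thread, from Postfix or from CipherMail). It reads a main.cf and master.cf pair, resolves smtp_tls_wrappermode and smtp_tls_security_level per smtp(8) client service the way Postfix does (main.cf value, overridden by that service's master.cf -o settings), and flags a content_filter transport that would open the loopback hop with a TLS ClientHello against a plaintext listener, which is what the "unknown protocol" handshake failure above is. It also checks the rule from the main.cf comment that wrapper mode needs smtp_tls_security_level=encrypt or stronger. The sample configs are constructed from the thread's settings, not copied from a live host; the relay-smtps service name in the per-destination variant is my choice, not a name taken from the Postfix documentation, and the transport_maps routing that would send mail to it is omitted.

```python
"""Audit a Postfix main.cf/master.cf pair for the SMTPS wrapper-mode trap.

Added example; not code from the thread, from Postfix or from CipherMail.
Resolution order assumed per smtp(8) client service: master.cf '-o' override,
then the main.cf value, then the parameter default.
"""
from typing import Dict, List, Optional, Tuple

# Levels that count as "encrypt or stronger" for wrapper mode.
STRONG_LEVELS = {"encrypt", "dane", "dane-only", "fingerprint", "verify", "secure"}


def parse_main_cf(text: str) -> Dict[str, str]:
    """Minimal main.cf reader: 'name = value'; indented lines continue the previous value."""
    params: Dict[str, str] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def parse_master_cf(text: str) -> Dict[Tuple[str, str], dict]:
    """Map (service, type) -> {'command': ..., 'overrides': {...}}.

    Indented lines belong to the preceding service; every '-o name=value' on them is
    an override. '-o name=' (empty value) is kept as ''. Brace-quoted values are not handled.
    """
    services: Dict[Tuple[str, str], dict] = {}
    current: Optional[Tuple[str, str]] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if current is None:
                continue
            tokens = raw.split()
            for i, tok in enumerate(tokens[:-1]):
                if tok == "-o":
                    name, _, value = tokens[i + 1].partition("=")
                    services[current]["overrides"][name] = value
            continue
        fields = raw.split()
        if len(fields) < 8:  # service type private unpriv chroot wakeup maxproc command
            continue
        current = (fields[0], fields[1])
        services[current] = {"command": fields[7], "overrides": {}}
    return services


def effective(params: Dict[str, str], service: dict, name: str, default: str) -> str:
    """Per-service value: master.cf -o override wins over main.cf, which wins over the default."""
    return service["overrides"].get(name, params.get(name, default))


def audit(main_cf: str, master_cf: str) -> List[str]:
    """Return findings; an empty list means every smtp(8) client service is consistent."""
    params = parse_main_cf(main_cf)
    services = parse_master_cf(master_cf)
    findings: List[str] = []
    # content_filter = transport:nexthop names the master.cf service that feeds the filter.
    filter_transport = params.get("content_filter", "").split(":", 1)[0] or None
    for (name, stype), svc in services.items():
        if svc["command"] != "smtp":
            continue
        mode = effective(params, svc, "smtp_tls_wrappermode", "no")
        level = effective(params, svc, "smtp_tls_security_level", "")
        if name == filter_transport and mode == "yes":
            findings.append(
                f"{name}/{stype}: feeds content_filter on a plaintext port but has "
                f"smtp_tls_wrappermode=yes; add '-o smtp_tls_wrappermode=no' "
                f"(and '-o smtp_tls_security_level=none') to this service")
        if mode == "yes" and level not in STRONG_LEVELS:
            findings.append(
                f"{name}/{stype}: smtp_tls_wrappermode=yes requires "
                f"smtp_tls_security_level=encrypt or stronger, found {level!r}")
    return findings


# Constructed samples modelled on the thread's configuration; not copied from a live host.
MAIN_CF_THREAD = """\
relayhost = [smtp.mailbox.org]:465
# SMTPS wrapper mode (TCP port 465)
smtp_tls_wrappermode = yes
smtp_tls_security_level = encrypt
content_filter = djigzo:[127.0.0.1]:10025
"""

MASTER_CF_BEFORE = """\
smtp      inet  n       -       n       -       -       smtpd
djigzo    unix  -       -       n       -       4       smtp
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o smtp_generic_maps=
"""

# The fix from the reply: the loopback hop opts out of wrapper mode in master.cf.
MASTER_CF_AFTER = MASTER_CF_BEFORE + """\
    -o smtp_tls_wrappermode=no
    -o smtp_tls_security_level=none
"""

# Per-destination variant: main.cf stays plain, only a dedicated relay service
# (name 'relay-smtps' is an assumption here) speaks SMTPS; transport_maps omitted.
MAIN_CF_PER_DEST = "content_filter = djigzo:[127.0.0.1]:10025\n"
MASTER_CF_PER_DEST = MASTER_CF_BEFORE + """\
relay-smtps unix  -       -       n       -       -       smtp
    -o smtp_tls_wrappermode=yes
    -o smtp_tls_security_level=encrypt
"""

if __name__ == "__main__":
    for label, main_cf, master_cf in [
        ("thread, before fix", MAIN_CF_THREAD, MASTER_CF_BEFORE),
        ("thread, after fix", MAIN_CF_THREAD, MASTER_CF_AFTER),
        ("per-destination", MAIN_CF_PER_DEST, MASTER_CF_PER_DEST),
    ]:
        print(f"{label}: {audit(main_cf, master_cf) or 'OK'}")
```

Run it against a real box with `audit(open('/etc/postfix/main.cf').read(), open('/etc/postfix/master.cf').read())`; it will not expand `${djigzo_...}` style references, so on a CipherMail host feed it the output of `postconf -n` for the main.cf side.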