1

I've searched every forum, every article, every serverfault.com post for this issue. I'm using a fresh setup of Postfix. It is managed by Virtualmin. Whenever I try to send mail via TLS, I get the error (identifable information removed):

Sep  7 21:58:37 mail postfix/smtp[220916]: initializing the client-side TLS engine
Sep  7 21:58:37 mail postfix/tlsmgr[220917]: open smtpd TLS cache btree:/var/lib/postfix/smtpd_scache
Sep  7 21:58:38 mail postfix/tlsmgr[220917]: open smtp TLS cache btree:/var/lib/postfix/smtp_scache
Sep  7 21:58:38 mail postfix/tlsmgr[220917]: tlsmgr_cache_run_event: start TLS smtpd session cache cleanup
Sep  7 21:58:38 mail postfix/tlsmgr[220917]: tlsmgr_cache_run_event: start TLS smtp session cache cleanup
Sep  7 21:58:38 mail postfix/smtp[220918]: initializing the client-side TLS engine
Sep  7 21:58:38 mail postfix/smtp[220918]: 536A837552: TLS is required, but was not offered by host gmail-smtp-in.l.google.com[173.194.219.27]
Sep  7 21:58:38 mail postfix/smtp[220916]: E9C5637920: to=<test@TestSender.CheckTLS.com>, relay=ts11-do.checktls.com[165.227.190.238]:25, delay=3768, delays=3768/0.67/0.11/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host ts11-do.checktls.com[165.227.190.238])
Sep  7 21:58:38 mail postfix/smtp[220918]: 536A837552: TLS is required, but was not offered by host alt1.gmail-smtp-in.l.google.com[172.217.197.27]
Sep  7 21:58:38 mail postfix/smtp[220918]: 536A837552: TLS is required, but was not offered by host alt2.gmail-smtp-in.l.google.com[108.177.12.27]
Sep  7 21:58:39 mail postfix/smtp[220918]: 536A837552: TLS is required, but was not offered by host alt3.gmail-smtp-in.l.google.com[64.233.186.27]
Sep  7 21:58:39 mail postfix/smtp[220918]: 536A837552: to=<myemail@gmail.com>, relay=alt4.gmail-smtp-in.l.google.com[209.85.202.27]:25, delay=3819, delays=3817/0.67/1.2/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host alt4.gmail-smtp-in.l.google.com[209.85.202.27])
Sep  7 22:00:01 mail postfix/pickup[220911]: A9D8537D1D: uid=33 from=<www-data>
Sep  7 22:00:01 mail postfix/cleanup[221006]: A9D8537D1D: message-id=<20210908020001.A9D8537D1D@mail.mydomain.com>

I am using letsencrypt (pulled with Virtualmin) for my cert. It places the certs in /home/user/ssl.* Here is my main.cf (domain replaced with example.com):

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_percent_hack = no
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
home_mailbox = Maildir/
inet_protocols = ipv4
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
milter_default_action = accept
mydomain = EXAMPLE.com
myhostname = mail.EXAMPLE.com
mynetworks_style = subnet
non_smtpd_milters = inet:localhost:8891
recipient_delimiter = +
sender_bcc_maps = hash:/etc/postfix/bcc
sender_dependent_default_transport_maps = hash:/etc/postfix/dependent
smtp_dns_support_level = dnssec
smtp_host_lookup = dns
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_loglevel = 4
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_mandatory_protocols = TLSv1.3,TLSv1.2,TLSv1.1,!TLSv1,!SSLv2,!SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_security_level = encrypt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_milters = inet:localhost:8891
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_policy_service inet:127.0.0.1:10023
smtpd_relay_restrictions = ${{$compatibility_level} < {1} ? {} : {permit_mynetworks permit_sasl_authenticated defer_unauth_destination}}
smtpd_sasl_auth_enable = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file=/home/EXAMPLE/ssl.cert
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtpd_tls_key_file=/home/EXAMPLE/ssl.key
smtpd_tls_loglevel = 4
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
smtpd_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = encrypt
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
tls_server_sni_maps = hash:/etc/postfix/sni_map
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_alias_domains = $mydomain

I am aware that ENCRYPT forces TLS - using MAY falls back to non-TLS connection, this is for testing

Here is my master.cf

smtp      inet  n       -       n       -       -       smtpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
        -o syslog_name=postfix/$service_name
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd

*** I restored the configuration to default hoping that help but no change.

When I telnet into my server I get the option for starttls:

Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 mail.EXAMPLE.com ESMTP Postfix
EHLO example.com
250-mail.EXAMPLE.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING

I'm using opnsense for my firewall. I don't think it's blocking TLS with SMTP inspection.

With the settings set to MAY instead of ENCRYPT, I can send and receive emails fine. With it set to MAY, Google and checktls.com report that TLS is not being used.

All tests for dmarc, spf, etc come back as good. This is postfix (latest) running on Ubuntu server 20.

My environment:

  • Co-located server in datacenter (no limitations on their end)
  • Proxmox, up-to-date as of 9/8/21
  • The container is running in LXC, Ubuntu 20
  • Container is behind OPNSense Firewall
  • Web-based tests show the server as offering starttls
  • Running telnet from the server > another server does show starttls as an option

Any help is greatly appreciated, thank you.

Ashley
  • 41
  • 6
  • Your last tests checking your own server looks odd, are you not asking about *sending* mail? So would want to rule out network issues by investigating a connection *from* the server *to* the MX of the recipient. – anx Sep 08 '21 at 03:14
  • Sorry, it's been a long night. I'll test to gmail and respond back. – Ashley Sep 08 '21 at 03:21
  • 1
    My guess is that there is some middlebox in the network which strips the STARTTLS from the servers response in order to keep the connection to plain SMTP (w/o TLS) and analyze the delivered mails. Various firewalls can do this. Nothing is known about the environment though were you setup the server. – Steffen Ullrich Sep 08 '21 at 04:44
  • Your ISP is intercepting outgoing SMTP traffic. Contact them for further information. – Michael Hampton Sep 08 '21 at 08:02
  • My server is co-located with Dacentec. I'm running the latest version of Proxmox, the server is an LXC Container running Ubuntu 20 (up-to-date, fresh install). The Proxmox server is sitting behind OPNSense firewall. Everything is up-to-date. I checked the settings in opnsense but I do not see SMTP intercepting on my firewall. My ISP, Dacentec, does not filter any traffic that I'm aware of (they are a data center). Connecting from the server to an offsite server via Telnet does offer up starttls. I've checked opnsense multiple times, I see nothing regarding SMTP filtering. – Ashley Sep 08 '21 at 15:11
  • 1
    Have you tried `openssl s_client` command to test the connection to google servers? Something along the line: `openssl s_client -connect gmail-smtp-in.l.google.com:25 -starttls smtp`? – Tomek Sep 08 '21 at 18:00
  • *Please [edit] your question to include the command you tried and its output.* There are ways the output could have contained the extension yet Postfix was correct in assuming STARTTLS was not offered (but the answer would remain the same, someone messing with your connection). – anx Sep 09 '21 at 06:20

1 Answers1

3

With the help of everyone at serverfault, I dug deeper into the issue and found that my host is indeed blocking TLS. After speaking with my host and being told they do NOT filter SMTP, they finally admitted to filtering SMTP.

I resolved this issue by setting up a VPS relay server at another host. My primary server now sends mail via the relay on a non-standard port. With this setup, I am able to send secure emails without my hosting filtering them.

Thank you again for the help.

Ashley
  • 41
  • 6