
Just did an [emergency] conversion from qmail to postfix last night - but now I'm getting people complaining that mail client errors are showing up stating "no available encryption methods available" - switch them to use TLS over port 587 & they are fine... From what I read in the docs I thought I understood that TLS was optional, I have my postfix configured like this:

```
#smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_cert_file = /etc/postfix/servercert.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
#smtpd_use_tls = yes
smtp_tls_security_level = may
#smtp_use_tls = no
smtpd_timeout = 3600s
smtpd_proxy_timeout = 3600s
disable_vrfy_command = yes
mynetworks = , 127.0.0.0/8, [::1]/128, 24.63.242.15/32
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
smtp_send_xforward_command = yes
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = yes
```

The docs seem to indicate that setting smtpd_tls_security_level to "may" makes TLS optional. Is this correct, or am I misunderstanding something?

Basically I'm trying to avoid forcing users to change their mail client settings. [previously using port 587 and in some cases no TLS]

Sean Kimball
  • Please confirm that when clients connect to port 25, they are *not* able to use TLS, while if they connect to port 587 they *are* able to use TLS. I'm asking 'cause in standard CFG, both ports (25/smtp and 587/submission) are handled by the same postfix daemon (smtpd). Also, some postfix logs related to both scenarios will surely be helpful. – Damiano Verzulli May 21 '15 at 17:40
  • None of my users connect to port 25; here [in Canada] all the internet providers have blocked outbound access to port 25 for their users. From home I cannot even connect to port 25. However, I can confirm that connecting to port 587 users CAN connect; if the user has TLS off then they cannot. – Sean Kimball May 21 '15 at 20:09
  • Please, can you post the current settings (postconf) for "smtpd_sasl_security_options" and "smtpd_tls_auth_only"? I suspect your postfix is refusing clear-text, password authentication, due to security restrictions imposed by the above two parameters. – Damiano Verzulli May 21 '15 at 20:36
  • Neither one of those directives is in the config [it is a plesk default configuration] – Sean Kimball May 21 '15 at 20:48
  • Using postfix 2.3, so the docs look like this is handled by the smtpd_tls_security_level directive... – Sean Kimball May 21 '15 at 20:52
  • Can you try enforcing clear-text, password based auth adding: "smtpd_tls_auth_only = no" and "smtpd_sasl_security_options = noanonymous" ? I'm suggesting this not-so-security-oriented approach, as it seems that with your previous QMAIL setup, such clear-text sasl-auth were possible... Right? – Damiano Verzulli May 21 '15 at 21:50
  • Perhaps main.cf configuration was overridden by `master.cf`. Please check that file or post it here – masegaloeh May 21 '15 at 23:20
  • Any updates in this question? – masegaloeh Sep 03 '15 at 23:30
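
Added example, not part of the original thread: the comments above point at `smtpd_tls_auth_only`, `smtpd_sasl_security_options` and per-service `-o` overrides in `master.cf`, so this Python script merges `main.cf` with one service's overrides and lists the settings that would stop a client from authenticating without STARTTLS. The two sample files are constructed for illustration (they are not the asker's configuration), the function names are my own, and only the simple `-o name=value` form is parsed.

```python
# Constructed sample input (assumption), not the asker's real files.
MAIN_CF = """\
smtpd_tls_security_level = may
#smtpd_use_tls = yes
"""
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_security_options=noanonymous,noplaintext
"""

def logical_lines(text):
    """Drop comments and blanks; join continuation lines (leading whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def parse_main(text):
    """main.cf 'name = value' pairs; a later assignment replaces an earlier one."""
    return {n.strip(): v.strip() for n, _, v in (l.partition("=") for l in logical_lines(text))}

def parse_master(text):
    """Map 'service/type' to its '-o name=value' overrides (simple form only)."""
    services = {}
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8:  # service type private unpriv chroot wakeup maxproc command
            continue
        args = fields[8:]
        services[f"{fields[0]}/{fields[1]}"] = dict(
            args[i + 1].split("=", 1) for i in range(len(args) - 1)
            if args[i] == "-o" and "=" in args[i + 1])
    return services

def plaintext_auth_blockers(main, overrides):
    """Settings that stop a client from authenticating without STARTTLS."""
    cfg = {**main, **overrides}  # a master.cf -o override beats main.cf
    sasl = cfg.get("smtpd_sasl_security_options", "noanonymous")  # Postfix default
    hits = {"smtpd_tls_security_level=encrypt": cfg.get("smtpd_tls_security_level") == "encrypt",
            "smtpd_tls_auth_only=yes": cfg.get("smtpd_tls_auth_only", "no") == "yes",
            "smtpd_sasl_security_options has noplaintext": "noplaintext" in sasl}
    return [name for name, hit in hits.items() if hit]
```

With the constructed files, `plaintext_auth_blockers(parse_main(MAIN_CF), parse_master(MASTER_CF)["submission/inet"])` reports two blockers for port 587, while the `smtp/inet` entry, which has no overrides, reports none.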
