
I thought I successfully secured my Postfix/Dovecot email server. I have a signed certificate from LetsEncrypt, which is valid for my domain.

Sending & receiving works fine, but since Gmail started flagging insecure emails, all mail sent from my server is flagged as unencrypted.

Gmail users see "This message wasn't encrypted", like this:

[screenshot: Gmail's "This message wasn't encrypted" warning]

In Postfix's main.cf, among other settings, I have:

# SASL, for SMTP authentication
smtpd_sasl_type = dovecot
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_path = private/auth

# TLS, for encryption
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtpd_tls_CAfile = /etc/letsencrypt/live/mydomain.com/chain.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mydomain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mydomain.com/privkey.pem
tls_random_source = dev:/dev/urandom
smtpd_client_new_tls_session_rate_limit = 10
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_exclude_ciphers =
    EXP
    EDH-RSA-DES-CBC-SHA
    ADH-DES-CBC-SHA
    DES-CBC-SHA
    SEED-SHA
smtpd_tls_dh512_param_file = ${config_directory}/certs/dh_512.pem
smtpd_tls_dh1024_param_file = ${config_directory}/certs/dh_1024.pem
disable_vrfy_command = yes
smtpd_helo_required = yes
smtpd_delay_reject = yes

In Postfix's master.cf, among other settings, I have:

smtp      inet  n       -       -       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_use_tls=yes
  -o smtpd_tls_security_level=encrypt

submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o broken_sasl_auth_clients=yes

In Dovecot's 10-ssl.conf, among other settings, I have:

ssl = required
ssl_ca = </etc/letsencrypt/live/mydomain.com/chain.pem
ssl_cert = </etc/letsencrypt/live/mydomain.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mydomain.com/privkey.pem

Is Gmail falsely flagging LetsEncrypt certificates because it doesn't trust them, or is my email really being sent unencrypted?

gavanon
    Please post the Postfix `main.cf`. You have not included everything relevant in your snippets. – Michael Hampton Feb 16 '16 at 22:41
  • @MichaelHampton - sure thing. I've added all the custom content of my main.cf. It only excludes basic stuff like `smtpd_banner`, `myhostname`, etc. – gavanon Feb 17 '16 at 06:24

3 Answers


I solved this by adding both these lines to Postfix's main.cf:

smtp_tls_security_level = may
smtpd_tls_security_level = may

(I had only set smtpd_tls_security_level because of a misleading article that said all smtp_ values were deprecated in favour of smtpd_.)

gavanon

Your email is sent unencrypted. If you just want to try your best add the following to your main.cf

smtp_tls_security_level = may

To enforce TLS encryption for email sent to google add this to your main.cf

# Force TLS for outgoing server connection
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_CApath = /etc/postfix/rootcas/

replace /etc/postfix/rootcas/ with the location of your trusted Root CAs and in the file /etc/postfix/tls_policy add

#/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
gmail.com       secure ciphers=high
google.com      secure ciphers=high
googlemail.com  secure ciphers=high

this will enforce that email sent to gmail.com, google.com and googlemail.com is sent encrypted and that the SMTP server is authenticated

If you don't want to authenticate and just encrypt (this is necessary for sites with bogus certificates) use

gmail.com       encrypt ciphers=high
google.com      encrypt ciphers=high
googlemail.com  encrypt ciphers=high

before restarting postfix execute

postmap /etc/postfix/tls_policy
Jofre
  • Thanks for this. What I'm really trying to do is force TLS whenever possible to all destinations, and safely fall back to unencrypted only as a last resort if the destination doesn't support it. Is this possible without maintained lists of specific domains? Like a catch-all forcing of TLS? – gavanon Feb 26 '16 at 19:18
  • The problem is that there are many servers that do not support TLS and others that support it and use self-signed or bogus certificates. Also, as the STARTTLS is sent in clear text, an active attacker could strip it in transit. I agree that keeping a separate long table is the most secure but not the most reliable solution – Jofre Feb 26 '16 at 19:24
  • I'm also having some issues with some sites. See [Postfix "Trusted TLS connection established" but "Server certificate not verified"](https://serverfault.com/questions/759985/postfix-trusted-tls-connection-established-but-server-certificate-not-verifie) – Jofre Feb 26 '16 at 19:30
  • Thanks - the first part of your answer was helpful: `smtp_tls_security_level = may`. That was all that was required, and the rest of the google-specific settings were not necessary. – gavanon Feb 27 '16 at 18:52
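The question boils down to "is my mail really leaving unencrypted?", and the place that answers it is the Postfix smtp(8) client log. Below is an added check (not code from the question or from either answer) that correlates the "Trusted/Untrusted/Anonymous/Verified TLS connection established" lines with the following "status=sent" lines by process id and reports deliveries that had no TLS session at all. The log lines are constructed samples; hostnames, addresses and queue IDs are made up.

```python
import re

# Constructed sample lines in Postfix mail.log format (not from the question).
# A TLS line and the "to=<...>" delivery that follows it come from the same
# smtp(8) process, so they share the [pid]; the middle delivery has no TLS line.
SAMPLE_LOG = """\
Feb 27 18:50:01 mail postfix/smtp[1201]: Trusted TLS connection established to gmail-smtp-in.l.google.com[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Feb 27 18:50:02 mail postfix/smtp[1201]: 3A1B2C3D4E: to=<alice@gmail.com>, relay=gmail-smtp-in.l.google.com[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
Feb 27 18:51:10 mail postfix/smtp[1202]: 5F6A7B8C9D: to=<bob@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=0.8, delays=0.1/0/0.3/0.4, dsn=2.0.0, status=sent (250 OK)
Feb 27 18:52:30 mail postfix/smtp[1203]: Untrusted TLS connection established to mx.example.org[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 27 18:52:31 mail postfix/smtp[1203]: 0E1F2A3B4C: to=<carol@example.org>, relay=mx.example.org[203.0.113.5]:25, delay=1.0, delays=0.1/0/0.4/0.5, dsn=2.0.0, status=sent (250 OK)
"""

# Postfix logs one of these four trust states when the client negotiates TLS.
TLS_RE = re.compile(
    r"postfix/smtp\[(\d+)\]: (Trusted|Untrusted|Anonymous|Verified) "
    r"TLS connection established to (\S+?)\[")
# Queue IDs may be short hex or long-form, so \w+ covers both.
SENT_RE = re.compile(
    r"postfix/smtp\[(\d+)\]: (\w+): to=<([^>]+)>, relay=(\S+?)\[.*status=sent")


def classify_deliveries(log_text):
    """Return {queue_id: (recipient, relay, tls_state)} for each sent message.
    tls_state is one of the four Postfix trust words, or 'NONE' when no TLS
    line for the same process and relay preceded the delivery."""
    last_tls = {}   # pid -> (tls_state, relay) of the most recent TLS line
    result = {}
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            pid, state, relay = m.groups()
            last_tls[pid] = (state, relay)
            continue
        m = SENT_RE.search(line)
        if m:
            pid, qid, rcpt, relay = m.groups()
            state, tls_relay = last_tls.get(pid, ("NONE", None))
            # An smtp(8) process is reused across deliveries; only trust the
            # remembered TLS line if it was to the relay we just delivered to.
            if tls_relay is not None and tls_relay != relay:
                state = "NONE"
            result[qid] = (rcpt, relay, state)
    return result


def unencrypted_deliveries(log_text):
    """Queue IDs of messages that went out without any TLS session."""
    return sorted(q for q, (_, _, s) in classify_deliveries(log_text).items()
                  if s == "NONE")


if __name__ == "__main__":
    for qid, (rcpt, relay, state) in classify_deliveries(SAMPLE_LOG).items():
        print(f"{qid}: {rcpt} via {relay}: TLS={state}")
```

With smtp_tls_security_level left unset (the questioner's original state) every delivery shows up as NONE; with `may` the Gmail deliveries should show Trusted or Untrusted, and `Untrusted` still means the session was encrypted, only the peer certificate was not verified.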

Consider the client/server relationship with regard to SMTP, and the settings make sense:

2.1. Basic Structure

The SMTP design can be pictured as:

              +----------+                +----------+
  +------+    |          |                |          |
  | User |<-->|          |      SMTP      |          |
  +------+    |  Client- |Commands/Replies| Server-  |
  +------+    |   SMTP   |<-------------->|    SMTP  |    +------+
  | File |<-->|          |    and Mail    |          |<-->| File |
  |System|    |          |                |          |    |System|
  +------+    +----------+                +----------+    +------+
               SMTP client                SMTP server

(Src: rfc5321.txt)

Thus:

"smtp_tls_security_level" is for the Postfix SMTP client. See: http://www.postfix.org/postconf.5.html#smtp_tls_security_level

"smtpd_tls_security_level" is for the Postfix SMTP server. See: http://www.postfix.org/postconf.5.html#smtpd_tls_security_level

When postfix is transferring mail to gmail, the smtp_tls_security_level setting is the relevant setting.

When postfix is receiving mail over smtp, the smtpd_tls_security_level setting is relevant.

user885983