
I have a domain example.com being served from server.com. I am sending an email to gmail.com. The email I send uses TLS from example.com to server.com, but the mail is not encrypted from server.com to gmail.com.

server.com is a VPS that I set up mail and web servers on.

example.com is one of the virtual domains on the VPS.

Here is an example of the email headers:

    Delivered-To: receiver@gmail.com
    Received: by 10.236.191.7 with SMTP id c7csp2141557pjs;
            Tue, 1 May 2018 14:03:37 -0700 (PDT)
    X-Google-Smtp-Source: AB8JxZpwQHXweJ70K6vNAako5gqTtvni9ZUm6LC0Hfl0xAefu7wtGjSsnQHRHMKL/sLpOnicPwFM
    X-Received: by 2002:a63:3584:: with SMTP id c126-v6mr14324018pga.37.1525208616991;
            Tue, 01 May 2018 14:03:36 -0700 (PDT)

...
...

    ARC-Authentication-Results: i=1; mx.google.com;
           spf=pass (google.com: domain of sender@example.com designates xxx.xxx.xxx.xxx as permitted sender) smtp.mailfrom=sender@example.com
    Return-Path: <sender@example.com>
    Received: from server.com (server.com. [xxx.xxx.xxx.xxx])
            by mx.google.com with ESMTP id d65si10640010pfd.182.2018.05.01.14.03.36
            for <receiver@gmail.com>;
            Tue, 01 May 2018 14:03:36 -0700 (PDT)
    Received-SPF: pass (google.com: domain of sender@example.com designates xxx.xxx.xxx.xxx as permitted sender) client-ip=xxx.xxx.xxx.xxx;
    Authentication-Results: mx.google.com;
           spf=pass (google.com: domain of sender@example.com designates xxx.xxx.xxx.xxx as permitted sender) smtp.mailfrom=sender@example.com
    Received: from www.example.com (localhost [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by server.com (Postfix) with ESMTPSA id 7D74260383 for <receiver@gmail.com>; Tue,
      1 May 2018 14:03:36 -0700 (PDT)
    MIME-Version: 1.0
    Content-Type: text/plain; charset=US-ASCII; format=flowed
    Content-Transfer-Encoding: 7bit
    Date: Tue, 01 May 2018 17:03:36 -0400
    From: sender@example.com
    To: receiver@gmail.com
    Subject: Hello
    Message-ID: <93768232f2ddc3a08237397@example.com>
    X-Sender: sender@example.com
    User-Agent: Roundcube Webmail/1.2.3

    Test email body.

Any idea why the encryption is dropped?

EDIT:

My postconf -n output is:

    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    append_dot_mydomain = no
    biff = no
    compatibility_level = 2
    config_directory = /etc/postfix
    html_directory = /usr/share/doc/postfix/html
    inet_interfaces = all
    inet_protocols = all
    mailbox_size_limit = 0
    mydestination = $myhostname, server.com, , localhost
    myhostname = server.com
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    myorigin = /etc/mailname
    readme_directory = /usr/share/doc/postfix
    recipient_delimiter = +
    relayhost =
    smtp_tls_CAfile = /etc/letsencrypt/live/server.com/chain.pem
    smtp_tls_cert_file = /etc/letsencrypt/live/server.com/fullchain.pem
    smtp_tls_ciphers = high
    smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
    smtp_tls_key_file = /etc/letsencrypt/live/server.com/privkey.pem
    smtp_tls_loglevel = 2
    smtp_tls_mandatory_ciphers = high
    smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
    smtp_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
    smtp_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
    smtp_tls_security_level = may
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtp_use_tls = yes
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
    smtpd_sasl_path = private/auth
    smtpd_sasl_type = dovecot
    smtpd_tls_CAfile = /etc/letsencrypt/live/server.com/chain.pem
    smtpd_tls_cert_file = /etc/letsencrypt/live/server.com/fullchain.pem
    smtpd_tls_ciphers = high
    smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
    smtpd_tls_key_file = /etc/letsencrypt/live/server.com/privkey.pem
    smtpd_tls_loglevel = 2
    smtpd_tls_mandatory_ciphers = high
    smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
    smtpd_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
    smtpd_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
    smtpd_tls_received_header = yes
    smtpd_tls_security_level = may
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_use_tls = yes
    tls_preempt_cipherlist = yes
    virtual_alias_maps = mysql:/etc/postfix/mysql-valias.cf
    virtual_mailbox_domains = mysql:/etc/postfix/mysql-vdomains.cf
    virtual_mailbox_maps = mysql:/etc/postfix/mysql-vusers.cf
    virtual_transport = dovecot

And, this is my postconf -M output:

    smtp       inet  n       -       y       -       -       smtpd
    submission inet  n       -       n       -       -       smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=may -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_reject_unlisted_recipient=no -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING
    smtps      inet  n       -       y       -       -       smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    pickup     unix  n       -       n       60      1       pickup
    cleanup    unix  n       -       n       -       0       cleanup
    qmgr       unix  n       -       n       300     1       qmgr
    tlsmgr     unix  -       -       n       1000?   1       tlsmgr
    rewrite    unix  -       -       n       -       -       trivial-rewrite
    bounce     unix  -       -       n       -       0       bounce
    defer      unix  -       -       n       -       0       bounce
    trace      unix  -       -       n       -       0       bounce
    verify     unix  -       -       n       -       1       verify
    flush      unix  n       -       n       1000?   0       flush
    proxymap   unix  -       -       n       -       -       proxymap
    proxywrite unix  -       -       n       -       1       proxymap
    smtp       unix  -       -       n       -       -       smtp
    relay      unix  -       -       n       -       -       smtp
    showq      unix  n       -       n       -       -       showq
    error      unix  -       -       n       -       -       error
    retry      unix  -       -       n       -       -       error
    discard    unix  -       -       n       -       -       discard
    local      unix  -       n       n       -       -       local
    lmtp       unix  -       -       n       -       -       lmtp
    anvil      unix  -       -       n       -       1       anvil
    scache     unix  -       -       n       -       1       scache
    maildrop   unix  -       n       n       -       -       pipe flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
    uucp       unix  -       n       n       -       -       pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    ifmail     unix  -       n       n       -       -       pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp      unix  -       n       n       -       -       pipe flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
    scalemail-backend unix - n       n       -       2       pipe flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
    mailman    unix  -       n       n       -       -       pipe flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
    dovecot    unix  -       n       n       -       -       pipe flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}

And, this is my mail.log:

    May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: initializing the server-side TLS engine
    May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: connect from localhost[127.0.0.1]
    May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: setting up TLS connection from localhost[127.0.0.1]
    May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: localhost[127.0.0.1]: TLS cipher list "aNULL:-aNULL:HIGH:@STRENGTH:!MD5:!DES:!ADH:!RC4:!PSD:!SRP:!3DES:!eNULL:!aNULL"
    May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:before SSL initialization
    May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:before SSL initialization
    May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS read client hello
    May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS write server hello
    May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS write certificate
    May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS write key exchange
    May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS write server done
    May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS write server done
    May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS read client key exchange
    May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS read change cipher spec
    May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS read finished
    May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: localhost[127.0.0.1]: Issuing session ticket, key expiration: 1525220445
    May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS write session ticket
    May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS write change cipher spec
    May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: SSL_accept:SSLv3/TLS write finished
    May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: Anonymous TLS connection established from localhost[127.0.0.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
    May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: BAB6360383: client=localhost[127.0.0.1], sasl_method=LOGIN, sasl_username=sender@example.com
    May  1 16:50:46 hwsrv-230549 postfix/cleanup[29153]: BAB6360383: message-id=<484bdbb907f3858ba851028998@example.com>
    May  1 16:50:46 hwsrv-230549 postfix/qmgr[29077]: BAB6360383: from=<sender@example.com>, size=745, nrcpt=1 (queue active)
    May  1 16:50:46 hwsrv-230549 postfix/smtp[29154]: initializing the client-side TLS engine
    May  1 16:50:46 hwsrv-230549 postfix/submission/smtpd[29147]: disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
    May  1 16:50:47 hwsrv-230549 postfix/smtp[29154]: BAB6360383: to=<receiver@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.197.26]:25, delay=0.65, delays=0.06/0.03/0.04/0.53, dsn=2.0.0, status=sent (250 2.0.0 OK 1525218647 p84si10342745pfa.180 - gsmtp)
    May  1 16:50:47 hwsrv-230549 postfix/qmgr[29077]: BAB6360383: removed

Any ideas?

EDIT 2: I tried increasing the logging level to 4 and it did not provide any additional useful information.

Dan
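The evidence for the unencrypted hop is already in the Received chain: Postfix records "using TLSv1.2 ... with ESMTPSA" for the webmail-to-server.com hop (because of smtpd_tls_received_header = yes), while Google records plain "with ESMTP" for the server.com-to-mx.google.com hop. The following is an added example, not code from the question or the answer; it parses a header sample constructed from the question (placeholder IP) and reports, per hop, whether the receiving MTA saw TLS, using the ESMTPS/ESMTPSA protocol token from RFC 3848 and Postfix's "using TLSv" annotation.

```python
import re

# Constructed sample modelled on the question's headers; the IP is a placeholder.
SAMPLE_HEADERS = """\
Delivered-To: receiver@gmail.com
Received: from server.com (server.com. [192.0.2.10])
        by mx.google.com with ESMTP id d65si10640010pfd.182.2018.05.01.14.03.36
        for <receiver@gmail.com>;
        Tue, 01 May 2018 14:03:36 -0700 (PDT)
Received: from www.example.com (localhost [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by server.com (Postfix) with ESMTPSA id 7D74260383 for <receiver@gmail.com>; Tue,
  1 May 2018 14:03:36 -0700 (PDT)
From: sender@example.com
To: receiver@gmail.com
"""

# RFC 3848 "with" tokens: SMTP, ESMTP, ESMTPS (TLS), ESMTPA (auth), ESMTPSA (TLS+auth)
WITH_RE = re.compile(r"\bwith\s+([A-Z0-9]*SMTP[A-Z]*)\b")


def unfold(raw):
    """Join RFC 5322 folded header lines (continuations start with whitespace)."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_hops(raw):
    """Return hops oldest-first, each with from/by hosts, protocol token and TLS flag."""
    hops = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):   # skips Received-SPF as well
            continue
        body = line.split(":", 1)[1]
        m_from, m_by, m_with = (re.search(r"\bfrom\s+(\S+)", body),
                                re.search(r"\bby\s+(\S+)", body), WITH_RE.search(body))
        proto = m_with.group(1) if m_with else ""
        # Encrypted if the protocol token carries the S flag or Postfix noted TLS.
        tls = proto.upper().startswith("ESMTPS") or "using TLSv" in body
        hops.append({"from": m_from.group(1) if m_from else "?",
                     "by": m_by.group(1) if m_by else "?", "with": proto, "tls": tls})
    return list(reversed(hops))   # Received headers are prepended, newest first


def unencrypted_hops(raw):
    """The hops a defender cares about: those with no evidence of TLS."""
    return [h for h in received_hops(raw) if not h["tls"]]


if __name__ == "__main__":
    for h in received_hops(SAMPLE_HEADERS):
        print(f'{h["from"]} -> {h["by"]} ({h["with"] or "?"}): {"TLS" if h["tls"] else "CLEARTEXT"}')
```

Run against the sample, it flags the server.com -> mx.google.com hop as cleartext, which is exactly the hop the question is about; any hop marked ESMTPS or ESMTPSA was encrypted as far as that receiving MTA could tell.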

1 Answer

The postfix configuration above works. The problem was the VPS host. I contacted technical support to see if port 587 was being blocked by their firewall. They responded with:

Kindly be informed that since all the emails which are sent from our shared/VPS servers are decrypted due to outbound SMTP filtering, those emails are leaving our network in decrypted form.

Actually, we utilize MailChannels as our outbound SMTP filter. This prevents messages that would be regarded as SPAM from leaving our network.

To resolve the issue, I had to pay $0.50 per month to be put on the MailChannels whitelist, and had to sign an anti-spam agreement.

Dan