Check whether your relay host supports STARTTLS or not by using telnet first.
On Thu, 22 May 2014 10:39:57 +0200 [email protected] wrote:

> Hello,
> I have a problem with the configuration of Postfix. I use a Postfix
> as a Smarthost with an external Relayserver. The problem is, that the
> SMTP-Connection to the Relay is not encrypted with TLS. I use
> "smtp_tls_security_level = fingerprint" to prevent a
> man-in-the-middle attack. The administrator of the relay server says,
> that the POP3 Connection with fetchmail is secured with TLS, TLSv1
> with cipher DHE-RSA-AES256-SHA (256/256 bits) zlib compression. But
> there is no security or encryption with the SMTP. I have no idea, what the
> problem is ... Can you help me? My configuration is the following:
>
> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
> biff = no
>
> append_dot_mydomain = no
>
> readme_directory = no
>
> default_database_type = hash
> myhostname = myhost
> alias_maps = hash:/etc/aliases
> alias_database = hash:/etc/aliases
> mydestination = myhost, localhost.localdomain, localhost, 127.0.0.1,
>     192.168.1.22
> relayhost = relay.domain.com
> mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128,
>     192.168.1.0/24
> mailbox_size_limit = 0
> recipient_delimiter = +
> inet_interfaces = all
> inet_protocols = all
>
> smtpd_tls_cert_file = /etc/ssl/private/server.crt
> smtpd_tls_key_file = /etc/ssl/private/server.key
> smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
> smtpd_tls_security_level = may
> smtp_tls_mandatory_ciphers = high
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
> smtpd_tls_session_cache_database = hash:${data_directory}/smtpd_scache
>
> smtp_tls_security_level = fingerprint
> smtp_tls_mandatory_ciphers = high
> smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
> smtp_tls_fingerprint_digest = md5
> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
> smtpd_tls_session_cache_database = hash:${data_directory}/smtpd_scache
> smtpd_tls_received_header = yes
> smtpd_tls_loglevel = 1
> smtp_tls_loglevel = 1
>
> smtp_sasl_auth_enable = yes
> smtp_sasl_security_options = noanonymous
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
> smtp_sender_dependent_authentication = yes
>
> sender_canonical_maps = hash:/etc/postfix/sender_canonical
> sender_dependent_relayhost_maps = hash:/etc/postfix/sender_dependent
>
> mailbox_command = /usr/lib/dovecot/deliver
> message_size_limit = 104857600
>
> smtpd_sasl_type = dovecot
> smtpd_sasl_path = private/auth
> smtpd_sasl_auth_enable = yes
> smtpd_recipient_restrictions =
>     permit_sasl_authenticated,
>     reject_unauth_destination,
>     permit_tls_clientcerts
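
The STARTTLS check suggested at the top of this message, as an added example that is not part of the original thread: it parses the relay's EHLO reply (the text a telnet session shows after typing EHLO) and reports whether STARTTLS is advertised. The function names, the host relay.example.test and the sample replies are constructed for illustration.

```python
import smtplib

def ehlo_keywords(reply):
    """Parse a raw EHLO reply (RFC 5321 multi-line format) into ESMTP keywords."""
    keywords = set()
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        code, sep, text = line[:3], line[3:4], line[4:]
        if code != "250":
            # e.g. a 5xx answer from a server that does not speak ESMTP
            raise ValueError("EHLO not accepted: %r" % line)
        if i > 0 and text.split():
            # Lines after the first carry one extension keyword each;
            # keywords are case-insensitive, so normalise them.
            keywords.add(text.split()[0].upper())
        if sep != "-":
            break  # "250 " (no hyphen) marks the final line of the reply
    return keywords

def supports_starttls(reply):
    """True if the EHLO reply offers the STARTTLS extension."""
    return "STARTTLS" in ehlo_keywords(reply)

def probe(host, port=25, timeout=10.0):
    """Live check: connect, send EHLO, report whether STARTTLS is advertised."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo()
        return conn.has_extn("starttls")

# Constructed sample replies (not captured from a real server).
WITH_TLS = ("250-relay.example.test\r\n250-PIPELINING\r\n250-SIZE 104857600\r\n"
            "250-STARTTLS\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n")
WITHOUT_TLS = ("250-relay.example.test\r\n250-PIPELINING\r\n"
               "250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n")
REJECTED = "502 5.5.2 Error: command not recognized\r\n"

if __name__ == "__main__":
    for name, reply in (("with TLS", WITH_TLS), ("without TLS", WITHOUT_TLS)):
        print(name, "->", "STARTTLS offered" if supports_starttls(reply)
              else "STARTTLS NOT offered")
```

Call probe() with the relay's host name from the smarthost itself, so the result reflects the same network path Postfix uses.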
