Thanks, I think that the problem was the chaotic situation in the main.cf.
I've corrected it accordingly (see below).
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
readme_directory = no
default_database_type = hash
myhostname = myhost
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = myhost, localhost.localdomain, localhost, 127.0.0.1,
    192.168.1.22
relayhost = [this.is.an.example.domain]
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128, 192.168.1.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
# TLS SMTPD parameters
smtpd_tls_cert_file = /etc/ssl/private/server.crt
smtpd_tls_key_file = /etc/ssl/private/server.key
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_security_level = may
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_session_cache_database = hash:${data_directory}/smtpd_scache
smtpd_tls_received_header = no
smtpd_tls_loglevel = 1
# SMTP Auth via Dovecot
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    reject_unauth_destination,
    permit_tls_clientcerts
#TLS SMTP parameters
smtp_tls_security_level = fingerprint
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_fingerprint_digest = md5
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_session_cache_database = hash:${data_directory}/smtp_scache
smtp_tls_loglevel = 1
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
smtp_sender_dependent_authentication = yes
# sender_canonical and sender_dependent
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_dependent
# IMAP Server Dovecot
mailbox_command = /usr/lib/dovecot/deliver
message_size_limit = 104857600
Extract from the log:
May 22 20:23:35 myhost postfix/smtpd[3914]: connect from unknown[192.168.1.10]
May 22 20:23:35 myhost postfix/smtpd[3914]: Anonymous TLS connection established from unknown[192.168.1.10]: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
May 22 20:23:36 myhost postfix/smtpd[3914]: 000000000: client=unknown[192.168.1.10], sasl_method=PLAIN, sasl_username=main
May 22 20:23:36 myhost postfix/cleanup[3919]: 000000000: message-id=<[email protected]>
May 22 20:23:36 myhost postfix/qmgr[3849]: 000000000: from=<[email protected]>, size=757, nrcpt=1 (queue active)
May 22 20:23:36 myhost postfix/smtpd[3914]: disconnect from unknown[192.168.1.10]
May 22 20:23:37 myhost postfix/smtp[3920]: Verified TLS connection established to this.is.an.example.domain[000:000:000:000]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
May 22 20:23:37 myhost postfix/smtp[3920]: 000000000: to=<[email protected]>, relay=this.is.an.example.domain[000:000:000:000]:25, delay=1.2, delays=0.09/0.15/0.92/0.07, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as ???)
May 22 20:23:37 myhost postfix/qmgr[3849]: 000000000: removed
I think that the connection to the relay is now encrypted. But I'm surprised
that the internal encryption is only AES128 ... And I use hash because it
is the default setting, and my server is only a little Raspberry for my own
mail traffic.
Thanks!
Mat
> Is "fingerprint" really a good idea here? Will the receiving party
> coordinate key rollover with you? Or are you operating both servers?
Why is this not a good idea? I think that anybody can get a certificate signed
by Verisign, Thawte or ... And I want to prevent a man-in-the-middle attack
with signed certificates. I trust only the certificate from my mail provider.
> Sent: Thursday, 22 May 2014 at 18:21
> From: "Viktor Dukhovni" <[email protected]>
> To: [email protected]
> Subject: Re: your mail
>
> On Thu, May 22, 2014 at 10:39:57AM +0200, [email protected] wrote:
>
> > relayhost = relay.domain.com
>
> Had you not obfuscated the relay name, you'd have your answer already.
> You should also post log entries exhibiting the unwanted behaviour.
> Typically ISP relays are hostnames not MX records:
>
> relayhost = [relay.example.net]
>
> and often use the submission port:
>
> relayhost = [relay.example.net]:587
>
> > smtpd_tls_cert_file = /etc/ssl/private/server.crt
> > smtpd_tls_key_file = /etc/ssl/private/server.key
> > smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
> > smtpd_tls_security_level = may
> > smtp_tls_mandatory_ciphers = high
> > smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
> > smtpd_tls_session_cache_database = hash:${data_directory}/smtpd_scache
>
> That should probably be "smtpd_tls_mandatory_ciphers" or you're
> grouping your settings very poorly. Use btree, not hash for
> session caches.
>
> > smtp_tls_security_level = fingerprint
> > smtp_tls_mandatory_ciphers = high
> > smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
> > smtp_tls_fingerprint_digest = md5
> > smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
> > smtpd_tls_session_cache_database = hash:${data_directory}/smtpd_scache
> > smtpd_tls_received_header = yes
>
> That should probably be:
>
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
>
> or you're grouping your settings very poorly and like repeating yourself.
>
> What's in the policy table (entry for the relay)?
>
> Is "fingerprint" really a good idea here? Will the receiving party
> coordinate key rollover with you? Or are you operating both servers?
>
> --
> Viktor.
>
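As an added example (not part of this thread or of Postfix itself), a small Python check over log lines in the shape of the extract above: it parses Postfix's "TLS connection established" lines and flags outbound (smtp) handshakes that did not reach the trust level a given smtp_tls_security_level should produce, plus any cipher below a chosen key size. The sample lines, queue ids and peer addresses are constructed, not taken from the poster's server.

```python
import re
from typing import Dict, List

# Constructed sample lines in the format of the log extract above; peer
# addresses are documentation ranges, not the poster's real hosts.
SAMPLE_LOG = """\
May 22 20:23:35 myhost postfix/smtpd[3914]: Anonymous TLS connection established from unknown[192.168.1.10]: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
May 22 20:23:37 myhost postfix/smtp[3920]: Verified TLS connection established to this.is.an.example.domain[192.0.2.25]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
May 22 20:24:01 myhost postfix/smtp[3921]: Untrusted TLS connection established to this.is.an.example.domain[192.0.2.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
May 22 20:24:05 myhost postfix/smtpd[3922]: connect from unknown[192.168.1.10]
"""

# Postfix handshake line: "<Trust> TLS connection established from|to <peer>: <proto> with cipher <name> (<bits>/<bits> bits)"
TLS_RE = re.compile(
    r"postfix/(?P<daemon>smtpd?)\[\d+\]: (?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection "
    r"established (?:from|to) (?P<peer>.+?): (?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)

# Lowest trust level a successful delivery should show for each smtp_tls_security_level
# ("may"/"encrypt" do not check the peer certificate; the other three must end as Verified).
REQUIRED_TRUST = {"may": "Anonymous", "encrypt": "Anonymous", "fingerprint": "Verified",
                  "verify": "Verified", "secure": "Verified"}
TRUST_RANK = {"Anonymous": 0, "Untrusted": 1, "Trusted": 2, "Verified": 3}


def parse_tls_events(log_text: str) -> List[Dict[str, str]]:
    """Return one dict per TLS handshake line; connect/disconnect/queue lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def check_tls_events(events: List[Dict[str, str]], smtp_level: str = "fingerprint",
                     min_bits: int = 128) -> List[str]:
    """Flag outbound handshakes below the trust level smtp_level should yield,
    and any handshake (either direction) negotiated with fewer than min_bits."""
    findings = []
    need = REQUIRED_TRUST[smtp_level]
    for e in events:
        if e["daemon"] == "smtp" and TRUST_RANK[e["trust"]] < TRUST_RANK[need]:
            findings.append(f"outbound to {e['peer']}: {e['trust']} TLS, expected {need} for level '{smtp_level}'")
        if int(e["bits"]) < min_bits:
            findings.append(f"{e['daemon']} with {e['peer']}: {e['cipher']} is only {e['bits']} bits")
    return findings
```

With the poster's settings (smtp side "fingerprint", smtpd side "may") an inbound "Anonymous" handshake from a mail client is expected, while an outbound handshake to the relay that is anything other than "Verified" is worth investigating.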