It is written in books and on internet forums that in main.cf:
- *smtp_tls_auth_only* is for outgoing mails, or to send mails to other mail servers.
- *smtpd_tls_auth_only* is for clients/customers sending emails to my server.
But my results are not as mentioned.

*Test1* - (sending email from postfix to gmail server)
smtp_tls_auth_only = may
smtpd_tls_auth_only = may
Result = working fine.

*Test2* - (sending email from my postfix to gmail server)
smtp_tls_auth_only = may
smtpd_tls_auth_only = encrypt
*Result = fail with NDR*
host 127.0.0.1[127.0.0.1] said: 530 5.7.0 id=21205-11 - Rejected by next-hop MTA on relaying, from MTA(smtp:[127.0.0.1]:10025): 530 5.7.0 Must issue a STARTTLS command first (in reply to end of DATA command)
*Comments:* since smtp_tls_auth_only is responsible for sending emails, then why is it rejecting for encryption purposes?

*Test3* - (sending email from my postfix to gmail server)
smtp_tls_auth_only = encrypt
smtpd_tls_auth_only = may
*Result = fail with no NDR, but with this log:*
relay=127.0.0.1[127.0.0.1]:10024, delay=0.07, delays=0.06/0.01/0/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host 127.0.0.1[127.0.0.1])
Comment: I know my email is not being delivered, which is what I want, as Google is not set to encrypt a channel with me. But it is showing the error at my end, 127.0.0.1, which is kinda confusing.

----------------------
MY GOAL:
----------------------
I want to force client submission on 587 and MTA-to-MTA communication on 25 only. With any of the above settings in the example, my clients can still submit to port 25, which I don't want.
-----------------------
master.cf
----------------------
smtp       inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

-------------------------------------
postconf -n
-------------------------------------
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
dovecot_destination_recipient_limit = 1
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = mail.anitbridge.com, localhost, localhost.localdomain
myhostname = mail.anitbridge.com
mynetworks = 127.0.0.0/8 [::1]/128
myorigin = /etc/mailname
nested_header_checks = regexp:/etc/postfix/nested_header_checks
owner_request_special = no
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
readme_directory = /usr/share/doc/postfix
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
relayhost =
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = encrypt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_message_rate_limit = 100
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_recipient_restrictions = reject_rbl_client zen.spamhaus.org, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
virtual_alias_domains =
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = dovecot
virtual_uid_maps = static:5000

Any help in this regard will be highly appreciated.
Thanks, Yousuf
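Added example, not part of the original post: a master.cf and main.cf layout for the stated goal (AUTH offered only on 587 with mandatory TLS, port 25 kept for MTA-to-MTA with opportunistic TLS, and the amavis loop left in plaintext so the local 10024/10025 hops stop failing the TLS checks). The amavis transport and the 127.0.0.1:10025 re-injection listener are assumed from content_filter and the two log lines in the post, since the posted master.cf excerpt does not show them.

```conf
# ---- master.cf (added example) ----
# Port 25: inbound MTA-to-MTA only. No AUTH is announced, TLS stays "may"
# (Postfix documents "encrypt" on a public port 25 as an RFC 2487 violation).
smtp       inet  n  -  -  -  -  smtpd
  -o syslog_name=postfix/smtp25
  -o smtpd_sasl_auth_enable=no
  -o smtpd_tls_security_level=may

# Port 587: the only service that offers AUTH, and only after STARTTLS
# (smtpd_tls_auth_only = yes from the post applies here as well).
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

# Transport behind content_filter = amavis:[127.0.0.1]:10024 (assumed entry).
# The smtp client must not demand TLS from local amavisd; otherwise mail is
# deferred with dsn=4.7.4 "TLS is required, but was not offered".
amavis     unix  -  -  n  -  2  smtp
  -o smtp_tls_security_level=none
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes

# Re-injection listener fed by amavisd (assumed entry). No TLS requirement and
# no AUTH here; a global "encrypt" on smtpd is what produced the
# "530 5.7.0 Must issue a STARTTLS command first" bounce from :10025.
127.0.0.1:10025 inet n  -  n  -  -  smtpd
  -o syslog_name=postfix/amavis-return
  -o content_filter=
  -o smtpd_tls_security_level=none
  -o smtpd_sasl_auth_enable=no
  -o mynetworks=127.0.0.0/8
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks

# ---- main.cf (added example) ----
# Global defaults are the safe ones; master.cf turns features on per service.
# smtpd_sasl_auth_enable = no           AUTH only where 587 overrides it to yes
# smtpd_tls_auth_only = yes             never offer AUTH before STARTTLS
# smtpd_tls_security_level = may        opportunistic on 25; 587 overrides to encrypt
# smtp_tls_security_level = may         opportunistic outbound MTA-to-MTA
```

With AUTH disabled on port 25 and permit_sasl_authenticated left in smtpd_recipient_restrictions, a client that tries to submit on 25 is treated as an unauthenticated remote MTA and falls through to reject_unauth_destination.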