It is written in books and on internet forums that, in main.cf:
- *smtp_tls_auth_only* is for outgoing mail, i.e. sending mail to other mail servers.
- *smtpd_tls_auth_only* is for clients/customers sending email to my server.

But my results are not as mentioned.

*Test1* - (sending email from Postfix to the Gmail server)
smtp_tls_auth_only = may
smtpd_tls_auth_only = may
Result = Working fine.


*Test2* - (sending email from my Postfix to the Gmail server)
smtp_tls_auth_only = may
smtpd_tls_auth_only = encrypt
*Result = Fail with NDR:*
    host 127.0.0.1[127.0.0.1] said: 530 5.7.0 id=21205-11 - Rejected by next-hop MTA on relaying, from MTA(smtp:[127.0.0.1]:10025): 530 5.7.0 Must issue a STARTTLS command first (in reply to end of DATA command)

*Comments:* Since smtp_tls_auth_only is responsible for sending emails, why is it rejecting for encryption purposes?


*Test3* - (sending email from my Postfix to the Gmail server)
smtp_tls_auth_only = encrypt
smtpd_tls_auth_only = may
*Result = Fail with no NDR, but with this log:*
    relay=127.0.0.1[127.0.0.1]:10024, delay=0.07, delays=0.06/0.01/0/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host 127.0.0.1[127.0.0.1])


Comment: I know my email is not being delivered, which is what I want, as Google is not set to encrypt a channel with me. But it is showing the error at my end, 127.0.0.1, which is kind of confusing.



----------------------
MY GOAL:
----------------------
I want to force client submission on 587 and MTA-to-MTA communication on 25 only.

With any of the above settings in the example, my clients can still submit on port 25, which I don't want.




-----------------------
master.cf
----------------------

smtp      inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING



-------------------------------------
postconf -n
-------------------------------------


alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
dovecot_destination_recipient_limit = 1
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = mail.anitbridge.com, localhost, localhost.localdomain
myhostname = mail.anitbridge.com
mynetworks = 127.0.0.0/8 [::1]/128
myorigin = /etc/mailname
nested_header_checks = regexp:/etc/postfix/nested_header_checks
owner_request_special = no
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
readme_directory = /usr/share/doc/postfix
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
relayhost =
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = encrypt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_message_rate_limit = 100
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_recipient_restrictions = reject_rbl_client zen.spamhaus.org, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
virtual_alias_domains =
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = dovecot
virtual_uid_maps = static:5000


Any help in this regard will be highly appreciated.

Thanks,
Yousuf
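Added example (editor's own, not part of Yousuf's post and not Postfix code): a small Python script that resolves the settings each smtpd listener actually runs with, by applying the master.cf "-o name=value" overrides on top of main.cf, and then checks the stated goal, i.e. AUTH offered only on submission and submission forced to TLS. The point it makes visible is that the global smtpd_sasl_auth_enable = yes in the posted main.cf is inherited by the "smtp inet" entry on port 25, and that smtpd_tls_auth_only = yes only hides AUTH until STARTTLS has been issued; it does not by itself stop submission on port 25. The main.cf and master.cf texts are constructed from the configuration in the post, trimmed to the keys that matter here; the 127.0.0.1:10025 re-injection listener named in the NDR is assumed, since the post's master.cf excerpt does not show it. The function names (parse_main_cf, parse_master_cf, audit) are mine.

```python
"""Resolve the settings each Postfix smtpd listener really runs with (added
example, not code from the post or from Postfix): main.cf values with the
matching master.cf "-o name=value" overrides applied on top of them.
"""
import re

def parse_main_cf(text):
    """Parse 'name = value' lines (postconf -n style) into a dict."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and name:  # indented continuation of previous value
            params[name] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        name = name.strip()
        params[name] = value.strip()
    return params

def parse_master_cf(text):
    """Return one dict per service: name, type, command and its -o overrides."""
    services = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":  # indented line belongs to the previous service
            m = re.match(r"\s*-o\s+([^=\s]+)=(.*)$", line)
            if m and services:
                services[-1]["overrides"][m.group(1)] = m.group(2).strip()
            continue
        f = line.split()  # name type private unpriv chroot wakeup maxproc command
        services.append({"name": f[0], "type": f[1],
                         "command": f[7] if len(f) > 7 else "", "overrides": {}})
    return services

def audit(main_text, master_text):
    """Findings against the goal: AUTH only on submission, and only over TLS."""
    main = parse_main_cf(main_text)
    findings = []
    for svc in parse_master_cf(master_text):
        if svc["command"] != "smtpd" or svc["type"] != "inet":
            continue
        cfg = dict(main)               # main.cf applies to every service ...
        cfg.update(svc["overrides"])   # ... unless the master.cf entry overrides
        sasl = cfg.get("smtpd_sasl_auth_enable", "no") == "yes"
        tls = cfg.get("smtpd_tls_security_level") or "none"
        if svc["name"] == "smtp" and sasl:
            findings.append("smtp (port 25): AUTH is offered, clients can submit here")
        if svc["name"] == "submission":
            if not sasl:
                findings.append("submission: AUTH is not enabled")
            if tls != "encrypt":
                findings.append("submission: smtpd_tls_security_level is %s, not encrypt" % tls)
        if svc["name"].startswith("127.0.0.1:") and tls == "encrypt":
            findings.append("%s: loopback re-injection listener demands STARTTLS" % svc["name"])
    return findings

# Constructed from the post's postconf -n output, trimmed to the keys used here.
MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
content_filter = amavis:[127.0.0.1]:10024
"""

# The post's master.cf entries plus an assumed 127.0.0.1:10025 re-injection
# listener (the "next-hop MTA" in the NDR); the excerpt in the post omits it.
MASTER_CF_POSTED = """\
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
"""

# Same services with per-listener overrides: no AUTH on 25, TLS-only on 587,
# and the loopback listener pinned so a global "encrypt" cannot break it.
MASTER_CF_HARDENED = """\
smtp      inet  n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=no
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o smtpd_tls_security_level=none
  -o smtpd_sasl_auth_enable=no
"""

if __name__ == "__main__":
    for label, master in (("posted", MASTER_CF_POSTED), ("hardened", MASTER_CF_HARDENED)):
        print(label, audit(MAIN_CF, master) or ["ok"])
```

Run as-is, the script reports two findings for the posted layout (port 25 inherits the global smtpd_sasl_auth_enable = yes, and submission inherits smtpd_tls_security_level = may) and none for the hardened one. Setting smtpd_sasl_auth_enable = no in main.cf and enabling it only under the submission entry gives the same result with fewer overrides. Pinning the loopback listener to smtpd_tls_security_level=none is what keeps a global "encrypt" (Test2 in the post) from making the re-injection hop demand STARTTLS; the parameter without the d, smtp_tls_security_level, governs Postfix as a client and is the one behind the "TLS is required, but was not offered" deferral on the hop to 10024, so it is not something an smtpd override can change.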
