Postfix as SMTP Relay appears unsecure to GMail [closed]










0















I am currently trying to set up postfix on RHEL as an SMTP Relay for our internal ticketing system.



The basic configuration is running and working fine; mails get send and recieved. We do alter some headers to secure our internal networks, but that's about it.



Trying 10.71.17.107...
Connected to mail-gw.doma.in.
Escape character is '?'.
220 mail-gw.doma.in ESMTP Postfix
STARTTLS
220 2.0.0 Ready to start TLS


Similary, I am able to ask the GMail-Server for STARTTLS, so I presume that firewalls are not an issue:



Trying 108.177.15.26...
Connected to gmail-smtp-in.l.google.com.
Escape character is '?'.
220 **************************************************
EHLO mail-gw.doma.in
250-mx.google.com at your service, [91.198.93.107]
250-STARTTLS
STARTTLS
220 2.0.0 Ready to start TLS


I have acquired a free SSL Certificate for this mail-gw, and it seems to be valid. However, whenever I relay a message to GMail, it shows me that the message has not been encrypted.



Not secure according to google



Here is my master.cf



smtp inet n - n - - smtpd -v
submission inet n - n - - smtpd -v
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no


And here is my main.cf



smtp_sasl_auth_enable = no
smtp_sasl_password_maps = hash:/etc/postfix/relay_passwords
smtp_tls_CAfile = /etc/pki/tls/certs/mail-gw_doma_in.ca-bundle
smtp_tls_cert_file = /etc/pki/tls/certs/mail-gw_doma_in.crt
smtp_tls_key_file = /etc/pki/tls/private/prv.key
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtpd_cache
smtp_use_tls = yes

smtpd_tls_CAfile = /etc/pki/tls/certs/mail-gw_doma_in.ca-bundle
smtpd_tls_cert_file = /etc/pki/tls/certs/mail-gw_doma_in.crt
smtpd_tls_key_file = /etc/pki/tls/private/prv.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom


I am all out of ideas, especially since all solutions in the internet are smtp_tls_security_level = may.



Any help would be appreciated.



e: As per the comments, here is my connection log with Google.



Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: < gmail-smtp-in.l.google.com[173.194.76.27]:25: 220 **************************************************
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: name_mask: disable_esmtp
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: name_mask: delay_dotcrlf
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: 14ED21038196: enabling PIX workarounds: disable_esmtp delay_dotcrlf for gmail-smtp-in.l.google.com[173.194.76.27]:25
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: > gmail-smtp-in.l.google.com[173.194.76.27]:25: HELO mail-gw.doma.in
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: < gmail-smtp-in.l.google.com[173.194.76.27]:25: 250 mx.google.com at your service
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: server features: 0x31000 size 0
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: smtp_stream_setup: maxtime=300 enable_deadline=0
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: > gmail-smtp-in.l.google.com[173.194.76.27]:25: MAIL FROM:<dct_test_it@doma.in>


Is it supposed to be this way? When I debug incoming connections, I see my server responding with all SMTP options (including STARTTLS)? Even more confusing since telnetting onto the google host also offers me STARTTLS.










share|improve this question















closed as off-topic by tripleee, Mike M., Vadim Kotov, Pearly Spencer, Paul Roub Nov 15 '18 at 16:18


This question appears to be off-topic. The users who voted to close gave this specific reason:


  • "Questions on professional server- or networking-related infrastructure administration are off-topic for Stack Overflow unless they directly involve programming or programming tools. You may be able to get help on Server Fault." – tripleee, Mike M., Vadim Kotov, Pearly Spencer, Paul Roub
If this question can be reworded to fit the rules in the help center, please edit the question.
















  • Can you post the logs showing the connection to gmail?

    – Stephan
    Nov 14 '18 at 15:34











  • Also, the message source from gmail showing the checks would help.

    – Stephan
    Nov 14 '18 at 16:48















0















I am currently trying to set up postfix on RHEL as an SMTP Relay for our internal ticketing system.



The basic configuration is running and working fine; mails get send and recieved. We do alter some headers to secure our internal networks, but that's about it.



Trying 10.71.17.107...
Connected to mail-gw.doma.in.
Escape character is '?'.
220 mail-gw.doma.in ESMTP Postfix
STARTTLS
220 2.0.0 Ready to start TLS


Similary, I am able to ask the GMail-Server for STARTTLS, so I presume that firewalls are not an issue:



Trying 108.177.15.26...
Connected to gmail-smtp-in.l.google.com.
Escape character is '?'.
220 **************************************************
EHLO mail-gw.doma.in
250-mx.google.com at your service, [91.198.93.107]
250-STARTTLS
STARTTLS
220 2.0.0 Ready to start TLS


I have acquired a free SSL Certificate for this mail-gw, and it seems to be valid. However, whenever I relay a message to GMail, it shows me that the message has not been encrypted.



Not secure according to google



Here is my master.cf



smtp inet n - n - - smtpd -v
submission inet n - n - - smtpd -v
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no


And here is my main.cf



smtp_sasl_auth_enable = no
smtp_sasl_password_maps = hash:/etc/postfix/relay_passwords
smtp_tls_CAfile = /etc/pki/tls/certs/mail-gw_doma_in.ca-bundle
smtp_tls_cert_file = /etc/pki/tls/certs/mail-gw_doma_in.crt
smtp_tls_key_file = /etc/pki/tls/private/prv.key
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtpd_cache
smtp_use_tls = yes

smtpd_tls_CAfile = /etc/pki/tls/certs/mail-gw_doma_in.ca-bundle
smtpd_tls_cert_file = /etc/pki/tls/certs/mail-gw_doma_in.crt
smtpd_tls_key_file = /etc/pki/tls/private/prv.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom


I am all out of ideas, especially since all solutions in the internet are smtp_tls_security_level = may.



Any help would be appreciated.



e: As per the comments, here is my connection log with Google.



Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: < gmail-smtp-in.l.google.com[173.194.76.27]:25: 220 **************************************************
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: name_mask: disable_esmtp
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: name_mask: delay_dotcrlf
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: 14ED21038196: enabling PIX workarounds: disable_esmtp delay_dotcrlf for gmail-smtp-in.l.google.com[173.194.76.27]:25
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: > gmail-smtp-in.l.google.com[173.194.76.27]:25: HELO mail-gw.doma.in
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: < gmail-smtp-in.l.google.com[173.194.76.27]:25: 250 mx.google.com at your service
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: server features: 0x31000 size 0
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: smtp_stream_setup: maxtime=300 enable_deadline=0
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: > gmail-smtp-in.l.google.com[173.194.76.27]:25: MAIL FROM:<dct_test_it@doma.in>


Is it supposed to be this way? When I debug incoming connections, I see my server responding with all SMTP options (including STARTTLS)? Even more confusing since telnetting onto the google host also offers me STARTTLS.










share|improve this question















closed as off-topic by tripleee, Mike M., Vadim Kotov, Pearly Spencer, Paul Roub Nov 15 '18 at 16:18


This question appears to be off-topic. The users who voted to close gave this specific reason:


  • "Questions on professional server- or networking-related infrastructure administration are off-topic for Stack Overflow unless they directly involve programming or programming tools. You may be able to get help on Server Fault." – tripleee, Mike M., Vadim Kotov, Pearly Spencer, Paul Roub
If this question can be reworded to fit the rules in the help center, please edit the question.
















  • Can you post the logs showing the connection to gmail?

    – Stephan
    Nov 14 '18 at 15:34











  • Also, the message source from gmail showing the checks would help.

    – Stephan
    Nov 14 '18 at 16:48













0












0








0








I am currently trying to set up postfix on RHEL as an SMTP Relay for our internal ticketing system.



The basic configuration is running and working fine; mails get send and recieved. We do alter some headers to secure our internal networks, but that's about it.



Trying 10.71.17.107...
Connected to mail-gw.doma.in.
Escape character is '?'.
220 mail-gw.doma.in ESMTP Postfix
STARTTLS
220 2.0.0 Ready to start TLS


Similary, I am able to ask the GMail-Server for STARTTLS, so I presume that firewalls are not an issue:



Trying 108.177.15.26...
Connected to gmail-smtp-in.l.google.com.
Escape character is '?'.
220 **************************************************
EHLO mail-gw.doma.in
250-mx.google.com at your service, [91.198.93.107]
250-STARTTLS
STARTTLS
220 2.0.0 Ready to start TLS


I have acquired a free SSL Certificate for this mail-gw, and it seems to be valid. However, whenever I relay a message to GMail, it shows me that the message has not been encrypted.



Not secure according to google



Here is my master.cf



smtp inet n - n - - smtpd -v
submission inet n - n - - smtpd -v
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no


And here is my main.cf



smtp_sasl_auth_enable = no
smtp_sasl_password_maps = hash:/etc/postfix/relay_passwords
smtp_tls_CAfile = /etc/pki/tls/certs/mail-gw_doma_in.ca-bundle
smtp_tls_cert_file = /etc/pki/tls/certs/mail-gw_doma_in.crt
smtp_tls_key_file = /etc/pki/tls/private/prv.key
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtpd_cache
smtp_use_tls = yes

smtpd_tls_CAfile = /etc/pki/tls/certs/mail-gw_doma_in.ca-bundle
smtpd_tls_cert_file = /etc/pki/tls/certs/mail-gw_doma_in.crt
smtpd_tls_key_file = /etc/pki/tls/private/prv.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom


I am all out of ideas, especially since all solutions in the internet are smtp_tls_security_level = may.



Any help would be appreciated.



e: As per the comments, here is my connection log with Google.



Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: < gmail-smtp-in.l.google.com[173.194.76.27]:25: 220 **************************************************
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: name_mask: disable_esmtp
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: name_mask: delay_dotcrlf
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: 14ED21038196: enabling PIX workarounds: disable_esmtp delay_dotcrlf for gmail-smtp-in.l.google.com[173.194.76.27]:25
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: > gmail-smtp-in.l.google.com[173.194.76.27]:25: HELO mail-gw.doma.in
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: < gmail-smtp-in.l.google.com[173.194.76.27]:25: 250 mx.google.com at your service
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: server features: 0x31000 size 0
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: smtp_stream_setup: maxtime=300 enable_deadline=0
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: > gmail-smtp-in.l.google.com[173.194.76.27]:25: MAIL FROM:<dct_test_it@doma.in>


Is it supposed to be this way? When I debug incoming connections, I see my server responding with all SMTP options (including STARTTLS)? Even more confusing since telnetting onto the google host also offers me STARTTLS.










share|improve this question
















I am currently trying to set up postfix on RHEL as an SMTP Relay for our internal ticketing system.



The basic configuration is running and working fine; mails get send and recieved. We do alter some headers to secure our internal networks, but that's about it.



Trying 10.71.17.107...
Connected to mail-gw.doma.in.
Escape character is '?'.
220 mail-gw.doma.in ESMTP Postfix
STARTTLS
220 2.0.0 Ready to start TLS


Similary, I am able to ask the GMail-Server for STARTTLS, so I presume that firewalls are not an issue:



Trying 108.177.15.26...
Connected to gmail-smtp-in.l.google.com.
Escape character is '?'.
220 **************************************************
EHLO mail-gw.doma.in
250-mx.google.com at your service, [91.198.93.107]
250-STARTTLS
STARTTLS
220 2.0.0 Ready to start TLS


I have acquired a free SSL Certificate for this mail-gw, and it seems to be valid. However, whenever I relay a message to GMail, it shows me that the message has not been encrypted.



Not secure according to google



Here is my master.cf



smtp inet n - n - - smtpd -v
submission inet n - n - - smtpd -v
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no


And here is my main.cf



smtp_sasl_auth_enable = no
smtp_sasl_password_maps = hash:/etc/postfix/relay_passwords
smtp_tls_CAfile = /etc/pki/tls/certs/mail-gw_doma_in.ca-bundle
smtp_tls_cert_file = /etc/pki/tls/certs/mail-gw_doma_in.crt
smtp_tls_key_file = /etc/pki/tls/private/prv.key
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtpd_cache
smtp_use_tls = yes

smtpd_tls_CAfile = /etc/pki/tls/certs/mail-gw_doma_in.ca-bundle
smtpd_tls_cert_file = /etc/pki/tls/certs/mail-gw_doma_in.crt
smtpd_tls_key_file = /etc/pki/tls/private/prv.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom


I am all out of ideas, especially since all solutions in the internet are smtp_tls_security_level = may.



Any help would be appreciated.



e: As per the comments, here is my connection log with Google.



Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: < gmail-smtp-in.l.google.com[173.194.76.27]:25: 220 **************************************************
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: name_mask: disable_esmtp
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: name_mask: delay_dotcrlf
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: 14ED21038196: enabling PIX workarounds: disable_esmtp delay_dotcrlf for gmail-smtp-in.l.google.com[173.194.76.27]:25
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: > gmail-smtp-in.l.google.com[173.194.76.27]:25: HELO mail-gw.doma.in
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: < gmail-smtp-in.l.google.com[173.194.76.27]:25: 250 mx.google.com at your service
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: server features: 0x31000 size 0
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: smtp_stream_setup: maxtime=300 enable_deadline=0
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: > gmail-smtp-in.l.google.com[173.194.76.27]:25: MAIL FROM:<dct_test_it@doma.in>


Is it supposed to be this way? When I debug incoming connections, I see my server responding with all SMTP options (including STARTTLS)? Even more confusing since telnetting onto the google host also offers me STARTTLS.







postfix-mta






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 15 '18 at 6:15







Philipp R

















asked Nov 13 '18 at 13:25









Philipp RPhilipp R

43




43




closed as off-topic by tripleee, Mike M., Vadim Kotov, Pearly Spencer, Paul Roub Nov 15 '18 at 16:18


This question appears to be off-topic. The users who voted to close gave this specific reason:


  • "Questions on professional server- or networking-related infrastructure administration are off-topic for Stack Overflow unless they directly involve programming or programming tools. You may be able to get help on Server Fault." – tripleee, Mike M., Vadim Kotov, Pearly Spencer, Paul Roub
If this question can be reworded to fit the rules in the help center, please edit the question.







closed as off-topic by tripleee, Mike M., Vadim Kotov, Pearly Spencer, Paul Roub Nov 15 '18 at 16:18


This question appears to be off-topic. The users who voted to close gave this specific reason:


  • "Questions on professional server- or networking-related infrastructure administration are off-topic for Stack Overflow unless they directly involve programming or programming tools. You may be able to get help on Server Fault." – tripleee, Mike M., Vadim Kotov, Pearly Spencer, Paul Roub
If this question can be reworded to fit the rules in the help center, please edit the question.












  • Can you post the logs showing the connection to gmail?

    – Stephan
    Nov 14 '18 at 15:34











  • Also, the message source from gmail showing the checks would help.

    – Stephan
    Nov 14 '18 at 16:48

















  • Can you post the logs showing the connection to gmail?

    – Stephan
    Nov 14 '18 at 15:34











  • Also, the message source from gmail showing the checks would help.

    – Stephan
    Nov 14 '18 at 16:48
















Can you post the logs showing the connection to gmail?

– Stephan
Nov 14 '18 at 15:34





Can you post the logs showing the connection to gmail?

– Stephan
Nov 14 '18 at 15:34













Also, the message source from gmail showing the checks would help.

– Stephan
Nov 14 '18 at 16:48





Also, the message source from gmail showing the checks would help.

– Stephan
Nov 14 '18 at 16:48












1 Answer
1






active

oldest

votes


















0














I finally found the solution.
For some reason - I am not sure how - my Postfix thought that our Firewall was doing SMTP Inspection, and enabled the PIX workaround "disable_esmtp"



Thus, my Postfix only started a connection with a HELO, and didn't get the option to STARTTLS.



Solution:
In your main.cf, only enable the other workarounds. For the sake of brevity, I did it like this for now:



smtp_pix_workarounds = delay_dotcrlf


Hard for me to believe that I haven't found anything about this.






share|improve this answer





























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    I finally found the solution.
    For some reason - I am not sure how - my Postfix thought that our Firewall was doing SMTP Inspection, and enabled the PIX workaround "disable_esmtp"



    Thus, my Postfix only started a connection with a HELO, and didn't get the option to STARTTLS.



    Solution:
    In your main.cf, only enable the other workarounds. For the sake of brevity, I did it like this for now:



    smtp_pix_workarounds = delay_dotcrlf


    Hard for me to believe that I haven't found anything about this.






    share|improve this answer



























      0














      I finally found the solution.
      For some reason - I am not sure how - my Postfix thought that our Firewall was doing SMTP Inspection, and enabled the PIX workaround "disable_esmtp"



      Thus, my Postfix only started a connection with a HELO, and didn't get the option to STARTTLS.



      Solution:
      In your main.cf, only enable the other workarounds. For the sake of brevity, I did it like this for now:



      smtp_pix_workarounds = delay_dotcrlf


      Hard for me to believe that I haven't found anything about this.






      share|improve this answer

























        0












        0








        0







        I finally found the solution.
        For some reason - I am not sure how - my Postfix thought that our Firewall was doing SMTP Inspection, and enabled the PIX workaround "disable_esmtp"



        Thus, my Postfix only started a connection with a HELO, and didn't get the option to STARTTLS.



        Solution:
        In your main.cf, only enable the other workarounds. For the sake of brevity, I did it like this for now:



        smtp_pix_workarounds = delay_dotcrlf


        Hard for me to believe that I haven't found anything about this.






        share|improve this answer













        I finally found the solution.
        For some reason - I am not sure how - my Postfix thought that our Firewall was doing SMTP Inspection, and enabled the PIX workaround "disable_esmtp"



        Thus, my Postfix only started a connection with a HELO, and didn't get the option to STARTTLS.



        Solution:
        In your main.cf, only enable the other workarounds. For the sake of brevity, I did it like this for now:



        smtp_pix_workarounds = delay_dotcrlf


        Hard for me to believe that I haven't found anything about this.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Nov 15 '18 at 7:31









        Philipp RPhilipp R

        43




        43















            Popular posts from this blog

            Use pre created SQLite database for Android project in kotlin

            Darth Vader #20

            Ondo