1 Topic by someting (edited by someting 2017-02-16 06:53:08)

  • someting
  • Member
  • Offline
  • Registered: 2017-02-16
  • Posts: 4

Topic: Gmail saying email is unencrypted on Fresh iRedMail Install

======== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.6
- Linux/BSD distribution name and version: Ubuntu 14.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? No
- Related log if you're reporting an issue:
====

Getting a red lock icon when sending email to Gmail accounts. On the page of the email, and when hovering over it - it says "examplexx.com did not encrypt this message".

I put this in postfix:

smtpd_tls_received_header = yes

And Gmail headers for the email are showing:

Received: from mail.examplexx.com (localhost.localdomain [127.0.0.1]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.examplexx.com (Postfix) with ESMTPSA id E172C460E2C for <mygmail@gmail.com>; Wed, 15 Feb 2017 17:23:43 -0500 (EST)

It has TLSv1 in the header so I would expect that this means that it is encrypted?

This is on a fresh install of iRedMail with SPF, DKIM, rDNS, and MX all set up correctly.

/var/log/mail.log says:

Feb 15 17:23:43 mail postfix/submission/smtpd[5626]: connect from localhost.localdomain[127.0.0.1]
Feb 15 17:23:43 mail postfix/submission/smtpd[5626]: Anonymous TLS connection established from localhost.localdomain[127.0.0.1]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Feb 15 17:23:43 mail postfix/submission/smtpd[5626]: E172C460E2C: client=localhost.localdomain[127.0.0.1], sasl_method=LOGIN, sasl_username=person@examplexx.com

How can Gmail say its unencrypted?

Post's attachments

example.jpg
example.jpg 74.14 kb, file has never been downloaded. 

You don't have the permssions to download the attachments of this post.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,165

Re: Gmail saying email is unencrypted on Fresh iRedMail Install

someting wrote:

And Gmail headers for the email are showing:

Please show us all "Received:" headers.

3 Reply by someting

  • someting
  • Member
  • Offline
  • Registered: 2017-02-16
  • Posts: 4

Re: Gmail saying email is unencrypted on Fresh iRedMail Install

Delivered-To: mygmail@gmail.com
Received: by 10.223.172.112 with SMTP id v103csp1754125wrc;
        Wed, 15 Feb 2017 14:23:47 -0800 (PST)
X-Received: by 10.200.39.77 with SMTP id h13mr36906560qth.62.1487197427303;
        Wed, 15 Feb 2017 14:23:47 -0800 (PST)
Return-Path: <person@examplexx.com>
Received: from mail.examplexx.com (mail.examplexx.com. [191.xxx.xxx.123])
        by mx.google.com with ESMTP id n14si3859523qkl.104.2017.02.15.14.23.45
        for <mygmail@gmail.com>;
        Wed, 15 Feb 2017 14:23:47 -0800 (PST)
Received-SPF: pass (google.com: domain of person@examplexx.com designates 191.xxx.xxx.123 as permitted sender) client-ip=191.xxx.xxx.123;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@examplexx.com;
       spf=pass (google.com: domain of person@examplexx.com designates 191.xxx.xxx.123 as permitted sender) smtp.mailfrom=person@examplexx.com
Received: from mail.examplexx.com (localhost.localdomain [127.0.0.1]) by mail.examplexx.com (Postfix) with ESMTP id 2539E460F80 for <mygmail@gmail.com>; Wed, 15 Feb 2017 17:23:44 -0500 (EST)
Authentication-Results: mail.examplexx.com (amavisd-new); dkim=pass reason="pass (just generated, assumed good)" header.d=examplexx.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=examplexx.com;
     h=user-agent:message-id:subject:subject:to:from:from:date:date :content-transfer-encoding:content-type:content-type :mime-version; s=dkim; t=1487197423; x=1488061424; bh=LaegeaE4sW d4l9K7YWNlAinmqUePEZwKG9dMjiYmLn8=; b=kwncSJ+1sfsaHOwC6QdWEHx51L 8lFxni/8Uf2F9JqDwZw02NpcwJgYMudwz/Y+u5D6P+TMcnN7FKP7mNpmCgBtAWY5 5o74LFW1+vyzVD3/VAZy/pv5geelunWl6F00ZTVNhvLUjlws4YGztSgKvo+cBj3U leIvBFRGhUpGH6uws=
X-Virus-Scanned: Debian amavisd-new at
Received: from mail.examplexx.com ([127.0.0.1]) by mail.examplexx.com (mail.examplexx.com [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id rDkWtfKFDuZC for <mygmail@gmail.com>; Wed, 15 Feb 2017 17:23:43 -0500 (EST)
Received: from mail.examplexx.com (localhost.localdomain [127.0.0.1]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.examplexx.com (Postfix) with ESMTPSA id E172C460E2C for <mygmail@gmail.com>; Wed, 15 Feb 2017 17:23:43 -0500 (EST)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Content-Transfer-Encoding: 7bit
Date: Wed, 15 Feb 2017 17:23:43 -0500
From: person@examplexx.com
To: mygmail@gmail.com
Subject: Hi
Message-ID: <bdb2689c6599245d780e90e81ad6a5dc@examplexx.com>
X-Sender: person@examplexx.com
User-Agent: Roundcube Webmail

4 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,165

Re: Gmail saying email is unencrypted on Fresh iRedMail Install

someting wrote:

Received: from mail.examplexx.com (mail.examplexx.com. [191.xxx.xxx.123])
        by mx.google.com with ESMTP id n14si3859523qkl.104.2017.02.15.14.23.45
        for <mygmail@gmail.com>;
        Wed, 15 Feb 2017 14:23:47 -0800 (PST)

This one is the key.

Do you have "smtp_tls_received_header = yes" in Postfix main.cf? NOTE: for server-to-server communication, it's "smtp_tls_received_header", not "smtpd_*"

5 Reply by someting (edited by someting 2017-02-16 20:52:57)

  • someting
  • Member
  • Offline
  • Registered: 2017-02-16
  • Posts: 4

Re: Gmail saying email is unencrypted on Fresh iRedMail Install

ZhangHuangbin wrote:
someting wrote:

Received: from mail.examplexx.com (mail.examplexx.com. [191.xxx.xxx.123])
        by mx.google.com with ESMTP id n14si3859523qkl.104.2017.02.15.14.23.45
        for <mygmail@gmail.com>;
        Wed, 15 Feb 2017 14:23:47 -0800 (PST)

This one is the key.

Do you have "smtp_tls_received_header = yes" in Postfix main.cf? NOTE: for server-to-server communication, it's "smtp_tls_received_header", not "smtpd_*"

Postfix doesn't seem to like "smtp_tls_received_header = yes". And it seems that only the internal smtpd connections are being encrypted and the outbound smtp connection to Gmail isn't.

You're right that is key.

While my emails show:
Received: from mail.examplexx.com (mail.examplexx.com. [191.xxx.xxx.123])
        by mx.google.com with ESMTP id n14si3859523qkl.104.2017.02.15.14.23.45
        for <mygmail@gmail.com>;
        Wed, 15 Feb 2017 14:23:47 -0800 (PST)

And should be:
Received: from mail.examplexx.com (mail.examplexx.com. [191.xxx.xxx.123])
        by mx.google.com with ESMTP id n14si3859523qkl.104.2017.02.15.14.23.45
        for <mygmail@gmail.com>;
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
        Wed, 15 Feb 2017 14:23:47 -0800 (PST)


It seems that the default settings of "smtp_tls_security_level = may" should be enough to apply tls to the server to server connection. Forcing encrypt with "smtp_tls_security_level = encrypt" makes the email undeliverable to Gmail - an email provider that definitely has tls capabilities.

Maybe these settings need to be changed in master.cf to allow for the server to server smtp encryption?

6 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,165

Re: Gmail saying email is unencrypted on Fresh iRedMail Install

someting wrote:

Maybe these settings need to be changed in master.cf to allow for the server to server smtp encryption?

"smtp_tls_security_level = may" in main.cf should be enough.

You cannot force to use encryption between servers -- if the other side doesn't have TLS support, the smtp session will fail.

7 Reply by someting (edited by someting 2017-02-17 14:51:14)

  • someting
  • Member
  • Offline
  • Registered: 2017-02-16
  • Posts: 4

Re: Gmail saying email is unencrypted on Fresh iRedMail Install

ZhangHuangbin wrote:

if the other side doesn't have TLS support, the smtp session will fail.

Yes, since Gmail does have TLS support - it must be me and it is. A lookup for my certificate on port 993 - it shows my certificate is there. Port 443 - my certificate is there.

But when I looked up my certificates on port 587 - the tls sending port, it shows there isn't any certificate!

Explains why the emails aren't encrypting.

It must be postfix controlling this I assume. The only settings I changed in postfix were in main.cf -- the inet_protocols to ipv4 and three tls settings:

smtpd_tls_key_file = /etc/letsencrypt/live/mail.examplexx.com/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.examplexx.com/cert.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/mail.examplexx.com/chain.pem

Is there something else I can change to get port 587 to use the certificate?

8 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,165

Re: Gmail saying email is unencrypted on Fresh iRedMail Install

ssl cert setting in postfix looks fine. but:

someting wrote:

smtpd_tls_CAfile = /etc/letsencrypt/live/mail.examplexx.com/chain.pem

Try the fullchain.pem instead.