1 Topic by simixant (edited by simixant 2017-11-20 19:57:12)

  • simixant
  • Member
  • Offline
  • Registered: 2017-11-19
  • Posts: 8

Topic: TLS issue

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.7
- Linux/BSD distribution name and version: Debian 8
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySql
- Web server (Apache or Nginx):Apache
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
Hi, I've got problem with TLS. I configured my server according to :
https://docs.iredmail.org/install.iredm … buntu.html
I obtained a new certificate from letsencrypt and I added A, MX and DKIM records.
When I log in to webmail using https://email.<mydomain>.tk/mail, I see encrypted page (green padlock in my web browser).
When I'm sending an email to my google account I get my email, but it's not encrypted. I see red padlock in my email.
I've tried to switch on checkbox in roundcube ("Encrypt this message"), but it's causing an error
Encryption failed. Public key not found for <user>@<mydomain>.tk.
Search on key server(s)
Also I've tried "Search on key server" but it doesn't work.
If I use SOGo, the options SSL and TLS are unavailable, I cannot change anything in that section.
Also I've tried "Search on key server" but it doesn't work.
If I use SOGo, the options SSL and TLS are unavailable, I cannot change anything in that section.
If I'm not wrong by default ired mail should use self signed certificate,
but at the begining I didn't recive any encrypted email.
If I'm not wrong by default iredmail should use self signed certificate,
but at the beginning (with self signed cert) I couldn't receive any encrypted email.
I have 4 ports opened :
http, https, 587, 25
Thanks in advance
Regards,
Simon

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,163

Re: TLS issue

simixant wrote:

When I'm sending an email to my google account I get my email, but it's not encrypted. I see red padlock in my email.

What do you mean "not encrypted" here?

3 Reply by simixant

  • simixant
  • Member
  • Offline
  • Registered: 2017-11-19
  • Posts: 8

Re: TLS issue

Taken from google:

Green (S/MIME enhanced encryption) encryption. Suitable for your most sensitive information. S/MIME encrypts all outgoing messages if we have the recipient's public key. Only the recipient with the corresponding private key can decrypt this message.

Gray (TLS - standard encryption) TLS standard encryption. Suitable for most messages. TLS (Transport Layer Security) is used for messages exchanged with other email services who don't support S/MIME.

Red (no encryption) No encryption. Unencrypted mail which is not secure. Past messages sent to the recipient's domain are used to predict whether the message you're sending won't be reliably encrypted.

So I see the red lock icon. I don't know how I can fix that on my server. I've done everything according to mentioned webpage.
https://docs.iredmail.org/install.iredm … buntu.html

Regards,

Simon

4 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,163

Re: TLS issue

*) Do you have settings below in Postfix main.cf?

smtpd_tls_security_level = may
smtp_tls_security_level = may

*) Does your Postfix use an valid ssl cert?

5 Reply by simixant

  • simixant
  • Member
  • Offline
  • Registered: 2017-11-19
  • Posts: 8

Re: TLS issue

1. I have both options configured
2. My cert is valid.
I used /etc/letsencrypt/live/... path which was main path of certbot. I updated the path in Apache, Postfix and Dovecot.

Regards,

Simon

6 Reply by swejun

  • swejun
  • Member
  • Offline
  • Registered: 2017-07-26
  • Posts: 84

Re: TLS issue

Just one idea...
End-to-end encryption in e-mail (like s-Mime or PGP, using the "encrypt|sign" options in RoundCube) has nothing to do with the TLS based transport encryption, which is done "between the mail servers" only, i.e the email items are not encrypted when stored in the sending and receiving mail server databases.
If the TLS encryption is set up correctly, like in Your case using a LetsEncrypt certificate, and storing it in the correct place under /etc/pki (replacing the selfsigned cert or using symlinks or changing all locations in the mailserver referring to the certs if placed elsewhere), sending e-mails to external addresses like gmail WILL use TLS. Also when receiving e-mails, they will be TLS encrypted in the transport.
Note that using TLS encryption or not is a negotiation between the mail servers. In the default set-up, postfix will allow both sending and receiving in clear text if the other end does not provide TLS.

How to test:
1) run localy on Your mail host
#  telnet localhost 25
    ehlo testing
"The server should respond with "250-STARTTLS" in the list"
quit
2) Use an external party to verify your mailserver, like https://mxtoolbox.com/
Enter Your domain name, and in the resulting page click SMTP-TEST for your listed  mailserver
The result should be STARTTLS supported
3) Send an email to gmail, and check the raw source (=original message)
It should show something like:
Received: from Your.Mailserver.com ([1.2.3.4])
        by mx.google.com with ESMTPS id y11si11672235edh.158.2017.11.22.02.48.10
        for <my.address@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
4) Reply the message, and check the mail using RoundCube, view the raw format. It should read something like this
Received: from mail-it0-x22e.google.com (mail-it0-x22e.google.com [IPv6:2607:f8b0:4001:c0b::22e])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))

Now, if what You are really looking for is using client certificates to to end-to-end encryption or signing using s-mime or PGP, the mail transport is not involved at all. It is handled by the mail clients.
I havnt tried it in roundcube or SOGo, but using a plugin in Thunderbird.

7 Reply by simixant (edited by simixant 2017-11-22 20:49:58)

  • simixant
  • Member
  • Offline
  • Registered: 2017-11-19
  • Posts: 8

Re: TLS issue

To clarify
1. I installed environment (according to ired tutorial)
server name: email.mydomain.tk

2. I created a certificate :
certbot certonly --webroot  -> email.mydomain.tk

and got the path /etc/letsencrypt/live/email.mydomain.tk/
with 4 files (+ README so 5)

3. I changed the paths in files :
/etc/postfix/main.cf
---> smtpd_tls_key_file = /etc/letsencrypt/live/email.mydomain.tk/privkey.pem
---> smtpd_tls_cert_file = /etc/letsencrypt/live/email.mydomain.tk/cert.pem
---> smtpd_tls_CAfile = /etc/letsencrypt/live/email.mydomain.tk/fullchain.pem

/etc/dovecot/dovecot.conf
---> ssl_cert = </etc/letsencrypt/live/email.mydomain.tk/cert.pem
---> ssl_key = </etc/letsencrypt/live/email.mydomain.tk/privkey.pem
---> ssl_ca = </etc/letsencrypt/live/email.mydomain.tk/fullchain.pem

/etc/apache2/sites-available/default-ssl.conf
---> SSLCertificateFile /etc/letsencrypt/live/email.mydomain.tk/cert.pem
---> SSLCertificateKeyFile /etc/letsencrypt/live/email.mydomain.tk/privkey.pem
---> SSLCertificateChainFile /etc/letsencrypt/live/email.mydomain.tk/fullchain.pem

4. I opened all ports needed https://docs.iredmail.org/network.ports.html

5. I performed a test for my server https://www.htbridge.com and I saw that cert was trusted (mark A+)

One thing I noticed (probably it's not related as you've explained- swejun) : When I use Roundcube and click on "encryption" -> "Encrypt this message"
I'm getting :
"Key not found
Encryption failed. Public key not found for email@mydomain.tk.
Search on key server(s)"
There is an option "Search on key server" but it doesn't work.

Below logs from posfix. Email was sent from Roundcube without option "encryption"

Nov 22 12:38:39 email postfix/submission/smtpd[1707]: connect from email.mydomain.tk[127.0.0.1]
Nov 22 12:38:40 email postfix/submission/smtpd[1707]: Anonymous TLS connection established from email.mydomain.tk[127.0.0.1]: TLSv1.2 with cipher ECDHE-RSA-A
ES128-GCM-SHA256 (128/128 bits)
Nov 22 12:38:40 email postfix/submission/smtpd[1707]: 093552101B: client=email.mydomain.tk[127.0.0.1], sasl_method=LOGIN, sasl_username=email@mydomain.tk
Nov 22 12:38:40 email postfix/cleanup[1722]: 093552101B: message-id=<2782b78a6c5f3fdf7f9efe74b78720d1@mydomain.tk>
Nov 22 12:38:40 email postfix/qmgr[1364]: 093552101B: from=<email@mydomain.tk>, size=430, nrcpt=1 (queue active)
Nov 22 12:38:40 email roundcube: <5afqve29> User email@mydomain.tk [153.19.194.28]; Message for destination@gmail.com; 250: 2.0.0 Ok: queued as 093552101B
Nov 22 12:38:40 email postfix/submission/smtpd[1707]: disconnect from email.mydomain.tk[127.0.0.1]
Nov 22 12:38:40 email postfix/10025/smtpd[1742]: connect from email.mydomain.tk[127.0.0.1]
Nov 22 12:38:40 email postfix/10025/smtpd[1742]: 53CC32101D: client=email.mydomain.tk[127.0.0.1]
Nov 22 12:38:40 email postfix/cleanup[1722]: 53CC32101D: message-id=<2782b78a6c5f3fdf7f9efe74b78720d1@mydomain.tk>
Nov 22 12:38:40 email postfix/qmgr[1364]: 53CC32101D: from=<email@mydomain.tk>, size=1463, nrcpt=1 (queue active)
Nov 22 12:38:40 email postfix/10025/smtpd[1742]: disconnect from email.mydomain.tk[127.0.0.1]
Nov 22 12:38:40 email amavis[1407]: (01407-02) Passed CLEAN {RelayedInternal}, ORIGINATING/MYNETS LOCAL [127.0.0.1]:56295 <email@mydomain.tk> -> <destination@gm
ail.com>, Queue-ID: 093552101B, Message-ID: <2782b78a6c5f3fdf7f9efe74b78720d1@mydomain.tk>, mail_id: pi_R0OAAJO8d, Hits: -1.01, size: 430, queued_as: 53CC321
01D, dkim_new=dkim:mydomain.tk, 272 ms, Tests: [ALL_TRUSTED=-1,T_RP_MATCHES_RCVD=-0.01]
Nov 22 12:38:40 email postfix/amavis/smtp[1727]: 093552101B: to=<destination@gmail.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.37, delays=0.08/0/0/0.29, ds
n=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 53CC32101D)
Nov 22 12:38:40 email postfix/qmgr[1364]: 093552101B: removed
Nov 22 12:38:40 email postfix/smtp[1743]: connect to gmail-smtp-in.l.google.com[2a00:1450:4010:c05::1a]:25: Network is unreachable
Nov 22 12:38:40 email postfix/smtp[1743]: 53CC32101D: enabling PIX workarounds: disable_esmtp delay_dotcrlf for gmail-smtp-in.l.google.com[64.233.162.26]:25
Nov 22 12:38:41 email postfix/smtp[1743]: 53CC32101D: to=<destination@gmail.com>, relay=gmail-smtp-in.l.google.com[64.233.162.26]:25, delay=0.91, delays=0.01/0
/0.42/0.47, dsn=2.0.0, status=sent (250 2.0.0 OK 1511350721 a69si6141017ljf.68 - gsmtp)
Nov 22 12:38:41 email postfix/qmgr[1364]: 53CC32101D: removed

Regarding to your test swejun this is the output:
1.
250-email.mydomain.tk
250-PIPELINING
250-SIZE 15728640
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

_________________________________________________________________________________________________________
2.
executed for : mydomain.tk

    SMTP Banner Check    Reverse DNS does not match SMTP Banner     More Info
    SMTP Reverse DNS Mismatch    OK - x.x.x.x resolves to x.x.x.x.static.ip.netia.com.pl   
    SMTP Valid Hostname    OK - Reverse DNS is a valid Hostname   
    SMTP TLS    OK - Supports TLS.   
    SMTP Connection Time    1.028 seconds - Good on Connection time   
    SMTP Open Relay    OK - Not an open relay.   
    SMTP Transaction Time    3.615 seconds - Good on Transaction Time

_________________________________________________________________________________________________________
3.
Delivered-To: destination@gmail.com
Received: by 10.31.82.129 with SMTP id g123csp667970vkb;
        Wed, 22 Nov 2017 03:38:41 -0800 (PST)
X-Google-Smtp-Source: AGs4zMZX0B1yGpKiK0kWqhC2FXgvqPxyfY9icUq51wIkOh7Cpf/LmjjJBEqLlf9gGmiBJTHZBLIB
X-Received: by 10.46.69.67 with SMTP id s64mr7481466lja.94.1511350721218;
        Wed, 22 Nov 2017 03:38:41 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1511350721; cv=none;
        d=google.com; s=arc-20160816;
        b=SL0UM+0lxgj1qwFxRk/x8CWQWUOdlnjqlNNQlSlGqGdDMerOaFVfznqmhaeFcyBH/O
         KDwgwD9a9AMRLkFg+ky4JXvIchx+KBFBmlQ6ddjIt9UiHYSVv4FNETINnu5YZNZViQyX
         gAUMRfP5/qrtJhRX/2Cf2zIod+sZln9fWTJ3lO5mqzFwWKbId6jR8RcRyTxdRNVQjqTs
         yTcjlfUvViA6mRf+jyZioPfLwkb4tvfqyt816BzyW4VcXmPDf/+mGFi2kR4cwatGGjRK
         WFKfeyIc1dSkyQmeG9wAGqDl96DOqeOqUVSFMbbFnjVYPW/kP013biJRglu0FREGQQpN
         7Mxw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=user-agent:message-id:subject:to:from:date:mime-version
         :dkim-signature:arc-authentication-results;
        bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
        b=mwWypjdMzqQZORYklcG5GjSy3YvHknk5MrDk219UczyZ5g9iQKXXOmoYaXA5EYNGEB
         gcZ6Y+5TZSO7aRCvK0zTlI6zbbTJPBcr3DdDuBhPXGDCUKyiNJjtCWa51fbPPNI+gRf6
         wi7rVcWF4IwL0wTxjwElIBjQ1f2w3atHxmTdjWHcj0vogX9nVcs3ST4OepS7VaipLA+P
         0VdovKCJX1UgULsxA2gvkxRj10+FuuwVN5KMFzjRTPhniO9yPj6NFUT80sbjEAG+0uvN
         SPM7ca8WBYaBpCWT18dw5PTZ/bEOa+8FC9828EBQxlSV2ZEzGq5SbJVCpBt3MMatCMAw
         fJlg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@mydomain.tk header.s=dkim header.b=BdaPzzwa;
       spf=neutral (google.com: x.x.x.x is neither permitted nor denied by best guess record for domain of email@mydomain.tk) smtp.mailfrom=email@mydomain.tk
Return-Path: <email@mydomain.tk>
Received: from email.mydomain.tk (x.x.x.x.static.ip.netia.com.pl. [x.x.x.x])
        by mx.google.com with SMTP id a69si6141017ljf.68.2017.11.22.03.38.40
        for <destination@gmail.com>;
        Wed, 22 Nov 2017 03:38:41 -0800 (PST)
Received-SPF: neutral (google.com: x.x.x.x is neither permitted nor denied by best guess record for domain of email@mydomain.tk) client-ip=x.x.x.x;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@mydomain.tk header.s=dkim header.b=BdaPzzwa;
       spf=neutral (google.com: x.x.x.x is neither permitted nor denied by best guess record for domain of email@mydomain.tk) smtp.mailfrom=email@mydomain.tk
Received: from email.mydomain.tk (email.mydomain.tk [127.0.0.1]) by email.mydomain.tk (Postfix) with ESMTP id 53CC32101D for <destination@gmail.com>; Wed, 22 Nov 2017 12:38:40 +0100 (CET)
Authentication-Results: email.mydomain.tk (amavisd-new); dkim=pass (1024-bit key) reason="pass (just generated, assumed good)" header.d=mydomain.tk
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mydomain.tk; h= user-agent:message-id:subject:subject:to:from:from:date:date :mime-version; s=dkim; t=1511350720; x=1512214721; bh=frcCV1k9oG 9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; b=BdaPzzwa+AyjuotsVXiihjTnl8 o6pe+rjtLTh+LKSHXcJxPt8757fNCiCUABsMGbR6etlDIN8cvUiHV5qYYPKDivr6 97cAUDa4PhwXS/ZN/LQPAv5GbF7IUuEtp6xFLGjwvZkiDNOEm8S9H649uU2YZukw M/zyrmPNkHci4IbLQ=
X-Virus-Scanned: Debian amavisd-new at Phobos-srv
Received: from email.mydomain.tk ([127.0.0.1]) by email.mydomain.tk (email.mydomain.tk [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id pi_R0OAAJO8d for <destination@gmail.com>; Wed, 22 Nov 2017 12:38:40 +0100 (CET)
Received: from email.mydomain.tk (email.mydomain.tk [127.0.0.1]) by email.mydomain.tk (Postfix) with ESMTPSA id 093552101B for <destination@gmail.com>; Wed, 22 Nov 2017 12:38:40 +0100 (CET)
MIME-Version: 1.0
Date: Wed, 22 Nov 2017 12:38:39 +0100
From: email@mydomain.tk
To: destination@gmail.com
Subject: test
Message-ID: <2782b78a6c5f3fdf7f9efe74b78720d1@mydomain.tk>
X-Sender: email@mydomain.tk
User-Agent: Roundcube Webmail

_________________________________________________________________________________________________________
4.
Return-Path: <destination@gmail.com>
Delivered-To: email@mydomain.tk
Received: from email.mydomain.tk (email.mydomain.tk [127.0.0.1])
    by email.mydomain.tk (Postfix) with ESMTP id BAB2520F98
    for <email@mydomain.tk>; Wed, 22 Nov 2017 12:55:01 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at Phobos-srv
Authentication-Results: email.mydomain.tk (amavisd-new);
    dkim=pass (2048-bit key) header.d=gmail.com
Received: from email.mydomain.tk ([127.0.0.1])
    by email.mydomain.tk (email.mydomain.tk [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id kIMT9oBE_13v for <email@mydomain.tk>;
    Wed, 22 Nov 2017 12:54:53 +0100 (CET)
Received: from mail-ua0-f176.google.com (mail-ua0-f176.google.com [209.85.217.176])
    by email.mydomain.tk (Postfix) with ESMTPS id 85CB520F96
    for <email@mydomain.tk>; Wed, 22 Nov 2017 12:54:53 +0100 (CET)
Received: by mail-ua0-f176.google.com with SMTP id r11so10405699uah.12
    for <email@mydomain.tk>; Wed, 22 Nov 2017 03:54:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=gmail.com; s=20161025;
    h=mime-version:in-reply-to:references:from:date:message-id:subject:to;
    bh=1k1S+YmyHdLuBSylXNHBhvngQqdyz6Yh8vk+uLmnQeg=;
    b=DD7poX2jdVms99wwKoKFenrA3s5kMHCXZARJkvs7Sfz/zZMehzxiuhBadFPlu6vAsa
    uaDV/nl5md8l3NBncHFp87HM0LJoMwfXUY9+cKP/rdndMdUlsMtGij/S8y1Nv//nttBQ
    PZ2rTrdkJcv52QQjAb4l3kBjSZhAKO2p1zTw49EwdSFLtYNqRbxTocaFIveOGJt2CtXp
    X59mm8DU3fCeYpiiySZh66SifOwFo8XxjZ3/N1uUGqBjakn/VtN8HiVVIuvEadiIKXVW
    C5r5moLh76R5NmiBYteIXCyxkVb7tDI191L1+bWXROJyV4Sr7P4GfaPpAqtivto5cflP
    3dPA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=1e100.net; s=20161025;
    h=x-gm-message-state:mime-version:in-reply-to:references:from:date
    :message-id:subject:to;
    bh=1k1S+YmyHdLuBSylXNHBhvngQqdyz6Yh8vk+uLmnQeg=;
    b=YqLyPuvn+6s3H0k240XFsqlneXx1WFxbd87nAVz89qO6va3Q5eSmNltiSoSQpSoCYr
    vemQbZtUf9RSTJ265uJy8HXqV8+nbFMKthBHUEkG6Kke7S3Z6Onfk7iKg06LCflQyVUZ
    S3PI025rOCisRF9Y2YxbiKkDJShd7d3C5mLuN3JOQ15ScZtgAcS2Z10b+FyoLtDXLEiB
    YmMZJ/fOeudqQ+d4CDPRvzsQ69JdG59WUnnzyTbfKq+pPGpHAUPgp9R00FrhNdH6WzXI
    zzkOEnj16zVVRWLNer252uvSoFFJRIyOP+35wSuNJNSx7Sobi6fo05UwCjPrS+3spf3Q
    LpUw==
X-Gm-Message-State: AJaThX5WzEm6lefVteFmtHZqmJDLPR6A7580FNYMWV5pwB9U4mUbJYT3
    EYOAsTxIf9IULGDZe9YrTbbTzljx+DGy86gtfLg=
X-Google-Smtp-Source: AGs4zMZsZDMTG5VNNlRLdkmcmUGDyFxzlxHhRIStVXA0v89w6Kwtc7u/0ge2Tmdhe/DEu8/ll/XeYaL8yY7xEIzcPgo=
X-Received: by 10.176.20.81 with SMTP id c17mr16592612uae.136.1511351685743;
    Wed, 22 Nov 2017 03:54:45 -0800 (PST)
MIME-Version: 1.0
Received: by 10.31.15.65 with HTTP; Wed, 22 Nov 2017 03:54:45 -0800 (PST)
In-Reply-To: <2782b78a6c5f3fdf7f9efe74b78720d1@mydomain.tk>
References: <2782b78a6c5f3fdf7f9efe74b78720d1@mydomain.tk>
From: XXX <destination@gmail.com>
Date: Wed, 22 Nov 2017 12:54:45 +0100
Message-ID: <CAGNMsnxer7jbcproWG7355vW+HQ0obGdnQ20QLG6V__zPq+vaQ@mail.gmail.com>
Subject: Re: test
To: email@mydomain.tk
Content-Type: multipart/alternative; boundary="001a1145387a5c0d7e055e90fc10" 


Thanks

Simon

8 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,163

Re: TLS issue

The "encrypted" indicator in Gmail means the secure SMTP session established with SSL/TLS.

With "smtp_tls_security_level = may", Postfix will try secure connection to remote host first, and fallback to insecure connection if unavailable.

Please check Postfix log to see whether Postfix successfully established secure connection to Gmail server.

9 Reply by simixant (edited by simixant 2017-11-23 21:09:44)

  • simixant
  • Member
  • Offline
  • Registered: 2017-11-19
  • Posts: 8

Re: TLS issue

These are the logs from postfix:

simixant wrote:

Below logs from posfix. Email was sent from Roundcube without option "encryption"

Nov 22 12:38:39 email postfix/submission/smtpd[1707]: connect from email.mydomain.tk[127.0.0.1]
Nov 22 12:38:40 email postfix/submission/smtpd[1707]: Anonymous TLS connection established from email.mydomain.tk[127.0.0.1]: TLSv1.2 with cipher ECDHE-RSA-A
ES128-GCM-SHA256 (128/128 bits)
Nov 22 12:38:40 email postfix/submission/smtpd[1707]: 093552101B: client=email.mydomain.tk[127.0.0.1], sasl_method=LOGIN, sasl_username=email@mydomain.tk
Nov 22 12:38:40 email postfix/cleanup[1722]: 093552101B: message-id=<2782b78a6c5f3fdf7f9efe74b78720d1@mydomain.tk>
Nov 22 12:38:40 email postfix/qmgr[1364]: 093552101B: from=<email@mydomain.tk>, size=430, nrcpt=1 (queue active)
Nov 22 12:38:40 email roundcube: <5afqve29> User email@mydomain.tk [153.19.194.28]; Message for destination@gmail.com; 250: 2.0.0 Ok: queued as 093552101B
Nov 22 12:38:40 email postfix/submission/smtpd[1707]: disconnect from email.mydomain.tk[127.0.0.1]
Nov 22 12:38:40 email postfix/10025/smtpd[1742]: connect from email.mydomain.tk[127.0.0.1]
Nov 22 12:38:40 email postfix/10025/smtpd[1742]: 53CC32101D: client=email.mydomain.tk[127.0.0.1]
Nov 22 12:38:40 email postfix/cleanup[1722]: 53CC32101D: message-id=<2782b78a6c5f3fdf7f9efe74b78720d1@mydomain.tk>
Nov 22 12:38:40 email postfix/qmgr[1364]: 53CC32101D: from=<email@mydomain.tk>, size=1463, nrcpt=1 (queue active)
Nov 22 12:38:40 email postfix/10025/smtpd[1742]: disconnect from email.mydomain.tk[127.0.0.1]
Nov 22 12:38:40 email amavis[1407]: (01407-02) Passed CLEAN {RelayedInternal}, ORIGINATING/MYNETS LOCAL [127.0.0.1]:56295 <email@mydomain.tk> -> <destination@gm
ail.com>, Queue-ID: 093552101B, Message-ID: <2782b78a6c5f3fdf7f9efe74b78720d1@mydomain.tk>, mail_id: pi_R0OAAJO8d, Hits: -1.01, size: 430, queued_as: 53CC321
01D, dkim_new=dkim:mydomain.tk, 272 ms, Tests: [ALL_TRUSTED=-1,T_RP_MATCHES_RCVD=-0.01]
Nov 22 12:38:40 email postfix/amavis/smtp[1727]: 093552101B: to=<destination@gmail.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.37, delays=0.08/0/0/0.29, ds
n=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 53CC32101D)
Nov 22 12:38:40 email postfix/qmgr[1364]: 093552101B: removed
Nov 22 12:38:40 email postfix/smtp[1743]: connect to gmail-smtp-in.l.google.com[2a00:1450:4010:c05::1a]:25: Network is unreachable
Nov 22 12:38:40 email postfix/smtp[1743]: 53CC32101D: enabling PIX workarounds: disable_esmtp delay_dotcrlf for gmail-smtp-in.l.google.com[64.233.162.26]:25
Nov 22 12:38:41 email postfix/smtp[1743]: 53CC32101D: to=<destination@gmail.com>, relay=gmail-smtp-in.l.google.com[64.233.162.26]:25, delay=0.91, delays=0.01/0
/0.42/0.47, dsn=2.0.0, status=sent (250 2.0.0 OK 1511350721 a69si6141017ljf.68 - gsmtp)
Nov 22 12:38:41 email postfix/qmgr[1364]: 53CC32101D: removed

Anonymous TLS connection established from email.mydomain.tk[127.0.0.1]: TLSv1.2 with cipher ECDHE-RSA-A - it means about TLS session?

10 Reply by rain6966

  • rain6966
  • Member
  • Offline
  • Registered: 2012-04-13
  • Posts: 64

Re: TLS issue

1).

simixant wrote:

Nov 22 12:38:40 email postfix/smtp[1743]: 53CC32101D: enabling PIX workarounds: disable_esmtp delay_dotcrlf for gmail-smtp-in.l.google.com[64.233.162.26]:25

enabling PIX workarounds: disable_esmtp delay_dotcrlf
pls. FYI :
http://postfix.1071664.n5.nabble.com/te … amp;user=6

and :
"TLS Forward Secrecy in Postfix"
http://www.postfix.org/FORWARD_SECRECY_ … uick-start

http://postfix.1071664.n5.nabble.com/te … mp;user=45

11 Reply by simixant

  • simixant
  • Member
  • Offline
  • Registered: 2017-11-19
  • Posts: 8

Re: TLS issue

Oo it works! I've disabled ESMTP on ASA firewall. I've spent a lot of time since now! Many thanks! smile