Issue PostFix TLS fails between servers

[bsass]

So I followed the directions on adding a Let's Encrypt certificate here on GitHub for securing PostFix and Dove Cot

Secure Mail Server · plesk/letsencrypt-plesk Wiki · GitHub

And everything Client <--> Server is working perfectly, using Outlook 2016 and the mail app on iOS also tested TLS inbound with a site here:

// email / test To:

But when I test going from My Server --> to Gmail it falls back to plain text. If I go into my PostFix main.cf and comment out the 6 added lines and change it back to the normal Plesk configuration sending to Gmail works with TLS. I'm at a loss at what is going on.

I'm running:
OS:
‪CentOS Linux 7.3.1611 (Core)

Plesk version:
12.5.30 Update #67, last updated at May 30, 2017 03:50 AM

With the newest Let's Encrypt Plugin 2.1.0

Here is a copy of my main.cf file

# readme_directory: The location of the Postfix README files.
#
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
transport_maps = , hash:/var/spool/postfix/plesk/transport
#smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
#smtpd_tls_key_file = $smtpd_tls_cert_file

smtpd_tls_cert_file = /usr/local/psa/var/modules/letsencrypt/etc/live/securemail.mydomain.com/fullchain.pem
smtpd_tls_key_file = /usr/local/psa/var/modules/letsencrypt/etc/live/securemail.mydomain.com/privkey.pem
smtpd_tls_CAfile = /usr/local/psa/var/modules/letsencrypt/etc/live/securemail.mydomain.com/chain.pem

smtp_tls_cert_file = /opt/psa/var/modules/letsencrypt/etc/live/securemail.mydomain.com/fullchain.pem
smtp_tls_key_file = /opt/psa/var/modules/letsencrypt/etc/live/securemail.mydomain.com/privkey.pem
smtp_tls_CAfile = /opt/psa/var/modules/letsencrypt/etc/live/securemail.mydomain.com/chain.pem

smtpd_tls_security_level = may
smtpd_use_tls = yes
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_timeout = 3600s
smtpd_proxy_timeout = 3600s
disable_vrfy_command = yes
mynetworks =
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client dnsrbl.org
smtp_send_xforward_command = yes
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
virtual_mailbox_base = /var/qmail/mailnames
virtual_uid_maps = static:30
virtual_gid_maps = static:31
smtpd_milters = , inet:127.0.0.1:12768
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
virtual_transport = plesk_virtual
plesk_virtual_destination_recipient_limit = 1
mailman_destination_recipient_limit = 1
mailbox_size_limit = 0
virtual_mailbox_limit = 0
smtpd_tls_mandatory_protocols = TLSv1 TLSv1.1 TLSv1.2
smtpd_tls_protocols = TLSv1 TLSv1.1 TLSv1.2
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = HIGH:!aNULL:!MD5
myhostname = server3.mydomain.com
message_size_limit = 52428800

Any help is appreciated.

Thanks!

 

[UFHH01]

Hi bsass,

You missed to configure your networks:

mynetworks =

Correct configuration sample:

...

relayhost =
mynetworks = , 127.0.0.0/8 [::1]/128 XXX.XXX.XXX.XX1/32 XXX.XXX.XXX.XX2/32

...

... where XXX.XXX.XXX.XX1 or/and XXX.XXX.XXX.XX2 should be replaced with EACH associated IP of your server.
​

Pls. don't forget to adjust your master.cf with for example:

...
# ======================================================================================
# Special hostname configurations to fit SMTP banner and certificates - port 25
# ======================================================================================
localhost:smtp inet n - - - - smtpd
    -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/securemail.mydomain.com/privkey.pem
    -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/securemail.mydomain.com/cert.pem
    -o smtp_tls_CAfile=/usr/local/psa/var/modules/letsencrypt/etc/live/securemail.mydomain.com/fullchain.pem
    -o smtp_helo_name=mydomain.com
    -o myhostname=securemail.mydomain.com
    -o cleanup_service_name=pre-cleanup
   
XXX.XXX.XXX.XX1:smtp inet n - - - - smtpd
    -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/securemail.mydomain.com/privkey.pem
    -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/securemail.mydomain.com/cert.pem
    -o smtp_tls_CAfile=/usr/local/psa/var/modules/letsencrypt/etc/live/securemail.mydomain.com/fullchain.pem
    -o smtp_helo_name=mydomain.com
    -o myhostname=mail.mydomain.com
    -o cleanup_service_name=pre-cleanup

# ======================================================================================
# Special hostname configurations to fit SMTP banner and certificates - port 465
# ======================================================================================
localhost:smtps   inet n - - - - smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/securemail.mydomain.com/privkey.pem
    -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/securemail.mydomain.com/cert.pem
    -o smtp_tls_CAfile=/usr/local/psa/var/modules/letsencrypt/etc/live/securemail.mydomain.com/fullchain.pem
    -o smtp_helo_name=mydomain.com
    -o myhostname=securemail.mydomain.com
       
XXX.XXX.XXX.XX1:smtps   inet n - - - - smtpd 
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/securemail.mydomain.com/privkey.pem
    -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/securemail.mydomain.com/cert.pem
    -o smtp_tls_CAfile=/usr/local/psa/var/modules/letsencrypt/etc/live/securemail.mydomain.com/fullchain.pem
    -o smtp_helo_name=mydomain.com
    -o myhostname=mail.mydomain.com
   
# ======================================================================================
# Special hostname configurations to fit SMTP banner and certificates - port 587
# ======================================================================================
localhost:submission inet n - - - - smtpd 
    -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/securemail.mydomain.com/privkey.pem
    -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/securemail.mydomain.com/cert.pem
    -o smtp_tls_CAfile=/usr/local/psa/var/modules/letsencrypt/etc/live/securemail.mydomain.com/fullchain.pem
    -o smtpd_enforce_tls=yes 
    -o smtpd_tls_security_level=encrypt 
    -o smtpd_sasl_auth_enable=yes 
    -o smtp_helo_name=mydomain.com
    -o myhostname=mail.mydomain.com

XXX.XXX.XXX.XX1:submission inet n - - - - smtpd 
    -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/securemail.mydomain.com/privkey.pem
    -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/securemail.mydomain.com/cert.pem
    -o smtp_tls_CAfile=/usr/local/psa/var/modules/letsencrypt/etc/live/securemail.mydomain.com/fullchain.pem
    -o smtpd_enforce_tls=yes 
    -o smtpd_tls_security_level=encrypt 
    -o smtpd_sasl_auth_enable=yes 
    -o smtp_helo_name=mydomain.com
    -o myhostname=mail.mydomain.com
   
# ======================================================================================
# Special hostname configurations to fit SMTP banner and certificates - Plesk-modified
# ======================================================================================
plesk-mydomain.com-XXX.XXX.XXX.XX1- unix - n n - - smtp 
    -o smtpd_enforce_tls=yes 
    -o smtpd_tls_security_level=encrypt 
    -o smtpd_sasl_auth_enable=yes 
    -o smtpd_tls_key_file=/usr/local/psa/var/modules/letsencrypt/etc/live/securemail.mydomain.com/privkey.pem
    -o smtpd_tls_cert_file=/usr/local/psa/var/modules/letsencrypt/etc/live/securemail.mydomain.com/cert.pem
    -o smtpd_tls_CAfile=/usr/local/psa/var/modules/letsencrypt/etc/live/securemail.mydomain.com/cert.pem
    -o smtp_bind_address=XXX.XXX.XXX.XX1 
    -o smtp_bind_address6=   
    -o smtp_address_preference=ipv4 
    -o smtp_helo_name=mydomain.com
    -o myhostname=mail.mydomain.com
    -o cleanup_service_name=pre-cleanup
...

Pls. don't forget to backup your main.cf + master.cf, before you make any changes and pls. post possible issues/errors/problems from your mail.log if you experience any issues, or if you have any further questions.

 

[bsass]

Hi UFHH01, I adjusted the mynetworks in the main.cf to

mynetworks = 127.0.0.0/8 [::1]/128 XXX.XXX.XXX.198/32

As for the master.cf file do I need to append all of what you posted to the end of that file? As looking at mine I don't see anything like that in the file at all.

Thanks!

 

[bsass]

Here is a copy of the current master.cf

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
#submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       n       -       -       qmqpd
cleanup   unix  n       -       n       -       0       cleanup
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop  unix  -       n       n       -       -       pipe
#  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp      unix  -       n       n       -       -       pipe
#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# ====================================================================
#
# Other external delivery methods.
#
#ifmail    unix  -       n       n       -       -       pipe
#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp     unix  -       n       n       -       -       pipe
#  flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix -       n       n       -       2       pipe
#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
#  ${nexthop} ${user} ${extension}
#
#mailman   unix  -       n       n       -       -       pipe
#  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
#  ${nexthop} ${user}

plesk_virtual unix - n n - - pipe flags=DORhu user=popuser:popuser argv=/usr/lib64/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p /var/qmail/mailnames
mailman unix - n n - - pipe flags=R user=mailman:mailman argv=/usr/lib64/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}
pickup fifo n - n 60 1 pickup
plesk_saslauthd unix y y n - 1 plesk_saslauthd status=5 listen=6 dbpath=/var/spool/postfix/plesk/passwd.db
qmgr fifo n - n 1 1 qmgr
smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes


submission inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=may -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination


plesk-XXX.XXX.XXX.198- unix - n n - - smtp -o smtp_bind_address=XXX.XXX.XXX.198 -o smtp_bind_address6= -o smtp_address_preference=ipv4

Thanks

 

[UFHH01]

Hi bsass,

pls. have a CLOSER look at the given sample and your current master.cf:

smtp unix - - n - - smtp

smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes

submission inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=may -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

plesk-XXX.XXX.XXX.198- unix - n n - - smtp -o smtp_bind_address=XXX.XXX.XXX.198 -o smtp_bind_address6= -o smtp_address_preference=ipv4

As you can see, there are only "global", "standart" configurations and the modifications made by Plesk.


"localhost:smtp" / "localhost:smtps" / "localhost:submission" are the equivalents for the standarts ( you only have that currently without "localhost:" ), but due to the fact, that you might want to add additional domains and IPs on your server, with different certificates, you might want to modify that with the given sample.

"plesk-XXX.XXX.XXX.198-" is already modified by Plesk, according to your settings at: => HOME > Tools & Settings > Mail Server Settings > Outgoing mail mode , but if you desire different SSL certificates for IPs and domains hosted on your server, you need the suggestions from the sample.