OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: Cordial on September 25, 2021, 04:13:35 pm

Title: Postfix 21.7.3_1
Post by: Cordial on September 25, 2021, 04:13:35 pm
Hello,

I'm setting up another Postfix server, but for the first time with version 21.7.3_1.

Setup as always with ACME certificate: see attached picture 1.

I cannot activate "Allow TLS Only". I get this log for every mail sent: see attached picture 2.

I don't know what the problem is. Can somebody help?

Dear
Peter
Title: Re: Postfix 21.7.3_1
Post by: mimugmail on September 25, 2021, 05:01:13 pm
I don't click on such links.
Title: Re: Postfix 21.7.3_1
Post by: Fright on September 25, 2021, 07:39:40 pm
Hi,
What if you set "Old" TLS Server Compatibility and TLS Client Compatibility (if you do not use a smart host)?
Title: Re: Postfix 21.7.3_1
Post by: Cordial on September 28, 2021, 09:33:22 am
Hi,

"Allow TLS Only" -> whatever I set in Server/Client, I click on it, save, refresh, and it is not activated, and nothing is logged as to why.

I get "Untrusted TLS Connection" to every server. Is there something missing? Like this:

smtp_tls_CApath = /etc/ssl/certs
smtpd_tls_CApath = /etc/ssl/certs

-----------

The SSL_accept error between Postfix and Exchange should be fixed now. I configured some protocols on Exchange. Now it works.

Title: Re: Postfix 21.7.3_1
Post by: Cordial on September 28, 2021, 11:06:00 am
Here is my config:

Code:
##########################
# START SYSTEM DEFAULTS
##########################
alias_database = hash:/usr/local/etc/postfix/aliases
alias_maps = hash:/usr/local/etc/postfix/aliases
compatibility_level = 2
queue_directory = /var/spool/postfix
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 550
mynetworks_style = host
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         ddd $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/local/sbin/sendmail
newaliases_path = /usr/local/bin/newaliases
mailq_path = /usr/local/bin/mailq
setgid_group = maildrop
html_directory = no
manpage_directory = /usr/local/man
sample_directory = /usr/local/etc/postfix
readme_directory = no
inet_protocols = ipv4
meta_directory = /usr/local/libexec/postfix
shlib_directory = /usr/local/lib/postfix
relay_domains = hash:/usr/local/etc/postfix/transport
transport_maps = hash:/usr/local/etc/postfix/transport
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
sender_bcc_maps = hash:/usr/local/etc/postfix/senderbcc
recipient_bcc_maps = hash:/usr/local/etc/postfix/recipientbcc
sender_canonical_maps = regexp:/usr/local/etc/postfix/sendercanonical
header_checks = regexp:/usr/local/etc/postfix/header_checks_receiving
smtp_header_checks = regexp:/usr/local/etc/postfix/header_checks_delivering
##########################
# END SYSTEM DEFAULTS
##########################

myhostname = "SECRET"
mydomain = "SECRET"
myorigin = $myhostname
inet_interfaces = all
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.4/32
smtpd_banner = "SECRET"
message_size_limit = 31200000

smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_ciphers = medium
smtp_tls_protocols = $smtp_tls_mandatory_protocols
smtp_tls_ciphers = $smtp_tls_mandatory_ciphers
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_cert_file = /usr/local/etc/postfix/cert_opn.pem
smtpd_tls_CAfile = /usr/local/etc/postfix/ca_opn.pem
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_dh1024_param_file = /usr/local/etc/dh-parameters.2048
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
smtpd_tls_ciphers = $smtpd_tls_mandatory_ciphers
tls_low_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_preempt_cipherlist = no


smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/smtp_auth
smtp_sasl_security_options =


smtpd_milters = unix:/var/run/rspamd/milter.sock
non_smtpd_milters = $smtpd_milters
milter_protocol = 6
milter_default_action = accept

relay_recipient_maps = hash:/usr/local/etc/postfix/recipient_access


smtpd_recipient_restrictions = check_recipient_access hash:/usr/local/etc/postfix/recipient_access, reject_unknown_client_hostname, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, reject_unauth_pipelining, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, permit_mynetworks, reject_unauth_destination


smtpd_helo_required = yes

smtpd_helo_restrictions =
        permit_mynetworks,
Title: Re: Postfix 21.7.3_1
Post by: Cordial on September 28, 2021, 01:21:19 pm
I think the "Allow only TLS" button is no longer necessary.

In this version you always send/receive TLS. With modern, intermediate and old you decide between TLS 1.1, TLS 1.2 and TLS 1.3. With the TLS setting "may" the server decides how to handle it with the other server.

But I think for sending over TLS with a "letsencrypt" certificate there is one line missing, or am I wrong?

These lines:

smtp_tls_CApath =
Title: Re: Postfix 21.7.3_1
Post by: Fright on September 28, 2021, 03:43:41 pm
@Cordial
Quote
I think the "Allow only TLS" button is no longer necessary.
IMHO yes. After https://github.com/opnsense/plugins/pull/2255 this field does not seem to be used.
A little cleanup is needed.

Quote
smtp_tls_CApath =
IMHO this is for client mode (Postfix as a client) and required when smtp_tls_security_level is set to "verify" (mandatory verification of the receiving server's certificate), and the plugin only allows choosing between "none", "may" and "encrypt".
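As an added example (not code from the thread or from the OPNsense plugin), the script below reads Postfix smtp/smtpd TLS handshake log lines and shows why "Untrusted TLS connection" is the expected outcome of smtp_tls_security_level = may: the session is encrypted, but the peer's certificate chain was never validated. It also flags handshakes that used protocols the thread's config excludes via smtp(d)_tls_mandatory_protocols. The log sample, hostnames, IPs and PIDs are constructed.

```python
import re
from collections import Counter

# Constructed sample in standard Postfix log format; not taken from the thread.
SAMPLE_LOG = """\
Sep 28 09:31:02 fw postfix/smtp[4711]: Untrusted TLS connection established to mx1.example.net[203.0.113.10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Sep 28 09:31:09 fw postfix/smtp[4712]: Untrusted TLS connection established to mail.example.org[203.0.113.22]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep 28 09:32:41 fw postfix/smtpd[4720]: Anonymous TLS connection established from legacy.example.com[198.51.100.7]: TLSv1.1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
Sep 28 09:33:15 fw postfix/smtp[4725]: Verified TLS connection established to smtp.example.com[203.0.113.40]:25: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
Sep 28 09:34:00 fw postfix/smtp[4730]: connect to dead.example.net[203.0.113.99]:25: Connection refused
"""

# smtp = Postfix as client (outbound), smtpd = Postfix as server (inbound).
# Trust levels as Postfix logs them: Anonymous, Untrusted, Trusted, Verified.
TLS_LINE = re.compile(
    r"postfix/(?P<daemon>smtpd?)\[\d+\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?:to|from) (?P<peer>\S+?)(?::\d+)?: "
    r"(?P<proto>TLSv1(?:\.[123])?|SSLv3) with cipher (?P<cipher>\S+)"
)

# Protocols the thread's main.cf disables with "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1".
DISALLOWED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_tls_lines(text):
    """Return one dict per TLS handshake line; lines without a handshake are skipped."""
    return [m.groupdict() for m in (TLS_LINE.search(l) for l in text.splitlines()) if m]


def summarize(records):
    """Count handshakes by (daemon, trust level) and list policy deviations.

    With smtp_tls_security_level = may, outbound sessions log "Untrusted": the
    chain was not checked against a CA store (smtp_tls_CApath unused). Only
    "Verified" means the chain was valid and matched the destination name.
    """
    by_trust = Counter((r["daemon"], r["trust"]) for r in records)
    old_proto = [r for r in records if r["proto"] in DISALLOWED]
    unverified = [r for r in records if r["daemon"] == "smtp" and r["trust"] != "Verified"]
    return {"by_trust": by_trust, "old_proto": old_proto, "unverified_outbound": unverified}


if __name__ == "__main__":
    summary = summarize(parse_tls_lines(SAMPLE_LOG))
    for (daemon, trust), n in sorted(summary["by_trust"].items()):
        print(f"{daemon:6} {trust:10} {n}")
    for r in summary["old_proto"]:
        print(f"policy deviation: {r['peer']} negotiated {r['proto']}")
```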