Fix untrusted TLS connection established with Gmail, Yahoo... for Postfix


#1

Hello world,

Do you have any idea why I get this error with Let's Encrypt when I send email via Postfix? Thanks,

> Mar 27 11:36:23 Mathis postfix/qmgr[13440]: 9C0991C7E2: from=<no-reply@lightpics.net>, size=561, nrcpt=1 (queue active)
> Mar 27 11:36:23 Mathis postfix/smtp[13461]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[64.233.166.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

#2

I don’t think GMail is using Let’s Encrypt?


#3

It has to do with forcing Postfix to recognize the /etc/ssl/certs/ store as trusted, but I don’t know how to do it… I have exactly the same problem and it doesn’t have to do with LE.


#4

Works with Gandi :heart_eyes:

TLS connection established to spool.mail.gandi.net[217.70.184.6]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)

but also doesn't work with Yahoo… very strange. :anguished:

Untrusted TLS connection established to mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)


#5

Nope, I am sorry to disappoint you, but it doesn’t work with Gandi. Trusted connections should read “Trusted TLS connection established …” and here Gandi doesn’t show Trusted or Untrusted because the cipher used (AECDH-AES256-SHA) is an anonymous (Elliptic Curve) cipher.


#6

Yup, that's working.

Mar 27 12:35:43 Mathis postfix/smtp[15592]: Trusted TLS connection established to gmail-smtp-in.l.google.com[64.233.166.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)


Mar 27 12:41:15 Mathis postfix/smtp[15626]: Trusted TLS connection established to mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)


If you have this bug, add these 2 lines to your main.cf (Debian, Ubuntu…):

smtp_tls_CApath = /etc/ssl/certs
smtpd_tls_CApath = /etc/ssl/certs

Have a nice day :smirk:


#7

Thanks a lot, you saved my time in researching that!!


#8

My Postfix works well when sending out (smtp), but when receiving, smtpd always says:
Anonymous TLS connection established from mail-io0-f169.google.com[209.85.223.169]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

I never saw “Trusted …”, what is wrong with my configuration?
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_cert_file = /etc/letsencrypt/live/xxxxxxx.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/xxxxxxx.com/privkey.pem
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = high

Although it doesn’t say “Trusted”, the connection is established correctly and email arrives without issue. So is the “Anonymous” normal?


#9

I think in this situation it means the lack of client certificate authentication, which is normal. So this anonymous isn’t a problem.

The usage of CBC-AES is IMHO something you could have a look at :stuck_out_tongue:
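Pulling together the fix in #6 and the “Anonymous” question in #8/#9: the script below is an added example, not something posted in the thread. It classifies Postfix TLS log lines by the trust level Postfix prints in front of “TLS connection established” (Verified, Trusted, Untrusted, Anonymous), so you can confirm from mail.log that the CApath change actually turned Untrusted outbound handshakes into Trusted ones, and list the destinations that are still unverifiable. The log lines embedded in it are constructed to mirror the ones quoted above, not a real capture; `apply_capath_fix` assumes a Postfix install with `postconf` in PATH and is defined but never run by the script.

```shell
#!/bin/sh
# Added example (not from the thread): classify Postfix TLS handshake log lines
# by trust level and show the commands behind the CApath fix from post #6.

# Constructed sample log, modelled on the lines quoted in the thread (not a real capture).
SAMPLE_LOG=$(cat <<'EOF'
Mar 27 11:36:23 Mathis postfix/smtp[13461]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[64.233.166.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar 27 11:40:10 Mathis postfix/smtp[13470]: Untrusted TLS connection established to mx-eu.mail.am0.yahoodns.net[188.125.69.79]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar 27 11:42:05 Mathis postfix/smtp[13475]: Anonymous TLS connection established to spool.mail.gandi.net[217.70.184.6]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Mar 27 12:35:43 Mathis postfix/smtp[15592]: Trusted TLS connection established to gmail-smtp-in.l.google.com[64.233.166.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar 27 12:50:00 Mathis postfix/smtpd[15700]: Anonymous TLS connection established from mail-io0-f169.google.com[209.85.223.169]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
EOF
)

# tls_report: read a Postfix mail.log on stdin, print one line per TLS handshake:
#   <direction> <level> <peer> <cipher> <peer-cert>
# direction : outbound = smtp(8) client, inbound = smtpd(8) server
# level     : Verified/Trusted/Untrusted/Anonymous as logged, "None" if no prefix
# peer-cert : "no-cert" for anonymous key exchange (ADH/AECDH), i.e. the peer
#             never presented a certificate at all, so there was nothing to verify
tls_report() {
    awk '
    / TLS connection established (to|from) / {
        dir = ($0 ~ / established to /) ? "outbound" : "inbound"
        level = "None"
        if      ($0 ~ /Verified TLS connection/)  level = "Verified"
        else if ($0 ~ /Untrusted TLS connection/) level = "Untrusted"
        else if ($0 ~ /Trusted TLS connection/)   level = "Trusted"
        else if ($0 ~ /Anonymous TLS connection/) level = "Anonymous"
        split($0, parts, / established (to|from) /)
        rest = parts[2]
        peer = rest;   sub(/\[.*/, "", peer); sub(/:.*/, "", peer)
        cipher = rest; sub(/.*with cipher /, "", cipher); sub(/ .*/, "", cipher)
        cert = (cipher ~ /^A(DH|ECDH)-/) ? "no-cert" : "cert"
        printf "%s %s %s %s %s\n", dir, level, peer, cipher, cert
    }'
}

# count_level LEVEL: number of handshakes logged at that trust level
count_level() {
    tls_report | awk -v lvl="$1" '$2 == lvl { n++ } END { print n + 0 }'
}

# untrusted_peers: destinations whose certificate chain Postfix could not verify.
# After adding smtp_tls_CApath this list should shrink to hosts whose CA really
# is not present in /etc/ssl/certs.
untrusted_peers() {
    tls_report | awk '$1 == "outbound" && $2 == "Untrusted" { print $3 }' | sort -u
}

# apply_capath_fix: the two main.cf settings from post #6, set via postconf(1).
# Assumes Postfix is installed; this function is defined but NOT executed here.
apply_capath_fix() {
    postconf -e "smtp_tls_CApath = /etc/ssl/certs" "smtpd_tls_CApath = /etc/ssl/certs"
    postfix reload
    postconf -n | awk '/_tls_CApath/'
}

# Demo on the constructed sample (no network and no Postfix needed)
printf '%s\n' "$SAMPLE_LOG" | tls_report
printf 'untrusted outbound handshakes: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_level Untrusted)"
```

Two things worth keeping in mind when reading those labels. “Untrusted” only means the remote certificate chain did not verify against the CAs Postfix knows about; the session is still encrypted, and with `smtp_tls_security_level = may` Postfix delivers regardless, so Trusted vs Untrusted is informational until you raise the level to `verify`/`secure` (or use DANE) for specific destinations. “Anonymous” on the smtpd side (#8) means the connecting client sent no certificate; smtpd only logs Trusted for a client when `smtpd_tls_ask_ccert = yes` and the client presents a chain that verifies, which public MTAs do not do. For `smtp_tls_CApath` itself, Postfix requires the directory to carry OpenSSL hash links (`c_rehash` / `openssl rehash`; Debian's `update-ca-certificates` maintains them for /etc/ssl/certs) and, if smtp(8) runs chrooted, the directory or a copy must be present inside the chroot.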

