Postfix-sent emails showing as unsecured when TLS is enabled

Hm, too bad, that doesn’t tell me much. Actually, it does.

Compare these headers:

Yours:

Mine:

Received: from lb1-smtp-cloud9.xs4all.net (lb1-smtp-cloud9.xs4all.net. [194.109.24.22])
        by mx.google.com with ESMTPS id o12si3380366edq.34.2020.05.21.07.56.55
        for <...@gmail.com>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 21 May 2020 07:56:56 -0700 (PDT)

GMail lists the TLS only if it’s present. If it’s lacking, the mention of the TLS is lacking. As such, it seems your Postfix indeed doesn’t send its mail through a secure channel.

Have you removed the client authentication part of your configuration already and tried again?

What do you mean “remove client authentication”?

See the second part of my previous post: Postfix-sent emails showing as unsecured when TLS is enabled

I have done that, and it still shows as insecure.

What does your Postfix log say when you send an email to GMail?

May 21 16:16:01 redstonedesigner postfix/sendmail[17638]: warning: /etc/postfix/main.cf, line 23: overriding earlier entry: smtpd_tls_session_cache_database=btree:{data_directory}/smtpd_scache
May 21 16:16:01 redstonedesigner postfix/postdrop[17639]: warning: /etc/postfix/main.cf, line 23: overriding earlier entry: smtpd_tls_session_cache_database=btree:{data_directory}/smtpd_scache
May 21 16:16:01 redstonedesigner postfix/pickup[7272]: 648AE20401F7: uid=0 from=
May 21 16:16:01 redstonedesigner postfix/cleanup[16069]: 648AE20401F7: message-id=20200521151601.648AE20401F7@redstonedesigner.com
May 21 16:16:01 redstonedesigner postfix/qmgr[7273]: 648AE20401F7: from=root@redstonedesigner.com, size=711, nrcpt=1 (queue active)
May 21 16:16:01 redstonedesigner postfix/local[7976]: 648AE20401F7: to=root@redstonedesigner.com, orig_to=, relay=local, delay=0.06, delays=0.06/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
May 21 16:16:01 redstonedesigner postfix/qmgr[7273]: 648AE20401F7: removed

Could you please set smtp_tls_loglevel to 1, reload Postfix, try again and post the log of that attempt again?

May 21 17:28:56 redstonedesigner postfix/trivial-rewrite[2778]: warning: /etc/postfix/main.cf, line 23: overriding earlier entry: smtpd_tls_session_cache_database=btree:{data_directory}/smtpd_scache
May 21 17:28:56 redstonedesigner postfix/cleanup[2777]: F060520401F2: message-id=<1590078536.2773@redstonedesigner.com>
May 21 17:28:57 redstonedesigner postfix/qmgr[1982]: F060520401F2: from=<noreply@redstonedesigner.com>, size=671, nrcpt=1 (queue active)
May 21 17:28:57 redstonedesigner postfix/smtp[2779]: warning: /etc/postfix/main.cf, line 23: overriding earlier entry: smtpd_tls_session_cache_database=btree:{data_directory}/smtpd_scache
May 21 17:28:57 redstonedesigner postfix/smtp[2779]: F060520401F2: to=redstonedesigner1@gmail.com, relay=gmail-smtp-in.l.google.com[173.194.76.27]:25, delay=0.37, delays=0.08/0.02/0.06/0.22, dsn=2.0.0, status=sent (250 2.0.0 OK 1590078537 h15si5374954wrx.350 - gsmtp)
May 21 17:28:57 redstonedesigner postfix/qmgr[1982]: F060520401F2: removed
May 21 17:29:01 redstonedesigner postfix/sendmail[2891]: warning: /etc/postfix/main.cf, line 23: overriding earlier entry: smtpd_tls_session_cache_database=btree:{data_directory}/smtpd_scache
May 21 17:29:01 redstonedesigner postfix/postdrop[2892]: warning: /etc/postfix/main.cf, line 23: overriding earlier entry: smtpd_tls_session_cache_database=btree:{data_directory}/smtpd_scache
May 21 17:29:01 redstonedesigner postfix/pickup[1983]: 87C3520401F2: uid=0 from=
May 21 17:29:01 redstonedesigner postfix/cleanup[2777]: 87C3520401F2: message-id=20200521162901.87C3520401F2@redstonedesigner.com
May 21 17:29:01 redstonedesigner postfix/qmgr[1982]: 87C3520401F2: from=root@redstonedesigner.com, size=711, nrcpt=1 (queue active)
May 21 17:29:01 redstonedesigner postfix/local[2893]: warning: /etc/postfix/main.cf, line 23: overriding earlier entry: smtpd_tls_session_cache_database=btree:${data_directory}/smtpd_scache
May 21 17:29:01 redstonedesigner postfix/local[2893]: 87C3520401F2: to=root@redstonedesigner.com, orig_to=, relay=local, delay=0.07, delays=0.05/0.01/0/0, dsn=2.0.0, status=sent (delivered to maildir)
May 21 17:29:01 redstonedesigner postfix/qmgr[1982]: 87C3520401F2: removed

I’m not seeing any TLS related log entries at all :face_with_raised_eyebrow:

What if you temporarily change smtp_tls_security_level to encrypt and try again? It should either use TLS or fail entirely.

Webmin (my control panel) now won’t send my message and shows the following:

Is openssl installed on the server at all?

Also, please follow this guide I’ve managed to find: https://www.digitalreborn.com/fix-postfix-tls-is-required-but-our-tls-engine-is-unavailable-error/ (actually, it was the first result when Google-ing "tls engine is unavailable" debian.)

OpenSSL is installed.

That guide does not do anything, the emails are still in the mail queue.

What’s the entire output of postconf?

https://pastebin.com/raw/cd6hF6va

The output was too long for me to post here.

I see you still have smtp_tls_cert_file and smtp_tls_key_file set? Why?

Not quite sure. Commented them out now.

EDIT: Had no effect.

Otherwise I’m not seeing anything incorrect and I’m not sure what’s wrong with the “TLS engine” of your Postfix/server.

It appears to have fixed itself now. I’m not quite sure why, but thank you for your help @Osiris!

Perhaps you didn’t reload Postfix directly after a change, but after you’ve reloaded it, it was fixed by the previously made change.

Remember to change smtp_tls_security_level=encrypt back to smtp_tls_security_level=may for better compatibility with SMTP servers on the internet (unfortunately) and reload Postfix after the change :wink:
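The log check used in this thread, as an added example that is not part of the original posts: with smtp_tls_loglevel set to 1, the Postfix SMTP client logs a "... TLS connection established to ..." summary line after each TLS handshake, so a remote delivery with no such line from the same smtp process most likely went out unencrypted. The sample log lines, host names and the function name audit_outbound_tls are constructed for illustration, and matching on process id and relay is a heuristic.

```python
import re

# Constructed sample modelled on the log format in this thread
# (example.com / 192.0.2.10 are placeholders, not values from the thread).
SAMPLE_LOG = """\
May 21 17:28:57 mail postfix/smtp[2779]: warning: /etc/postfix/main.cf, line 23: overriding earlier entry
May 21 17:28:57 mail postfix/smtp[2779]: F060520401F2: to=<user@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=0.37, dsn=2.0.0, status=sent (250 2.0.0 OK)
May 21 18:02:10 mail postfix/smtp[3101]: Trusted TLS connection established to mx.example.com[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
May 21 18:02:11 mail postfix/smtp[3101]: A1B2C3D4E5F6: to=<user@example.com>, orig_to=<alias@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=0.41, dsn=2.0.0, status=sent (250 2.0.0 OK)
May 21 18:02:12 mail postfix/local[3102]: B2C3D4E5F6A7: to=<root@example.com>, relay=local, delay=0.07, dsn=2.0.0, status=sent (delivered to maildir)
"""

# Only the outbound SMTP client (postfix/smtp) is of interest; local
# deliveries and smtpd (inbound) lines are skipped.
SMTP_LINE = re.compile(r"postfix/smtp\[(?P<pid>\d+)\]: (?P<rest>.*)")
# "Trusted", "Untrusted", "Verified" or "Anonymous" precede the fixed text.
TLS_LINE = re.compile(
    r"\w+ TLS connection established to (?P<relay>[^\s\[]+\[[^\]]+\]:\d+):"
)
SENT_LINE = re.compile(
    r"(?P<qid>[0-9A-F]+): to=.*?relay=(?P<relay>[^,]+),.*status=sent"
)


def audit_outbound_tls(log_text):
    """Return (queue_id, relay, tls_seen) for every remote delivery.

    tls_seen is True when the same smtp process logged a TLS handshake
    summary for that relay earlier in the log (heuristic match).
    """
    handshakes = set()  # (pid, relay) pairs with a logged TLS handshake
    deliveries = []
    for line in log_text.splitlines():
        m = SMTP_LINE.search(line)
        if not m:
            continue
        pid, rest = m.group("pid"), m.group("rest")
        tls = TLS_LINE.match(rest)
        if tls:
            handshakes.add((pid, tls.group("relay")))
            continue
        sent = SENT_LINE.match(rest)
        if sent:
            relay = sent.group("relay")
            deliveries.append((sent.group("qid"), relay, (pid, relay) in handshakes))
    return deliveries


if __name__ == "__main__":
    for qid, relay, tls in audit_outbound_tls(SAMPLE_LOG):
        print(f"{qid} -> {relay}: {'TLS' if tls else 'NO TLS LOGGED'}")
```
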
