Postfix-sent emails showing as unsecured when TLS is enabled

I’m trying to understand your issue here, but I’m having trouble:

You’ve secured your postfix with a Let’s Encrypt (LE) TLS certificate. Was this successful? You don’t say in your post.

Also, it’s about SENDING emails to Gmail. As far as I know, the LE certificate used for RECEIVING e-mails through TLS in Postfix isn’t related to the secure SENDING of emails to Gmail.

The Postfix configuration file (main.cf) uses the smtp_tls_ prefix for its TLS settings related to its SMTP client for sending emails. It uses the smtpd_tls_ prefix (notice the subtle difference!) for its TLS settings related to its SMTP server for receiving emails. What are your smtp_tls_ and smtpd_tls_ settings?

Securing was successful.

smtpd_tls_cert_file = /etc/letsencrypt/live/redstonedesigner.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/redstonedesigner.com/privkey.pem
smtpd_use_tls=yes
smtpd_tls_loglevel=0
smtpd_tls_received_header=yes
smtpd_tls_security_level = encrypt
smtpd_tls_note_starttls_offer=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtp_tls_cert_file=/etc/letsencrypt/live/redstonedesigner.com/fullchain.pem
smtp_tls_key_file=/etc/letsencrypt/live/redstonedesigner.com/key.pem
smtp_use_tls = yes
smtp_tls_loglevel=0
smtp_tls_received_header=yes
smtp_tls_security_level=may
smtp_tls_note_starttls_offer=yes

I agree, the Let’s Encrypt cert looks fine on your SMTP server.

This is for client TLS certification, which is normally not used in regular SMTP servers. Notice the difference between smtp and smtpd in the options. See for more information: http://www.postfix.org/postconf.5.html#smtp_tls_cert_file

This option (without the “d” in “smtp_”) doesn’t exist for the SMTP client, only for the SMTP server (with the “d” in “smtpd_”).
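As an added illustration of the smtp_/smtpd_ distinction (and of the duplicated smtpd_tls_session_cache_database line that Postfix warns about in the logs further down), here is a small lint script. It is example code written for this thread, not part of Postfix; the main.cf fragment it checks is copied from the configuration posted above.

```python
import re

# main.cf fragment copied from the thread; line 5 repeats the smtpd_ cache key,
# which Postfix reports as "overriding earlier entry".
SAMPLE_MAIN_CF = """\
smtpd_tls_cert_file = /etc/letsencrypt/live/redstonedesigner.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/redstonedesigner.com/privkey.pem
smtpd_tls_security_level = encrypt
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_cert_file=/etc/letsencrypt/live/redstonedesigner.com/fullchain.pem
smtp_tls_key_file=/etc/letsencrypt/live/redstonedesigner.com/key.pem
smtp_tls_security_level=may
"""

# Client-side (smtp_, no "d") certificate parameters; an ordinary outbound MTA
# does not need them, only the smtpd_ server-side pair.
CLIENT_CERT_PARAMS = ("smtp_tls_cert_file", "smtp_tls_key_file")


def parse_main_cf(text):
    """Parse 'name = value' lines (comments and blanks skipped) into a dict.

    Returns (settings, findings); a repeated name is recorded the way Postfix
    logs it, and the later value wins, exactly as in Postfix itself.
    """
    settings, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)", line)
        if not m:
            findings.append(f"line {lineno}: unparsable: {line}")
            continue
        name, value = m.group(1), m.group(2).strip()
        if name in settings:
            findings.append(f"line {lineno}: overriding earlier entry: {name}")
        settings[name] = value
    return settings, findings


def lint_tls(settings):
    """Flag outbound (smtp_) TLS settings worth a second look."""
    findings = []
    for p in CLIENT_CERT_PARAMS:
        if settings.get(p):
            findings.append(f"{p} is set: a client certificate is not needed to send mail")
    level = settings.get("smtp_tls_security_level", "none") or "none"
    if level == "none":
        findings.append("smtp_tls_security_level is none: outbound mail goes in cleartext")
    elif level == "may":
        findings.append("smtp_tls_security_level=may: opportunistic TLS, cleartext fallback")
    if not settings.get("smtp_tls_session_cache_database"):
        findings.append("smtp_tls_session_cache_database not set (smtpd_ typed by mistake?)")
    return findings
```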

Perhaps the client certificate thing matters, but as far as I know, it shouldn't. Could you please post the *headers* of an email sent from your Postfix to Gmail which is labeled as insecure?

Delivered-To: redstonedesigner1@gmail.com
Received: by 2002:ab0:5c8:0:0:0:0:0 with SMTP id e66csp1000035uae;
Thu, 21 May 2020 07:33:26 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzGDRFL1ms87ApUL0KMzTYsB2jRgKrhbcyFAKSc1YXtBSJ5ABm4X66G9eVQmXeG7WnKFTZn
X-Received: by 2002:adf:9286:: with SMTP id 6mr9390021wrn.179.1590071605972;
Thu, 21 May 2020 07:33:25 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1590071605; cv=none;
d=google.com; s=arc-20160816;
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=mime-version:date:message-id:to:subject:from:dkim-signature;
bh=qEHNraQicb/6XE8RiD6AYYyRVqQSG0GkQgNGHQBjIgE=;
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@redstonedesigner.com header.s=dkim header.b=5X6lL8ZR;
spf=pass (google.com: domain of noreply@redstonedesigner.com designates 144.91.64.225 as permitted sender) smtp.mailfrom=noreply@redstonedesigner.com;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redstonedesigner.com
Return-Path: noreply@redstonedesigner.com
Received: from redstonedesigner.com (redstonedesigner.com. [144.91.64.225])
by mx.google.com with ESMTP id g7si1587497wmg.44.2020.05.21.07.33.25
for redstonedesigner1@gmail.com;
Thu, 21 May 2020 07:33:25 -0700 (PDT)
Received-SPF: pass (google.com: domain of noreply@redstonedesigner.com designates 144.91.64.225 as permitted sender) client-ip=144.91.64.225;
Authentication-Results: mx.google.com;
dkim=pass header.i=@redstonedesigner.com header.s=dkim header.b=5X6lL8ZR;
spf=pass (google.com: domain of noreply@redstonedesigner.com designates 144.91.64.225 as permitted sender) smtp.mailfrom=noreply@redstonedesigner.com;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redstonedesigner.com
Received: by redstonedesigner.com (Postfix, from userid 1002)
id 7A5EF20401F2; Thu, 21 May 2020 15:33:25 +0100 (BST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=redstonedesigner.com;
s=dkim; t=1590071605;
bh=qEHNraQicb/6XE8RiD6AYYyRVqQSG0GkQgNGHQBjIgE=;
h=From:Subject:To:Date:From;
From: noreply@redstonedesigner.com
Subject: Testing
To: redstonedesigner1@gmail.com
Message-Id: 1590071605.13868@redstonedesigner.com
X-Mailer: Usermin 1.780
Date: Thu, 21 May 2020 15:33:25 +0100 (BST)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bound1590071605"

Hm, too bad, that doesn’t tell me much. Actually, it does.

Compare these headers:

Yours:

Received: from redstonedesigner.com (redstonedesigner.com. [144.91.64.225])
        by mx.google.com with ESMTP id g7si1587497wmg.44.2020.05.21.07.33.25
        for redstonedesigner1@gmail.com;
        Thu, 21 May 2020 07:33:25 -0700 (PDT)

Mine:

Received: from lb1-smtp-cloud9.xs4all.net (lb1-smtp-cloud9.xs4all.net. [194.109.24.22])
        by mx.google.com with ESMTPS id o12si3380366edq.34.2020.05.21.07.56.55
        for <...@gmail.com>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 21 May 2020 07:56:56 -0700 (PDT)

GMail lists the TLS only if it’s present. If it’s lacking, the mention of TLS is lacking too. As such, it seems your Postfix indeed doesn’t send its mail through a secure channel.

Have you removed the client authentication part of your configuration already and tried again?
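An added example, not from the thread, that applies the check described in the post above to a Received: header: a hop written as "with ESMTPS" and carrying a "(version=... cipher=...)" clause was encrypted, a plain "with ESMTP" hop without that clause was not. The two sample headers are constructed from the lines quoted in this thread, with the recipient replaced by a placeholder.

```python
import re

# Constructed samples modelled on the two Received: lines quoted in the thread;
# the recipient address is a placeholder.
PLAIN_HOP = (
    "Received: from redstonedesigner.com (redstonedesigner.com. [144.91.64.225])\n"
    "        by mx.google.com with ESMTP id g7si1587497wmg.44.2020.05.21.07.33.25\n"
    "        for <recipient@example.com>;\n"
    "        Thu, 21 May 2020 07:33:25 -0700 (PDT)"
)
TLS_HOP = (
    "Received: from lb1-smtp-cloud9.xs4all.net (lb1-smtp-cloud9.xs4all.net. [194.109.24.22])\n"
    "        by mx.google.com with ESMTPS id o12si3380366edq.34.2020.05.21.07.56.55\n"
    "        for <recipient@example.com>\n"
    "        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);\n"
    "        Thu, 21 May 2020 07:56:56 -0700 (PDT)"
)


def unfold(header):
    """Join RFC 5322 folded continuation lines into one logical line."""
    return re.sub(r"\r?\n[ \t]+", " ", header.strip())


def hop_tls_info(received):
    """Describe one Received: hop: sender, receiver, and whether STARTTLS was used.
    Gmail (like Postfix) writes 'with ESMTPS' plus '(version=... cipher=...)' only
    for an encrypted hop; 'with ESMTP' and no clause means cleartext."""
    line = unfold(received)
    m_from = re.search(r"\bfrom\s+(\S+)", line)
    m_by = re.search(r"\bby\s+(\S+)", line)
    m_with = re.search(r"\bwith\s+([A-Z0-9]+)\b", line)
    protocol = m_with.group(1) if m_with else ""
    m_tls = re.search(r"version=(\S+)\s+cipher=(\S+)", line)
    return {
        "from": m_from.group(1) if m_from else "",
        "by": m_by.group(1) if m_by else "",
        "protocol": protocol,
        # ESMTPS / ESMTPSA / SMTPS all carry the trailing S that marks STARTTLS.
        "tls": protocol.startswith(("ESMTPS", "SMTPS")) or m_tls is not None,
        "version": m_tls.group(1) if m_tls else None,
        "cipher": m_tls.group(2) if m_tls else None,
    }


def cleartext_hops(headers):
    """List 'from -> by' for every Received: hop in a header block that lacked TLS."""
    hops = re.findall(r"^Received:.*?(?=^\S|\Z)", headers, flags=re.M | re.S)
    return [f"{i['from']} -> {i['by']}" for i in map(hop_tls_info, hops) if not i["tls"]]
```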

What do you mean “remove client authentication”?

See the second part of my previous post: Postfix-sent emails showing as unsecured when TLS is enabled

I have done that, and it still shows as insecure.

What does your Postfix log say when you send an email to GMail?

May 21 16:16:01 redstonedesigner postfix/sendmail[17638]: warning: /etc/postfix/main.cf, line 23: overriding earlier entry: smtpd_tls_session_cache_database=btree:{data_directory}/smtpd_scache
May 21 16:16:01 redstonedesigner postfix/postdrop[17639]: warning: /etc/postfix/main.cf, line 23: overriding earlier entry: smtpd_tls_session_cache_database=btree:{data_directory}/smtpd_scache
May 21 16:16:01 redstonedesigner postfix/pickup[7272]: 648AE20401F7: uid=0 from=
May 21 16:16:01 redstonedesigner postfix/cleanup[16069]: 648AE20401F7: message-id=20200521151601.648AE20401F7@redstonedesigner.com
May 21 16:16:01 redstonedesigner postfix/qmgr[7273]: 648AE20401F7: from=root@redstonedesigner.com, size=711, nrcpt=1 (queue active)
May 21 16:16:01 redstonedesigner postfix/local[7976]: 648AE20401F7: to=root@redstonedesigner.com, orig_to=, relay=local, delay=0.06, delays=0.06/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
May 21 16:16:01 redstonedesigner postfix/qmgr[7273]: 648AE20401F7: removed

Could you please set smtp_tls_loglevel to 1, reload Postfix, try again and post the log of that attempt again?

May 21 17:28:56 redstonedesigner postfix/trivial-rewrite[2778]: warning: /etc/postfix/main.cf, line 23: overriding earlier entry: smtpd_tls_session_cache_database=btree:{data_directory}/smtpd_scache
May 21 17:28:56 redstonedesigner postfix/cleanup[2777]: F060520401F2: message-id=<1590078536.2773@redstonedesigner.com>
May 21 17:28:57 redstonedesigner postfix/qmgr[1982]: F060520401F2: from=<noreply@redstonedesigner.com>, size=671, nrcpt=1 (queue active)
May 21 17:28:57 redstonedesigner postfix/smtp[2779]: warning: /etc/postfix/main.cf, line 23: overriding earlier entry: smtpd_tls_session_cache_database=btree:{data_directory}/smtpd_scache
May 21 17:28:57 redstonedesigner postfix/smtp[2779]: F060520401F2: to=redstonedesigner1@gmail.com, relay=gmail-smtp-in.l.google.com[173.194.76.27]:25, delay=0.37, delays=0.08/0.02/0.06/0.22, dsn=2.0.0, status=sent (250 2.0.0 OK 1590078537 h15si5374954wrx.350 - gsmtp)
May 21 17:28:57 redstonedesigner postfix/qmgr[1982]: F060520401F2: removed
May 21 17:29:01 redstonedesigner postfix/sendmail[2891]: warning: /etc/postfix/main.cf, line 23: overriding earlier entry: smtpd_tls_session_cache_database=btree:{data_directory}/smtpd_scache
May 21 17:29:01 redstonedesigner postfix/postdrop[2892]: warning: /etc/postfix/main.cf, line 23: overriding earlier entry: smtpd_tls_session_cache_database=btree:{data_directory}/smtpd_scache
May 21 17:29:01 redstonedesigner postfix/pickup[1983]: 87C3520401F2: uid=0 from=
May 21 17:29:01 redstonedesigner postfix/cleanup[2777]: 87C3520401F2: message-id=20200521162901.87C3520401F2@redstonedesigner.com
May 21 17:29:01 redstonedesigner postfix/qmgr[1982]: 87C3520401F2: from=root@redstonedesigner.com, size=711, nrcpt=1 (queue active)
May 21 17:29:01 redstonedesigner postfix/local[2893]: warning: /etc/postfix/main.cf, line 23: overriding earlier entry: smtpd_tls_session_cache_database=btree:${data_directory}/smtpd_scache
May 21 17:29:01 redstonedesigner postfix/local[2893]: 87C3520401F2: to=root@redstonedesigner.com, orig_to=, relay=local, delay=0.07, delays=0.05/0.01/0/0, dsn=2.0.0, status=sent (delivered to maildir)
May 21 17:29:01 redstonedesigner postfix/qmgr[1982]: 87C3520401F2: removed

I’m not seeing any TLS related log entries at all 🤨

What if you temporarily change smtp_tls_security_level to encrypt and try again? It should either use TLS or fail entirely.

Webmin (my control panel) now won’t send my message and shows the following:

Is openssl installed on the server at all?

Also, please follow this guide I’ve managed to find: https://www.digitalreborn.com/fix-postfix-tls-is-required-but-our-tls-engine-is-unavailable-error/ (actually, it was the first result when Google-ing "tls engine is unavailable" debian.)

OpenSSL is installed.

That guide does not do anything, the emails are still in the mail queue.

What’s the entire output of postconf?

https://pastebin.com/raw/cd6hF6va

The output was too long for me to post here.

I see you still have smtp_tls_cert_file and smtp_tls_key_file set? Why?

Not quite sure. Commented them out now.

EDIT: Had no effect.