Using let's encrypt certs with postfix

hi all,

I don’t have a ton of experience with email servers/postfix so this could very well be a newbie issue. for some reason, I cannot get postfix to encrypt emails, at least that’s what google is saying when I send a test email from the server to a gmail account.

when I check my server against checktls.com, it appears to be ok, so I’m not totally sure what’s going on. I have postfix set up to forward all emails; imap/pop is not in use on my server.

here’s my postfix main.cf that relates to TLS stuff…it’s a mix of a conf I found on https://cipherli.st/ and some posts in here:

smtpd_use_tls=yes
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file=/etc/letsencrypt/live/mysite.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mysite.com/privkey.pem
smtpd_tls_CAfile=/etc/letsencrypt/live/mysite.com/chain.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols=!SSLv2,!SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers=high
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

thanks!

First: the use of smtpd_tls_CAfile is a) not useful as you’ve already specified fullchain.pem (which includes chain.pem) in smtpd_tls_cert_file and b) used for client authentication, something which is rarely needed.

Second: all these settings are for ‘smtpd’: the server. When you send mail to e.g. Gmail, you’re using the client part of Postfix, which has nothing to do with the server part and with that, even nothing to do with Let’s Encrypt.

So you’d probably need to read up in the client section of Postfix: http://www.postfix.org/TLS_README.html#client_tls


Thanks Osiris, I was looking at the settings and wracking my brain trying to figure out what was wrong so I could help, and completely missed that they were all for smtpd.

It's such an easy oversight to make. I did the same with my own server when I was setting it up, so it should have been obvious to me.

FWIW, smtp usually doesn’t care about a cert being authentic (i.e. self-signed certificates are fine). The RFCs have stated that it is a local decision; in practice I haven’t seen anyone require it.


thanks for the help, gentlemen. I replaced smtpd* with smtp and it seems to work now. here’s my updated config, for anyone else who ever has this same issue:

smtp_use_tls=yes
smtp_tls_loglevel = 1
smtp_tls_security_level = may
#smtp_tls_auth_only = yes
smtp_tls_cert_file=/etc/letsencrypt/live/mysite.com/fullchain.pem
smtp_tls_key_file=/etc/letsencrypt/live/mysite.com/privkey.pem
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_mandatory_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols=!SSLv2,!SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_ciphers=high
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

regarding the smtpd_tls_CAfile bit, I actually found that on a blog that spoke about using let’s encrypt certs with postfix. if I find the site again, I’ll post it.


What’s your Postfix version? B/c since 2.3 smtp_use_tls is obsolete. smtp_tls_security_level is all you need.

And why are you setting certificates for your CLIENT? Please, do read the documentation.

Moreover, I’m hoping you didn’t replace your smtpd directives, but added the smtp ones? Because now no one can reach your Postfix SERVER through TLS…

And about blogs… Yeah, euh, there’s a lot of bullcrap out there I’m afraid… All well-meant, but bullcrap nonetheless.


True, but once you’ve got the cert for your domain, you may as well use it for mail as well. (That’s what I did.)

  • Drop smtp_use_tls; it is obsolete.
  • Client certificate files in SMTP are generally counter-productive. Servers typically don’t request client certificates, and may choke on any you offer. Plus client-certs are sent in the clear, so pose a privacy leak in some cases.
  • The cipher exclusion list contains a bogus entry PSD, purge it. If you really insist on excluding aNULL there is no need to also list ADH which is a proper subset.
  • Disabling TLSv1 and TLSv1.1 even for opportunistic TLS is probably unwise, there are still many sites that don’t yet support TLSv1.2, and sending to those in the clear is not better than using TLSv1.
  • Changing the definition of tls_high_cipherlist is STRONGLY discouraged. Don’t do it.

P.S. Questions about Postfix and TLS should really be asked on the postfix-users mailing list. The Let’s Encrypt forum is not the best place to find Postfix expertise, even on TLS.
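One way to catch the mistakes the replies in this thread point out (smtp_use_tls, client certificate files, the missing smtpd side, the bogus PSD entry, TLSv1 disabled under opportunistic TLS, an overridden tls_high_cipherlist), as an added example that is not code from the thread or from Postfix: a small Python linter over a main.cf fragment. The sample input is a constructed, trimmed copy of the poster's "updated" config; the parameter names are real Postfix ones, the finding messages are my own wording.

```python
import re
# Constructed sample input: the poster's "updated" client-side main.cf, trimmed to the checked lines.
SAMPLE_MAIN_CF = """\
smtp_use_tls=yes
smtp_tls_security_level = may
smtp_tls_cert_file=/etc/letsencrypt/live/mysite.com/fullchain.pem
smtp_tls_key_file=/etc/letsencrypt/live/mysite.com/privkey.pem
smtp_tls_mandatory_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
smtp_tls_protocols=!SSLv2,!SSLv3, !TLSv1, !TLSv1.1
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:!aNULL
"""

def parse_main_cf(text):
    """Parse main.cf: 'key = value', '#' comments, leading-whitespace continuation lines."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and last is not None:  # continuation of the previous value
            params[last] += " " + line.strip()
            continue
        key, sep, value = line.partition("=")
        if sep:
            last = key.strip()
            params[last] = value.strip()
    return params

# Postfix list parameters accept commas and/or whitespace as separators.
split_list = lambda value: [v for v in re.split(r"[,\s]+", value) if v]

def lint_tls(params):
    """Return {parameter: [problems]} for the issues the replies in the thread point out."""
    findings = {}
    flag = lambda key, msg: findings.setdefault(key, []).append(msg)
    if "smtp_use_tls" in params:
        flag("smtp_use_tls", "obsolete since Postfix 2.3; smtp_tls_security_level is enough")
    for key in ("smtp_tls_cert_file", "smtp_tls_key_file", "smtp_tls_CAfile"):
        if key in params:  # these configure a CLIENT certificate, not the server's
            flag(key, "client certificate: rarely needed and sent in the clear")
    if "smtpd_tls_security_level" not in params:
        flag("smtpd_tls_security_level", "missing: the SERVER side will not offer STARTTLS")
    for key in ("smtp_tls_mandatory_exclude_ciphers", "smtpd_tls_mandatory_exclude_ciphers"):
        if "PSD" in split_list(params.get(key, "")):
            flag(key, "bogus entry PSD")
    if params.get("smtp_tls_security_level") == "may" and "!TLSv1" in split_list(params.get("smtp_tls_protocols", "")):
        flag("smtp_tls_protocols", "with opportunistic TLS, disabling TLSv1 means cleartext to old sites")
    if "tls_high_cipherlist" in params:
        flag("tls_high_cipherlist", "overriding the default is strongly discouraged")
    return findings
```

Run it against the output of `postconf -n` on a real box to get the same report for your own configuration.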
