Problem with tls_security_level

Daniel daniel at ist-immer-online.de
Fri Apr 1 20:44:41 CEST 2016


Hi,

I have 2 problems. When I set smtpd_tls_security_level from "may" to "encrypt", no more mail arrives. The log then shows,
e.g.:

postfix/smtpd[30166]: connect from verifier.port25.com[38.95.177.125]
postfix/smtpd[30166]: disconnect from verifier.port25.com[38.95.177.125] ehlo=1 mail=0/1 rcpt=0/1 data=0/1 quit=1 commands=2/5

I want to enforce encryption, not just make it optional. Unencrypted is generally no longer used anyway, and where it still is,
one can do without it, hence no longer optional.

And when I send mail to servers that use DANE, such as Posteo, the connection is only "Trusted" and not "Verified".

What is the cause?

Config excerpt:
broken_sasl_auth_clients = yes
disable_vrfy_command = yes
duplicate_filter_limit = 32768
inet_protocols = ipv4, ipv6
mailbox_size_limit = 0
message_drop_headers = bcc, content-length, resent-bcc
strict_rfc821_envelopes = yes

smtp_dns_support_level = dnssec
smtp_host_lookup = dns, native
smtp_tls_CApath = /etc/ssl/certs/
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
smtp_tls_fingerprint_digest = SHA256
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = dane

smtpd_client_restrictions = check_client_access hash:/etc/access/client_access, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_invalid_hostname
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce
smtpd_relay_restrictions = $smtpd_recipient_restrictions
smtpd_sasl_authenticated_header = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /usr/etc/postfix/fullchain.pem
smtpd_tls_ciphers = high
smtpd_tls_dh1024_param_file = /usr/etc/ssl/dh4096.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_fingerprint_digest = SHA256
smtpd_tls_key_file = /usr/etc/postfix/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may

tls_daemon_random_bytes = 64
tls_high_cipherlist = EECDH+AESGCM:AES+EECDH:+ECDHE-RSA-AES256-SHA:+ECDHE-RSA-AES128-SHA:RSA+AESGCM:RSA+AES:RSA+CAMELLIA:+AES256-SHA:+AES128-SHA:!EXPORT:!eNULL:!aNULL:!DES:!3DES:!RC4:!RC2:!MD5:!IDEA:!SEED:!EDH:!aECDH:!aECDSA:!kECDHe:!SRP:!PSK
tls_preempt_cipherlist = yes
tls_random_bytes = 64
tls_ssl_options = no_ticket, no_compression

Regards, Daniel
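An added pre-flight check (example code, not from the post or from Postfix): before switching smtpd_tls_security_level to "encrypt", scan the smtpd disconnect summaries like the one quoted above and group clients by whether they ever issued STARTTLS. Sessions that send MAIL with no starttls counter at all are the ones that get refused once "encrypt" is set; the sample lines below are constructed, with only the port25 line taken from the post.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the disconnect summary quoted in the post.
# The port25 line is the one from the post; the other hosts and IPs are made up.
SAMPLE_LOG = """\
postfix/smtpd[30166]: connect from verifier.port25.com[38.95.177.125]
postfix/smtpd[30166]: disconnect from verifier.port25.com[38.95.177.125] ehlo=1 mail=0/1 rcpt=0/1 data=0/1 quit=1 commands=2/5
postfix/smtpd[30201]: connect from mx.example.net[192.0.2.10]
postfix/smtpd[30201]: disconnect from mx.example.net[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
postfix/smtpd[30250]: connect from unknown[198.51.100.7]
postfix/smtpd[30250]: disconnect from unknown[198.51.100.7] ehlo=1 starttls=0/1 quit=1 commands=2/3
"""

DISCONNECT_RE = re.compile(r"disconnect from (?P<client>\S+\[[^\]]+\]) (?P<counters>.+)$")
COUNTER_RE = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")


def parse_counters(text):
    """Return {command: (accepted, attempted)}; 'mail=0/1' means 0 accepted of 1 tried."""
    out = {}
    for name, ok, tried in COUNTER_RE.findall(text):
        ok = int(ok)
        out[name] = (ok, int(tried) if tried else ok)
    return out


def classify(counters):
    """Label a session by how it would fare under smtpd_tls_security_level = encrypt."""
    tls_ok, tls_tried = counters.get("starttls", (0, 0))
    mail_tried = counters.get("mail", (0, 0))[1]
    if tls_ok:
        return "tls"                # encrypted session, unaffected by 'encrypt'
    if tls_tried:
        return "starttls_failed"    # client tried STARTTLS but the handshake failed
    if mail_tried:
        return "plaintext_mail"     # MAIL without STARTTLS: refused once 'encrypt' is set
    return "no_mail"                # e.g. EHLO then QUIT, nothing to deliver


def summarize(log_text):
    """Group clients by category so the impact of 'encrypt' can be judged before switching."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = DISCONNECT_RE.search(line)
        if m:
            groups[classify(parse_counters(m.group("counters")))].append(m.group("client"))
    return dict(groups)


if __name__ == "__main__":
    for category, clients in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{category:16} {len(clients):3}  {', '.join(clients)}")
```

Run it over a real mail log in place of SAMPLE_LOG; a large "plaintext_mail" group means the switch to "encrypt" will cost you those senders, while "starttls_failed" points at certificate or cipher problems rather than at the security level.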