Changing smtp_tls_security_level to enable TLS between mail servers

NethServer Version: 7
Module: Mail - postfix - SMTP

Hello,

It’s my first post so first of all I would like to say hello to all of you. I have 1 quick question and maybe a suggestion. I’m by no means postfix specialist, but in my understanding:

smtpd_tls_security_level - enable TLS when SMTP is receiving mail
smtp_tls_security_level - enable TLS when SMTP is sending mail

I have a fresh NethServer installation and by default it is set like this:

[root@myserver ~]# postconf | grep -i smtpd_tls_security_level
smtpd_tls_security_level = may

[root@myserver ~]# postconf | grep -i smtp_tls_security_level
smtp_tls_security_level =

When I want to send mail to whatever@gmail.com, the actions below happen:

  1. TLS is working when I send mail from Thunderbird client on my PC to the server
  2. TLS is NOT working when my server sends mail it received from PC to gmail (red lock icon in GMail)

To fix this I changed only 1 parameter:
[root@myserver ~]# postconf -e 'smtp_tls_security_level = may'
[root@myserver ~]# postconf | grep -i smtp_tls_security_level
smtp_tls_security_level = may
[root@myserver ~]# systemctl restart postfix

I think TLS now works properly (GMail says I’m using TLS now - red lock icon disappeared).

Question:
Will changing smtp_tls_security_level to “may” break anything? If not - do you think it would be a good idea to have this parameter set to “may” as default Nethserver setting?

4 Likes

AFAIK, no. I have at least one NethServer based mail server using smtp_tls_security_level = may since months and I didn’t notice problems.

Probably yes. :slight_smile:

Correct me if I'm wrong, but the postfix configuration will be lost if not changed from esmith, with every reboot or configuration change from the web page.

In my test environment Gmail reported that mails delivered from my nethserver mail server are not encrypted (little red unlocked padlock under the source email address).
I tried to force it through esmith with:

smtp_tls_security_level = yes

but nethserver refused to deliver email, falsely reporting that the gmail server does not support TLS.
From my understanding, when nethserver talks with the gmail server it can't recognize that it supports TLS encryption.

Could you attach a maillog excerpt?

It was some time ago the last time I tried it; I can't remember where exactly I saw it.
I tried to recreate it now; here are my results:

I added a custom setting by creating this file:

nano /etc/e-smith/templates-custom/etc/postfix/main.cf/70extra_options

added the line:

smtp_tls_security_level = yes may

Run

signal-event nethserver-mail-common-save

checked that the setting “smtp_tls_security_level = yes” is there with the following command:

cat /etc/postfix/main.cf | grep -v '^#' | sed -r '/^( |\t|$)/ d' | sort

sent mail, but it's stuck in the Mail Queue

mail logs:

mail postfix/master[18635]: warning: process /usr/libexec/postfix/smtp pid 18639 exit status 1
mail postfix/master[18635]: warning: /usr/libexec/postfix/smtp: bad command startup -- throttling
mail postfix/smtp[18656]: fatal: Invalid TLS level "yes"
1 Like

First of all - thank you for helping me :wink: I have a few conclusions to share.

  1. Parameter “smtp_tls_security_level = may” has not broken anything so far. GMail is properly seeing that TLS is in use.
  2. Setting smtp_tls_security_level using “postconf -e ‘smtp_tls_security_level = may’” is not a good solution. It will survive reboot, but it won’t survive changing mail settings in web server manager.
  3. The method provided by @Nomedor is working. Reboots or configuration changes done through the web server manager do not erase parameter values set in “/etc/e-smith/templates-custom/etc/postfix/main.cf/70extra_options”

@Nomedor your method is working. You have problems because you set “smtp_tls_security_level = yes”. “yes” is not a valid parameter. When you use a valid parameter it will work for sure :wink:

You can find the list of available parameters here - http://www.postfix.org/postconf.5.html#smtp_tls_security_level

2 Likes
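The two lessons of this thread (write the setting into the e-smith custom template so it survives the web manager, and only use a value postfix actually accepts, so the smtp process does not die with "Invalid TLS level") can be combined into a small check script. The script below is an added example, not code from NethServer or from anyone in the thread. It validates a level against the values listed in postconf(5) for smtp_tls_security_level, reads a parameter back out of main.cf-style text the same way the grep/sed one-liner above does, and refuses to write the 70extra_options template fragment when the value is invalid. The template path is the one used in the thread; the function names and the sample main.cf text are constructed for the example.

```shell
#!/bin/sh
# Added example (not NethServer's own tooling): guard the outbound TLS setting
# before it reaches the e-smith custom template for /etc/postfix/main.cf.

# Return 0 if $1 is a value postconf(5) accepts for smtp_tls_security_level.
# "yes" is not on this list, which is why postfix/smtp exits with
# 'fatal: Invalid TLS level "yes"' in the log excerpt above.
valid_tls_level() {
    case "$1" in
        none|may|encrypt|dane|dane-only|fingerprint|verify|secure) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the effective value of parameter $1 from main.cf-style text on stdin.
# Comment lines are dropped and the last assignment wins, as in postfix.
get_main_cf_param() {
    grep -v '^#' \
      | sed -n -E "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*(.*)$/\1/p" \
      | tail -n 1
}

# Write smtp_tls_security_level into the e-smith custom template fragment.
# $1 = level, $2 = template directory (defaults to the path from the thread).
# Refuses to write an invalid level so the template never breaks postfix.
write_extra_options() {
    level="$1"
    dir="${2:-/etc/e-smith/templates-custom/etc/postfix/main.cf}"
    if ! valid_tls_level "$level"; then
        echo "refusing to write invalid smtp_tls_security_level \"$level\"" >&2
        return 1
    fi
    mkdir -p "$dir"
    printf 'smtp_tls_security_level = %s\n' "$level" > "$dir/70extra_options"
}

# Constructed sample: what a default main.cf looks like after the mistake
# from the thread. Running the block stand-alone prints the effective value.
sample_main_cf='# postfix main.cf (constructed sample)
smtpd_tls_security_level = may
smtp_tls_security_level = yes
'
printf '%s' "$sample_main_cf" | get_main_cf_param smtp_tls_security_level
```

After writing the fragment, the template still has to be expanded with signal-event nethserver-mail-common-save, exactly as in the thread; a quick confirmation that the expanded file carries the intended value is to pipe /etc/postfix/main.cf through get_main_cf_param smtp_tls_security_level and compare it with what was written.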